Legacy: Remediation

Sophos Cloud Optix can remediate issues related to S3 buckets, security groups, and IAM password policies, in AWS environments.

Warning: You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environments.

This feature helps with administration and management. For example, you can delete unused Security Groups, or make sure your S3 buckets conform to your policies.

To use remediation, you must first grant Sophos Cloud Optix specific write access permissions to your environments. Then turn on automatic or manual remediation.

You can also use webhooks for remediation. Webhooks pass information about Sophos Cloud Optix alerts to your own systems.

Create the remediation role

This section tells you how to create the role needed before you can use remediation.

By default, Sophos Cloud Optix uses the read-only permissions that are set up when you add AWS environments.

If you want to use remediation, you must first run an additional script that grants specific write access permissions to your environment.

After you’ve added an AWS environment, do as follows:

  1. Go to Settings and click Environments.
  2. Click Edit environment (the pen icon) beside the environment where you want to add remediation.
    The environment details are displayed.
  3. Follow the link to the instructions for creating the Remediate Role ARN and Remediate External Id.
  4. Run the script shown via the AWS command-line interface.

The script creates a remediation role with the following permissions:

  • s3:GetBucketAcl
  • s3:PutBucketAcl
  • s3:GetBucketPolicy
  • s3:PutBucketPolicy
  • s3:PutEncryptionConfiguration
  • iam:GetAccountPasswordPolicy
  • iam:UpdateAccountPasswordPolicy
  • cloudtrail:UpdateTrail
  • ec2:DeleteSecurityGroup
  • ec2:DescribeSecurityGroups
  • ec2:RevokeSecurityGroupIngress
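The script you run creates the role for you, but it is worth checking afterwards that the role is scoped the way this list says. The example below is added here and is not Sophos code or the output of the script: it builds a trust policy that requires the Remediate External Id (the `sts:ExternalId` condition, which is what stops another customer of the same service from assuming your role) and a permissions policy limited to the actions listed above, then audits an existing policy document for wildcard or undocumented actions. The principal ARN and external ID in it are placeholders; the real values come from the instructions linked from the environment details page.

```python
import json

# Actions the documentation lists for the remediation role (the documented set).
REMEDIATION_ACTIONS = frozenset({
    "s3:GetBucketAcl", "s3:PutBucketAcl",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "iam:GetAccountPasswordPolicy", "iam:UpdateAccountPasswordPolicy",
    "cloudtrail:UpdateTrail",
    "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupIngress",
})

# Placeholders (assumptions): the real principal ARN and external ID come from the
# instructions linked from the environment details page, not from this example.
EXAMPLE_PRINCIPAL = "arn:aws:iam::111122223333:root"
EXAMPLE_EXTERNAL_ID = "example-external-id"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_arn, external_id):
    """Trust policy: only `principal_arn` may assume the role, and only when it presents
    the agreed external ID (the standard confused-deputy protection for cross-account roles)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy():
    """Permissions policy limited to the documented remediation actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REMEDIATION_ACTIONS),
            "Resource": "*",
        }],
    }


def audit_permissions_policy(policy):
    """Return findings for Allow statements that grant wildcard or undocumented actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than the documented permissions")
            elif action not in REMEDIATION_ACTIONS:
                findings.append(f"undocumented action {action!r}")
    return findings


def audit_trust_policy(policy, expected_external_id):
    """Return findings for AssumeRole statements open to any principal or lacking the external ID."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("role can be assumed by any AWS principal")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            findings.append("missing or mismatched sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(EXAMPLE_PRINCIPAL, EXAMPLE_EXTERNAL_ID)
    perms = build_permissions_policy()
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust findings:", audit_trust_policy(trust, EXAMPLE_EXTERNAL_ID))
    print("permission findings:", audit_permissions_policy(perms))
```

To audit the role the script actually created, feed the documents returned by `aws iam get-role` and `aws iam get-role-policy` to the two audit functions; an empty list from each means the role trusts only the expected principal with the expected external ID and grants nothing beyond the listed actions.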

Automatic remediation

To turn on automatic remediation for a policy, do as follows:

  1. Go to Policies.
  2. Find the policy where you want to turn on remediation. Click Customize.
  3. In the list of rules, there’s a Guardrail column. If the Guardrail option is shown next to a rule, click it to turn on automatic remediation for that rule.

The changes take effect the next time Sophos Cloud Optix performs a scan.

Manual remediation

To manually remediate an issue from an alert, do as follows:

  1. Go to Alerts.
  2. Click the Alert ID of an alert you want to remediate. This opens the alert details.
  3. If the alert can be remediated, a wrench icon is shown. Click that and select the resources you want to remediate for this alert.
  4. Click Remediate.

You get a pop-up message about the success or failure of remediation.

Which issues can you remediate?

Sophos Cloud Optix supports remediation for the following rules.

IAM Password Policy checks. The policy must meet the following requirements:

  • Contains at least one uppercase letter.
  • Contains at least one lowercase letter.
  • Contains at least one symbol.
  • Contains at least one number.
  • Minimum length of at least 14 characters.
  • Password reuse prevented.
  • Password expiry in at least 90 days.
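The example below is added here to show what these seven checks look like when run against an account password policy; it is not Sophos code and does not show how Sophos Cloud Optix itself evaluates the rule. It reads a policy in the shape of the IAM GetAccountPasswordPolicy response, reports which requirements fail, and builds the parameters for iam:UpdateAccountPasswordPolicy (the permission the remediation role holds) that tighten only what fails. The expiry requirement is read here as "passwords expire, with a maximum age of 90 days or less", which is an assumption about the intended meaning of the item above.

```python
# Field names follow the IAM GetAccountPasswordPolicy response and the
# UpdateAccountPasswordPolicy request parameters.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90


def check_password_policy(policy):
    """Map each listed requirement to True (met) or False (not met)."""
    p = policy.get("PasswordPolicy", policy)  # accept the raw API response or its inner dict
    reuse = p.get("PasswordReusePrevention")
    max_age = p.get("MaxPasswordAge")  # absent or 0 means passwords never expire
    return {
        "uppercase": bool(p.get("RequireUppercaseCharacters", False)),
        "lowercase": bool(p.get("RequireLowercaseCharacters", False)),
        "symbol": bool(p.get("RequireSymbols", False)),
        "number": bool(p.get("RequireNumbers", False)),
        "min_length_14": p.get("MinimumPasswordLength", 0) >= MIN_LENGTH,
        "reuse_prevented": reuse is not None and reuse >= 1,
        # Assumption: expiry is read as "passwords expire within 90 days or less".
        "expiry_90_days": max_age is not None and 0 < max_age <= MAX_AGE_DAYS,
    }


def failing_requirements(policy):
    """Names of the requirements the policy does not meet, sorted for stable output."""
    return sorted(name for name, ok in check_password_policy(policy).items() if not ok)


def remediation_parameters(policy):
    """Parameters for iam:UpdateAccountPasswordPolicy that tighten only what fails.
    The API resets any parameter you omit to its default, so the settings that are
    not part of the checks are carried over from the current policy."""
    p = policy.get("PasswordPolicy", policy)
    current_age = p.get("MaxPasswordAge") or MAX_AGE_DAYS
    return {
        "MinimumPasswordLength": max(p.get("MinimumPasswordLength", 0), MIN_LENGTH),
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "MaxPasswordAge": min(current_age, MAX_AGE_DAYS),
        "PasswordReusePrevention": max(p.get("PasswordReusePrevention") or 0, 1),
        "AllowUsersToChangePassword": p.get("AllowUsersToChangePassword", False),
        "HardExpiry": p.get("HardExpiry", False),
    }


# Constructed sample in the shape of the GetAccountPasswordPolicy response:
# too short, no symbols required, and a 180-day maximum age.
SAMPLE_POLICY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": False,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 180,
        "PasswordReusePrevention": 5,
        "HardExpiry": False,
    }
}

if __name__ == "__main__":
    print("failing:", failing_requirements(SAMPLE_POLICY))
    params = remediation_parameters(SAMPLE_POLICY)
    print("update with:", params)
    print("failing after remediation:", failing_requirements(params))
```

Running the checks again on the parameters you are about to submit, as the last line does, is a cheap way to confirm a remediation will actually clear the alert before you change the account.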

S3 Bucket Encryption and Public Read/Write Permission checks. The bucket must meet the following requirements:

  • Encryption turned on.
  • Public read/list permission not allowed.
  • Public read/list bucket ACL permissions not allowed.
  • Public write permission not allowed.
  • Public write bucket ACL permissions not allowed.
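The example below is added here to show the five bucket checks as code; it is not Sophos code and is not how Sophos Cloud Optix evaluates the rule. It takes a bucket's ACL (GetBucketAcl response), its bucket policy (parsed JSON, or None) and its default encryption configuration (GetBucketEncryption response, or None when none exists), reports public read/list and write exposure from each source plus missing encryption, and builds the ACL body for s3:PutBucketAcl and the encryption body for PutBucketEncryption (the s3:PutEncryptionConfiguration permission) that clear those findings. Bucket policy statements that carry a Condition are deliberately not classed as public here, which is a simplification.

```python
# Shapes follow the S3 GetBucketAcl, GetBucketPolicy (parsed JSON) and
# GetBucketEncryption responses.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ = {"READ", "FULL_CONTROL"}
ACL_WRITE = {"WRITE", "FULL_CONTROL"}
POLICY_READ = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:List*", "s3:*", "*"}
POLICY_WRITE = {"s3:PutObject", "s3:DeleteObject", "s3:Put*", "s3:Delete*", "s3:*", "*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def check_bucket(acl, policy, encryption):
    """acl: GetBucketAcl response; policy: parsed bucket policy or None;
    encryption: GetBucketEncryption response, or None when no configuration exists."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if grant.get("Permission") in ACL_READ:
                findings.add("public read/list bucket ACL")
            if grant.get("Permission") in ACL_WRITE:
                findings.add("public write bucket ACL")
    for stmt in _as_list((policy or {}).get("Statement")):
        # Simplification: statements with a Condition are not classed as public here;
        # a full evaluator must inspect the condition keys.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or not _public_principal(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if actions & POLICY_READ:
            findings.add("public read/list bucket policy")
        if actions & POLICY_WRITE:
            findings.add("public write bucket policy")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.add("default encryption not turned on")
    return sorted(findings)


def remediated_acl(acl):
    """ACL with public group grants removed: the AccessControlPolicy body for s3:PutBucketAcl."""
    grants = [g for g in acl.get("Grants", [])
              if not (g.get("Grantee", {}).get("Type") == "Group"
                      and g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS)]
    return {"Owner": acl.get("Owner"), "Grants": grants}


def default_encryption_configuration():
    """Body for PutBucketEncryption that turns on SSE-S3 by default."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}


# Constructed sample: a bucket with a public-read ACL grant, a public-read policy
# and no default encryption.
OWNER = {"DisplayName": "example-owner", "ID": "0" * 64}
SAMPLE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print(check_bucket(SAMPLE_ACL, SAMPLE_POLICY, None))
    print(check_bucket(remediated_acl(SAMPLE_ACL), None, default_encryption_configuration()))
```

Note that the ACL and the bucket policy are independent grant paths: fixing one does not close the other, which is why the checks above report them separately and a remediation needs both s3:PutBucketAcl and s3:PutBucketPolicy.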

Incident Management checks:

  • Ensure a support role has been created to manage incidents with AWS Support.

Sophos Cloud Optix best practice checks:

  • Flag resource(s) with public IP and Security Group with ingress from any source on any port.
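The example below is added here to show the security group rule above as code; it is not Sophos code and is not how Sophos Cloud Optix evaluates the rule. It works over data in the shape of the EC2 DescribeSecurityGroups and DescribeInstances responses: a security group offends when an ingress rule admits 0.0.0.0/0 or ::/0 on all ports (protocol -1 or the full 0 to 65535 range), an instance is flagged when it has a public IP and is attached to such a group, and the request for ec2:RevokeSecurityGroupIngress (the permission the remediation role holds) is limited to the offending rules. Group and instance IDs in the sample are constructed.

```python
# Shapes follow the EC2 DescribeSecurityGroups and DescribeInstances responses.
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _open_to_any_source_any_port(perm):
    """True when one IpPermissions entry admits the whole internet on every port."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    if ANY_IPV4 not in sources and ANY_IPV6 not in sources:
        return False
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def offending_ingress(group):
    """The ingress rules of one security group that match the rule above."""
    return [p for p in group.get("IpPermissions", []) if _open_to_any_source_any_port(p)]


def exposed_instances(instances, security_groups):
    """Instance IDs that have a public IP and are attached to an offending group."""
    open_groups = {g["GroupId"] for g in security_groups if offending_ingress(g)}
    exposed = []
    for inst in instances:
        attached = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
        if inst.get("PublicIpAddress") and attached & open_groups:
            exposed.append(inst["InstanceId"])
    return sorted(exposed)


def revoke_request(group):
    """Parameters for ec2:RevokeSecurityGroupIngress covering only the offending rules,
    so that narrower rules in the same group (for example 443 from anywhere) are kept."""
    return {"GroupId": group["GroupId"], "IpPermissions": offending_ingress(group)}


# Constructed sample data (IDs are made up).
OPEN_SG, WEB_SG, INTERNAL_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002", "sg-0a1b2c3d4e5f60003"
SAMPLE_GROUPS = [
    {"GroupId": OPEN_SG, "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
    ]},
    {"GroupId": WEB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": INTERNAL_SG, "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": OPEN_SG}]},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": WEB_SG}]},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "PrivateIpAddress": "10.0.1.5",
     "SecurityGroups": [{"GroupId": OPEN_SG}]},
]

if __name__ == "__main__":
    print("exposed:", exposed_instances(SAMPLE_INSTANCES, SAMPLE_GROUPS))
    for g in SAMPLE_GROUPS:
        if offending_ingress(g):
            print("revoke:", revoke_request(g))
```

Only the first instance is flagged: the second is reachable from anywhere but only on port 443, and the third sits in the open group without a public IP. Revoking just the matching rules, rather than deleting the group, is the change that clears the finding without breaking the group's legitimate rules.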