Create the remediation role

This section tells you how to create the role needed before you can use remediation.

By default, Sophos Cloud Optix uses read-only permissions that are set up when you add AWS environments.

If you want to use remediation, you must first run an additional script that grants specific write permissions in your environment.

After you’ve added an AWS environment, do as follows:

  1. Go to Settings > Environments.
  2. Click Edit environment (the pen icon) beside the environment where you want to add remediation.
    The environment details are displayed.
  3. At the bottom of the page, follow the link to instructions for creating the Remediate Role ARN and Remediate External Id.
  4. Run the script shown, using the AWS Command Line Interface (AWS CLI).

The script creates a remediation role with the following permissions:

  • s3:GetBucketAcl
  • s3:PutBucketAcl
  • s3:GetBucketPolicy
  • s3:PutBucketPolicy
  • s3:PutEncryptionConfiguration
  • iam:GetAccountPasswordPolicy
  • iam:UpdateAccountPasswordPolicy
  • cloudtrail:UpdateTrail
  • ec2:DeleteSecurityGroup
  • ec2:DescribeSecurityGroups
  • ec2:RevokeSecurityGroupIngress
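The following is an added example and not the script Sophos provides. It builds the two IAM policy documents such a role needs (a trust policy that requires the Remediate External Id on sts:AssumeRole, and a permissions policy limited to the actions listed above) and includes a check that flags any Allow action outside that list, so an administrator can confirm the role that was actually created is not over-provisioned. The trusted account ID, the external ID value and the use of an sts:ExternalId condition are assumptions: the page does not state which principal assumes the role or how the external ID is enforced.

```python
"""Build and audit IAM policy documents for a Cloud Optix remediation role.

Added example, not Sophos's own script. The action list is the one the page
documents; the trusted account ID and external ID below are placeholders.
"""
import json

# Actions the page says the remediation role is granted.
REMEDIATION_ACTIONS = [
    "s3:GetBucketAcl",
    "s3:PutBucketAcl",
    "s3:GetBucketPolicy",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "iam:GetAccountPasswordPolicy",
    "iam:UpdateAccountPasswordPolicy",
    "cloudtrail:UpdateTrail",
    "ec2:DeleteSecurityGroup",
    "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupIngress",
]


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy letting one (assumed) account assume the role only when it
    presents the agreed external ID; this is the standard AWS guard against
    the confused-deputy problem for cross-account roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """Inline permissions policy limited to the documented remediation actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": REMEDIATION_ACTIONS,
            "Resource": "*",
        }],
    }


def _actions(statement: dict) -> list:
    # IAM allows Action to be a single string or a list; normalise to a list.
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def excess_actions(policy: dict) -> list:
    """Return Allow actions in `policy` that are not in the documented set.
    Wildcards such as s3:* are reported as excess because they can never be
    matched one-to-one against the expected list."""
    expected = set(REMEDIATION_ACTIONS)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            if action not in expected:
                found.add(action)
    return sorted(found)


def missing_external_id(policy: dict) -> bool:
    """True if any Allow statement for sts:AssumeRole lacks an sts:ExternalId
    condition, i.e. the role could be assumed without the external ID."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _actions(stmt):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            return True
    return False


if __name__ == "__main__":
    # Placeholder values: replace with the account and external ID from the
    # Cloud Optix instructions before use.
    print(json.dumps(trust_policy("111111111111", "EXAMPLE-EXTERNAL-ID"), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    # Constructed over-broad policy, to show what the audit reports.
    broad = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "iam:UpdateAccountPasswordPolicy"],
        "Resource": "*",
    }]}
    print("excess actions:", excess_actions(broad))  # → ['s3:*']
```

Write the two documents to files and apply them with the standard CLI calls, `aws iam create-role --assume-role-policy-document file://trust.json` and `aws iam put-role-policy --policy-document file://permissions.json`; afterwards, feed the output of `aws iam get-role-policy` to `excess_actions` to confirm the role carries nothing beyond the eleven documented actions.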