topic Re: RQL Custom queries for AWS needed URGENTLY in Prisma Cloud Discussions

RQL Custom queries for AWS needed URGENTLY

FKisambu — Thu, 08 Dec 2022 09:41:53 GMT

I am new to RQL and I need to build custom queries quickly for compliance reporting an would appreciate if any SME can help with providing RQL queries for the below, rather than myself spending sleepless nights to re-invent the wheel when an expert somewhere would take them 5 min. Kindly assist

Custom RQL queries needed for :

=========================

1) Ensure the unused Key Pairs and Security Groups from AWS console are removed.
2) Ensure that you create Separate Keys and Groups for each set of Application Instance. Don’t use single Security Group and Key Pairs for the entire region
3) Ensure PEM keys for SSH are not shared with User
4) Ensure that you always have source IP address specified in the IAM Policies.
5) Ensure IAM instance roles are used for AWS resource access from instance-to-instance.
6) Ensure User Activity is monitored for the Audit purposes.
7) Ensure CloudTrail logs are encrypted at rest
😎 Ensure a log metric filter and alarm exist for security group changes
9) Ensure appropriate subscribers to each SNS topic
10) Ensure PEM keys for SSH are not shared with User
11) Ensure the usage of different CMK per type of data based on its classification and region
12) Ensure that their is a private connection between VPC and S3 and the traffic never leaves the Amazon network
13) Ensure the In-Transit data encryption in the communication between datacenters and Amazon AWS
14) Ensure that where used secure SSL Ciphers when connecting between the EC2 instance and ELB
15) Ensure standard / approved AMI used to launch the EC2 Instances

appreciate the quick response.

Many thanks

Re: RQL Custom queries for AWS needed URGENTLY

RichVega — Fri, 09 Dec 2022 18:19:37 GMT

Hello,

I would suggest opening a support case with the relevant account information so we can go ahead and hop on a call with you to determine some of your use cases and work with you on getting these RQL's constructed as well as walk you through some of the RQL related documents we have available.

Thank you.

Support Portal Link: https://support.paloaltonetworks.com/

Re: RQL Custom queries for AWS needed URGENTLY

FKisambu — Sat, 10 Dec 2022 13:37:16 GMT

Thank you for the response. I am currently unable to create support cases for some reason. During the recent Office Hours, someone took my email and they said they would look into it. Not heard from them since.

Kindly assist.

Thanks

Re: RQL Custom queries for AWS needed URGENTLY

TommyHunt — Tue, 13 Dec 2022 14:43:15 GMT

@FKisambu, you will likely require professional services to develop these custom rules or do it yourself.

Based on my experience, RQL as Prisma Cloud Policies are good for detecting and alerting. Use the native remediation, if possible.

Another option is to automate the remediation then simply code a "daemon" in a popular programming language like python or bash; schedule to run periodically; poll the Alert APIs; implement your decision-making policies then take appropriate action within that daemon.