How to use multiline aws-cli command in remediation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to use multiline aws-cli command in remediation

L1 Bithead

I am using below aws-cli command to remove/disable cloudfront distribution originprotocolssl:SSLv3

aws cloudfront get-distribution-config --id E29BDBENPXM1VE | jq -c -r 'del(.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[0])|.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Quantity=3 | .DistributionConfig, .ETag' | ( read x; read y;  aws cloudfront update-distribution --id E29BDBENPXM1VE --distribution-config $x --if-match $y )
 
 
It is working fine in awscli but same command is giving error (Multi line command doesn't support in redlock) when used in remediation cli. Can anyone suggest the way to fix this  also wanted to know does redlock support bash scripting for auto remediation.Look forward to hearing from you.Thank  you in advance 
1 accepted solution

Accepted Solutions

Since this auto remediation isn't possible yet due to multiple aws CLIs, one will need to set an alert rule for the desired policies, then write a piece of automation/code in AWS (Lambda as an example) for looking at the payload for desired policy X and apply the AWS CLI one wishes in that function, in AWS.

So in macro level, instead of auto remediation to run from Prisma Cloud, it will look like that (high level example) :

- policy X violated

- alert created for policy X

- alert sent to SQS queue due to alert rule in place

- Lambda funtion going through SQS queue and runs a code with wished above AWS CLI to mitigate the violation.

 

This will also act as an auto remediation, as an interim, due to the limitation of one AWS CLI command per policy.

 

You will need to create the code in Lambda, while there are a lot of publicly available examples out there.

I hope this has informed you well.

View solution in original post

5 REPLIES 5

L2 Linker

Hi @PYARRAMSETTY 

This is currently not supported, though a feature request is in development for allowing the multiple commands ability in remediation. I do not have a solid date for you, sadly.

Having said that, one can utilize the SQS integration, configure specific alert rules for remediation to push the alerts to a queue and build an automation code in AWS to pull from the SQS queue and run the multiple lines of code, as an interim measure.

This should do the trick for you.

More info on SQS integration:

https://docs.paloaltonetworks.com/redlock/redlock-admin/configure-external-integrations-on-redlock/i...

Thank for the solution. But any alert is auto remediable once aws cli command is specified in Policy remediation,then

Alert rule picks that policy for auto remediation. Sqs integration comes into picture while configuring alrert rule. Could you please let me know steps to ingest below multiline aws cli command into sqs. Also wanted to know once alret is triggered does sqs apply fix?I have 50 different aws accounts violated one policy,to apply fix do i need to create 20 sqs ,again it is manual work.Is there any solution in such way that it can applicable all the resources violated in different aws accounts?
 
 
aws cloudfront get-distribution-config --id ${Resource ID} | jq -c -r 'del(.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[0])|.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Quantity=3 | .DistributionConfig, .ETag' | ( read x; read y; aws cloudfront update-distribution --id ${Resource ID}--distribution-config $x --if-match $y )

Since this auto remediation isn't possible yet due to multiple aws CLIs, one will need to set an alert rule for the desired policies, then write a piece of automation/code in AWS (Lambda as an example) for looking at the payload for desired policy X and apply the AWS CLI one wishes in that function, in AWS.

So in macro level, instead of auto remediation to run from Prisma Cloud, it will look like that (high level example) :

- policy X violated

- alert created for policy X

- alert sent to SQS queue due to alert rule in place

- Lambda funtion going through SQS queue and runs a code with wished above AWS CLI to mitigate the violation.

 

This will also act as an auto remediation, as an interim, due to the limitation of one AWS CLI command per policy.

 

You will need to create the code in Lambda, while there are a lot of publicly available examples out there.

I hope this has informed you well.

Thank you for sharing your inputs and guidance to have a fix to this issue using your specified approach.

 

Apparently, the prismacloud (Former RedLock) console now looks good with additional features. I believe these changes were a part of new release, but I also wanted to understand if there was any chances to the fit the requirement of using  multi-line aws command in the auto remediation section. Awaiting your response !

Hello, this is not availble in the recent release rollout and is still a feature request in pipeline.

  • 1 accepted solution
  • 10072 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!