07-19-2019 11:07 PM - last edited on 09-02-2020 10:18 AM by kwadsack
I am using below aws-cli command to remove/disable cloudfront distribution originprotocolssl:SSLv3
07-22-2019 12:13 AM
This is currently not supported, though a feature request is in development for allowing the multiple commands ability in remediation. I do not have a solid date for you, sadly.
Having said that, one can utilize the SQS integration, configure specific alert rules for remediation to push the alerts to a queue and build an automation code in AWS to pull from the SQS queue and run the multiple lines of code, as an interim measure.
This should do the trick for you.
More info on SQS integration:
07-22-2019 12:27 AM
Thanks for the solution. But any alert is auto remediable once aws cli command is specified in Policy remediation, then
07-22-2019 02:36 AM
Since this auto remediation isn't possible yet due to multiple aws CLIs, one will need to set an alert rule for the desired policies, then write a piece of automation/code in AWS (Lambda as an example) for looking at the payload for desired policy X and apply the AWS CLI one wishes in that function, in AWS.
So in macro level, instead of auto remediation to run from Prisma Cloud, it will look like that (high level example):
- policy X violated
- alert created for policy X
- alert sent to SQS queue due to alert rule in place
- Lambda function going through SQS queue and runs a code with wished above AWS CLI to mitigate the violation.
This will also act as an auto remediation, as an interim, due to the limitation of one AWS CLI command per policy.
You will need to create the code in Lambda, while there are a lot of publicly available examples out there.
I hope this has informed you well.
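A sketch of the Lambda step in the flow described above, as an added example that is not part of the original thread and not Prisma Cloud's own code. It reads alerts from SQS records, keeps only those for the chosen policy, and removes SSLv3 from the CloudFront origin protocol list; the payload keys `policyName` and `resourceId`, the `POLICY_NAME` placeholder and the injectable `cloudfront` argument are assumptions of this example.

```python
import json

# Assumed, not taken from the thread: one JSON alert per SQS message, with the
# policy name and the CloudFront distribution id under the keys below.
POLICY_NAME = "policy X"  # placeholder for the policy named in the alert rule
POLICY_KEY, RESOURCE_KEY = "policyName", "resourceId"

def strip_sslv3(dist_config):
    """Drop SSLv3 from each custom origin's OriginSslProtocols; True if changed."""
    changed = False
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:  # S3 origins carry no protocol list
            continue
        protos = custom["OriginSslProtocols"]
        kept = [p for p in protos["Items"] if p != "SSLv3"]
        if len(kept) != len(protos["Items"]):
            kept = kept or ["TLSv1.2"]  # example's choice: never submit an empty list
            protos["Items"], protos["Quantity"] = kept, len(kept)
            changed = True
    return changed

def targets(event):
    """Yield distribution ids from SQS records whose alert matches POLICY_NAME."""
    for record in event.get("Records", []):
        try:
            alert = json.loads(record["body"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed messages instead of failing the batch
        if isinstance(alert, dict) and alert.get(POLICY_KEY) == POLICY_NAME \
                and alert.get(RESOURCE_KEY):
            yield alert[RESOURCE_KEY]

def handler(event, context, cloudfront=None):
    """Lambda entry point; returns the ids of the distributions it updated."""
    if cloudfront is None:
        import boto3  # available in the Lambda Python runtime
        cloudfront = boto3.client("cloudfront")
    fixed = []
    for dist_id in targets(event):
        resp = cloudfront.get_distribution_config(Id=dist_id)
        config = resp["DistributionConfig"]
        if strip_sslv3(config):  # the ETag guards against concurrent edits
            cloudfront.update_distribution(Id=dist_id, IfMatch=resp["ETag"],
                                           DistributionConfig=config)
            fixed.append(dist_id)
    return fixed

# Constructed sample event: one matching alert, one other policy, one bad body.
SAMPLE_EVENT = {"Records": [
    {"body": json.dumps({"policyName": "policy X", "resourceId": "EDFDVBD6EXAMPLE"})},
    {"body": json.dumps({"policyName": "other", "resourceId": "E000CONSTRUCTED"})},
    {"body": "not json"}]}
```

The function's execution role needs `cloudfront:GetDistributionConfig` and `cloudfront:UpdateDistribution` on the affected distributions, plus read access to the queue.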
08-18-2019 11:00 PM
Thank you for sharing your inputs and guidance to have a fix to this issue using your specified approach.
Apparently, the Prisma Cloud (former RedLock) console now looks good with additional features. I believe these changes were a part of new release, but I also wanted to understand if there was any chance to fit the requirement of using multi-line aws command in the auto remediation section. Awaiting your response!
08-19-2019 12:05 AM
Hello, this is not available in the recent release rollout and is still a feature request in pipeline.