Within the Aqua CSPM Remediation feature, there are two modes of operation:


  1. Manual (User-Triggered) Remediations - any user (with the correct access) who is viewing an Aqua CSPM security report, will now see a new "Remediate" button next to all supported findings. Clicking this button will allow the user to trigger a remediation that is executed by Aqua, according to a pre-defined policy that you configure.

  2. Manual + Automated (Event-Triggered) Remediations - when Aqua CSPM receives an event from AWS CloudTrail or CloudWatch Events, we will evaluate it, trigger a real-time scan of the newly-detected resource, and remediate any findings according to a pre-defined policy that you configure.


There are additional differences between these remediation types, including how the connection is made to your cloud account, what resources are deployed into your account, what prerequisites must be met to trigger a remediation, and how the remediation occurs. Each of these is discussed below.


Connection Process

To begin using Remediations, you must provide a connection to your cloud account that will enable Aqua CSPM's infrastructure to assume temporary access and make control-plane-level API calls. Aqua CSPM provides a CloudFormation template (for AWS) that allows you to quickly deploy the necessary resources in a reliable fashion. This template can be deployed in an individual account, or quickly across all of your accounts using AWS Organizations and AWS CloudFormation StackSets.


This connection to your account is called a "remediator."


In manual mode, the CloudFormation template deploys the following resources:

  1. An IAM role, called "AquaCSPMRemediatorRole"
  2. An IAM policy attached to that role with a set of permissions that allow Aqua CSPM to perform remediations (e.g. "ec2:RevokeSecurityGroupIngress" or "s3:PutBucketEncryption").
  3. A trust relationship attached to that role with an external ID consisting of a UUID and a 6-digit code.


In automated mode, the CloudFormation template deploys the following resources:

  1. Everything from the manual mode above.
  2. A KMS key with a policy allowing Aqua CSPM's remediator role to use it to decrypt.
  3. A Secrets Manager secret containing MFA key data.
  4. A secret policy allowing Aqua CSPM's remediator role to access the secret in step 3.
  5. A Lambda function that is responsible for rotating the 6-digit code attached to the IAM role's trust relationship every 5 minutes.
  6. A CloudWatch event to trigger the Lambda function every 5 minutes.
  7. An IAM role for the Lambda function allowing it to update the trust relationship of the remediation IAM role.


In both deployment models, you have full control over the entire connection process because all of the IAM roles, permissions, and secrets needed to perform a remediation are fully owned by your account. Aqua CSPM does not save the 6-digit code associated with the IAM role's trust relationship, preventing us from assuming the role except in specific scenarios described below.


After the stack is deployed, you will copy the ARN of the IAM role back to the Aqua CSPM dashboard.


Triggering a Remediation

In manual mode, a remediation is triggered by an Aqua CSPM user from your account clicking "remediate" on a scan report finding. If you have configured your account policy to allow this remediation, the following steps will occur:

  1. The user selects a supported result from the scan report to remediate.
  2. A box asks the user for the 6-digit code. They may retrieve the code by opening their AWS console and copying it from the IAM role settings. This ensures a two-way trust for the user: they must have access to both the Aqua CSPM account and the AWS account in which the remediation will be performed.
  3. Aqua CSPM crafts an IAM policy specific to the resource and remediation. For example, if S3 bucket encryption is being added, the policy would contain "s3:PutBucketEncryption" permissions on "arn:aws:s3:::bucketName".
  4. Aqua CSPM uses the saved IAM role and external ID, combined with the 6-digit code, to perform an STS "Assume Role", passing the policy from step 3. This ensures that the session is scoped only to the specific calls necessary to perform the remediation.
  5. The credentials returned are used to perform the API calls against the resource needed for the remediation.
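The following is an added example, not Aqua CSPM's own code, showing the shape of steps 3 and 4 above: a session policy scoped to a single action on a single resource, and an STS AssumeRole call that passes that policy together with the external ID (UUID plus the user-entered 6-digit code). The account id, role ARN, UUID, code and bucket name are constructed placeholders, concatenating the UUID and code with no separator is an assumption, and RecordingStsClient is a constructed stand-in for boto3.client("sts") so the block runs offline.

```python
"""Scoped AssumeRole for a manual remediation (added example, not Aqua CSPM's code)."""
import json
import re

# Constructed placeholder values (assumptions, not from the page).
REMEDIATOR_ROLE_ARN = "arn:aws:iam::123456789012:role/AquaCSPMRemediatorRole"
EXTERNAL_ID_UUID = "3f0c9d8e-1b2a-4c5d-8e9f-0a1b2c3d4e5f"


def s3_bucket_arn(bucket_name: str) -> str:
    """ARN for a bucket; S3 ARNs carry no region or account field."""
    return f"arn:aws:s3:::{bucket_name}"


def build_session_policy(action: str, resource_arn: str) -> str:
    """Session policy allowing exactly one action on exactly one resource.

    STS intersects this with the role's attached policy, so the session can
    never gain more than the role already allows, only less.
    """
    document = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": [action], "Resource": [resource_arn]}
        ],
    }
    return json.dumps(document, separators=(",", ":"))


def compose_external_id(uuid_part: str, code: str) -> str:
    """External ID = UUID followed by the user-entered 6-digit code (no-separator layout is an assumption)."""
    if not re.fullmatch(r"[0-9]{6}", code):
        raise ValueError("the remediation code must be exactly six digits")
    return uuid_part + code


def assume_remediator_role(sts_client, role_arn: str, external_id: str,
                           session_policy: str, session_name: str = "AquaCSPMRemediation"):
    """Step 4: AssumeRole with the scoped session policy; returns temporary credentials."""
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        Policy=session_policy,
        DurationSeconds=900,  # shortest duration STS allows; enough for one remediation
    )
    return response["Credentials"]


class RecordingStsClient:
    """Constructed stand-in for boto3.client("sts"): records the call, returns fake credentials."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "constructed",
                                "SessionToken": "constructed"}}


def remediate_bucket_encryption(sts_client, bucket_name: str, code: str):
    """Manual flow for the page's S3 example: scope the policy, assume the role, return (creds, policy)."""
    policy = build_session_policy("s3:PutBucketEncryption", s3_bucket_arn(bucket_name))
    external_id = compose_external_id(EXTERNAL_ID_UUID, code)
    creds = assume_remediator_role(sts_client, REMEDIATOR_ROLE_ARN, external_id, policy)
    # With a real client, an S3 client built from `creds` would call put_bucket_encryption here.
    return creds, policy


if __name__ == "__main__":
    client = RecordingStsClient()
    remediate_bucket_encryption(client, "example-bucket", "123456")
    print(json.dumps(client.calls[0], indent=2))
```

Because the session policy is intersected with the role's attached permissions, a defect in the crafted policy can only narrow the session, never widen it beyond what your CloudFormation stack granted; the role's attached policy remains the ceiling.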


In automated mode, a remediation is triggered by a real-time event, received from AWS CloudTrail or CloudWatch Events. If the event matches the account policy, the following steps will occur:

  1. Aqua CSPM's remediator will use the KMS key deployed in your account to access the Secrets Manager secret (also deployed in your account).
  2. The secret contains the MFA key material needed to generate an OTP-compliant 6-digit code that matches the code currently attached to the trust relationship in your account.
  3. Aqua CSPM crafts an IAM policy specific to the resource and remediation. For example, if S3 bucket encryption is being added, the policy would contain "s3:PutBucketEncryption" permissions on "arn:aws:s3:::bucketName".
  4. The 6-digit code retrieved in step 2 will be appended to the stored external ID, which, combined with the stored role ARN, will be used to perform an STS "Assume Role" on the remediator role deployed in your account, passing the policy from step 3. This ensures that the session is scoped only to the specific calls necessary to perform the remediation.
  5. The credentials returned are used to perform the API calls against the resource needed for the remediation.


Note: The automated remediation connection can also be used manually by following the same "manual" steps. The only difference is that the 6-digit code is only valid for 5 minutes.
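The following is an added example, not Aqua CSPM's own code, modelling the two sides of the automated flow above and the trust relationship from the Connection Process: the rotation Lambda in your account, which writes the current code into the remediator role's trust relationship, and the Aqua-side remediator, which regenerates the same code from the MFA key material and appends it to the external ID. Codes follow RFC 4226 HOTP / RFC 6238 TOTP with 6 digits. The seed (the RFC 4226 test secret), UUID, role name and principal ARN are constructed placeholders; a 300-second time step (one code per 5-minute rotation) is an assumption drawn from the page's rotation interval; RecordingIamClient stands in for boto3.client("iam") so the block runs offline.

```python
"""Rotating 6-digit external-ID code for the automated remediator (added example, not Aqua CSPM's code)."""
import hashlib
import hmac
import json
import struct

# Constructed placeholders (assumptions). The seed is the RFC 4226 test secret.
SEED = b"12345678901234567890"
EXTERNAL_ID_UUID = "3f0c9d8e-1b2a-4c5d-8e9f-0a1b2c3d4e5f"
ROLE_NAME = "AquaCSPMRemediatorRole"
TRUSTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder for the remediator's account
STEP_SECONDS = 300  # assumption: one code per 5-minute rotation


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def render_trust_policy(principal_arn: str, external_id: str) -> dict:
    """Trust relationship that admits the principal only with a matching sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


class RecordingIamClient:
    """Constructed stand-in for boto3.client("iam"); keeps the last trust policy written."""

    def __init__(self):
        self.trust_policy = None

    def update_assume_role_policy(self, RoleName: str, PolicyDocument: str):
        self.trust_policy = json.loads(PolicyDocument)


def rotate_trust_relationship(iam_client, now: int) -> str:
    """Your account's Lambda: write the code for the current time step into the trust policy."""
    code = totp(SEED, now)
    document = render_trust_policy(TRUSTED_PRINCIPAL, EXTERNAL_ID_UUID + code)
    iam_client.update_assume_role_policy(RoleName=ROLE_NAME, PolicyDocument=json.dumps(document))
    return code


def remediator_external_id(now: int) -> str:
    """Aqua side: regenerate the code from the secret's key material and append it to the UUID."""
    return EXTERNAL_ID_UUID + totp(SEED, now)


def trust_policy_accepts(trust_policy: dict, external_id: str) -> bool:
    """Does the currently written trust policy admit this external ID?"""
    condition = trust_policy["Statement"][0]["Condition"]["StringEquals"]
    return hmac.compare_digest(condition["sts:ExternalId"], external_id)


if __name__ == "__main__":
    iam = RecordingIamClient()
    rotated_at = 1_700_000_100  # constructed timestamp on a 300-second boundary
    rotate_trust_relationship(iam, rotated_at)
    # Same 5-minute window: accepted. Next window, before the Lambda has rotated: rejected.
    print(trust_policy_accepts(iam.trust_policy, remediator_external_id(rotated_at + 60)))
    print(trust_policy_accepts(iam.trust_policy, remediator_external_id(rotated_at + 300)))
```

The last two calls show why the note above says a code is only valid for 5 minutes: once the time step advances, the code the remediator derives no longer matches the one written into the trust relationship until the Lambda rotates it again. In this simplified model the rotation is assumed to happen exactly at step boundaries; with a scheduled CloudWatch trigger, a remediation attempted right at a boundary can land on either side, which is worth remembering when reading a failed AssumeRole in CloudTrail.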


Comparison


  Can be triggered by logged-in Aqua CSPM users
    Manual: Yes
    Manual + Automated: Yes

  Can be triggered by real-time events received via CloudTrail or CloudWatch
    Manual: No
    Manual + Automated: Yes

  Security model
    Manual: 6-digit code appended to the external ID, which is not saved by Aqua CSPM and is entered by the user performing the remediation.
    Manual + Automated: Rotating 6-digit code appended to the external ID, generated via an OTP-compliant virtual MFA device. Aqua CSPM extracts the device key material from Secrets Manager to generate a matching temporary code.