Before beginning the Remediations setup, ensure the following prerequisites have been met:
- Registered and confirmed Aqua Cloud account that has been pre-approved for the Remediations beta.
- Onboarded and licensed AWS account (ensure the "licensed" toggle is set from the "Cloud Accounts" page).
- Admin access to the AWS account you wish to enroll.
- Real-time Events are configured (only required for "automated" Remediations). Please see the next section for more information.
Configuring Events (Optional)
There are two modes of operation for Remediations (read more here). If you wish to use "Manual + Automated" mode, in which Aqua CSPM will attempt to remediate findings in response to real-time events occurring in your cloud environment, then you must configure the event connection prior to enrolling in Remediations.
You can enroll in Events by selecting "Setup Events" next to any licensed AWS account from the "Cloud Accounts" page in the Aqua CSPM dashboard.
Configuring a Remediator
The first step in configuring Remediations is to establish a connection between the Aqua CSPM account and the target cloud account in which security risks will be remediated. To do this:
- Open the remediator wizard and select your cloud account from the drop-down (https://cloud.aquasec.com/remediator_wizard).
- Follow the on-screen wizard steps to launch the CloudFormation template.
Configuring a Policy
At this stage, Aqua CSPM has connectivity to your account but does not yet have a policy allowing it to perform any remediations. Let's create a policy:
- Navigate to the Remediation Policy page: https://cloud.aquasec.com/policies
- Click "Create Policy" at the top right.
- Use the UI to craft rules on how you would like Remediations to occur in your account. You can do this by selecting plugins from the drop-down and choosing whether to allow manual or automated remediations, or both.
- Apply the policy to either a cloud account or Aqua Cloud group (which will apply the policy to all cloud accounts in that group).
- Click "Save" to apply the policy.
After defining a policy, you can test out manual Remediations from the Scan Report page (automated Remediations will simply occur whenever a matching event is detected).
- Navigate to a scan report for the cloud account you have connected to Remediations.
- Click on the "Detailed Results" tab.
- Filter for results that can be remediated by choosing "Yes" from the drop-down under "Remediable".
- Click the drop-down menu to the right of the result and choose "Remediate Result".
- In the popup, enter your "Token Code". This code is the last 6 digits of the external ID deployed for the remediator role in your account.
- Enter any other required or optional fields and click to Remediate.
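The token code lookup from the last steps can be done against the remediator role's trust policy. This is an added example, not Aqua's code: it assumes the external ID appears as an sts:ExternalId condition on the role and that the token code is the last six characters of that value; the sample policy, account ID, external ID and role-name placeholder are constructed.

```python
import json

# Constructed sample trust policy (account ID and external ID are made up).
# A real one can be fetched with the AWS CLI, using your own role name:
#   aws iam get-role --role-name <remediator-role-name> \
#       --query Role.AssumeRolePolicyDocument
SAMPLE_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-ext-id-0042917"}}
  }]
}
"""

def _as_list(value):
    # IAM allows a single object/string where a list is also valid.
    return value if isinstance(value, list) else [value]

def external_ids(trust_policy):
    """Collect every sts:ExternalId required by Allow statements."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        for key, value in conditions.items():
            if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                found.extend(_as_list(value))
    return found

def token_code(trust_policy):
    """Return the last six characters of the role's single external ID."""
    ids = external_ids(trust_policy)
    if len(ids) != 1:
        # No external ID (or several) means the role is not set up as expected.
        raise ValueError(f"expected exactly one external ID, found {len(ids)}")
    return ids[0][-6:]

def token_code_from_json(text):
    return token_code(json.loads(text))

if __name__ == "__main__":
    print(token_code_from_json(SAMPLE_TRUST_POLICY))
```

A ValueError here is worth investigating before remediating: a cross-account role whose trust policy carries no external ID condition can be assumed by the trusted principal without one.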