Shay_Levin
Admin

AWS - Automated remediation via Dome9 CloudBots

What do you do if you have hundreds of security groups and many team members that manage those security groups?

How do you make sure that your environment is continuously secured?!

In this video, you will learn about the best practices for managing and auto-remediating violated AWS security groups.

You will learn about the following topics:

  • Managing AWS security groups
  • Cloud Security Posture Repository
  • Dome9 GSL Language
  • Periodic Compliance
  • CloudBots


2 Replies
Basilio_Alcant1
Contributor

Hi Shay,

Can you make a video explaining how to complete the multi mode deployment for CloudBots? I was able to complete steps 1 and 2, but I don't know where I am supposed to run the script from and what the <aws profile> is.

See instructions below.

Deploy for Multi mode

For multi-mode, you will setup one account as above for the single mode, and then set up cross account roles in each additional account.

On the AWS CFT console, for your account, perform these steps:

  1. Set the ACCOUNT_MODE environment variable to multi.
  2. Edit the trust_policy.json file (in the cross_account_role_configs folder), to add the account id of the additional account. Then, run the following commands:
cd cross_account_role_configs
./create_role.sh <aws profile>

This script will create the IAM role and policy and the cross-account role for the additional account.

Shay_Levin
Admin

Hi Basilio,

To run this command you need an AWS profile specific to the account on which you want to create the role.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html


For example: aws ec2 describe-instances --profile user1

and that would refer to that file and the entry "user1" in it.

You need to use whatever way possible to create an IAM role and attach a Policy to it.

That script is one way to do it on an account-by-account basis. The profile just helps your script understand which account it is (a profile is created on the client side, on whichever machine you want to run this script on).

In this case, the simple way is to just log in to the 2nd cloud account, go to IAM, create a role and attach the policy to it (names and policy contents are in that folder).

The script is just to automate this action, and then it needs to be repeated for each of your cloud accounts.

That way the CloudBots can assume the role in all the other accounts where they aren't installed and perform all actions allowed by that Policy.

Shay
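As an added illustration of the two points in this thread (what `--profile` refers to, and what the cross-account role's trust policy has to say), the Python below resolves the named profiles an AWS CLI config file defines, builds a trust policy for a role that one specific account may assume, and flags wildcard principals. This is example code, not the CloudBots project's `create_role.sh` or its `trust_policy.json`; the config text and account IDs are constructed, and which account id belongs in the trust policy should follow the project's instructions quoted above.

```python
"""Named-profile lookup and cross-account trust-policy check (example code,
not the CloudBots project's own). All file contents and IDs are constructed."""
import configparser
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed stand-in for ~/.aws/config. The AWS CLI stores non-default
# profiles in that file as "[profile <name>]" sections.
SAMPLE_AWS_CONFIG = """
[default]
region = us-east-1
[profile security-account]
region = us-east-1
[profile workload-b]
role_arn = arn:aws:iam::222222222222:role/ExampleAdmin
source_profile = security-account
"""


def profile_names(config_text):
    """Return the names usable with `aws ... --profile <name>`."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    prefix = "profile "
    return [s[len(prefix):] if s.startswith(prefix) else s for s in cp.sections()]


def build_trust_policy(trusted_account_id):
    """Trust policy for the role created in an additional account: only the
    given (hypothetical) account may call sts:AssumeRole on it."""
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError("account id must be exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_issues(policy):
    """Flag Allow statements whose principal is a wildcard, which would let
    any AWS account assume the role instead of only the CloudBots account."""
    issues = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_list = [aws] if isinstance(aws, str) else list(aws)
        if stmt.get("Effect", "Allow") == "Allow" and "*" in aws_list:
            issues.append("wildcard principal: any AWS account could assume this role")
    return issues
```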