CloudGuard Dome9 Help
Remediation of Compliance issues using Dome9 CloudBots
You can configure your Dome9 account to use Dome9 CloudBots to automatically correct compliance issues that are discovered in your cloud accounts by Dome9 compliance checks.
On the Remediation page, you can configure remediation steps for specific rules in your rulesets.
You must deploy Dome9 CloudBots in the cloud accounts to which remediation steps will be applied. See here for details.
Dome9 CloudBots are small programs or scripts that act on the account or cloud asset to correct missing or misconfigured settings (for example, to close Security Groups that are too open). They are invoked by Dome9 when compliance rules fail.
Dome9 CloudBots work only with rules that are invoked from Continuous Compliance policies (and not manually invoked compliance policies).
- Active protection of your cloud environment
- CloudBots can help reduce the workload on the enterprise cloud IT team by automatically performing remedial actions on misconfigured cloud assets and accounts.
- The response time to remedy a problem is shorter, which narrows the window of exposure to risk caused by the misconfiguration.
- Since CloudBots work with continuous compliance assessments, your cloud environments are assessed repeatedly, so any changes (as a result of unintentional or unauthorized access to the cloud assets) are detected and corrected almost immediately.
- CloudBots will reliably apply the same correction to misconfigurations of the same type. That is, correcting an account policy misconfiguration will be the same for all accounts. In addition, a full audit trace can be kept of all actions, so you are aware of changes that are applied.
- Navigate to the Remediation page in the Compliance menu.
- Click CREATE NEW REMEDIATION, in the upper right.
- Select the rules to which the remediation step will be added, from these options:
  - a Ruleset (mandatory)
  - a specific Rule in the ruleset (optional; if missing, all rules are implied)
  - a specific Entity, by its entity id (optional; if missing, all entities in the selected rules are implied)
  - a specific Cloud Account, selected from a list (optional; if missing, all cloud accounts for the user are implied)
- Select the CloudBot from the list. If the CloudBot is not in the list, select Custom, and then add the name of the CloudBot, along with the runtime arguments. The CloudBot must be deployed in the selected cloud account, in the same folder as the other bots.
- Add a comment (optional), and then click Save.
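
The scoping options above decide how widely a remediation acts: every optional field left empty widens it. The following sketch is an added example, not Dome9 code or its API; it models that matching so the reach of a remediation can be reviewed before it is saved, and flags accounts where the selected bot is not deployed. All class, field, bot, ruleset and account names are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Remediation:
    ruleset: str                         # mandatory
    cloudbot: str                        # bot name (hypothetical names below)
    rule: Optional[str] = None           # None: all rules in the ruleset
    entity_id: Optional[str] = None      # None: all entities hit by the rules
    cloud_account: Optional[str] = None  # None: all of the user's accounts

@dataclass(frozen=True)
class Finding:
    ruleset: str
    rule: str
    entity_id: str
    cloud_account: str
    continuous: bool  # True if raised by a Continuous Compliance policy

def applies(rem: Remediation, f: Finding) -> bool:
    """Scope match: an omitted optional field matches everything."""
    if not f.continuous or rem.ruleset != f.ruleset:
        return False  # manually invoked assessments never trigger a bot
    pairs = ((rem.rule, f.rule), (rem.entity_id, f.entity_id),
             (rem.cloud_account, f.cloud_account))
    return all(want is None or want == got for want, got in pairs)

def plan(remediations, findings, deployed):
    """Split matches into bots that can run and bots missing from the account."""
    runnable, missing = [], []
    for f in findings:
        for rem in remediations:
            if applies(rem, f):
                ok = rem.cloudbot in deployed.get(f.cloud_account, set())
                (runnable if ok else missing).append((f.cloud_account, f.entity_id, rem.cloudbot))
    return runnable, missing

# Constructed sample data; every name here is made up for the example.
REMEDIATIONS = [
    Remediation("net-baseline", "close_open_sg"),  # broad: only the ruleset is set
    Remediation("net-baseline", "tag_entity", rule="sg-open-ssh", cloud_account="acct-prod"),
]
FINDINGS = [
    Finding("net-baseline", "sg-open-ssh", "sg-1", "acct-prod", True),
    Finding("net-baseline", "sg-open-rdp", "sg-2", "acct-dev", True),
    Finding("net-baseline", "sg-open-ssh", "sg-3", "acct-dev", False),  # manual run
]
DEPLOYED = {"acct-prod": {"close_open_sg", "tag_entity"}, "acct-dev": set()}
```

Calling plan(REMEDIATIONS, FINDINGS, DEPLOYED) returns the actions that would fire and the matches that cannot run because the bot is absent from that account.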