CloudGuard Dome9 Help
Full Protection mode - Tamper Protection
In Dome9, Amazon AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection provides the Dome9 administrator with full control of AWS security policy definition, access leases, and the ability to interact with dynamic policy objects.
In Full Protection mode, an AWS Security Group can only be managed from Dome9. Attempts to modify a security group from the AWS environment (such as the AWS console) will be detected by Dome9 and will trigger Tamper Protection and can also send an alert/notification. Dome9 will override the change that is made, and revert it back to the definition of the Security Group defined in Dome9.
Here is an example notification from Dome9 Tamper Protection:
The alerts and notifications initiated from Tamper Protection occur when you turn on Full Protection for the desired regions in your cloud account. Dome9 will lock down the configuration of the security groups within that region to ensure that the security group stays properly configured.
In this notification, Dome9 identified and detected an unauthorized change to the security group and reverted it to the previous configuration.
If a verified change is required on a security group, you can navigate to security groups by going to Network Security > Security Groups, and selecting the security group you would like to edit, and configuring the Inbound and Outbound services.
For more information, see AWS Security Groups on how to make the desired change under Full Protection mode.
A secondary option is that you could also temporarily change the detection mode on the desired region to Read-Only (Monitor Mode), configure the security group in AWS, and then revert to Full Protection mode. However, be sure to re-enable Full Protection mode when you are done to ensure proper security and protection.
When you receive an alert or notification in regards to Tamper Protection, this will also be visible in the Dome9 Audit Trail. To view and verify the action of Dome9 Tamper Protection and it's associated information, you can navigate to the Audit Trail and view the Cloud Trail details.
In the menu, navigate to 'Compliance & Governance' and select 'Audit Trail.'
Find the Tamper Protection event in the Audit Trail history. There will be an informational (i) icon to the right of the System event which will display Cloud Trail Details.
Select the Cloud Trail Details icon to display the timestamp, user name, event name, and details of the Cloud Trail event.
Select details to view the additional information about the specific entity event and action.