Full Protection mode - Tamper Protection
In Dome9, Amazon AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection provides the Dome9 administrator with full control of AWS security policy definition, access leases, and the ability to interact with dynamic policy objects.
In Full Protection mode, an AWS Security Group can only be managed from Dome9. Attempts to modify a security group from the AWS environment (such as the AWS console) will be detected by Dome9 and will trigger Tamper Protection and can also send an alert/notification. Dome9 will override the change that is made, and revert it back to the definition of the Security Group defined in Dome9.
Here is an example notification from Dome9 Tamper Protection:
The alerts and notifications initiated from Tamper Protection occur when you turn on Full Protection for the desired regions in your cloud account. Dome9 will lock down the configuration of the security groups within that region to ensure that the security group stays properly configured.
In this notification, Dome9 identified and detected an unauthorized change to the security group and reverted it to the previous configuration.
To change a Security Group that has Tamper Protection enabled, make the change in Dome9:
- Navigate to the Security Groups page in the Network Security menu.
- Select the Security Group to be modified.
- Make the necessary changes to the Security Group (for example, add or modify Inbound or Outbound services). See AWS Security Groups for details on how to create or modify Security Groups.
- Save the changes.
When you receive an alert or notification regarding Tamper Protection, the event is also recorded in the Dome9 Audit Trail. To view and verify the action taken by Dome9 Tamper Protection and its associated information, navigate to the Audit Trail and view the Cloud Trail details.
- Select Audit Trail from the Settings menu.
- Find the Tamper Protection event in the Audit Trail history. An informational (i) icon to the right of the System event displays the Cloud Trail Details.
- Select the Cloud Trail Details icon to display the timestamp, user name, event name, and details of the Cloud Trail event.
- Select details to view additional information about the specific entity event and action.
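The two mechanisms described on this page, reverting an out-of-band security group change to the definition held in Dome9 and reading the timestamp, user name and event name out of the matching CloudTrail record, are modelled below in Python. This is an added example written for this page, not Dome9's own code: the security group ID, the rules, the user name and the CloudTrail event are constructed sample values. The `IpPermissions`/`IpPermissionsEgress` layout and the CloudTrail field names (`eventTime`, `eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters.groupId`) are the real AWS shapes, so the same functions can be pointed at `describe_security_groups` output and CloudTrail events in practice.

```python
"""Drift detection and revert planning for one AWS Security Group.

Added example (not Dome9 code). Models the Tamper Protection flow:
  1. compare the desired definition with what AWS actually reports,
  2. work out which rules to revoke and which to restore,
  3. summarise the CloudTrail event that caused the drift.
"""
from typing import Dict, List, Set, Tuple

# (direction, protocol, from_port, to_port, cidr) - hashable so sets can diff them
Rule = Tuple[str, str, int, int, str]

# Constructed desired state, as it would be defined in Dome9 (hypothetical values).
DESIRED_STATE: Dict = {
    "GroupId": "sg-0123456789abcdef0",
    "inbound": [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/8")],
    "outbound": [("-1", -1, -1, "0.0.0.0/0")],
}

# Constructed describe_security_groups-style record: the SSH rule was removed and
# an RDP-from-anywhere rule was added outside Dome9 (the "tamper" we must detect).
ACTUAL_GROUP: Dict = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed CloudTrail event for the out-of-band change (sample values only).
SAMPLE_EVENT: Dict = {
    "eventTime": "2024-01-15T10:22:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "sourceIPAddress": "198.51.100.7",
    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
}

API_FOR_ACTION = {
    ("revoke", "inbound"): "RevokeSecurityGroupIngress",
    ("revoke", "outbound"): "RevokeSecurityGroupEgress",
    ("authorize", "inbound"): "AuthorizeSecurityGroupIngress",
    ("authorize", "outbound"): "AuthorizeSecurityGroupEgress",
}


def flatten_rules(ip_permissions: List[Dict], direction: str) -> Set[Rule]:
    """Flatten the nested IpPermissions shape into one tuple per (protocol, ports, CIDR)."""
    rules: Set[Rule] = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        from_port = perm.get("FromPort", -1)  # "-1" (all traffic) carries no ports
        to_port = perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            rules.add((direction, proto, from_port, to_port, rng["CidrIp"]))
    return rules


def desired_rules(state: Dict) -> Set[Rule]:
    """Turn the desired definition into the same tuple form as flatten_rules."""
    return {(d, proto, fp, tp, cidr)
            for d in ("inbound", "outbound")
            for proto, fp, tp, cidr in state[d]}


def detect_drift(desired: Dict, actual: Dict) -> Tuple[List[Rule], List[Rule]]:
    """Return (rules_to_revoke, rules_to_authorize) that restore the desired state."""
    want = desired_rules(desired)
    have = (flatten_rules(actual["IpPermissions"], "inbound")
            | flatten_rules(actual["IpPermissionsEgress"], "outbound"))
    return sorted(have - want), sorted(want - have)


def revert_plan(to_revoke: List[Rule], to_authorize: List[Rule]) -> List[Dict]:
    """Map each drifted rule to the EC2 API call that undoes it (the revert step)."""
    plan = []
    for action, rules in (("revoke", to_revoke), ("authorize", to_authorize)):
        for direction, proto, from_port, to_port, cidr in rules:
            plan.append({"api": API_FOR_ACTION[(action, direction)], "IpProtocol": proto,
                         "FromPort": from_port, "ToPort": to_port, "CidrIp": cidr})
    return plan


def summarize_cloudtrail_event(event: Dict) -> Dict:
    """Extract what the Audit Trail shows: timestamp, user name, event name, details."""
    identity = event.get("userIdentity", {})
    return {
        "timestamp": event["eventTime"],
        "user": identity.get("userName") or identity.get("arn", "unknown"),
        "event": event["eventName"],
        "group_id": event.get("requestParameters", {}).get("groupId"),
        "source_ip": event.get("sourceIPAddress"),
    }


if __name__ == "__main__":
    revoke, authorize = detect_drift(DESIRED_STATE, ACTUAL_GROUP)
    for step in revert_plan(revoke, authorize):
        print(step)
    print(summarize_cloudtrail_event(SAMPLE_EVENT))
```

Running the module prints one revoke (the RDP rule that appeared) and one authorize (the SSH rule that went missing), then the event summary. The diff is done on flattened tuples rather than raw API objects so that ordering differences and the absence of port fields on all-traffic rules do not register as drift.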