Automatic Remediation with CloudBots

CloudBots automatically correct compliance issues discovered in your cloud environments by CloudGuard compliance checks. You can configure your CloudGuard account to use CloudGuard CloudBots.

You can configure remediation steps in different contexts of the CloudGuard portal.

You must deploy CloudGuard CloudBots in the cloud environments to apply remediation steps.

CloudBots

CloudGuard CloudBots are small programs or scripts in Python that operate on the account or cloud asset to correct missing or misconfigured settings. For example, they can close Security Groups that are widely open. CloudGuard invokes CloudBots when compliance rules fail.
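An added example of the kind of correction described above (closing Security Groups that are widely open); it is not CloudGuard's CloudBot code. The function names, the `allowed_public_ports` parameter and the sample group are assumptions made for illustration; the group dictionary follows the shape that boto3 returns from `describe_security_groups`.

```python
import ipaddress

# Constructed sample, shaped like one entry of EC2 describe_security_groups output.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def plan_revocations(group, allowed_public_ports=frozenset()):
    """List the ingress entries to revoke; narrower ranges in the same rule are kept."""
    plan = []
    for perm in group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Hypothetical policy knob: single-port rules that are meant to be public.
        if lo is not None and lo == hi and lo in allowed_public_ports:
            continue
        v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
              if is_world_open(r["CidrIp"])]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
              if is_world_open(r["CidrIpv6"])]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if lo is not None:  # protocol "-1" (all traffic) carries no port range
            entry["FromPort"], entry["ToPort"] = lo, hi
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        plan.append(entry)
    return plan

def remediate(ec2_client, group, dry_run=True, allowed_public_ports=frozenset()):
    """Revoke the planned entries with a boto3 EC2 client; return the plan for the audit log."""
    plan = plan_revocations(group, allowed_public_ports)
    if plan and not dry_run:
        ec2_client.revoke_security_group_ingress(GroupId=group["GroupId"], IpPermissions=plan)
    return plan
```

With `dry_run=True` (the default) no API call is made, so the returned plan can be reviewed or logged before any rule is changed.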

CloudBots work with rules invoked from Continuous Posture, Intelligence, and CIEM policies.

For some rules, CloudGuard recommends that you use one of the preconfigured CloudBots or create your own CloudBot to handle a rule violation. For other rules, you can use only your custom CloudBots.

CloudBots provide:

  • Reduction of risks related to misconfigurations in your cloud environment, to comply with industry compliance standards.

  • Reduced workload on the enterprise cloud IT team by performing remedial actions on misconfigured cloud assets and environments automatically.

  • Reduced response time to remedy a problem, which decreases the window of exposure to risk caused by the misconfiguration.

  • Near-immediate detection and correction of changes. Because CloudBots work with continuous posture assessments, your cloud environments are repeatedly assessed, so any changes (from accidental or unapproved access to the cloud assets) are detected and corrected almost immediately.

  • Reliable application of the same correction to misconfigurations of the same type. Correcting an environment policy misconfiguration is the same for all environments. In addition, a full audit trace can be kept of all actions, so you know about the applied changes.

The CloudGuard portal provides multiple options to configure remediation:

  • Go to CSPM > Remediation and click Create New Remediation. For more information, see Adding Remediation.

  • Go to CSPM > Rulesets, select a ruleset, select a rule, and click Add CloudBot below Automated Remediation.

  • Go to CSPM > Assessment History and select an assessment result. In one of the failed rules, click Expand to see the list of findings and click Configure remediation for a failed entity. For more information, see Creating Remediations.

  • Go to CIEM > Remediation and click Create New Remediation. For more information, see Remediation.

  • Go to CDR > Threat Monitoring > Remediation and click Create New Remediation. For more information, see Remediation.

  • Go to Events > Posture Findings or Threat & Security Events, select an event, and click Fix it. For more information, see Applying a CloudBot immediately (Fix it).

Onboarding CloudBots

To apply remediation steps, you must onboard CloudGuard CloudBots in the cloud environments. For manual deployment of the CloudBots, see https://cloudbots.dome9.com/.

For deployment through the CloudGuard portal, see below.

To onboard CloudBots through CloudGuard:

  1. In CloudGuard, open the Environments page from the Assets menu.

  2. Select an environment to be protected with CloudBots.

  3. In the CloudBots column, click Enable CloudBots to start the remediation onboarding wizard.

    As an alternative, open the environment page and, from the top menu, select Add CloudBots.

  4. Follow the on-screen instructions to complete the wizard.
