Bots.md

File metadata and controls

931 lines (720 loc) · 37.6 KB

Bots

### Optional Bots

acl_delete

What it does: deletes created network acl.
Usage: AUTO: acl_delete

Sample GSL: cloudtrail where event.name='CreateNetworkAcl'
Limitation: None
Note: Logic only bot

acl_revert_modification

What it does: Returns an ACL to its previous form.
Usage: AUTO: acl_revert_modification

Sample GSL: cloudtrail where event.name in ('ReplaceNetworkAclEntry', 'DeleteNetworkAclEntry', 'CreateNetworkAclEntry')
Limitation: None
Note: Logic only bot

## acm_delete_certificate

What it does: Deletes an ACM certificate
Usage: AUTO: acm_delete_certificate
Limitations: none

ami_set_to_private

What it does: Sets an AMI to be private instead of public
Usage: ami_set_to_private
Sample GSL: AMI should have isPublic=false
Limitations: none

cloudtrail_enable

What it does: Creates a new S3 bucket and turns on a multi-region trail that logs to it.
Pre-set Settings:
Default bucket name: acct<account_id>cloudtraillogs
IsMultiRegionTrail: True (CIS for AWS V 1.1.0 Section 2.1)
IncludeGlobalServiceEvents: True
EnableLogFileValidation: True (CIS for AWS V 1.1.0 Section 2.2)

Usage: cloudtrail_enable trail_name=<trail_name> bucket_name=<bucket_name>
Note: trail_name and bucket_name are optional and don't need to be set.
Limitations: none

cloudtrail_enable_log_file_validation

What it does: Enables log file validation in CloudTrail
Usage: cloudtrail_enable_log_file_validation
Limitations: None

cloudtrail_encrypt_log_files_using_existing_key

What it does: Encrypts CloudTrail log files with a customer managed key that the user passes as a parameter.
Usage: AUTO: cloudtrail_encrypt_log_files_using_existing_key <key_id>
Notes:
- The key must have a policy that allows CloudTrail to encrypt with it, users to decrypt log files, and users to describe the key. For more information: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html
- The key the user passes can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. Examples:
  * alias/MyAliasName
  * arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
  * arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
  * 12345678-1234-1234-1234-123456789012
Limitations: None

cloudtrail_encrypt_log_files_using_new_key_creation

What it does: Creates a new customer managed key with the correct policy for encrypting CloudTrail log files.
Usage: AUTO: cloudtrail_encrypt_log_files_using_new_key_creation
Note: The bot creates a new customer managed key.
Limitations: None

cloudtrail_send_to_cloudwatch

What it does: Makes CloudTrail output logs to CloudWatch Logs. If the log group doesn't already exist, it'll create a new one.
Usage: cloudtrail_send_to_cloudwatch <log_group_name>
Limitations: none
Defaults: If no log group name is set, it'll default to CloudTrail/DefaultLogGroup
Role name: CloudTrail_CloudWatchLogs_Role
Log delivery policy name: CloudWatchLogsAllowDelivery

cloudwatch_create_metric_filter

What it does: Creates CloudWatch Metric Filters to match the CIS Benchmark. A metric alarm and SNS subscription are created as well.
Usage: cloudwatch_create_metric_filter <email_address> ....
Limitations: Cloudtrail needs to be set up to send the logs to a CloudWatchLogs group first.
Default: SNS topic name is CloudTrailMetricFilterAlerts
Available filters are: UnauthorizedApiCalls, NoMfaConsoleLogins, RootAccountLogins, IamPolicyChanges, CloudTrailConfigurationChanges, FailedConsoleLogins, DisabledOrDeletedCmks, S3BucketPolicyChanges, AwsConfigChanges, SecurityGroupChanges, NetworkAccessControlListChanges, NetworkGatewayChanges, RouteTableChanges, VpcChanges

config_enable

What it does: Enables AWS Config. This DOES NOT create config rules. It only turns on the configuration recorders.
Usage: config_enable bucket_name=mybucketlogs bucket_region=us-west-1 include_global_resource_types_region=us-west-1
Limitations: none
Variables (and their defaults):
- bucket_name = accountNumber + "awsconfiglogs"
- bucket_region = us-west-1
- allSupported = True
- includeGlobalResourceTypes = True (if you want to change this, use the variable include_global_resource_types_region=<desired_region>)

Defaults (not currently changeable via variable):
- deliveryFrequency (to S3) is set to One_Hour
- config_name = default

ec2_attach_instance_role

What it does: Attaches an instance role to an EC2 instance. This role needs to be passed in through the params.
Usage: ec2_attach_instance_role role_arn=<role_arn>

If you have a role that is the same across accounts, and don't want to pass in an account specific ARN, add "$ACCOUNT_ID" to the role ARN and the function will automatically pull in the current account ID of the finding.
Example: ec2_attach_instance_role role_arn=arn:aws:iam::$ACCOUNT_ID:instance-profile/ec2SSM
Sample GSL: Instance should have roles

ec2_create_snapshot

What it does: Snapshots the EBS volumes on an instance
Usage: ec2_create_snapshot
Notes: The snapshot description will show that it was created by CloudBots and the rule that failed that triggered the bot. Also, the snapshot will be tagged with a key of "source_instance_id" and a value with the instance id from the source instance.
Limitations: This will not work on Instance Store volumes. Only EBS

ec2_detach_instance_role

What it does: Detach an instance role from an EC2 instance.
Usage: AUTO: ec2_detach_instance_role
Sample GSL: cloudtrail where event.name='AddRoleToInstanceProfile' and event.status='Success'
Limitations: none

ec2_release_eips

What it does: Disassociates and releases all EIPs on an instance
Usage: ec2_release_eips
Limitations: none

ec2_quarantine_instance

What it does: Attaches to the instance a SG with no rules so it can't communicate with the outside world
Usage: ec2_quarantine_instance
Limitations: None

ec2_stop_instance

What it does: Stops an ec2 instance
Usage: ec2_stop_instance
Limitations: none

ec2_terminate_instance

What it does: Terminates an ec2 instance
Usage: ec2_terminate_instance
Limitations: none

ec2_update_instance_role

What it does: Updates an EXISTING EC2 instance role by attaching another policy to the role. This policy needs to be passed in through the params.
Usage: ec2_update_instance_role policy_arn=<policy_arn>
Example: ec2_update_instance_role policy_arn=arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup
Sample GSL: Instance where roles should have roles with [ managedPolicies contain [ name='AmazonEC2RoleforSSM' ] ]

ecs_reboot

What it does: Stops an ECS task; the service that started the task will create it again and run it.
Usage: AUTO: ecs_reboot
Sample GSL: cloudtrail where event.name='RegisterTaskDefinition' and event.status='Success'
Limitations: none

ecs_service_role_detach_inline_policy

What it does: Removes all inline policies from the ECS service role
Usage: ecs_service_role_detach_inline_policy
Limitations: None

ecs_stop

What it does: Stops ECS tasks and the EC2 instances that contain the tasks
Usage: AUTO: ecs_stop
Sample GSL: cloudtrail where event.name='RegisterTaskDefinition' and event.status='Success'
Limitations: none

ecs_delete_repository_image

What it does: Deletes an image from an ECS repository
Usage: ecs_delete_repository_image

If a malicious image was pushed to an ECS repository, this bot will delete the image from the repository.

Sample GSL: cloudtrail where event.name='DescribeImageScanFindings' and event.status = 'Success'

## iam_detach_policy

What it does: Detaches the policy from all entities it is attached to
Usage: iam_detach_policy
Limitations: none

iam_delete_access_key

What it does: Deletes an IAM user's access key
Usage: iam_delete_access_key

If the root user creates an access key, or a user that doesn't need one does, this bot will delete the access key.

Example: iam_delete_access_key
Sample GSL: cloudtrail where event.name='CreateAccessKey' and identity.type='Root'

iam_delete_default_policy_version

What it does: Delete the default policy version and set the latest instead.
Usage: iam_delete_default_policy_version
Limitations: The policy must have more than one version.

iam_generate_credential_report

What it does: Generates a credential report for the account.
Usage: AUTO iam_generate_credential_report

iam_group_delete_inline_policy

What it does: Deletes an inline policy attached to an IAM group
Usage: AUTO: iam_group_delete_inline_group
Limitations: none

iam_role_attach_policy

What it does: Attaches a policy (passed in as a variable) to the role
Usage: iam_role_attach_policy policy_arn=<policy_arn>
Limitations: none
Examples:
iam_role_attach_policy policy_arn=arn:aws:iam::aws:policy/AlexaForBusinessFullAccess
iam_role_attach_policy policy_arn=arn:aws:iam::621958466464:policy/sumo_collection
iam_role_attach_policy policy_arn=arn:aws:iam::$ACCOUNT_ID:policy/sumo_collection

iam_role_clone_with_non_enumerable_name

What it does: Clones the IAM role and gives it a non-enumerable name. The new name is the original name plus a 20-character non-enumerable string, for example: MyRole -> MyRole-XaTrEiuNyHsRAqqC_rBW.
Usage: AUTO: iam_role_clone_non_enumerable_name
Limitations: The bot doesn't delete the original role, in order to avoid misconfigurations. After the role is cloned, it is your responsibility to delete the original role after validating it (for example, make sure that you do not have any Amazon EC2 instances running with the role). If you're using the bot via CSPM, the rule will keep failing until the original role (with the enumerable name) is deleted. The bot's response message contains the information about the old and the new (cloned) role.
For more information see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#replace-iam-role

iam_user_attach_policy

What it does: Attaches a policy (passed in as a variable) to the user
Usage: iam_user_attach_policy policy_arn=<policy_arn>
Limitations: none
Examples:
iam_user_attach_policy policy_arn=arn:aws:iam::aws:policy/AlexaForBusinessFullAccess
iam_user_attach_policy policy_arn=arn:aws:iam::621958466464:policy/sumo_collection
iam_user_attach_policy policy_arn=arn:aws:iam::$ACCOUNT_ID:policy/sumo_collection

iam_user_detach

Logic only bot
What it does: Detaches an IAM user from an IAM group.
Usage: AUTO: iam_user_detach
Limitations: The bot will stop running if the proper 'AddUserToGroup' event is not found. The bot will not notify if the IAM user is already detached or was not attached to the group in the first place.

iam_quarantine_role

What it does: Adds an explicit deny all policy to IAM and directly attaches it to a role
Usage: iam_quarantine_role
Limitations: none

iam_quarantine_user

What it does: Adds an explicit deny all policy to IAM and directly attaches it to a user
Usage: iam_quarantine_user
Limitations: none

iam_turn_on_password_policy

What it does: Sets all settings in an account password policy
Usage: iam_turn_on_password_policy MinimumPasswordLength: RequireSymbols:<True/False> RequireNumbers:<True/False> RequireUppercaseCharacters:<True/False> RequireLowercaseCharacters:<True/False> AllowUsersToChangePassword:<True/False> MaxPasswordAge: PasswordReusePrevention: HardExpiry:<True/False>
Limitations: ALL variables need to be set at the same time

Sample tag: iam_turn_on_password_policy MinimumPasswordLength:15 RequireSymbols:True RequireNumbers:True RequireUppercaseCharacters:True RequireLowercaseCharacters:True AllowUsersToChangePassword:True MaxPasswordAge:5 PasswordReusePrevention:5 HardExpiry:True

iam_user_disable_console_password

What it does: Disables the console password for an IAM user.

Usage: iam_user_disable_console_password

Limitations: Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them.

iam_user_deactivate_unused_access_key

What it does: Deactivates access keys that haven't been used for some time

Usage: iam_user_deactivate_unused_access_key

Example: iam_user_inactivate_unused_access_key 90

Limitations: The default time is 90 days. If there are more than 200 access keys for the user, maxItems should be increased.
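The selection logic behind this bot, as an added Python example that is not CloudBots' own code: it walks a user's keys through the paginated list_access_keys call, treats a never-used key (no LastUsedDate from get_access_key_last_used) as unused since its CreateDate, and deactivates anything older than the threshold. FakeIam and the four keys for user alice are constructed stand-ins for a boto3 IAM client so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_AGE_DAYS = 90  # the bot's default threshold, per the page


def last_activity(key, last_used):
    """Timestamp that counts as the key's last activity.

    get_access_key_last_used returns LastUsedDate only for keys that have been
    used at least once; a never-used key falls back to its CreateDate so that
    it still ages out instead of being skipped forever.
    """
    return last_used.get("LastUsedDate") or key["CreateDate"]


def deactivate_unused_keys(iam, user_name, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """Deactivate every Active key of user_name unused for more than max_age_days.

    `iam` is any object exposing list_access_keys, get_access_key_last_used and
    update_access_key with boto3's signatures (a real IAM client or the fake
    below). Returns the AccessKeyIds that were set to Inactive.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    deactivated = []
    kwargs = {"UserName": user_name}
    while True:  # list_access_keys is paginated: follow Marker until IsTruncated is false
        page = iam.list_access_keys(**kwargs)
        for key in page["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue  # already inactive, nothing to do
            key_id = key["AccessKeyId"]
            last_used = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
            if last_activity(key, last_used) < cutoff:
                iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
                deactivated.append(key_id)
        if not page.get("IsTruncated"):
            return deactivated
        kwargs["Marker"] = page["Marker"]


class FakeIam:
    """Constructed in-memory stand-in for a boto3 IAM client (sample data, not real keys)."""

    def __init__(self, keys, last_used):
        self.keys = keys            # AccessKeyMetadata dicts
        self.last_used = last_used  # AccessKeyId -> AccessKeyLastUsed dict

    def list_access_keys(self, UserName, Marker=None, MaxItems=1):
        # one key per page by default, so the Marker/IsTruncated handling is exercised
        start = int(Marker or 0)
        mine = [k for k in self.keys if k["UserName"] == UserName]
        resp = {"AccessKeyMetadata": mine[start:start + MaxItems],
                "IsTruncated": start + MaxItems < len(mine)}
        if resp["IsTruncated"]:
            resp["Marker"] = str(start + MaxItems)
        return resp

    def get_access_key_last_used(self, AccessKeyId):
        # AWS reports ServiceName "N/A" and no LastUsedDate for a never-used key
        return {"AccessKeyLastUsed": self.last_used.get(AccessKeyId, {"ServiceName": "N/A"})}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["UserName"] == UserName and k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def sample_client():
    """Four constructed keys for user 'alice' covering the cases the bot must handle."""
    old = NOW - timedelta(days=400)
    keys = [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active", "CreateDate": old},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active", "CreateDate": old},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Active",
         "CreateDate": NOW - timedelta(days=200)},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Inactive", "CreateDate": old},
    ]
    last_used = {
        "AKIAEXAMPLE0000000001": {"LastUsedDate": NOW - timedelta(days=7), "ServiceName": "s3"},     # keep
        "AKIAEXAMPLE0000000002": {"LastUsedDate": NOW - timedelta(days=120), "ServiceName": "ec2"},  # stale
        # ...0003 was never used (200 days old): stale by CreateDate; ...0004 is already Inactive
    }
    return FakeIam(keys, last_used)


if __name__ == "__main__":
    print(deactivate_unused_keys(sample_client(), "alice", now=NOW))
```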

iam_user_delete_inline_policies

What it does: Deletes all of the IAM user's inline policies and attaches new managed policies if they are passed as an argument
Usage: iam_user_delete_inline_policies <managed_policies_arn> (<managed_policies_arn> is optional. For more than one policy, use a comma as a separator.)

  • iam_user_delete_inline_policies (only deletes)
  • iam_user_delete_inline_policies policy1_arn,policy2_arn

iam_user_force_password_change

What it does: Updates the setting for an IAM user so that they need to change their console password the next time they log in.
Usage: iam_user_force_password_change
Limitations: none

iam_entity_create_and_attach_permissions_boundary

What it does: Creates/updates a policy based on the provided input and attaches it as a permissions boundary to an IAM entity (Role/User). If the dryRun flag is set, no action will be taken.
Usage: iam_entity_create_and_attach_permission_boundary policy_name=<policy_name>. If the policy name is not provided, a default name will be set: CIEMSuggestion-IAM-ENTITY-NAME.
Limitations: none

iam_entity_remove_permission_boundary

What it does: Removes an attached permissions boundary from an IAM entity (Role/User).
Usage: iam_entity_remove_permission_boundary entity_arn=<name|all> [cloud_account_id=<123456789>] [--dryRun]
Limitations: none

igw_delete

What it does: Turns off ec2 instances with public IPs, detaches an IGW from a VPC, and then deletes it.
Limitations: VPCs have lots of interconnected services. This is currently just focused on EC2 but future enhancements will need to be made to turn off RDS, Redshift, etc.

kms_cmk_enable_key

What it does: Enables a kms cmk (customer managed key)
Usage: kms_cmk_enable_key

kms_enable_rotation

What it does: Enables rotation on a KMS key
Usage: kms_enable_rotation
Sample GSL: KMS where isCustomerManaged=true and deletionDate!=0 should have rotationStatus=true
Limitations: Edits cannot be made to AWS managed keys. Only customer managed keys can be edited.

lambda_detach_blanket_permissions

What it does: For the Lambda function that failed, checks all policies that grant blanket permissions ('*') on resources and detaches them from the Lambda's role.
Usage: lambda_detach_blanket_permissions
Note: The bot detaches the policies that have admin privileges from the Lambda role, so you will need to configure specific policies that grant the permissions needed for specific AWS services or actions.
Limitations: None

lambda_disable

What it does: Disables a Lambda function (by setting its function concurrency to 0).
Sample GSL: cloudtrail where event.name like 'UpdateFunctionCode%' and issuer.type='Role'
Usage: AUTO: lambda_disable
Limitations: none

lambda_enable_active_tracing

What it does: Enables Lambda active tracing
Usage: lambda_enable_active_tracing
Limitations: none

lambda_tag

What it does: Tags a lambda function
Usage: AUTO: lambda_tag <key> <value>
Notes: value is an optional parameter; you can pass only a key, without a value. Usage: lambda_tag <key>
Limitations: Tags/values with spaces are currently not supported; this will be added in the future.

load_balancer_enable_access_logs

What it does: enables access logging for a load balancer (elb, alb)
Usage: AUTO: load_balancer_enable_access_logs
Limitations: None

mark_for_stop_ec2_resource

What it does: Tags an ec2 resource with "marked_for_stop" and
Usage: mark_for_stop_ec2_resource <unit(m,h,d)>
Example: mark_for_stop_ec2_resource 3h
Note: This is meant to be used in conjunction with a more aggressive action like stopping or terminating an instance. The first step is to tag an instance with the time at which we want to trigger the remediation bot.
From there, a rule like "Instance should not have tags with [ key='marked_for_stop' and value before(1, 'minutes') ]" can be run to check how long an instance has had the 'mark for stop' tag.
Limitations: none

THIS WORKS ACROSS ALL EC2 RELATED SERVICES:

  • Image
  • Instance
  • InternetGateway
  • NetworkAcl
  • NetworkInterface
  • PlacementGroup
  • RouteTable
  • SecurityGroup
  • Snapshot
  • Subnet
  • Volume
  • Vpc
  • VpcPeeringConnection

network_firewall_enable_logging

What it does: Enable logging (Flow Logs or Alert) for a network firewall. The log destination type must be specified, the options are: S3, CloudWatchLogs, KinesisDataFirehose.
For S3 and CloudWatchLogs, the bot can create the log destination, by adding 'create' as a third parameter. For KinesisDataFirehose, the name of the delivery stream MUST be provided as a parameter.
Usage: AUTO network_firewall_enable_logging <LoggingType> <LogDestinationType> <LogDestination>
<LoggingType> can be: FLOW, ALERT
<LogDestinationType> can be: S3, CloudWatchLogs, KinesisDataFirehose (Case-Sensitive!)
Examples:
network_firewall_enable_logging FLOW S3 create (the bot will create the bucket)
network_firewall_enable_logging ALERT CloudWatchLogs create (the bot will create the log group)
network_firewall_enable_logging FLOW S3 my-bucket (logs will be sent to my-bucket. if there is a prefix, please provide it like this: my-bucket/prefix)
network_firewall_enable_logging FLOW CloudWatchLogs my-log-group (logs will be sent to my-log-group)
network_firewall_enable_logging FLOW KinesisDataFirehose my-delivery-stream (logs will be sent to my-delivery-stream)
Limitations: None

rds_quarantine_instance

What it does: Attaches to the RDS instance a SG with no rules so it can't communicate with the outside world
Usage: rds_quarantine_instance
Limitations: Instance needs to be "Available" in order to update. If it's in "backing up" state, this will fail
(Might not work with Aurora since it's in a cluster)

route53domain_enable_auto_renew

What it does: Configures Amazon Route 53 to automatically renew the specified domain before the domain registration expires.
Usage: AUTO route53domain_enable_auto_renew
Permissions: route53domains:EnableDomainAutoRenew

route53domain_enable_transfer_lock

What it does: Sets the transfer lock on the domain. The bot will return the operation ID of the request, which can be used in order to track the operation status by the GetOperationDetail. For more details: https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetOperationDetail.html
Usage: AUTO route53domain_enable_transfer_lock
Permissions: route53domains:EnableDomainTransferLock

sns_set_topic_private

What it does: Sets the SNS topic to private
Usage: sns_set_topic_private policy<class str>policy

ssm_document_set_private

What it does: Removes all AWS accounts that can access the SSM document except the ones passed as a parameter. Note that the account IDs should be separated by a comma.
Usage: ssm_document_set_private AccountIdToAdd=<account_id_1>,<account_id_2>
Example: ssm_document_set_private
Limitations: None

## s3_allow_ssl_only

What it does: Forces the S3 bucket to accept only SSL requests
Usage: AUTO: s3_enforce_ssl_data_encryption
Limitations: none

s3_block_all_public_access

What it does: Turns on S3 Block Public Access for the bucket: blocks public access to buckets and objects granted through new AND existing public ACLs and bucket policies.

Usage: s3_block_public_all_access

Limitations: none

Notes:
- Before running this bot, ensure that your applications will work correctly without public access

iam_revoke_access_key

What it does: Revokes an IAM user's access key
Usage: iam_revoke_access_key

If the root user creates an access key, or a user that doesn't need one does, this bot will revoke the access key.

Example: iam_revoke_access_key
Sample GSL: cloudtrail where event.name='CreateAccessKey' and identity.type='Root'

s3_delete_acls

What it does: Deletes all ACLs from a bucket. If there is a bucket policy, it'll be left alone.
Usage: s3_delete_acls
Limitations: none

s3_delete_permissions

What it does: Deletes all ACLs and bucket policies from a bucket
Usage: s3_delete_permissions
Limitations: none

s3_disable_static_website_hosting

What it does: Disables S3 static website hosting
Usage: s3_disable_website_static_hosting
Limitations: None

s3_enable_encryption

What it does: Turns on encryption on the target bucket.
Usage: AUTO: s3_enable_encryption <encryption_type> <kms-key-arn> (<kms-key-arn> should be provided only if <encryption_type> is KMS)
Note: <encryption_type> can be one of the following:

  1. s3 (for s3-managed keys)
  2. kms (for customer managed keys - RECOMMENDED) - for kms you MUST provide the <kms-key-arn>.
    EXAMPLES:
    s3_enable_encryption s3
    s3_enable_encryption kms arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

s3_enable_logging

What it does: Turns on server access logging. The target bucket needs to be in the same region as the remediation bucket or it'll throw a CrossLocationLoggingProhibitted error. This bot will create a bucket to log to as well.
Usage: s3_enable_logging
Limitations: none

s3_enable_versioning

What it does: Turns on versioning for an S3 bucket
Usage: s3_enable_versioning
Limitations: none

s3_limit_access

What it does: Removes policies for the following actions for principals '': s3:Delete, s3:Get*, s3:List*, s3:Put*, s3:RestoreObject and s3:*.
Usage: s3_limit_access
Notes: The bot removes these actions from the policy. If this is the only action, the whole policy will be removed. If necessary, modify the policy after the deletion to limit access to specific principals.
Limitations: The bot removes the policies for all the mentioned actions, if they exist.

s3_only_allow_ssl

What it does: Ensures that the S3 bucket enforces encryption of data transfers using Secure Sockets Layer (SSL)
Usage: s3_only_allow_ssl
Note: The bot looks at the bucket policy and adds to the current policy the missing actions (s3:GetObject and s3:PutObject) and the SSL statement. If the bucket has no policy, an SSL policy will be added to the bucket.
Limitations: none

secretsmanager_enable_encryption

What it does: Enables data-at-rest encryption using KMS CMK (Customer Master Key).
Usage: AUTO secretsmanager_enable_encryption
EXAMPLE: secretsmanager_enable_encryption aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
Notes:
Secrets can be encrypted with a symmetric key only.
As a security best practice, we recommend encrypting with a CMK. The bot will throw an error for AWS-managed keys.
The provided key must be in the same region as the secret.
Required permissions: "secretsmanager:UpdateSecret", "kms:GenerateDataKey", "kms:Decrypt".

sg_clear_rules_for_any_scope

What it does: Removes rules from a security group by port, protocol and direction only (for any scope).
Usage: sg_clear_rules_for_any_scope ( is not mandatory).
Please provide the CIDRs of the whitelist separated by a comma, without spaces. For example: 10.0.0.1/32,10.0.0.2/32
Permissions:

  • ec2:RevokeSecurityGroupEgress
  • ec2:RevokeSecurityGroupIngress
  • ec2:DescribeSecurityGroups

sg_delete

What it does: Deletes a security group
Usage: sg_delete
Limitations: This will fail if there is something still attached to the SG.

## sg_modify_scope_by_port

What it does: Modifies a security group's rule scope by a given port, a new scope, and an old scope (optional). Direction can be inbound or outbound.

Usage: sg_modify_scope_by_port <change_scope_from|*> <change_scope_to>

  • When '*' is set, the scope of any rule with the specified port is replaced

Examples:

    sg_modify_scope_by_port 22 0.0.0.0/0 10.0.0.0/24 inbound
    sg_modify_scope_by_port 22 * 10.0.0.0/24 inbound

Notes:

- If the port lies inside a rule's port range, the bot changes that whole rule's scope to the desired scope. To avoid that, specify the existing rule's scope instead of using '*'.
- To split the rule around the port, use the sg_single_rule_delete bot.

Limitations: IPv6 is not supported yet

sg_rules_delete

What it does: Deletes all ingress and egress rules from a SG
Usage: sg_rules_delete
Limitations: none

sg_delete_not_matching_cidr

What it does: Deletes all rules on a security group that have the given port and a scope outside the given CIDR. Following GSL: SecurityGroup should not have inboundRules contain [ port<=x and portTo>=x and scope!= y ]

Usage: sg_delete_not_matching_cidr

Parameters:

port: number
scope: a.b.c.d/e
direction: inbound/ outbound

Example:

sg_delete_not_matching_cidr 22 10.163.0.0/16 inbound

All of the SG's rules with port 22 whose scope lies outside 10.163.0.0/16 will be deleted.

Notes :

- Before running this bot, ensure that your applications will work correctly without those rules
- If the port is inside a port range and the CIDR does not match, the whole rule is deleted (with all the other ports in the range)

Limitations: IPv6 is not supported yet

sg_rules_delete_by_scope

What it does: Deletes all rules on a security group whose scope (CIDR) contains or equals a given scope; port and protocol are optional

Usage: sg_rules_delete_by_scope <port|> <protocol|>

Parameters:

scope: a.b.c.d/e
direction: inbound/ outbound
port: number/ *
protocol: TCP/ UDP/ *
- '*' matches any value of the parameter

Examples:

sg_rules_delete_by_scope 0.0.0.0/0 inbound 22 tcp

all rules with 1.0.0.0/16 scope will be deleted for any port and protocol:
sg_rules_delete_by_scope 1.0.0.0/16 inbound * *

all rules with 0.0.0.0/0 scope will be deleted for port 22 and any protocol:
sg_rules_delete_by_scope 0.0.0.0/0 inbound 22 *

Notes :

- The bot deletes the rule without splitting ports (it does not create new rules without the deleted port). To delete a rule with a split, use the sg_single_rule_delete bot.
- Before running this bot, ensure that your applications will work correctly without those rules
- If the port is inside a port range, the rule won't be deleted! Use * as the port parameter to delete the rule for any port

Limitations: IPv6 is not supported
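The rule-selection logic of sg_delete_not_matching_cidr and sg_rules_delete_by_scope, as an added Python example (not CloudBots' own code) run over constructed inbound rules shaped like boto3 IpPermissions entries flattened to one CIDR each. It assumes "scope outside the given cidr" means the rule's CIDR is not contained in the allowed CIDR, and skips IPv6 entries since both bots document IPv6 as unsupported.

```python
import ipaddress

# Constructed inbound rules, shaped like boto3 IpPermissions entries flattened to
# one CIDR each. IpProtocol "-1" means all protocols and carries no port range.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.163.5.0/24"},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "CidrIp": "192.168.0.0/16"},
    {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
    {"IpProtocol": "-1", "CidrIp": "172.16.0.0/12"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
]


def is_ipv4(rule):
    """Both bots document IPv6 as unsupported, so IPv6 scopes are left untouched."""
    return ipaddress.ip_network(rule["CidrIp"], strict=False).version == 4


def covers_port(rule, port):
    """True if the rule's port range includes port; an all-protocol rule covers every port."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["FromPort"] <= port <= rule["ToPort"]


def rules_outside_cidr(rules, port, cidr):
    """sg_delete_not_matching_cidr: rules that cover `port` and whose scope is not
    inside `cidr` (the GSL: port<=x and portTo>=x and scope!=y).

    A rule is returned whole, so a 0-1024 range that happens to include the port is
    deleted with all its other ports, exactly the caveat the page states.
    """
    allowed = ipaddress.ip_network(cidr)
    return [r for r in rules
            if is_ipv4(r) and covers_port(r, port)
            and not ipaddress.ip_network(r["CidrIp"], strict=False).subnet_of(allowed)]


def rules_by_scope(rules, scope, port="*", protocol="*"):
    """sg_rules_delete_by_scope: rules whose CIDR contains or equals `scope`,
    optionally filtered by an exact port and a protocol; "*" matches anything.

    No range splitting: a port that sits inside a wider range does not match, as the
    page says ("use * on port parameter to delete the rule for any port").
    """
    target = ipaddress.ip_network(scope)
    selected = []
    for r in rules:
        if not is_ipv4(r) or not target.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False)):
            continue
        if protocol != "*" and r["IpProtocol"].lower() != protocol.lower():
            continue
        if port != "*":
            exact = r["IpProtocol"] != "-1" and r["FromPort"] == r["ToPort"] == int(port)
            if not exact:
                continue
        selected.append(r)
    return selected


if __name__ == "__main__":
    # sg_delete_not_matching_cidr 22 10.163.0.0/16 inbound
    for r in rules_outside_cidr(SAMPLE_RULES, 22, "10.163.0.0/16"):
        print("delete (outside cidr):", r)
    # sg_rules_delete_by_scope 0.0.0.0/0 inbound 22 tcp
    for r in rules_by_scope(SAMPLE_RULES, "0.0.0.0/0", 22, "tcp"):
        print("delete (by scope):", r)
```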

sg_single_rule_delete

What it does: Deletes a single rule on a security group
Usage: sg_single_rule_delete split=<true|false> protocol=<TCP|UDP> scope=<a.b.c.d/e> direction=<inbound|outbound> port=

Example: sg_single_rule_delete split=false protocol=TCP scope=0.0.0.0/0 direction=inbound port=22
Sample GSL: SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=22 and portTo>=22]

Conditions and caveats: Deleting a single rule on a security group can be difficult because the problematic port can be nested within a wider range of ports. If SSH is open because a SG has all of TCP open, do you want to delete the whole rule or would you break up the SG into the same scope but port 0-21 and a second rule for 23-end of TCP port range? Currently the way this is being addressed is using the 'split' parameter. If it's set as false, CloudBots will only look for the specific port in question. If it's nested within a larger port scope, it'll be skipped. If you set split to true, then the whole rule that the problematic port is nested in will be removed and 2 split rules will be added in its place (ex: if port 1-30 is open and you want to remove SSH, the new rules will be for port 1-21 and port 23-30).

If you want to delete a rule that is open on ALL ports, put port=0 as the port to be deleted and the bot will remove the rule.
If you want to delete a rule that is open to ALL protocols, put protocol=ALL and the bot will remove the open rule that is configured with ALL as its protocol.
If you want to delete a rule regardless of its configured protocol, put protocol=* and the bot will remove the open rule.
Example with split set to true: sg_single_rule_delete split=true protocol=TCP scope=8.8.8.8/32 direction=inbound port=0

Limitations: IPv6 is not supported
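The split semantics described above, as an added Python example that is not CloudBots' own code: plan_single_rule_delete (a hypothetical name) computes, over constructed inbound rules in boto3 IpPermissions shape, which rule to revoke and which two halves to authorize in its place, including the port=0, protocol=ALL and protocol=* cases. The rule list is assumed to already be the one for the requested direction.

```python
PORT_MAX = 65535  # upper bound of a TCP/UDP port range in a security group rule

# Constructed inbound rules, shaped like boto3 IpPermissions entries flattened to
# one CIDR each. IpProtocol "-1" means all protocols and carries no port range.
SAMPLE_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 30, "CidrIp": "10.0.0.0/8"},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": PORT_MAX, "CidrIp": "8.8.8.8/32"},
    {"IpProtocol": "-1", "CidrIp": "8.8.8.8/32"},
    {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
]


def protocol_matches(rule, wanted):
    """protocol=* matches any rule, protocol=ALL only an all-protocol (-1) rule."""
    wanted = wanted.lower()
    if wanted == "*":
        return True
    if wanted == "all":
        return rule["IpProtocol"] == "-1"
    return rule["IpProtocol"].lower() == wanted


def plan_single_rule_delete(rules, scope, port, protocol="TCP", split=False):
    """Return (revoke, authorize): the rules to revoke and the rules to add in their place.

    Semantics follow the page: port=0 targets a rule open on all ports; with
    split=False only a rule whose range is exactly `port` is removed and a port nested
    in a wider range is skipped; with split=True the enclosing range is removed and
    the two halves around the port are re-added. `rules` is the list for one direction.
    """
    revoke, authorize = [], []
    for r in rules:
        if r["CidrIp"] != scope or not protocol_matches(r, protocol):
            continue
        if r["IpProtocol"] == "-1":
            # an all-protocol rule has no port range: only port=0 ("all ports") removes it
            if port == 0:
                revoke.append(r)
            continue
        lo, hi = r["FromPort"], r["ToPort"]
        if port == 0:
            if (lo, hi) == (0, PORT_MAX):
                revoke.append(r)
        elif (lo, hi) == (port, port):
            revoke.append(r)  # exact match: delete it, nothing to re-add
        elif lo <= port <= hi and split:
            revoke.append(r)
            # re-add the range on each side of the port, dropping an empty half
            if lo < port:
                authorize.append({**r, "FromPort": lo, "ToPort": port - 1})
            if port < hi:
                authorize.append({**r, "FromPort": port + 1, "ToPort": hi})
        # nested port with split=False: left alone, as the page says
    return revoke, authorize


if __name__ == "__main__":
    # sg_single_rule_delete split=true protocol=TCP scope=10.0.0.0/8 direction=inbound port=22
    revoke, authorize = plan_single_rule_delete(SAMPLE_INBOUND, "10.0.0.0/8", 22, "TCP", split=True)
    print("revoke:", revoke)
    print("authorize:", authorize)
```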

sns_enforce_sse

What it does: makes sns topic use server side encryption (sse)
Usage: sns_enforce_sse kmsKeyId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
Limitations: none

sqs_enforce_sse

What it does: Configures server-side encryption (SSE) for a queue
Usage: sqs_enforce_sse <kmsKeyId> <kmsRegion>
Notes:
For encryption with SQS-owned encryption keys, use the bot without any parameters (i.e: sqs_enforce_sse)
For encryption using kms, provide <kmsKeyId>. <kmsRegion> is not required - provide it if the kms key is in a different region than the SQS.
Examples:
sqs_enforce_sse (for encryption using SQS-owned encryption keys)
sqs_enforce_sse kms aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
sqs_enforce_sse kms aaaaaaaa-bbbb-cccc-dddd-eeeeeeee us-east-2
sqs_enforce_sse kms mrk-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (for multi-region key)
sqs_enforce_sse kms mrk-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (for multi-region key, if it's in a different region)
Limitations: The KMS key MUST be in the same AWS account as the SQS.

sqs_configure_dlq

What it does: Configures a Dead-Letter Queue (DLQ) for a source queue.
Usage: AUTO sqs_configure_dlq
Notes: A dead-letter queue is also a queue. The bot doesn't create a DLQ if the queue is a DLQ itself.
Limitations: None

sns_topic_delete

What it does: Deletes sns topic and all its subscriptions.
Usage: AUTO: sns_topic_delete
Limitations: None

tag_ec2_resource

What it does: Tags an ec2 instance
Usage: tag_ec2_resource "key" "value"
Note: Tags with spaces can be added if they are surrounded by quotes: ex: tag_ec2_resource "this is my key" "this is a value"
Limitations: none

THIS WORKS ACROSS ALL EC2 RELATED SERVICES:

  • Image
  • Instance
  • InternetGateway
  • NetworkAcl
  • NetworkInterface
  • PlacementGroup
  • RouteTable
  • SecurityGroup
  • Snapshot
  • Subnet
  • Volume
  • Vpc
  • VpcPeeringConnection

vpc_delete

What it does: Deletes the VPC

Usage: AUTO: vpc_delete

vpc_isolate

What it does:
- turns off the DNS resource,
- changes the network ACL to a new empty one with deny all,
- adds an IAM policy to all users in the account that limits VPC use (EC2 and SG use in the VPC)

Usage: AUTO: vpc_isolate
Limitation: None

vpc_turn_on_flow_logs

What it does: Turns on flow logs for a VPC
Settings: Log Group Name: vpcFlowLogs. If the traffic type to be logged isn't specified, it defaults to all.
Usage: vpc_turn_on_flow_logs traffic_type=<all|accept|reject> destination=<logs|s3> s3_arn=arn:aws:s3:::my-bucket/my-logs/
Example: vpc_turn_on_flow_logs traffic_type=all destination=logs
Example: vpc_turn_on_flow_logs traffic_type=all destination=s3 s3_arn=arn:aws:s3:::my-bucket/my-logs/

Limitations: none
Sample GSL: VPC should have hasFlowLogs=true

To specify a subfolder in the bucket, use the following ARN format: bucket_ARN/subfolder_name/. For example, to specify a subfolder named my-logs in a bucket named my-bucket, use the following ARN: arn:aws:s3:::my-bucket/my-logs/

Log delivery policy name is set as: vpcFlowLogDelivery
Log delivery role is set as: vpcFlowLogDelivery

Optional Bots

These bots are not packaged with the core Lambda function because they're extremely impactful or edge-case bots that won't be normally used.
If you want to use these bots, they will need to be manually added to the function. All of the code is in the optional_bots directory.

ec2_tag_instance_from_vpc

This bot was created for a customer and most likely won't be used outside of that edge case

What it does: If an instance is missing a specific tag, try to pull it from the VPC. Usage: ec2_tag_instance_from_vpc
Limitations: none

s3_delete_bucket

What it does: Deletes an S3 bucket
Usage: s3_delete_bucket
Limitations: none