* feat: apply principle of least privilege and only grant the minimum permissions required to operate necessary operations
* feat: upgrade node and terraform version
* feat: allow the use of notifications
* feat: remediate every last day of the month
* feat: allow remediation in multiple regions and settings
* feat: allow remediation fixes multiple times in a month
* chore: update docs with added variables
* chore: update example usage
* Remediation gomboc-d3ebfda5-c25d-4122-8500-59825ed9bf27 (#6)
Co-authored-by: gomboc-ai-community[bot] <215871000+gomboc-ai-community[bot]@users.noreply.github.com>
* chore: add v2 video to docs and update docs
* chore: update demo to picture and link
---------
Co-authored-by: gomboc-ai-community[bot] <215871000+gomboc-ai-community[bot]@users.noreply.github.com>
README.md
23 additions & 3 deletions
@@ -6,6 +6,12 @@
This Terraform module consists of the configuration for automating the remediation of AWS EC2 vulnerabilities using AWS Inspector findings. It provisions essential resources such as an SSM document, Lambda function, and CloudWatch event rules for automated vulnerability management.
+
## Prerequisites
+
+
> **Important**
+
>
+
> The AWS Systems Manager (SSM) agent **must be installed and running** on all EC2 instances you wish to remediate. Without SSM, this module cannot trigger remediation actions on your instances.
+
## Description
This Terraform module sets up an automated vulnerability remediation environment optimized for production use. By creating an SSM document to define the remediation steps, setting up a Lambda function to execute the remediation, and establishing CloudWatch event rules to trigger the process based on AWS Inspector findings, the module offers a straightforward approach to managing EC2 vulnerabilities on AWS.
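Review bot: the new Prerequisites block (the `> **Important**` quote) names only the SSM agent, but an instance is not reachable by Run Command unless its instance profile also grants the agent SSM permissions (the `AmazonSSMManagedInstanceCore` managed policy or an equivalent least-privilege policy) and the instance can reach the SSM endpoints; add both to the prerequisite, otherwise the agent is installed but the instance never registers as a managed node. Since this commit also tightens the module's own IAM permissions, stating here which permissions the module grants and which the operator must provide on the instance side avoids confusion. Minor: GitHub renders `> [!IMPORTANT]` as a callout, whereas `> **Important**` is a plain quote.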
remediation_schedule_days = ["15", "L"] # Schedule remediation on the 15th and last day of each month
+
ssm_notification_topic_arn = null # Optional: Specify an SNS topic ARN to receive notifications for remediation events
}
provider "aws" {
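Review bot: both values in the example (`remediation_schedule_days = ["15", "L"]` and `ssm_notification_topic_arn = null`) equal the defaults documented in the Inputs table, so the snippet does not show a reader how to change them; either use a non-default schedule or drop the two lines and rely on the defaults. If a topic ARN is supplied, the role that publishes to it needs `sns:Publish` scoped to that topic; given the least-privilege change in this commit, the example or the variable description should say whether the module adds that statement or the operator must attach it.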
@@ -70,6 +78,16 @@ provider "aws" {
On successful deployment, navigate to the AWS Systems Manager console and search for the SSM document created by the module (vulne-soldier-compliance-remediate-inspector-findings) or similar. You can trigger the remediation process by running the document on the affected EC2 instances. You can also create an AWS CloudWatch event rule to automate the process based on AWS Inspector findings.
+
## What's New in v2
+
+
- Remediation is now **automated** using EventBridge rules, running by default with the `NoReboot` option for minimal disruption. You can update this option as needed in your configuration.
> Watch the [v2 walkthrough video](https://vimeo.com/1098910908?share=copy#t=3.684) for a step-by-step demonstration of setup and usage.
+
## Inputs
| Name | Description | Type | Default | Required |
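Review bot: the context line kept at the top of this hunk still says you "can also create an AWS CloudWatch event rule to automate the process", while the new "What's New in v2" section says the module now creates EventBridge rules and remediation is automated; update the older paragraph so the two do not contradict each other. The `NoReboot` default also needs a caveat: with `NoReboot`, patches that require a restart (kernel and core library updates in particular) are installed but not active until the instance reboots, so the Inspector finding can persist and patch compliance reports a pending reboot; tell operators who need the fix live on the schedule to set `reboot_option` to `RebootIfNeeded` and to plan for the resulting restarts.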
@@ -79,14 +97,16 @@ On successful deployment, navigate to the AWS Systems Manager console and search
|`aws_region`| AWS region where the resources will be created |`string`| n/a | yes |
|`account_id`| AWS account ID |`string`| n/a | yes |
|`lambda_log_group`| Name of the CloudWatch Log Group for the Lambda function |`string`| n/a | yes |
-
|`lambda_zip`| File location of the lambda zip file for remediation |`string`|`lambda.zip`| yes |
-
|`remediation_options`| Options for the remediation document |`object`| n/a | yes |
+
|`path_to_lambda_zip`| File location of the lambda zip file for remediation |`string`|`lambda.zip`| yes |
+
|`remediation_options`| Options for the remediation document |`object list`| n/a | yes |
|`remediation_options.region`| The region to use |`string`|`us-east-1`| no |
|`remediation_options.reboot_option`| Reboot option for patching |`string`|`NoReboot`| no |
|`remediation_options.target_ec2_tag_name`| The tag name to filter EC2 instances |`string`|`AmazonECSManaged`| no |
|`remediation_options.target_ec2_tag_value`| The tag value to filter EC2 instances |`string`|`true`| no |
|`remediation_options.vulnerability_severities`| Comma separated list of vulnerability severities to filter findings |`string`|`"CRITICAL, HIGH"`| no |
|`remediation_options.override_findings_for_target_instances_ids`| Comma separated list of instance IDs to override findings for target instances |`string`|`""`| no |
+
|`remediation_schedule_days`| Days of the month to schedule remediation (e.g., ["15", "L"]) |`list(string)`|`["15", "L"]`| no |
+
|`ssm_notification_topic_arn`| SNS topic ARN to receive notifications for remediation events (optional) |`string`|`null`| no |
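Review bot: `object list` in the Type column for `remediation_options` is not a Terraform type expression; write the declared type, e.g. `list(object({...}))`, and since the `remediation_options.*` rows below describe fields of one element, say whether one object per region is expected now that the commit adds multi-region remediation. Renaming `lambda_zip` to `path_to_lambda_zip` is a breaking change for existing callers that the "What's New in v2" section does not mention. `path_to_lambda_zip` is marked Required `yes` yet has a default of `lambda.zip`; a variable with a default is optional in Terraform, so one of the two columns is wrong. Finally, `remediation_options.region` defaults to `us-east-1` while `aws_region` is required with no default; clarify how the two relate when they differ.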
"description": "(Optional) Comma separated list of vulnerability severities to filter findings. Allowed values are comma separated list of : CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL",
"description": "(Optional) Comma separated list of instance IDs to override findings for target instances. If not provided, all matched findings will be remediated. Values are in comma separated list of instance IDs.",