runbooks 0.9.2__py3-none-any.whl → 0.9.5__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. runbooks/__init__.py +15 -6
  2. runbooks/cfat/__init__.py +3 -1
  3. runbooks/cloudops/__init__.py +3 -1
  4. runbooks/common/aws_utils.py +367 -0
  5. runbooks/common/enhanced_logging_example.py +239 -0
  6. runbooks/common/enhanced_logging_integration_example.py +257 -0
  7. runbooks/common/logging_integration_helper.py +344 -0
  8. runbooks/common/profile_utils.py +8 -6
  9. runbooks/common/rich_utils.py +347 -3
  10. runbooks/enterprise/logging.py +400 -38
  11. runbooks/finops/README.md +262 -406
  12. runbooks/finops/__init__.py +44 -1
  13. runbooks/finops/accuracy_cross_validator.py +12 -3
  14. runbooks/finops/business_cases.py +552 -0
  15. runbooks/finops/commvault_ec2_analysis.py +415 -0
  16. runbooks/finops/cost_processor.py +718 -42
  17. runbooks/finops/dashboard_router.py +44 -22
  18. runbooks/finops/dashboard_runner.py +302 -39
  19. runbooks/finops/embedded_mcp_validator.py +358 -48
  20. runbooks/finops/finops_scenarios.py +1122 -0
  21. runbooks/finops/helpers.py +182 -0
  22. runbooks/finops/multi_dashboard.py +30 -15
  23. runbooks/finops/scenarios.py +789 -0
  24. runbooks/finops/single_dashboard.py +386 -58
  25. runbooks/finops/types.py +29 -4
  26. runbooks/inventory/__init__.py +2 -1
  27. runbooks/main.py +522 -29
  28. runbooks/operate/__init__.py +3 -1
  29. runbooks/remediation/__init__.py +3 -1
  30. runbooks/remediation/commons.py +55 -16
  31. runbooks/remediation/commvault_ec2_analysis.py +259 -0
  32. runbooks/remediation/rds_snapshot_list.py +267 -102
  33. runbooks/remediation/workspaces_list.py +182 -31
  34. runbooks/security/__init__.py +3 -1
  35. runbooks/sre/__init__.py +2 -1
  36. runbooks/utils/__init__.py +81 -6
  37. runbooks/utils/version_validator.py +241 -0
  38. runbooks/vpc/__init__.py +2 -1
  39. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/METADATA +98 -60
  40. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/RECORD +44 -39
  41. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/entry_points.txt +1 -0
  42. runbooks/inventory/cloudtrail.md +0 -727
  43. runbooks/inventory/discovery.md +0 -81
  44. runbooks/remediation/CLAUDE.md +0 -100
  45. runbooks/remediation/DOME9.md +0 -218
  46. runbooks/security/ENTERPRISE_SECURITY_FRAMEWORK.md +0 -506
  47. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/WHEEL +0 -0
  48. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/licenses/LICENSE +0 -0
  49. {runbooks-0.9.2.dist-info → runbooks-0.9.5.dist-info}/top_level.txt +0 -0
runbooks/inventory/discovery.md DELETED
@@ -1,81 +0,0 @@
1
- # Using these Inventory Scripts as Discovery
2
-
3
- ## AWS Cloud Foundations boto3-Aligned Scripts
4
-
5
- All scripts have been updated to follow boto3 API naming conventions for better AWS professional compatibility.
6
-
7
- The following script runs for all accounts within either your specified profile, or (if no profile is used) your default credentials (could be environment variables). This will assess whether ALL of your accounts are suitable to be migrated to Control Tower or not, and if not - what the issues preventing their adoption would be. The "-r global" specifies that ALL regions (even those you have not opted into) should be looked at. The script will (because of the "-v") inform you of the failure to connect to an account in the excluded region, but won't fail because of it. This script executes 10 commands for every account in every region, so it will take a **long** time to run.
8
-
9
- ```sh
10
- controltower_check_account_readiness.py -v -r global --timing [-p <profile of Org Account>]
11
- ```
12
-
13
- This script will go through your Org and find all members accounts and their statuses - thereby showing you which accounts should - perhaps - be moved to a "SUSPENDED" OU or otherwise treated specially. It's useful because the output is very purposeful and it's pretty fast.
14
-
15
- ```sh
16
- org_list_accounts.py -v
17
- ```
18
-
19
- This next script will find the status of all of your accounts and regions and whether you have CloudTrail enabled in each.
20
-
21
- ```sh
22
- cloudtrail_describe_trails_compliance.py -v -r global --timing --filename cloudtrail_check.out [-p <profile of Org Account>]
23
- ```
24
-
25
- The following script can draw out the Organization. The output will be a file in the current directory called "aws_organization.png" - please either get that file, or a screenshot of it. Assuming the user has the graphviz tool installed within their environment, running this tool should end with the diagram itself being shown. The parameter "--policy" can also be mitigated by "--aws" to include those policies which AWS owns (like the AWSFullAccess policy assigned by default to every OU and account). The default (below) excludes that AWS-managed policy for diagram clarity's sake.
26
-
27
- ```sh
28
- org_describe_structure.py --policy --timing
29
- ```
30
-
31
- The following script can do soooo much _(Yeah - I'm pretty proud of this one)_. As it's shown here, it doesn't yet support the "--filename" parameter, since I haven't decided how to write out the data. The goal of using this output in Discovery, is to find those accounts which have been closed (and may no longer be in the Org at all), but are still represented in the stacksets of the Org - and therefore may (eventually) cause stacksets to slow down or fail. Best to find these issues ahead of time, rather than after the fact. For instance - I found a customer with 4multi-account in their Org, but their largest stackset had over 100 closed (and already dropped out) accounts, so while the stackset was still considered "CURRENT", more than 20% of the time spent on that stackset was spent attempting to connect to previously closed accounts.
32
- ```sh
33
- cfn_update_stack_sets.py -v -r <home region> --timing [-p <profile of Org Account>] -check
34
- ```
35
-
36
- The following script shows whether the "Public S3 block" has been enabled on all accounts within the Org. While Control Tower has a control that can enable this on new accounts, it doesn't mean that it hasn't been removed somewhere. It's a good idea to run this, and you can use the same script to re-enable the block if it's been removed.
37
-
38
- ```sh
39
- s3_put_public_access_block.py -v
40
- ```
41
-
42
- The following script finds any and all config recorders and delivery channels in your environment - again, this is a tool that is used when trying to determine what blockers exist before moving to Control Tower. It's also a good tool (if you don't need the full complement of checks in the controltower_check_account_readiness.py above) to find any accounts where Config isn't running at all. This tool also can be used to **delete** the config recorders and delivery channels - if needed.
43
-
44
- ```sh
45
- config_describe_configuration_recorders.py -v -r global --timing
46
- ```
47
-
48
- These scripts will find those IAM/ IDC users, local directories, or SAML providers in your child accounts which can be exposures to unwanted access, without you realizing it. It's always a good idea to look for these - since these can represent a significant threat vector to protect from.
49
-
50
- ```sh
51
- org_list_account_users.py -v
52
- iam_list_saml_providers.py -v
53
- ds_describe_directories.py -v
54
- ```
55
-
56
- While it's normal for this script to find nothing, it's very illuminating if it *does* find something...
57
-
58
- ```sh
59
- cfn_find_orphaned_stacks.py --filename Drift_Detection -v
60
- ```
61
-
62
- The following scripts will just show very useful Inventory information that will help the Discovery process flesh out its understanding of the customer's environment.
63
-
64
- ```sh
65
- ec2_describe_vpcs.py -v
66
- route53_list_hosted_zones.py -v
67
- ```
68
-
69
- Whenever we do Discovery, we always want to find possible money-savings areas for the customer as well. The script below will find any Log Groups and their retention settings. This gives the customer the opportunity (perhaps) to update those retention settings (from their default of "NEVER") to something that will purge data after a specific time. The bottom of the script gives an *idea* of how much you're spending on Log Groups anyway, so you have an idea if taking action is worthwhile.
70
-
71
- ```sh
72
- logs_put_retention_policy.py -v
73
- ```
74
-
75
- ALZ used Service Catalog to create and manage accounts. It's important that these Service Catalog products are properly terminated when ALZ is decommissioned, so this tool will report on the accounts in the Org reconciled with the Service Catalog Products that were created and point out if there are products for already closed accounts, or whether there are more than one product for a given account (or no products for a given account).
76
-
77
- > **Note:** Control Tower use Service Catalog as well. Please ensure you do not terminate Control Tower provisioned products.
78
-
79
- ```sh
80
- servicecatalog_list_provisioned_products.py -v --timing
81
- ```
runbooks/remediation/CLAUDE.md DELETED
@@ -1,100 +0,0 @@
1
- # CLAUDE.md
2
-
3
- This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
4
-
5
- ## Project Overview
6
-
7
- This is a Python-based security remediation tool for resolving Dome9 (now Check Point CloudGuard) compliance issues across AWS accounts. The tool provides both individual command execution and bulk operations across multiple AWS accounts.
8
-
9
- ## Development Setup
10
-
11
- ### Prerequisites
12
- - Conda environment
13
- - AWS credentials configured (either via credentials file or AWS SSO)
14
-
15
- ### Installation
16
- ```bash
17
- pip install -r requirements.txt
18
- ```
19
-
20
- ## Commands and Usage
21
-
22
- ### Individual Command Execution
23
- Use the CLI interface for single-account operations:
24
- ```bash
25
- python src/cli.py s3 list
26
- python src/cli.py s3 block_public_access
27
- python src/cli.py api_gateway list
28
- python src/cli.py lambda list
29
- python src/cli.py cognito list_active_users
30
- ```
31
-
32
- ### Bulk Operations Across Multiple Accounts
33
- Use `bulk_run.py` for multi-account operations:
34
- ```bash
35
- python src/bulk_run.py --function enable_public_access_block_on_all_buckets --credentials-path ../credentials
36
- python src/bulk_run.py --function list_lambda_functions --credentials-path ../credentials
37
- python src/bulk_run.py --function kms_operations_enable_key_rotation --credentials-path ../credentials
38
- python src/bulk_run.py --function find_object_in_s3 --kwargs 'object_to_find:my-object' --credentials-path ../credentials
39
- ```
40
-
41
- ### Testing
42
- Run unit tests using:
43
- ```bash
44
- python -m unittest Tests.update_policy
45
- ```
46
-
47
- ## Architecture
48
-
49
- ### Core Components
50
-
51
- **CLI Interface (`src/cli.py`)**
52
- - Main entry point for single-account operations
53
- - Uses Click framework for command grouping
54
- - Groups commands by AWS service (s3, api_gateway, lambda, cognito)
55
-
56
- **Bulk Operations (`src/bulk_run.py`)**
57
- - Handles multi-account remediation across AWS organizations
58
- - Supports both file-based credentials and AWS SSO authentication
59
- - Contains a registry of all available functions for bulk execution
60
- - Implements comprehensive logging to both console and files
61
-
62
- **AWS Commons (`src/aws/commons.py`)**
63
- - Central utilities for AWS client/resource creation
64
- - AWS SSO authentication flow with browser-based device authorization
65
- - Credentials management for both static files and SSO tokens
66
- - Common helper functions for AWS API operations (pricing, CloudWatch metrics, etc.)
67
- - Caching decorators for performance optimization
68
-
69
- ### AWS Service Modules Structure
70
- All AWS-specific functionality is organized under `src/aws/` with individual modules for each service and operation:
71
-
72
- - **S3 Operations**: Bucket management, public access blocking, encryption, SSL policies
73
- - **EC2 Operations**: Security group management, EBS volume cleanup, public IP management
74
- - **IAM/Security**: KMS key rotation, certificate management
75
- - **Serverless**: Lambda function management, API Gateway operations
76
- - **Data Services**: DynamoDB encryption and optimization, RDS management
77
- - **Monitoring**: CloudTrail modifications, CloudWatch integration
78
- - **Identity**: Cognito user management and operations
79
-
80
- ### Authentication Patterns
81
-
82
- The tool supports two authentication methods:
83
-
84
- 1. **File-based Credentials**: Traditional AWS credentials file with access keys
85
- 2. **AWS SSO**: Modern SSO flow with device authorization and browser-based authentication
86
-
87
- The commons module automatically handles credential refresh and multi-account iteration, making it transparent to individual remediation functions.
88
-
89
- ### Logging and Output
90
-
91
- - Dual logging to console and file (configurable via `DOME9_REMEDIATION_FILE_LOG` environment variable)
92
- - CSV output generation for analysis and reporting
93
- - CloudWatch metrics integration for cost and usage analysis
94
-
95
- ## Environment Variables
96
-
97
- - `ACCESS_PORTAL_URL`: AWS SSO start URL (default: "https://d-976752e8d5.awsapps.com/start")
98
- - `DOME9_REMEDIATION_FILE_LOG`: Custom log file path
99
- - `AWS_REGION`: Default AWS region for operations
100
- - Standard AWS environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`)
runbooks/remediation/DOME9.md DELETED
@@ -1,218 +0,0 @@
1
- # rule‑by‑rule mapping for Dome9 findings
2
-
3
- > Each row links the finding to the **closest AWS‑managed Systems Manager Automation runbook** available today; where no managed runbook exists, I note **`Custom‑…`** so you can supply your own document (usually a short YAML wrapper that calls `aws:executeAwsApi`).
4
-
5
- ---
6
-
7
- ### How to read the table
8
-
9
- * **Severity / Compliance** – taken verbatim from your CSV.
10
- * **AWS SSM Runbook** – the document to launch. All Amazon‑owned runbooks are in the official reference ([AWS Documentation][1]).
11
-
12
- * If you prefer AWS Config integration, many of these also have an **`AWSConfigRemediation‑…`** variant.
13
- * **Notes** – one‑line remediation intent plus the security pillar or control the rule supports.
14
-
15
- ---
16
-
17
- ## Failed Tests by Rule report with *working* URLs from **AWS Systems Manager Automation Runbook Reference**.
18
- Custom gaps remain **Custom‑…** (no AWS‑managed equivalent).
19
-
20
- | # | Dome9 Rule Name | Sev. | Compliance Section | **Mapped Runbook (clickable)** | CIS / NIST Control | Notes |
21
- | --- | ------------------------------- | ---- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | ----------------------------------- |
22
- |  1 | S3 buckets must enforce SSL | H | SEC 7 & 10 | [AWSConfigRemediation‑ConfigureS3BucketPublicAccessBlock](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-block-public-s3-bucket.html) ([AWS Documentation][1]) | CIS 3.8 / SC‑13 | Denies non‑TLS requests |
23
- |  2 | Encrypt S3 PUT actions | H | SEC 7 & 9 | [AWS‑EnableS3BucketEncryption](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enableS3bucketencryption.html) ([AWS Documentation][2]) | CIS 3.3 / SC‑28 | Forces SSE‑KMS |
24
- |  3 | Subnets auto‑assign public IP | H | SEC 6 | [AWSConfigRemediation‑DisableSubnetAutoAssignPublicIP](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disable-subnet-auto-public-ip.html) ([AWS Documentation][3]) | CIS 4.3 / AC‑4 | Sets `MapPublicIpOnLaunch=false` |
25
- |  4 | SGs expose admin ports | H | SEC 6 | [AWS‑DisablePublicAccessForSecurityGroup](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disablepublicaccessforsecuritygroup.html) ([AWS Documentation][4]) | CIS 4.1 / SC‑7 | Removes 0.0.0.0/0 on 22/3389 |
26
- |  5 | RDS publicly accessible | H | SEC 6 | [AWSConfigRemediation‑DisablePublicAccessToRDSInstance](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disable-rds-instance-public-access.html) ([AWS Documentation][5]) | CIS 4.1 / SC‑7 | Switches `PubliclyAccessible=false` |
27
- |  6 | CMK rotation disabled | H | SEC 4 & REL 4 | [AWSConfigRemediation‑EnableKeyRotation](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-key-rotation.html) ([AWS Documentation][6]) | CIS 2.9 / SC‑12 | Enables annual rotation |
28
- |  7 | CloudTrail log validation off | L | SEC 4 & REL 4 | [AWS‑EnableCloudTrailLogFileValidation](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/enable-cloudtrail-log-validation.html) ([AWS Documentation][7]) | CIS 2.4 / AU‑10 | Turns on digest validation |
29
- |  8 | CloudTrail not KMS‑encrypted | M | SEC 4 & REL 4 | [AWS‑EnableCloudTrailKmsEncryption](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/enable-cloudtrail-kms-encryption.html) ([AWS Documentation][8]) | CIS 2.3 / SC‑13 | Adds CMK |
30
- |  9 | CloudTrail bucket lacks logging | M | SEC 4 & REL 4 | [AWS‑ConfigureS3BucketLogging](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-configures3bucketlogging.html) ([AWS Documentation][9]) | CIS 2.8 / AU‑9 | Enables server‑access logs |
31
- |  10 | Public S3 GET/LIST/PUT/DEL | H | SEC 3 | *same as #1* | CIS 3.1‑3.7 / SC‑7 | Blocks public principals |
32
- |  11 | S3 bucket lacks SSE | H | SEC 9 | *same as #2* | CIS 3.3 / SC‑28 | Default encryption |
33
- |  12 | No HTTPS‑only policy | H | SEC 7 | **Custom‑ConfigureS3BucketSecureTransport** | CIS 3.8 / SC‑13 | Deny non‑SSL (custom) |
34
- |  13 | Unused ACM certs | M | SEC 7 | **Custom‑RemoveUnusedACMCerts** | CIS 1.23 / CM‑6 | Certificate hygiene |
35
- |  14 | Expired ACM certs | M | SEC 7 | **Custom‑RemoveExpiredACMCerts** | CIS 1.23 / CM‑6 | Remove/renew |
36
- |  15 | Certs expiring ≤ 7 days | H | SEC 7 | **Custom‑RenewACMCertificate** | CIS 1.23 / CM‑6 | Renew immediately |
37
- |  16 | CloudFront default SSL cert | H | SEC 6 | **Custom‑AssociateCloudFrontCustomCert** | CIS 3.8 / SC‑13 | Attach ACM cert |
38
- |  17 | CloudFront weak TLS | H | SEC 7 | **Custom‑ConfigureCloudFrontTLSCipher** | CIS 3.9 / SC‑13 | Enforce modern policy |
39
- |  18 | Geo restriction off | L | SEC 6 | **Custom‑EnableCloudFrontGeoRestriction** | CIS 1.21 / AC‑6 | Apply geo limits |
40
- |  19 | CloudFront logging off | M | SEC 6 | **Custom‑EnableCloudFrontLogging** | CIS 3.11 / AU‑12 | Enable CF logs |
41
- |  20 | Container health checks missing | M | OPS 8 & 9 | **Custom‑EnableECSHealthCheck** | NIST SI‑4 | Add `HEALTHCHECK` |
42
- |  21 | Idle ECS services | M | SEC 6 | **Custom‑ScaleDownIdleECSService** | NIST CM‑2 | Remove idle |
43
- |  22 | ECS cluster empty | M | SEC 6 | **Custom‑RegisterInstanceWithECSCluster** | NIST CM‑2 | Register capacity |
44
- |  23 | RDS not CMK‑encrypted | M | SEC 7 | **Custom‑EnableRDSCMKEncryption** | CIS 7.1 / SC‑28 | Encrypt storage |
45
- |  24 | RDS backup retention < 7d | M | SEC 11 & REL 6 | [AWSConfigRemediation‑EnableRDSInstanceBackup](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-rds-instance-backup.html) ([AWS Documentation][10]) | CIS 7.4 / CP‑9 | Sets retention ≥ 7 days |
46
- |  25 | RDS unencrypted | H | SEC 7 | **Custom‑EnableRDSEncryption** | CIS 7.1 / SC‑28 | Encrypt DB |
47
- |  26 | DynamoDB not CMK‑SSE | M | SEC 7 | **Custom‑EnableDynamoDBSSE** | CIS 3.3 / SC‑28 | Enable KMS |
48
- |  27 | Kinesis stream unencrypted | H | SEC 7 & 9 | [AWS‑EnableKinesisStreamEncryption](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/aws-enablekinesisstreamencryption.html) ([AWS Documentation][11]) | CIS 3.3 / SC‑28 | Turn on CMK |
49
- |  28 | Unused security groups | M | SEC 6 | [AWSConfigRemediation‑DeleteUnusedSecurityGroup](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-delete-ec2-security-group.html) ([AWS Documentation][12]) | CIS 4.2 / CM‑6 | Delete unattached SGs |
50
- |  29 | SG open 0–65535 0.0.0.0/0 | H | SEC 6 | *same as #4* | CIS 4.1 / SC‑7 | Blanket ingress removal |
51
- |  30 | Unattached EBS volume | M | COST 3 | [AWS‑AttachEBSVolume](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-attachebsvolume.html) ([AWS Documentation][13]) | CM‑8 | Attach or snapshot & delete |
52
- |  31 | Unused customer CMKs | M | SEC 1 | **Custom‑DisableUnusedCMK** | CM‑5 | Schedule deletion |
53
- |  32 | Lambda admin privileges | H | SEC 3 | **Custom‑RestrictLambdaRolePolicy** | CIS 1.13 / AC‑6 | Least‑privilege role |
54
- |  33 | ALB listener HTTP open | M | SEC 6 | **Custom‑RedirectALBHTTPToHTTPS** | CIS 3.8 / SC‑13 | Force HTTPS |
55
- |  34 | ECS service w/o LB | M | SEC 6 | **Custom‑AttachLoadBalancerToService** | SC‑7 | Add ALB |
56
- |  35 | CloudFront WAF absent | M | SEC 6 | **Custom‑ConfigureCloudFrontWAF** | SI‑10 | Attach WAFv2 WebACL |
57
-
58
- **✔ All AWS‑managed rows link directly to the official Runbook Reference pages (verified July 2025).**
59
- Use this table as the definitive source for your CrewAI pipeline, compliance dashboards, and audit artefacts.
60
-
61
- [1]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-block-public-s3-bucket.html "AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock - AWS Systems Manager Automation runbook reference"
62
- [2]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enableS3bucketencryption.html?utm_source=chatgpt.com "AWS-EnableS3BucketEncryption - AWS Systems Manager ..."
63
- [3]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disable-subnet-auto-public-ip.html?utm_source=chatgpt.com "AWSConfigRemediation-DisableSubnetAutoAssignPublicIP"
64
- [4]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disablepublicaccessforsecuritygroup.html?utm_source=chatgpt.com "AWS-DisablePublicAccessForSecurityGroup - AWS Documentation"
65
- [5]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disable-rds-instance-public-access.html?utm_source=chatgpt.com "AWSConfigRemediation-DisablePublicAccessToRDSInstance"
66
- [6]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-key-rotation.html?utm_source=chatgpt.com "AWSConfigRemediation-EnableKeyRotation - AWS Documentation"
67
- [7]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/enable-cloudtrail-log-validation.html?utm_source=chatgpt.com "AWS-EnableCloudTrailLogFileValidation - AWS Systems Manager ..."
68
- [8]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/enable-cloudtrail-kms-encryption.html?utm_source=chatgpt.com "AWS-EnableCloudTrailKmsEncryption - AWS Systems Manager ..."
69
- [9]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-configures3bucketlogging.html?utm_source=chatgpt.com "AWS-ConfigureS3BucketLogging - AWS Systems Manager ..."
70
- [10]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-rds-instance-backup.html?utm_source=chatgpt.com "AWSConfigRemediation-EnableRDSInstanceBackup"
71
- [11]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/aws-enablekinesisstreamencryption.html?utm_source=chatgpt.com "AWS-EnableKinesisStreamEncryption - AWS Systems Manager ..."
72
- [12]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-delete-ec2-security-group.html?utm_source=chatgpt.com "AWSConfigRemediation-DeleteUnusedSecurityGroup"
73
- [13]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-attachebsvolume.html?utm_source=chatgpt.com "AWS-AttachEBSVolume - AWS Systems Manager Automation ..."
74
-
75
-
76
- ---
77
-
78
- ## Failed Tests by Rule Dome9 Mapping - OLD
79
-
80
- > Each row aligns with an AWS‑managed SSM Automation runbook (or an explicit *Custom‑…* placeholder) and cites the exact rule lines from the HTML report.
81
-
82
- | # | Dome9 Rule Name | Severity | Compliance Section | **Mapped AWS SSM Runbook** | Primary Standard / Control | Notes |
83
- | --- | ----------------------------------------------------- | -------- | ------------------ | -------------------------------------------------------- | ----------------------------------- | ------------------------------------------- |
84
- |  1 | S3 Buckets Secure Transport (SSL) | High | SEC 7, SEC 10 | **AWS‑ConfigureS3BucketPublicAccessBlock** | WA Security #7 (Encrypt in Transit) | Adds bucket policy denying non‑TLS requests |
85
- |  2 | Use encryption for S3 Bucket write actions | High | SEC 7, SEC 9 | **AWS‑EnableS3BucketEncryption** | WA Security #9 (Encrypt at Rest) | Forces SSE‑KMS on PUT actions |
86
- |  3 | VPC subnets auto‑assign public IP enabled | High | SEC 6 | **AWSConfigRemediation‑DisableSubnetAutoAssignPublicIP** | WA Network #6 | Sets `MapPublicIpOnLaunch=false` |
87
- |  4 | Security groups expose admin ports | High | SEC 6 | **AWS‑DisablePublicAccessForSecurityGroup** | CIS AWS 1.3 | Restricts 0.0.0.0/0 on 22/3389 |
88
- |  5 | RDS open to large CIDR scope | High | SEC 6 | **AWS‑RestrictRDSPublicAccess** | WA Reliability #6 | Removes public SG rules |
89
- |  6 | CMK rotation disabled | High | SEC 4, REL 4 | **AWS‑RotateKMSKey** | CIS AWS 2.3 | Enables annual key rotation |
90
- |  7 | CloudTrail log validation disabled | Low | SEC 4, REL 4 | **AWS‑ConfigureCloudTrailValidation** | CIS AWS 2.4 | Turns on file‑integrity validation |
91
- |  8 | CloudTrail logs not KMS‑encrypted | Medium | SEC 4, REL 4 | **AWS‑ConfigureCloudTrailKMS** | WA Security #4 | Adds KMS key to trails |
92
- |  9 | CloudTrail bucket lacks access logging | Medium | SEC 4, REL 4 | **AWS‑ConfigureS3BucketLogging** | CIS AWS 2.8 | Enables S3 access logs |
93
- |  10 | S3 bucket access logging disabled (CloudTrail bucket) | High | SEC 4, REL 4 | **same as 9** | Same control | — |
94
- |  11 | S3 bucket public GET/LIST/PUT/DELETE | High | SEC 3 | **AWS‑ConfigureS3BucketPublicAccessBlock** | CIS AWS 3.x | Blocks public IAM/principal actions |
95
- |  12 | S3 bucket lacks SSE | High | SEC 9 | **AWS‑EnableS3BucketEncryption** | WA Security #9 | Enables default encryption |
96
- |  13 | S3 bucket lacks HTTPS‑only policy | High | SEC 7 | **Custom‑ConfigureS3BucketSecureTransport** | WA Security #7 | Custom runbook to deny insecure transport |
97
- |  14 | ACM unused certificates | Medium | SEC 7 | **Custom‑RemoveUnusedACMCerts** | WA Security #7 | Deletes orphaned certs |
98
- |  15 | ACM expired certificates | Medium | SEC 7 | **Custom‑RemoveExpiredACMCerts** | WA Security #7 | Remove/renew expiring certs |
99
- |  16 | SSL/TLS certs expiring in 7 days | High | SEC 7 | **same as 15** | — | Renew immediately |
100
- |  17 | CloudFront default SSL cert | High | SEC 6 | **Custom‑AssociateCloudFrontCustomCert** | WA Security #6 | Attach ACM cert |
101
- |  18 | CloudFront weak cipher suite | High | SEC 7 | **Custom‑ConfigureCloudFrontTLSCipher** | WA Security #7 | Enforce modern TLS policy |
102
- |  19 | CloudFront geo restriction disabled | Low | SEC 6 | **Custom‑EnableCloudFrontGeoRestriction** | WA Security #6 | Apply geo whitelist/blacklist |
103
- |  20 | CloudFront access logging disabled | Medium | SEC 6 | **Custom‑EnableCloudFrontLogging** | CIS AWS 3.15 | Enable S3 logs |
104
- |  21 | Container health checks missing | Medium | OPS 8, OPS 9 | **Custom‑EnableECSHealthCheck** | WA Operational Excellence #8 | Add `HEALTHCHECK` to task def |
105
- |  22 | ECS services without running tasks | Medium | SEC 6 | **Custom‑ScaleDownIdleECSService** | WA Reliability #6 | Delete or scale to 0 |
106
- |  23 | ECS cluster empty | Medium | SEC 6 | **Custom‑RegisterInstanceWithECSCluster** | WA Reliability #6 | Register capacity provider |
107
- |  24 | RDS encryption lacks CMK | Medium | SEC 7, SEC 9 | **Custom‑EnableRDSCMKEncryption** | WA Security #9 | Convert storage encryption |
108
- |  25 | RDS retention < 7 days | Medium | SEC 11, REL 6 | **AWS‑ModifyRDSBackupRetention** | CIS AWS 3.1 | Set ≥ 7 days |
109
- |  26 | RDS not encrypted (general) | High | SEC 7 | **Custom‑EnableRDSEncryption** | WA Security #9 | Encrypt unencrypted DBs |
110
- |  27 | DynamoDB not SSE‑CMK | Medium | SEC 7 | **Custom‑EnableDynamoDBSSE** | WA Security #9 | Enable KMS encryption |
111
- |  28 | Kinesis stream not CMK‑encrypted | High | SEC 7, SEC 9 | **Custom‑EnableKinesisStreamEncryption** | WA Security #9 | Turn on KMS SSE |
112
- |  29 | Unused security groups | Medium | SEC 6 | **AWS‑DeleteUnusedSecurityGroups** | CIS AWS 4.1 | Remove unattached SGs |
113
- |  30 | SG open to all ports 0.0.0.0/0 | High | SEC 6 | **AWS‑DisablePublicAccessForSecurityGroup** | CIS AWS 4.1 | Blanket ingress removal |
114
- |  31 | EBS volume unattached | Medium | COST 3 | **AWS‑AttachEBSVolume** | WA Cost‑Optimisation #3 | Attach or snapshot & delete |
115
- |  32 | Customer CMKs unusable | Medium | SEC 1 | **Custom‑DisableUnusedCMK** | WA Security #1 | Schedule key deletion |
116
- |  33 | Lambda functions with Admin privileges | High | SEC 3 | **Custom‑RestrictLambdaRolePolicy** | CIS AWS 1.5 | Replace with least‑priv role |
117
- |  34 | ALB listener allows HTTP | Medium | SEC 6 | **Custom‑RedirectALBHTTPToHTTPS** | WA Security #6 | Force redirect 80 → 443 |
118
- |  35 | ALB no attached LB to ECS service | Medium | SEC 6 | **Custom‑AttachLoadBalancerToService** | WA Reliability #6 | Ensure LB front‑end exists |
119
-
120
- > **Legend**
121
- > *WA* = AWS Well‑Architected Framework.
122
- > *CIS AWS x.y* = CIS AWS Foundations Benchmark control.
123
-
124
- ---
125
-
126
- \### How this table was built 
127
-
128
- * **Source lines**: Each rule name, severity, and section is drawn from your HTML report lines – see citations.
129
- * **Runbook mapping**: Follows the hardened mapping catalogue; AWS‑managed where available, otherwise *Custom‑…* placeholders ready for YAML authoring.
130
- * **Standards alignment**: Every row references a primary security control (CIS or WA).
131
-
132
- This fully enriched matrix is **ready for CSV/HTML export** and can feed both your executive dashboards and the CrewAI pipeline (as static metadata for context injection). It meets enterprise reproducibility requirements and aligns with AWS security best practices.
133
-
134
- ---
135
-
136
-
137
-
138
- ---
139
-
140
- > Old Version
141
-
142
- | # | Dome9 **Rule Name** | Severity | Compliance Section | **AWS SSM Runbook** | Notes / Security Standard |
143
- | --- | -------------------------------------------- | -------- | ------------------ | ----------------------------------------------------------------------------------- | --------------------------------------------------------- |
144
- |  1 | AWS Cloud Front – WAF Integration | Medium |  SEC\_6 | `Custom‑ConfigureCloudFrontWAF` | Attach WAF WebACL to distribution (Well‑Arch Security #6) |
145
- |  2 | AWS Kinesis data at rest lacks SSE | High |  SEC\_7 \| SEC\_9 | `Custom‑EnableKinesisStreamEncryption` | Turn on KMS CMK SSE (Encryption) |
146
- |  3 | Kinesis streams not using KMS CMK | High |  SEC\_7 \| SEC\_9 | `Custom‑EnableKinesisStreamEncryption` | Same as #2 |
147
- |  4 | Determine if CloudFront CDN is in use | Low |  SEC\_6 | *Advisory* | Informational only – no remediation |
148
- |  5 | ECS cluster should have active services only | Medium |  SEC\_6 | `Custom‑DeleteIdleECSCluster` | Remove empty/idle clusters |
149
- |  6 | ECS service task defs have empty roles | Medium |  SEC\_3 | `Custom‑ValidateECSTaskRoles` | Enforce least‑privilege IAM role |
150
- |  7 | ECS services without running tasks | Medium |  SEC\_6 | `Custom‑ScaleDownIdleECSService` | Delete or scale to 0 |
151
- |  8 | ELB – recommended TLS protocol | High |  SEC\_7 | `Custom‑ConfigureELBListenerTLS` | Apply ELB SecurityPolicy‑2023‑06 |
152
- |  9 | ELB not using SSL | High |  SEC\_7 | `Custom‑ConfigureELBHTTPS` | Add cert & force HTTPS |
153
- |  10 | Enable container health checks | Low |  OPS\_8 \| OPS\_9 | `Custom‑EnableECSHealthCheck` | Add `HEALTHCHECK` to task definitions |
154
- |  11 | ACM contains wildcard certs | Medium |  SEC\_7 | `Custom‑ValidateACMCerts` | Delete/replace wildcard certs |
155
- |  12 | ALB listener still allows HTTP | Medium |  SEC\_6 | `Custom‑RedirectALBHTTPToHTTPS` | Force‑redirect 80→443 |
156
- |  13 | CloudFront access logging disabled | Medium |  SEC\_6 | `Custom‑EnableCloudFrontLogging` | Enable S3 log bucket |
157
- |  14 | CloudFront geo‑restriction missing | Medium |  SEC\_6 | `Custom‑EnableCloudFrontGeoRestriction` | Apply whitelist/blacklist |
158
- |  15 | CloudFront uses default SSL cert | Medium |  SEC\_7 | `Custom‑AssociateCloudFrontCustomCert` | Attach ACM cert |
159
- |  16 | EBS volumes not attached | Medium |  REL\_5 | **`AWS-AttachEBSVolume`** | Attach or clean up orphaned EBS |
160
- |  17 | IAM policies overly permissive | High |  SEC\_1 | **`AWS-RestrictIAMPolicyPrivileges`** | Remove `*` actions |
161
- |  18 | RDS automatic minor upgrades off | Medium |  REL\_6 | `Custom‑EnableRDSAutoMinorUpgrade` | Set `AutoMinorVersionUpgrade=true` |
162
- |  19 | RDS not Multi‑AZ | Medium |  REL\_6 | `Custom‑ConvertRDSMultiAZ` | Modify instance to Multi‑AZ |
163
- |  20 | RDS backup retention < 7 days | Medium |  REL\_6 | **`AWS-ModifyRDSBackupRetention`** | Set ≥ 7 days |
164
- |  21 | Subnet auto‑assign public IP on | High |  SEC\_6 | **`AWSConfigRemediation‑DisableSubnetAutoAssignPublicIP`** ([AWS Documentation][2]) | Set `MapPublicIpOnLaunch=false` |
165
- |  22 | DynamoDB not using SSE (KMS) | Medium |  SEC\_7 | `Custom‑EnableDynamoDBSSE` | Turn on KMS encryption |
166
- |  23 | CloudTrail log validation disabled | Medium |  SEC\_4 | **`AWS-ConfigureCloudTrailValidation`** | Enable hash + sig checks |
167
- |  24 | CloudTrail not encrypted with KMS | Medium |  SEC\_4 | **`AWS-ConfigureCloudTrailKMS`** | Add KMS key |
168
- |  25 | CloudTrail bucket lacks access logging | Medium |  SEC\_6 | **`AWS-ConfigureS3BucketLogging`** | Enable access logs |
169
- |  26 | S3 bucket is public | High |  SEC\_3 | **`AWS-ConfigureS3BucketPublicAccessBlock`** | Block public ACLs |
170
- |  27 | Expired ACM certificates present | Medium |  SEC\_7 | `Custom‑RemoveExpiredACMCerts` | Delete expired certs |
171
- |  28 | SG allows 0.0.0.0/0 all ports | High |  SEC\_6 | **`AWS-DisablePublicAccessForSecurityGroup`** ([AWS Documentation][3]) | Remove open rules |
172
- |  29 | SG allows 0.0.0.0/0 RDP 3389 | High |  SEC\_6 | **same as 28** | Restrict RDP |
173
- |  30 | SG allows 0.0.0.0/0 SSH 22 | High |  SEC\_6 | **same as 28** | Restrict SSH |
174
- |  31 | Unused ACM certificates | Low |  SEC\_7 | `Custom‑RemoveUnusedACMCerts` | Clean up inventory |
175
- |  32 | Service deployment without RUNNING task | Medium |  OPS\_8 | `Custom‑ValidateECSTaskStatus` | Ensure at least one task |
176
- |  33 | RDS not encrypted with CMK | High |  SEC\_7 | `Custom‑EnableRDSCMKEncryption` | Convert storage encryption |
177
- |  34 | Lambda has Admin role | High |  SEC\_3 | `Custom‑RestrictLambdaRolePolicy` | Replace admin privileges |
178
- |  35 | RDS SG open to world | High |  SEC\_6 | **`AWS-RestrictRDSPublicAccess`** | Remove `0.0.0.0/0` |
179
- |  36 | Unused Security Groups | Medium |  SEC\_6 | **`AWS-DeleteUnusedSecurityGroups`** | Delete unattached SGs |
180
- |  37 | S3 bucket lacks HTTPS‑only policy | High |  SEC\_7 | `Custom‑ConfigureS3BucketSecureTransport` | Deny non‑SSL |
181
- |  38 | S3 bucket lacks SSE | High |  SEC\_9 | **`AWS-EnableS3BucketEncryption`** ([AWS Documentation][4]) | Enable SSE‑S3/KMS |
182
- |  39 | S3 bucket – public DELETE | High |  SEC\_3 | **`AWS-ConfigureS3BucketPublicAccessBlock`** | Block deletes |
183
- |  40 | S3 bucket – public GET | High |  SEC\_3 | **same as 39** | Block GET |
184
- |  41 | S3 bucket – public LIST | High |  SEC\_3 | **same as 39** | Block LIST |
185
- |  42 | S3 bucket – public PUT | High |  SEC\_3 | **same as 39** | Block PUT |
186
- |  43 | S3 bucket – public PUT/RESTORE | High |  SEC\_3 | **same as 39** | Block restore |
187
- |  44 | ACM cert expires in 1 month | Medium |  SEC\_7 | `Custom‑RenewACMCertificate` | Begin renewal workflow |
188
- |  45 | ACM cert expires in 1 week | High |  SEC\_7 | **same as 44** | Critical renewal |
189
- |  46 | SG exposes admin ports | High |  SEC\_6 | **same as 28** | Generic admin port exposure |
190
- |  47 | Use Encrypted RDS storage | High |  SEC\_7 | `Custom‑EnableRDSEncryption` | Encrypt unencrypted RDS |
191
- |  48 | Encrypt storage for DB EC2 hosts | High |  SEC\_7 | `Custom‑EnableEC2EBSVolumeEncryption` | Enable EBS default encryption |
192
- |  49 | Encrypt S3 PUT actions | High |  SEC\_7 | **`AWS-EnableS3BucketEncryption`** | Require encrypted PUT |
193
- |  50 | CloudFront weak cipher suite | High |  SEC\_7 | `Custom‑ConfigureCloudFrontTLSCipher` | Enforce modern ciphers |
194
- |  51 | Unusable customer CMKs present | Medium |  SEC\_4 | `Custom‑DisableUnusedCMK` | Schedule key deletion |
195
- |  52 | CMK rotation disabled | High |  SEC\_4 | **`AWS-RotateKMSKey`** | Turn on annual rotation |
196
- |  53 | DynamoDB encrypted with AWS‑owned CMK | Medium |  SEC\_7 | `Custom‑EnableDynamoDBKmsCMK` | Switch to AWS‑managed CMK |
197
- |  54 | ELB SG inbound rules too open | High |  SEC\_6 | **same as 28** | Tighter SG |
198
- |  55 | Service lacks attached LB | Medium |  SEC\_6 | `Custom‑AttachLoadBalancerToService` | Add ALB/NLB |
199
- |  56 | ECS cluster has zero instances | Medium |  SEC\_6 | `Custom‑RegisterInstanceWithECSCluster` | Register capacity provider |
200
- |  57 | EFS not encrypted with CMK | Medium |  SEC\_7 | `Custom‑EnableEFSKmsEncryption` | Enable EFS CMEK |
201
- |  58 | Lambda functions share execution role | Medium |  SEC\_3 | `Custom‑UniqueLambdaRoles` | Unique least‑privilege role |
202
-
203
- ---
204
-
205
- ### Next actions
206
-
207
- 1. **Import this table** into a DynamoDB “Remediation Catalogue”.
208
- 2. **Point the Step Functions Map state** at the catalogue so each finding selects the right runbook.
209
- 3. For every `Custom‑…` entry, author a 4‑step YAML document (Pre‑check → Action `aws:executeAwsApi` → Post‑check → Outputs) and store it in the delegated‑admin account.
210
- 4. Enable **cross‑account Automation** by creating an `AutomationAssumeRole` in every target account/Region.
211
- 5. Wire the pipeline to your Dome9 S3 drop‑zone and you’ll have **near‑real‑time, auditable, multi‑account remediation**.
212
-
213
- With this catalogue in place, your organisation moves from manual CSV triage to *automated, standards‑aligned security hygiene*—all backed by Systems Manager Automation’s immutable execution history.
214
-
215
- [1]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-runbook-reference.html?utm_source=chatgpt.com "AWS Systems Manager Automation Runbook Reference"
216
- [2]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disable-subnet-auto-public-ip.html?utm_source=chatgpt.com "AWSConfigRemediation-DisableSubnetAutoAssignPublicIP"
217
- [3]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-disablepublicaccessforsecuritygroup.html?utm_source=chatgpt.com "AWS-DisablePublicAccessForSecurityGroup - AWS Documentation"
218
- [4]: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enableS3bucketencryption.html?utm_source=chatgpt.com "AWS-EnableS3BucketEncryption - AWS Systems Manager ..."