
If I enable the ssh-restricted rule in AWS Config with remediation, can I close the ports with auto-remediation and also send an email to the owner of the resource based on the tag information?

1 Answer

When an AWS Config rule is evaluated as non-compliant, you can have CloudWatch Events/EventBridge perform an action such as publishing to an SNS topic or invoking a Lambda.

If you have it trigger a Lambda, you will receive an event containing the resource(s) that are no longer compliant.

The Lambda function could access these resources' tags via the AWS SDK, which would provide the metadata about whom the email should be sent to. You could then take this information and send an email using an SMTP library to an external service (such as Amazon SES).

This Lambda could also remediate any issues via the AWS SDK.

Take a look at the "How can I be notified when an AWS resource is non-compliant using AWS Config?" page for some guidance on setting up the event part of this flow.

Chris Williams
  • Will this work from centralized AWS Config? Do I need to configure Lambda functions only in the main account? – Dixon Joseph Dalmeida Aug 30 '20 at 08:47
  • So the first thing is you can indeed share CloudWatch events between accounts to centralise them: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html. From here the SNS and Lambda would remain in that account. To interact with the EC2 API I believe your Lambda would need to assume a role in the account of the EC2 instance and then interact with the API using the temporary credentials. More information on this here: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ – Chris Williams Aug 30 '20 at 08:55
  • Do I need a centralized CloudWatch event? As AWS Config will be centralized to the main account. Also, AWS Config can trigger a remediation action for a non-compliant alert, which will trigger Lambda or SNS. – Dixon Joseph Dalmeida Aug 30 '20 at 09:01
  • Ah, in which case no, you do not need to worry about centralising that :) If it can trigger the Lambda within then that will also work :) – Chris Williams Aug 30 '20 at 09:03