Announcement

Remediate AWS CIS v3.0 and v4.0 with Flowpipe's interactive wizard

Flowpipe's new AWS CIS mod finds misconfigurations and applies fixes, with step-by-step approval.

Turbot Team
5 min. read - Oct 23, 2024

The Center for Internet Security (CIS) benchmarks for AWS are widely used by cloud teams as guidance to configure their AWS accounts securely. With Flowpipe's new AWS CIS mod you can detect misconfigurations and apply fixes according to the v3.0.0 or v4.0.0 recommendations. Let's run v4.0.0's section 2 which focuses on storage.

$ flowpipe pipeline run cis_v400_2

Flowpipe walks you through each subsection, finds resources that don't comply with the recommendations, and offers you the choice to skip each resource or apply the recommendation. Here's how that looks in progress. We've arrived at section 2.1.4, and are running a control that checks whether an S3 bucket blocks public access as the recommendation says it should. Flowpipe has found two buckets that don't comply. We opted to skip the first one, and are ready to remediate the second.

Here we've chosen Block public access. Flowpipe takes the action, reports the outcome, and proceeds.

You can step through all of section 2 in this way. You could even step through the entire CIS benchmark, section by section and control by control.

Under the hood: AWS Compliance

The AWS CIS mod is actually a thin wrapper around another new mod, AWS Compliance, which provides a suite of pipelines that do the work of detecting misconfigurations and enabling human-supervised correction. AWS Compliance in turn relies on two helpers: Flowpipe's library mod for AWS and a helper mod that implements the detect-and-correct pattern.

Here's how things look from the perspective of the installed AWS CIS mod.

~/flowpipe-mod-aws-cis$ flowpipe mod list
aws_cis
└── github.com/turbot/flowpipe-mod-aws-compliance@v1.0.0
├── github.com/turbot/flowpipe-mod-aws@v1.0.0
└── github.com/turbot/flowpipe-mod-detect-correct@v1.0.0

You can list the top-level CIS pipelines like this.

~/flowpipe-mod-aws-cis$ flowpipe pipeline list | grep aws_cis
aws_cis cis_v300 The CIS Amazon Web Services Foundations Benchmark provides...
aws_cis cis_v300_1
aws_cis cis_v300_1_1
aws_cis cis_v300_1_10

You can also list the supporting detect-and-correct pipelines like this.

~/flowpipe-mod-aws-cis$ flowpipe pipeline list | grep detect_and_correct
aws_compliance detect_and_correct_accounts_without_alternate_contact_security_registered Detects account alternate ...
aws_compliance detect_and_correct_apigateway_rest_api_stage_if_xray_tracing_disabled Detects unattached EIPs ...
...

One of those, detect_and_correct_s3_buckets_if_publicly_accessible, is the pipeline that's used by CIS 2.1.4. You can also install AWS Compliance separately and use that pipeline directly in a standalone context.

~/flowpipe-mod-aws-compliance$ flowpipe pipeline run detect_and_correct_s3_buckets_with_block_public_access_disabled

By default this works just as we've already seen: you're prompted with each bucket that doesn't block access, and in each case you choose to skip or apply the action. But making all those decisions can get old. What if you want to apply the fix to all non-compliant buckets? You can do that by setting a mod variable, approvers, to the empty list. Flowpipe will then automatically apply the fix across all your buckets.

Now suppose you want to apply the same rule to new buckets as they're created? To do that, configure the pipeline to run on a schedule. Again it's just a matter of setting variables. To activate a scheduled run of the pipeline, set the variable s3_bucket_access_enabled_trigger_enabled to true. And if you want to run on a schedule other than the default, which is every 15 minutes, also set s3_bucket_access_enabled_trigger_schedule to use either a named interval or a custom cron expression.

Degrees of freedom: benchmarks, controls, and pipelines

If your priority is CIS, we've got you covered with the AWS CIS mod. It provides the flexibility to run the whole suite, or just one section, or even individual controls, with interactive supervision on a per-resource basis. If you need even more flexibility, the supporting AWS Compliance pipelines are available to be used in other ways, with or without human approval, on a one-time or scheduled basis. But there's even more flexibility than that. If you need to act on AWS resources in ways other than AWS Compliance does, the AWS library mod gives you the raw ingredients to run different kinds of queries and take different kinds of actions. Use these mods in whatever ways make sense to you, and let us know how it goes.

See it in action