Ensuring compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is a critical requirement for organizations that handle credit card transactions. AWS provides a suite of tools that can help automate and enforce compliance, including AWS Config, AWS Security Hub, AWS Lambda, and AWS Systems Manager (SSM). In this article, we will explore how to automate PCI-DSS compliance by identifying and remediating non-compliant S3 buckets and RDS instances using these services.
Introduction to PCI-DSS Compliance on AWS
PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. AWS provides a range of services that can help you achieve and maintain PCI-DSS compliance, including AWS Config, which allows you to assess, audit, and evaluate the configurations of your AWS resources, and AWS Security Hub, which provides a comprehensive view of your security posture across your AWS accounts.
In this article, we will focus on automating the remediation of non-compliant S3 buckets and RDS instances, which are common areas of concern for PCI-DSS compliance. We will use AWS Config to identify non-compliant resources, AWS Security Hub to aggregate and prioritize findings, AWS Lambda to automate remediation, and AWS Systems Manager (SSM) to execute remediation actions.
Prerequisites
Before we dive into the implementation, ensure that you have the following prerequisites in place:
- An AWS account with the necessary permissions to create and manage AWS Config, AWS Security Hub, AWS Lambda, and AWS Systems Manager resources.
- AWS CLI installed and configured on your local machine.
- Basic knowledge of AWS services, including S3, RDS, Lambda, and SSM.
- Familiarity with Python programming language, as we will be using it for our Lambda functions.
Step 1: Setting Up AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
Enabling AWS Config
To enable AWS Config, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- Click on "Get started" if you are setting up AWS Config for the first time.
- Choose the resources you want AWS Config to record. For this article, select "Record all resources supported in this region."
- Choose an Amazon S3 bucket to store your configuration snapshots. You can create a new bucket or use an existing one.
- Choose an Amazon SNS topic to receive notifications about configuration changes. You can create a new topic or use an existing one.
- Click on "Next" and review your settings. If everything looks good, click on "Confirm."
Creating AWS Config Rules
AWS Config rules represent your desired configuration settings for specific AWS resources. AWS Config provides managed rules that you can use to evaluate the configuration settings of your resources.
To create a new AWS Config rule, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- In the left-hand navigation pane, click on "Rules."
- Click on "Add rule."
- In the "Add rule" page, you can search for managed rules. For this article, we will use the following managed rules:
  - `s3-bucket-public-read-prohibited`: This rule checks that your S3 buckets do not allow public read access.
  - `rds-instance-public-access-check`: This rule checks that your RDS instances are not publicly accessible.
- Select the rule and click on "Next."
- Specify the rule parameters if necessary. For example, for the `s3-bucket-public-read-prohibited` rule, you can specify the maximum number of days that a bucket can be non-compliant before triggering an alert.
- Click on "Next" and review your rule settings. If everything looks good, click on "Add rule."
Evaluating Compliance with AWS Config
Once you have created your AWS Config rules, AWS Config will automatically evaluate the compliance of your resources against these rules. You can view the compliance status of your resources in the AWS Config dashboard.
To view the compliance status, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- In the left-hand navigation pane, click on "Resources."
- In the "Resources" page, you can filter by resource type (e.g., S3 bucket, RDS instance) and compliance status (e.g., compliant, non-compliant).
- Click on a resource to view its detailed configuration and compliance history.
Step 2: Aggregating Findings with AWS Security Hub
AWS Security Hub provides a comprehensive view of your security posture across your AWS accounts. It aggregates and prioritizes findings from multiple AWS services, including AWS Config, Amazon GuardDuty, and AWS IAM Access Analyzer.
Enabling AWS Security Hub
To enable AWS Security Hub, follow these steps:
- Open the AWS Management Console and navigate to the AWS Security Hub service.
- Click on "Enable AWS Security Hub."
- Choose the standards you want to enable. For this article, enable the "AWS Foundational Security Best Practices" standard, which includes PCI-DSS compliance checks.
- Click on "Enable."
Viewing Findings in AWS Security Hub
Once AWS Security Hub is enabled, it will automatically start aggregating findings from AWS Config and other AWS services. You can view these findings in the AWS Security Hub dashboard.
To view findings, follow these steps:
- Open the AWS Management Console and navigate to the AWS Security Hub service.
- In the left-hand navigation pane, click on "Findings."
- In the "Findings" page, you can filter by severity, status, and resource type. For this article, filter by resource type (e.g., S3 bucket, RDS instance) and status (e.g., failed).
- Click on a finding to view its detailed information, including the resource ID, compliance status, and remediation steps.
Step 3: Automating Remediation with AWS Lambda and SSM
Now that we have identified non-compliant S3 buckets and RDS instances using AWS Config and Security Hub, the next step is to automate the remediation process using AWS Lambda and AWS Systems Manager (SSM).
Creating a Lambda Function for S3 Bucket Remediation
AWS Lambda allows you to run code without provisioning or managing servers. We will create a Lambda function that automatically remediates non-compliant S3 buckets by removing public read access.
To create a Lambda function, follow these steps:
- Open the AWS Management Console and navigate to the AWS Lambda service.
- Click on "Create function."
- Choose "Author from scratch."
- Enter a name for your function (e.g., `s3-bucket-remediation`).
- Choose the runtime (e.g., Python 3.8).
- Under "Permissions," choose an existing role with the necessary permissions to access S3 and CloudWatch Logs, or create a new role.
- Click on "Create function."
Once the function is created, you can add the following Python code to remediate non-compliant S3 buckets:
```python
import boto3

def lambda_handler(event, context):
    s3 = boto3.client('s3')
    # Get the non-compliant bucket name from the event
    bucket_name = event['detail']['resourceId']
    # Remove public read access by turning on all four Block Public Access settings
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )
    return {
        'statusCode': 200,
        'body': f'Remediated S3 bucket: {bucket_name}'
    }
```
Creating a Lambda Function for RDS Instance Remediation
Next, we will create a Lambda function that automatically remediates non-compliant RDS instances by making them private.
To create a Lambda function, follow these steps:
- Open the AWS Management Console and navigate to the AWS Lambda service.
- Click on "Create function."
- Choose "Author from scratch."
- Enter a name for your function (e.g., `rds-instance-remediation`).
- Choose the runtime (e.g., Python 3.8).
- Under "Permissions," choose an existing role with the necessary permissions to access RDS and CloudWatch Logs, or create a new role.
- Click on "Create function."
Once the function is created, you can add the following Python code to remediate non-compliant RDS instances:
```python
import boto3

def lambda_handler(event, context):
    rds = boto3.client('rds')
    # Get the non-compliant RDS instance identifier from the event
    instance_identifier = event['detail']['resourceId']
    # Modify the RDS instance to make it private
    rds.modify_db_instance(
        DBInstanceIdentifier=instance_identifier,
        PubliclyAccessible=False
    )
    return {
        'statusCode': 200,
        'body': f'Remediated RDS instance: {instance_identifier}'
    }
```
Triggering Lambda Functions with AWS Config Rules
To automatically trigger the Lambda functions when a non-compliant resource is detected, we need to set up AWS Config rules to invoke the Lambda functions.
To set up the trigger, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- In the left-hand navigation pane, click on "Rules."
- Click on the rule you want to modify (e.g., `s3-bucket-public-read-prohibited` or `rds-instance-public-access-check`).
- Click on "Actions" and select "Add remediation action."
- Choose "AWS Lambda function" as the remediation action.
- Select the Lambda function you created earlier (e.g., `s3-bucket-remediation` or `rds-instance-remediation`).
- Click on "Save."
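The two functions above can also be served by one dispatching handler. The following is an added example, not code from the article: it assumes the EventBridge "Config Rules Compliance Change" event shape (`event['detail']`), acts only on `NON_COMPLIANT` results from the two rules created in Step 1, reads the S3 setting back to verify the fix, and skips RDS instances that are already private so repeated deliveries stay idempotent. The boto3 clients are injectable parameters (an assumption of this example) so the decision logic can be exercised without AWS access.

```python
# Added example: one dispatching handler for both Config rules; clients are injectable.
RULE_TO_RESOURCE = {
    "s3-bucket-public-read-prohibited": "AWS::S3::Bucket",
    "rds-instance-public-access-check": "AWS::RDS::DBInstance",
}
LOCKED = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")}

def parse_event(event):
    """(rule, resource_type, resource_id) for a NON_COMPLIANT result of a rule we own, else None."""
    d = event.get("detail", {})  # EventBridge "Config Rules Compliance Change" shape
    if d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    rule = d.get("configRuleName")
    if RULE_TO_RESOURCE.get(rule) != d.get("resourceType"):
        return None  # unknown rule, or resource type does not match the rule
    return rule, d["resourceType"], d["resourceId"]

def remediate_s3(s3, bucket):
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=LOCKED)
    # Read the setting back instead of trusting that the write call took effect
    cfg = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    return all(cfg.get(k) for k in LOCKED)

def remediate_rds(rds, instance_id):
    desc = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if not desc["PubliclyAccessible"]:
        return True  # already private: idempotent on re-delivery, no modify call
    rds.modify_db_instance(DBInstanceIdentifier=instance_id, PubliclyAccessible=False, ApplyImmediately=True)
    return True

def _client(existing, service):
    if existing is None:
        import boto3  # imported lazily so the decision logic is testable without boto3
        existing = boto3.client(service)
    return existing

def lambda_handler(event, context=None, s3=None, rds=None):
    parsed = parse_event(event)
    if parsed is None:
        return {"statusCode": 200, "body": "ignored"}
    rule, rtype, rid = parsed
    if rtype == "AWS::S3::Bucket":
        ok = remediate_s3(_client(s3, "s3"), rid)
    else:
        ok = remediate_rds(_client(rds, "rds"), rid)
    status = "remediated" if ok else "still non-compliant"
    return {"statusCode": 200 if ok else 500, "body": f"{rule}: {rid} {status}"}
```

The function's execution role then needs `s3:PutPublicAccessBlock`, `s3:GetPublicAccessBlock`, `rds:DescribeDBInstances` and `rds:ModifyDBInstance`, and nothing wider.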
Using AWS Systems Manager (SSM) for Advanced Remediation
In some cases, you may need to perform more advanced remediation actions that cannot be handled by a simple Lambda function. For example, you may need to apply a specific security patch to an RDS instance or update the bucket policy of an S3 bucket.
AWS Systems Manager (SSM) allows you to automate these advanced remediation actions using SSM documents. SSM documents define the actions that Systems Manager performs on your managed instances.
To create an SSM document, follow these steps:
- Open the AWS Management Console and navigate to the AWS Systems Manager service.
- In the left-hand navigation pane, click on "Documents."
- Click on "Create document."
- Choose "Command or Session document."
- Enter a name for your document (e.g., `s3-bucket-policy-update` or `rds-instance-patch`).
- In the "Content" section, enter the YAML or JSON content that defines the actions to be performed. For example, the following YAML content defines an SSM document that updates the bucket policy of an S3 bucket:
```yaml
schemaVersion: '2.2'
description: Update S3 bucket policy to remove public access
parameters:
  BucketName:
    type: String
    description: The name of the S3 bucket
mainSteps:
  - action: aws:runShellScript
    name: UpdateBucketPolicy
    inputs:
      runCommand:
        # Note: this Deny applies to every principal, including roles in your own
        # account; scope the Principal before using it outside a test environment.
        - aws s3api put-bucket-policy --bucket {{ BucketName }} --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::{{ BucketName }}/*"}]}'
```
- Click on "Create document."
Once the SSM document is created, you can invoke it from a Lambda function or directly from the AWS Systems Manager console.
To invoke the SSM document from a Lambda function, modify the Lambda function code as follows:
```python
import os
import boto3

def lambda_handler(event, context):
    ssm = boto3.client('ssm')
    # Get the non-compliant bucket name from the event
    bucket_name = event['detail']['resourceId']
    # The document above is a Command document (schemaVersion 2.2, aws:runShellScript),
    # which runs on managed instances and is started with send_command;
    # start_automation_execution only accepts Automation documents (schemaVersion 0.3).
    # The target instance IDs are read from an environment variable (name assumed here),
    # e.g. SSM_TARGET_INSTANCE_IDS="i-0123456789abcdef0"; the instance profile must be
    # allowed to call s3:PutBucketPolicy on the bucket.
    instance_ids = os.environ['SSM_TARGET_INSTANCE_IDS'].split(',')
    # Invoke the SSM document to update the bucket policy
    response = ssm.send_command(
        InstanceIds=instance_ids,
        DocumentName='s3-bucket-policy-update',
        Parameters={
            'BucketName': [bucket_name]
        }
    )
    command_id = response['Command']['CommandId']
    return {
        'statusCode': 200,
        'body': f'Sent SSM command {command_id} to update the policy of S3 bucket: {bucket_name}'
    }
```
Step 4: Testing and Validation
After setting up the AWS Config rules, Lambda functions, and SSM documents, it is important to test and validate the remediation process to ensure that it works as expected.
Testing S3 Bucket Remediation
To test the S3 bucket remediation process, follow these steps:
- Create an S3 bucket and make it publicly readable.
- Wait for AWS Config to detect the non-compliant bucket and trigger the Lambda function.
- Verify that the Lambda function removes public read access from the bucket.
- Check the AWS Config dashboard to confirm that the bucket is now compliant.
Testing RDS Instance Remediation
To test the RDS instance remediation process, follow these steps:
- Create an RDS instance and make it publicly accessible.
- Wait for AWS Config to detect the non-compliant RDS instance and trigger the Lambda function.
- Verify that the Lambda function makes the RDS instance private.
- Check the AWS Config dashboard to confirm that the RDS instance is now compliant.
Testing Advanced Remediation with SSM
To test the advanced remediation process using SSM, follow these steps:
- Create an S3 bucket and apply a bucket policy that allows public read access.
- Wait for AWS Config to detect the non-compliant bucket and trigger the Lambda function.
- Verify that the Lambda function invokes the SSM document to update the bucket policy.
- Check the AWS Config dashboard to confirm that the bucket is now compliant.
Step 5: Monitoring and Reporting
Once the remediation process is in place, it is important to continuously monitor and report on the compliance status of your resources. AWS Config and AWS Security Hub provide several features that can help you with this.
Monitoring Compliance with AWS Config
AWS Config provides a dashboard that shows the compliance status of your resources. You can use this dashboard to monitor the compliance status of your S3 buckets and RDS instances in real-time.
To monitor compliance, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- In the left-hand navigation pane, click on "Dashboard."
- In the "Dashboard" page, you can view the overall compliance status of your resources, as well as the compliance status of individual rules.
Aggregating Findings with AWS Security Hub
AWS Security Hub aggregates findings from multiple AWS services, including AWS Config. You can use the Security Hub dashboard to view and prioritize findings related to PCI-DSS compliance.
To view findings, follow these steps:
- Open the AWS Management Console and navigate to the AWS Security Hub service.
- In the left-hand navigation pane, click on "Findings."
- In the "Findings" page, you can filter by severity, status, and resource type. For PCI-DSS compliance, filter by the "AWS Foundational Security Best Practices" standard.
Generating Compliance Reports
AWS Config and AWS Security Hub allow you to generate compliance reports that can be shared with auditors and stakeholders. These reports provide a detailed view of the compliance status of your resources and the actions taken to remediate non-compliant resources.
To generate a compliance report, follow these steps:
- Open the AWS Management Console and navigate to the AWS Config service.
- In the left-hand navigation pane, click on "Reports."
- In the "Reports" page, you can generate a compliance report for a specific time period and resource type.
- Download the report and share it with the relevant stakeholders.
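For the monitoring and reporting steps above, the same view can be produced programmatically. The following is an added example, not the article's code: `security_hub_filters` builds the server-side filter for the Security Hub `GetFindings` API so that only findings that still need action (FAILED, ACTIVE, workflow NEW or NOTIFIED) are returned for the two resource types this article remediates, and `summarize` rolls ASFF findings up by resource type and severity. `fetch_findings` assumes a boto3 `securityhub` client; the rest runs offline on finding dictionaries.

```python
# Added example: pull open FAILED Security Hub findings for the S3 and RDS resource types
# and roll them up for a compliance report. Not the article's code; fetch_findings needs a
# boto3 securityhub client, the remaining functions work on ASFF finding dicts offline.
from collections import Counter

RESOURCE_TYPES = ("AwsS3Bucket", "AwsRdsDbInstance")

def security_hub_filters(resource_types=RESOURCE_TYPES):
    """Server-side filter for get_findings: only findings that still need action."""
    eq = lambda v: {"Value": v, "Comparison": "EQUALS"}
    return {
        "ComplianceStatus": [eq("FAILED")],
        "RecordState": [eq("ACTIVE")],                   # drop findings Security Hub archived
        "WorkflowStatus": [eq("NEW"), eq("NOTIFIED")],   # drop RESOLVED and SUPPRESSED
        "ResourceType": [eq(t) for t in resource_types],
    }

def fetch_findings(securityhub):
    findings = []
    for page in securityhub.get_paginator("get_findings").paginate(Filters=security_hub_filters()):
        findings.extend(page["Findings"])
    return findings

def needs_action(f):
    """Client-side re-check of the filter, so a report built from an export stays consistent."""
    return (f.get("Compliance", {}).get("Status") == "FAILED"
            and f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")
            and any(r.get("Type") in RESOURCE_TYPES for r in f.get("Resources", [])))

def summarize(findings):
    """Counts by (resource type, severity) plus the sorted set of resources still to remediate."""
    counts, resources = Counter(), set()
    for f in findings:
        if not needs_action(f):
            continue
        sev = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        for r in f["Resources"]:
            if r.get("Type") in RESOURCE_TYPES:
                counts[(r["Type"], sev)] += 1
                resources.add(r["Id"])
    return {"counts": dict(counts), "resources": sorted(resources)}

def report_lines(findings):
    s = summarize(findings)
    rows = [f"{t},{sev},{n}" for (t, sev), n in sorted(s["counts"].items())]
    return ["resource_type,severity,open_findings"] + rows
```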
Conclusion
Automating PCI-DSS compliance with AWS Config and Security Hub, and remediating non-compliant S3 buckets and RDS instances using Lambda and SSM, is a powerful way to ensure that your AWS environment remains secure and compliant. By following the steps outlined in this article, you can set up a robust compliance automation framework that continuously monitors your resources, identifies non-compliant configurations, and automatically remediates them.
This approach not only reduces the risk of security breaches but also saves time and effort by automating repetitive tasks. With the right tools and processes in place, you can achieve and maintain PCI-DSS compliance with confidence.