

September 4, 2019

AWS Security Automation - Public Ingress Compliance Auto-Remediation (AWS Config and Lambda) - Part 2

by 4hathacker  |  in AWS SecOps at 11:00 AM

Hi folks!!!

In the previous post, we discussed SSH compliance for EC2 security groups. Feel free to have a look at it here.

We saw that it had some limitations: the AWS managed rule covers SSH only, there was no sync between AWS Config and AWS Lambda, and so on. In this post we resolve them by setting up a custom Config rule and a few tweaks to the Lambda function, so that public ingress is remediated on every port instead of SSH alone.
Public Ingress Compliance: if access to the instance on any port/protocol is restricted to the organisation's public IPs (the addresses behind its firewall/proxy), the security group is COMPLIANT; otherwise it is NON_COMPLIANT.

Using an AWS Config custom rule backed by an AWS Lambda function, we can check the public ingress of every security group in a region. The evaluation is triggered only when AWS Config records a configuration change on a security group, so there is no need to configure an AWS CloudWatch scheduled rule. Any inbound rule that allows 0.0.0.0/0 or ::/0 on any port/protocol via an EC2 security group must be removed.


1. From "Services" drop down, select "Config" and go to AWS Config Console. Select "Rules" from the left pane.

2. From the Rules panel, select "Add rule" and then click on "Add custom rule".

3. In the panel that appears, add the "Name" and "Description", then Ctrl-click "Create AWS Lambda function" (the link below the "AWS Lambda function ARN*" field) so that the Lambda console opens in a new tab and the rule form stays open.

4. Here we follow the same approach as before to create a Lambda function named "PublicIngressRemovalSecopsSGLambda", providing the basic information such as Name, Runtime and Execution role.

5. For the execution role, create a new role named "PIRSecOpsSGLambdaRole" from two policy templates: "AWS Config Rules permissions" and "Amazon SNS publish policy". The first lets the function report results back to AWS Config (config:PutEvaluations); the second grants sns:Publish for the notifications.

6. When the function is created, copy its ARN from the top of the function page and go back to the Config console tab. Paste the ARN into the Lambda function ARN field. Set the trigger type to "Configuration changes", the scope of changes to "Resources" and the resource to "EC2: SecurityGroup". Click "Save" at the bottom and proceed. If the rule later sits at "Evaluating" indefinitely and the function never logs an invocation, check that the function's resource-based policy allows the config.amazonaws.com service principal to invoke it; AWS Config cannot call the function without that permission.

7. You can see the new rule with compliance as "Evaluating".

8. Now go back to the Lambda console, click on the SNS policy and select "Manage these permissions". This opens the execution role in the IAM console.

9. We add an inline policy to "PIRSecOpsSGLambdaRole": click "Add inline policy" and write the policy. It must grant the two EC2 calls the function makes, ec2:DescribeSecurityGroups to read the group and ec2:RevokeSecurityGroupIngress to remove the public rules; neither template from step 5 includes them. Click "Review policy".

10. Name it "PIRSecopsLambdaSGPolicy" and click "Create policy".

11. You can see the policy attached to the role.
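The inline policy from step 9 is not reproduced on the page. The following is an added example of what "PIRSecopsLambdaSGPolicy" needs to contain for the function to read and prune security groups; it is not the author's policy document. ec2:DescribeSecurityGroups does not support resource-level permissions, so its resource must be "*"; ec2:RevokeSecurityGroupIngress can be scoped to the security groups of the account, and the account ID below is a placeholder to replace. config:PutEvaluations and sns:Publish are already covered by the two templates chosen in step 5.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecurityGroups",
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Sid": "RevokePublicIngress",
      "Effect": "Allow",
      "Action": "ec2:RevokeSecurityGroupIngress",
      "Resource": "arn:aws:ec2:*:123456789012:security-group/*"
    }
  ]
}
```

Keeping the revoke action scoped to security-group ARNs is what stops a bug in the function from being able to modify anything else in the account.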

"Lambda Core Logic (LCL)"

LCL-1. This is our "evaluate_compliance" function, which handles three cases:
a. Whether the resource type is in APPLICABLE_RESOURCES. If the same function backs several custom rules, this is where it filters for "AWS::EC2::SecurityGroup" (the resource type string AWS Config puts in the configuration item) and returns NOT_APPLICABLE for anything else.
b. Whether the resource still exists or has been deleted (configurationItemStatus "ResourceDeleted"); a deleted group is reported NOT_APPLICABLE.
c. If not deleted, fetch the security group details and evaluate and remediate exactly as before, for both the IPv4 (0.0.0.0/0) and IPv6 (::/0) checks.

LCL-2. This is our "sns_publish" function, which reports the remediation activity to the security team.

LCL-3. This is our main function, "lambda_handler", which acts as the controller. The interesting part is that after the evaluation it calls PutEvaluations with the resultToken from the incoming event to hand the result to AWS Config. So this Lambda function evaluates compliance on its own and then updates AWS Config with the outcome, which is what keeps the rule's compliance status in sync with what the function did.
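The three LCL functions are not reproduced on the page, so here is an added example, written for this post and not the author's own code, of a handler with the same three parts. It evaluates the group, revokes any 0.0.0.0/0 or ::/0 ingress rule while leaving other CIDRs on the same port untouched, publishes what it removed, and closes the loop with PutEvaluations. Assumed, and not from the original post: the SNS topic ARN arrives in an SNS_TOPIC_ARN environment variable, and the boto3 clients can be injected so the logic can be run offline against fakes.

```python
"""
Added example (not the blog post's own Lambda code): an AWS Config custom-rule
handler that evaluates an EC2 security group for public ingress (0.0.0.0/0 or
::/0 on any port/protocol), revokes the offending rules, notifies the security
team over SNS and reports the verdict back to AWS Config.

Assumptions (not from the original post): the SNS topic ARN is supplied in the
SNS_TOPIC_ARN environment variable, and the boto3 clients can be injected so
the logic can be exercised offline with fakes.
"""
import json
import os

APPLICABLE_RESOURCES = ("AWS::EC2::SecurityGroup",)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def find_public_ingress(ip_permissions):
    """Return one IpPermission entry per public CIDR found, in the exact shape
    revoke_security_group_ingress expects, so only that CIDR is removed and any
    organisation-owned CIDR on the same port/protocol is left alone."""
    offending = []
    for perm in ip_permissions:
        base = {"IpProtocol": perm["IpProtocol"]}
        # Protocol "-1" (all traffic) carries no port range; copy ports only when present.
        for key in ("FromPort", "ToPort"):
            if key in perm:
                base[key] = perm[key]
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") in PUBLIC_CIDRS:
                offending.append({**base, "IpRanges": [{"CidrIp": rng["CidrIp"]}]})
        for rng in perm.get("Ipv6Ranges", []):
            if rng.get("CidrIpv6") in PUBLIC_CIDRS:
                offending.append({**base, "Ipv6Ranges": [{"CidrIpv6": rng["CidrIpv6"]}]})
    return offending


def evaluate_compliance(item, ec2):
    """LCL-1: filter by resource type, skip deleted resources, then inspect and
    remediate the live group. Returns (compliance_type, annotation, revoked)."""
    if item["resourceType"] not in APPLICABLE_RESOURCES:
        return "NOT_APPLICABLE", "Not an EC2 security group", []
    if item["configurationItemStatus"] in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource deleted", []
    group_id = item["resourceId"]
    # Re-read the live group instead of trusting the configuration item: an
    # oversized change notification carries only a summary, and the live state
    # is what the revoke call will be matched against.
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    offending = find_public_ingress(group.get("IpPermissions", []))
    if not offending:
        return "COMPLIANT", "No public ingress rules", []
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=offending)
    return "NON_COMPLIANT", f"Revoked {len(offending)} public ingress rule(s)", offending


def sns_publish(sns, topic_arn, group_id, revoked):
    """LCL-2: tell the security team exactly which rules were removed."""
    if not topic_arn:
        return False
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"Public ingress removed from {group_id}"[:100],
        Message=json.dumps({"securityGroupId": group_id, "revoked": revoked}, indent=2),
    )
    return True


def lambda_handler(event, context, ec2=None, config=None, sns=None):
    """LCL-3: controller. Evaluates, remediates, notifies, and closes the loop
    with AWS Config via PutEvaluations using the event's resultToken."""
    if ec2 is None or config is None or sns is None:
        import boto3  # real clients only inside Lambda; tests inject fakes
        ec2 = ec2 or boto3.client("ec2")
        config = config or boto3.client("config")
        sns = sns or boto3.client("sns")
    invoking = json.loads(event["invokingEvent"])
    # Normal notifications carry configurationItem; oversized ones only a summary.
    item = invoking.get("configurationItem") or invoking["configurationItemSummary"]
    compliance, annotation, revoked = evaluate_compliance(item, ec2)
    if revoked:
        sns_publish(sns, os.environ.get("SNS_TOPIC_ARN"), item["resourceId"], revoked)
    config.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # AWS Config caps annotations at 256 chars
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return {"compliance": compliance, "annotation": annotation, "revoked": revoked}
```

Two points worth noting. The function reports NON_COMPLIANT for the state it observed even though it has just fixed it; the revoke call is itself a configuration change, so AWS Config invokes the rule again shortly afterwards and that second evaluation returns COMPLIANT, which leaves the remediation visible in the rule's compliance timeline. And when a security group grows large, AWS Config sends an OversizedConfigurationItemChangeNotification that carries only a summary of the item, which is why the handler accepts either key and always re-reads the live group with DescribeSecurityGroups.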

Compliance Check:

1. To check that it works, create two security groups, 4hathackerSecOpsSG and 4hathackerSecOpsSG2, with public ingress rules as below.

2. Within a few minutes (5-6 in our case) AWS Config triggers the Lambda, which evaluates compliance and updates the security groups.

3. To see what happened in the meantime, check the function's log group in AWS CloudWatch Logs. It shows the modifications the Lambda made.


Advantages over the previous setup:

1. Compared to the previous blog post, where the Lambda ran on a schedule every 2 minutes, this is much more efficient: the function runs only when a security group actually changes.

2. Lambda and AWS Config are in sync here: the function writes its verdict back with PutEvaluations, so the rule's compliance status reflects what the function actually found and fixed.

3. No dependency on AWS Config managed rules. Write your own custom rule, do the evaluation and update AWS Config.

Scope Of Improvement:

1. Use CloudFormation templates for an easy, repeatable deployment.

2. Filter the ports/protocols to suit your requirements. Here the rule is rigid: no public ingress on any port. A public-facing web tier legitimately needs 0.0.0.0/0 on 80/443, so a real deployment should take an allow-list of port/protocol pairs (for example through the rule's parameters) and revoke only rules outside it; a blanket revoke would otherwise break such services on every change.

This is all about security groups and compliance management. There are a lot of things one can try and learn in this area. I found a visual guide to best practices on the Internet2 Confluence site, which is available here.

Feel free to have a look and stay tuned for more exciting things related to AWS, Security, and Automation...

Wondering if I will start writing with Python and Core Security... Please share your views about it in comments section...



Nitin Sharma's DEV Profile