

September 2, 2019

AWS Security Automation - SSH Compliance Auto-Remediation (AWS Config and Lambda) - Part 1

by 4hathacker  |  in AWS SecOps at  11:54 AM

Hi folks!!!

In the previous series of three posts about MFA compliance, we went through a set of meaningful aspects of security compliance: how to follow along with compliance documents and how to set up an MFA compliance check in AWS. Feel free to have a look at them here.

In this post, we look at compliance management for SSH access to EC2 instances, implementing and enforcing the control through Security Groups.

SSH Compliance: if SSH access (TCP port 22) to an instance is restricted to the organization's public IPs (the addresses behind its firewall/proxy), the Security Group is COMPLIANT; if SSH is open to the world (0.0.0.0/0), it is NON-COMPLIANT.

The check itself is done by an AWS managed Config rule; an AWS Lambda function then reads the rule's evaluation results and remediates whatever is marked NON-COMPLIANT. The Lambda is triggered at a specified interval by an AWS CloudWatch Events scheduled rule.


A. Configure an AWS managed Config rule for EC2:SecurityGroup resources from the AWS Config console. If AWS Config has not been set up in this region yet, set up the service as below; otherwise, create the Config rule directly.

1. From the "Services" drop-down, type "Config" and select "AWS Config". This opens the AWS Config setup screen. If you see the dashboard shown in the image below instead, AWS Config is already set up; if not, follow the steps below.

2. In the left panel, select "Settings". Under the resource types to record, choose "Specific types" and select "EC2:SecurityGroup" (resource type AWS::EC2::SecurityGroup). Note that AWS Config is a regional service, so only the Security Groups in this region will be recorded. Select the "Create a bucket" option and fill in the bucket name you want for the configuration history, select the AWS Config service-linked role, and move forward.

3. In the Rules tab, search for the restricted-ssh managed rule (rule identifier INCOMING_SSH_DISABLED), select it, and move forward.

4. Click "Confirm" at the bottom of the Review panel.

B. Write a Lambda function, and a CloudWatch Events scheduled rule to trigger it, that checks the rule's compliance results and remediates at a specified interval.

"Core Logic for SecOpsRemediateSGLambda function" 
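The function body itself did not survive on this page. What follows is an added example, written for this edit rather than taken from the author's SecOpsRemediateSGLambda, of the core logic such a function needs: ask AWS Config which Security Groups the restricted-ssh rule currently evaluates as NON_COMPLIANT, revoke only the world-open sources of the rules that cover port 22 (so a rule that also admits the organization's proxy range keeps that range), and notify SecOps only if something was actually removed. It goes one step beyond the post by revoking the IPv6 any-address ::/0 as well as 0.0.0.0/0. The environment variable names CONFIG_RULE_NAME and SNS_TOPIC_ARN are assumptions; the boto3 calls are real APIs, and the role needs ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, config:GetComplianceDetailsByConfigRule and sns:Publish. The sample IpPermissions list at the bottom is constructed, modeled on the four-rule demo group of section D (three world-open SSH sources, one corporate range) with an HTTPS rule added to show that non-SSH ports are left alone.

```python
"""Core logic for a scheduled SSH-compliance remediation Lambda.

Added example, not the author's SecOpsRemediateSGLambda code. Assumed
environment variables: CONFIG_RULE_NAME (defaults to "restricted-ssh") and
SNS_TOPIC_ARN (the SecOps topic). boto3 is imported inside lambda_handler so
the rule-matching logic can be exercised offline on a constructed list.
"""
import json
import os

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"  # the post's Lambda stopped at IPv4; this example revokes ::/0 too


def covers_ssh(perm):
    """True if one IpPermissions entry admits TCP/22.

    "-1" means all protocols and ports; a tcp rule counts if its port range
    includes 22 (a 0-65535 rule is as open as an explicit 22-22 one).
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def ssh_open_to_world(ip_permissions):
    """Build the IpPermissions list to pass to revoke_security_group_ingress.

    Only the world-open CIDRs of rules that cover port 22 are listed, so the
    revoke removes the offending source and leaves other sources in place.
    """
    to_revoke = []
    for perm in ip_permissions:
        if not covers_ssh(perm):
            continue
        v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
              if r.get("CidrIp") == ANY_IPV4]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
              if r.get("CidrIpv6") == ANY_IPV6]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent on "-1" (all traffic) rules
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        to_revoke.append(entry)
    return to_revoke


def noncompliant_group_ids(config_client, rule_name):
    """Resource IDs the Config rule currently evaluates as NON_COMPLIANT."""
    ids = []
    paginator = config_client.get_paginator("get_compliance_details_by_config_rule")
    for page in paginator.paginate(ConfigRuleName=rule_name,
                                   ComplianceTypes=["NON_COMPLIANT"]):
        for result in page.get("EvaluationResults", []):
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            ids.append(qualifier["ResourceId"])
    return ids


def lambda_handler(event, context):
    import boto3  # imported here so the functions above stay AWS-free for testing

    rule_name = os.environ.get("CONFIG_RULE_NAME", "restricted-ssh")
    topic_arn = os.environ.get("SNS_TOPIC_ARN")
    ec2 = boto3.client("ec2")

    group_ids = noncompliant_group_ids(boto3.client("config"), rule_name)
    if not group_ids:
        return {"remediated": []}

    # A filter (rather than GroupIds=) tolerates groups deleted after Config
    # last evaluated them; GroupIds= would raise InvalidGroup.NotFound.
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-id", "Values": group_ids}])["SecurityGroups"]

    actions = []
    for sg in groups:
        offending = ssh_open_to_world(sg.get("IpPermissions", []))
        if not offending:
            continue  # stale Config result, or someone already fixed the group
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=offending)
        actions.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                        "Revoked": offending})
        print(json.dumps({"remediated": sg["GroupId"], "revoked": offending}))

    # Notify SecOps only when a rule was actually removed, as the post does.
    if actions and topic_arn:
        boto3.client("sns").publish(TopicArn=topic_arn,
                                    Subject="SSH compliance remediation performed",
                                    Message=json.dumps(actions, indent=2))
    return {"remediated": actions}


# Constructed sample, not real account data: four SSH sources (three world-open,
# one corporate proxy range) plus an HTTPS rule that must be left alone.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"},
                  {"CidrIp": "203.0.113.0/24", "Description": "corp proxy"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    print(json.dumps(ssh_open_to_world(SAMPLE_PERMISSIONS), indent=2))
```

Running the module locally prints the three revoke entries for the sample group: the 0.0.0.0/0 source of the port-22 rule (the 203.0.113.0/24 source survives), the all-traffic rule, and the ::/0 source. The handler trusts Config's verdict only as a worklist; it re-reads the live group and recomputes what to revoke, which is what protects you from acting on a stale evaluation.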

1. Go to AWS Lambda from the "Services" drop-down and select "Create Function". Fill in the fields as shown in the images below.

 Note: when creating the execution role from policy templates, select "AWS Config Rules permissions" and "AWS SNS Publish policy".

2. After selecting "Create Function", you should see the new function "SecOpsRemediateSGLambda" as below.

3. For the remediation action, the function's execution role needs an inline policy with the permissions shown below: describing Security Groups and revoking ingress rules (ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress).

Note: do not attach the AWS managed policy AmazonEC2FullAccess to the Lambda's role. It is always best practice to grant only the permissions required to perform the action; a function that removes ingress rules has no business launching instances or modifying anything else in EC2.
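The inline policy from the image is not reproduced on this page. The following is an added illustration of what a least-privilege inline policy for this role can look like, not the author's policy. It grants the two EC2 actions the remediation needs and the Config read the function uses to fetch evaluation results (keep that statement if the "AWS Config Rules permissions" template on the role does not already cover it). ec2:DescribeSecurityGroups does not support resource-level scoping, so its Resource must be "*"; the revoke is scoped to security groups in the account, and the account id 123456789012 is a placeholder to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecurityGroups",
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Sid": "RemoveOffendingIngressRules",
      "Effect": "Allow",
      "Action": "ec2:RevokeSecurityGroupIngress",
      "Resource": "arn:aws:ec2:*:123456789012:security-group/*"
    },
    {
      "Sid": "ReadConfigRuleEvaluations",
      "Effect": "Allow",
      "Action": "config:GetComplianceDetailsByConfigRule",
      "Resource": "*"
    }
  ]
}
```

No ec2:AuthorizeSecurityGroupIngress, no Delete*, no instance actions: if the function or its credentials are ever abused, the blast radius is limited to removing ingress rules.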

4. Now add a CloudWatch Events scheduled rule as the trigger for this Lambda. Click "Add Trigger" in the Lambda console for "SecOpsRemediateSGLambda", fill in the details (rule name and the rate or cron schedule expression for the interval you want) as shown in the image below, and move forward.

Keep the trigger disabled for now and enable it when testing.

C. Set up an SNS topic to notify the SecOps team whenever the Lambda remediates a NON-COMPLIANT Security Group. We already created this topic in the previous posts; feel free to look back.

D. Set up a demo Security Group (4hathackerSecOpsSG) to test that the flow works end to end and that the remediation action removes the offending SG rules.


1. Add 4 rules to the demo security group 4hathackerSecOpsSG.

2. Of the rules attached as below, three are non-compliant and one is compliant.

3. After some time, AWS Config evaluates the resource and the Config Rules page shows it as NON-COMPLIANT. On its next scheduled run, our Lambda picks this up and takes the remediation action.

4. The CloudWatch log events show the actions taken by the Lambda function to restore compliance. Note that the SNS notification is only sent when the Lambda actually performs a remediation action.

5. After the Lambda remediation, go back to the Security Group and observe that the non-compliant rules have been removed.


No manual action is required from the SecOps/security team to find Security Groups with SSH open to the world. End to end, the remediation takes only 3-5 minutes; how long exactly depends on when the Config rule evaluates the change and on the interval of the Lambda's scheduled trigger.

Scope of Improvement:

1. The Lambda and the Config rule are not synchronized: each acts as a separate entity, with the Lambda polling on a schedule rather than reacting to a change in a Security Group's configuration. A tighter design would have the Lambda triggered by the Config evaluation itself (for example via the "Config Rules Compliance Change" CloudWatch event) and remediate immediately instead of waiting for the next scheduled run.

2. The remediation only covers the IPv4 any-address CIDR 0.0.0.0/0, not the IPv6 equivalent ::/0.

3. There is a dependency on the AWS managed Config rule restricted-ssh, which is fine in this case. But what about other administrative ports for protocols such as FTP, SMTP and RDP? AWS Config has no managed rule per port for all of these (the managed rule restricted-common-ports can check a handful of configurable ports, but the remediation side still has to handle them), so the use case needs to be made generic.

4. AWS Config being regional, we are monitoring Security Groups in a single AWS region only. The Config rule, Lambda and trigger need to be deployed to every region where our applications run, which calls for a generic CloudFormation template like the one we built for MFA compliance. Feel free to create your own template for this.

In the next post, we will see how to generalize this compliance management to other admin ports. Till then, stay tuned!!!


Nitin Sharma's DEV Profile