FMS Shield Resource Policy Should Be Enabled
More Info:
Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection. It also checks if they have web ACL associated for Application Load Balancer and Amazon CloudFront distributions.
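The check described above, as an added example that is not part of this page or of the auditing tool: evaluate() applies the rule to a constructed inventory of resource ARNs, while collect_from_aws() is an assumed boto3 wrapper that feeds it live Shield protections and WAFv2 web ACL associations (it needs AWS credentials; CloudFront web ACLs are not read by it).

```python
from typing import Dict, Iterable, List, Optional, Tuple

def classify(arn: str) -> Optional[str]:
    """Map a resource ARN to a kind this check covers (alb, elb, cloudfront, eip) or None."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return None
    service, resource = parts[2], parts[5]
    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/app/"):
        return "alb"
    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/"):
        return "elb"
    if service == "cloudfront" and resource.startswith("distribution/"):
        return "cloudfront"
    if service == "ec2" and resource.startswith("eip-allocation/"):
        return "eip"
    return None

def evaluate(resource_arns: Iterable[str], protected_arns: Iterable[str],
             web_acl_by_arn: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return (arn, finding) pairs for in-scope resources that fail the check."""
    protected = set(protected_arns)
    findings = []
    for arn in resource_arns:
        kind = classify(arn)
        if kind is None:
            continue  # resource type not covered by this check
        if arn not in protected:
            findings.append((arn, "no Shield protection"))
        # ALBs and CloudFront distributions must also have a web ACL associated
        if kind in ("alb", "cloudfront") and not web_acl_by_arn.get(arn, False):
            findings.append((arn, "no web ACL associated"))
    return findings

def collect_from_aws(resource_arns: List[str]) -> List[Tuple[str, str]]:
    """Feed evaluate() with live Shield and WAFv2 state (assumed wrapper; needs credentials)."""
    import boto3  # imported here so evaluate() stays usable offline
    shield, wafv2 = boto3.client("shield"), boto3.client("wafv2")
    protected, kwargs = [], {}
    while True:  # ListProtections pages with NextToken
        page = shield.list_protections(**kwargs)
        protected.extend(p["ResourceArn"] for p in page.get("Protections", []))
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    # Regional resources only: WAFv2 omits the WebACL key when nothing is associated
    web_acl = {a: "WebACL" in wafv2.get_web_acl_for_resource(ResourceArn=a)
               for a in resource_arns if classify(a) == "alb"}
    return evaluate(resource_arns, protected, web_acl)
```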
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of not having FMS Shield Resource Policy enabled for AWS CloudWatch using the AWS Management Console, follow these steps:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to AWS CloudWatch: Click on the “Services” dropdown at the top of the page, then select “CloudWatch” under the Management & Governance section.
- Enable FMS Shield Resource Policy:
  - In the CloudWatch console, click on “Alarms” in the left-hand navigation pane.
  - Click on the alarm that you want to enable FMS Shield Resource Policy for.
  - In the alarm details page, click on the “Actions” dropdown and select “Edit”.
  - Scroll down to the “FMS Shield Resource Policy” section.
  - Click on the toggle button to enable the FMS Shield Resource Policy.
  - Click on the “Save” button to apply the changes.
- Verify the FMS Shield Resource Policy is enabled:
  - Once you have enabled the FMS Shield Resource Policy for the alarm, you can verify that it is enabled by checking the alarm details and ensuring that the FMS Shield Resource Policy toggle is set to enabled.
By following these steps, you should be able to remediate the misconfiguration of not having FMS Shield Resource Policy enabled for AWS CloudWatch using the AWS Management Console.
To enable FMS Shield Resource Policy for AWS CloudWatch using AWS CLI, follow these steps:
- Open your terminal and ensure that you have the AWS CLI installed and configured with the necessary permissions to make changes to AWS resources.
- Run the following AWS CLI command to enable FMS Shield Resource Policy for AWS CloudWatch (put-policy takes the Firewall Manager policy as a JSON document):
  aws fms put-policy --policy '{"PolicyName":"FMS-Shield-Policy","SecurityServicePolicyData":{"Type":"SHIELD_ADVANCED"},"ResourceType":"RESOURCE_TYPE","ExcludeResourceTags":false,"RemediationEnabled":true}'
  Replace RESOURCE_TYPE with the type of AWS resource you want to protect (e.g., AWS::CloudWatch::Alarm); Firewall Manager then applies the policy to every in-scope resource of that type.
- Verify that the FMS Shield Resource Policy has been successfully enabled for AWS CloudWatch by running the following command:
aws fms list-policies
You should see the newly created policy in the list of policies returned by this command.
By following these steps, you should be able to remediate the misconfiguration and enable FMS Shield Resource Policy for AWS CloudWatch using AWS CLI.
To remediate the misconfiguration of FMS Shield Resource Policy not being enabled for AWS CloudWatch using Python, you can use the AWS SDK for Python (Boto3) to update the resource policy. Here are the step-by-step instructions:
- Install Boto3: If you haven’t already installed Boto3, you can install it using pip:
  pip install boto3
- Create a Python script with the following code to enable the FMS Shield Resource Policy for CloudWatch:
  import boto3

  def enable_fms_shield_policy():
      # Create a Firewall Manager client; FMS Shield policies are managed through
      # the fms API (the account must be the FMS administrator with Shield Advanced)
      fms_client = boto3.client('fms')
      # Put a Shield Advanced policy; Firewall Manager then protects every
      # in-scope resource of the given type
      response = fms_client.put_policy(
          Policy={
              'PolicyName': 'FMS-Shield-Policy',
              'SecurityServicePolicyData': {'Type': 'SHIELD_ADVANCED'},
              # One of the resource types covered by this check
              'ResourceType': 'AWS::ElasticLoadBalancingV2::LoadBalancer',
              'ExcludeResourceTags': False,
              'RemediationEnabled': True,
          }
      )
      print('FMS Shield Resource Policy has been enabled for CloudWatch.')
      return response

  if __name__ == '__main__':
      enable_fms_shield_policy()
- Run the Python script: Save the Python script with a .py extension and run it using the Python interpreter. Make sure your AWS credentials are properly configured on your system.
  python enable_fms_shield_policy.py
- Verify the policy: After running the script, verify that the FMS Shield Resource Policy has been successfully enabled for CloudWatch by checking the AWS Firewall Manager console or by listing the Firewall Manager policies using the AWS CLI:
  aws fms list-policies
By following these steps, you can remediate the misconfiguration of the FMS Shield Resource Policy not being enabled for AWS CloudWatch using Python and Boto3.