Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration of not having FMS Shield Resource Policy enabled for AWS CloudWatch using the AWS Management Console, follow these steps:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to AWS CloudWatch: Click on the “Services” dropdown at the top of the page, then select “CloudWatch” under the Management & Governance section.
- Enable FMS Shield Resource Policy:
  - In the CloudWatch console, click on “Alarms” in the left-hand navigation pane.
  - Click on the alarm that you want to enable FMS Shield Resource Policy for.
  - In the alarm details page, click on the “Actions” dropdown and select “Edit”.
  - Scroll down to the “FMS Shield Resource Policy” section.
  - Click on the toggle button to enable the FMS Shield Resource Policy.
  - Click on the “Save” button to apply the changes.
- Verify the FMS Shield Resource Policy is enabled:
  - Once you have enabled the FMS Shield Resource Policy for the alarm, you can verify that it is enabled by checking the alarm details and ensuring that the FMS Shield Resource Policy toggle is set to enabled.
Using CLI
To enable FMS Shield Resource Policy for AWS CloudWatch using AWS CLI, follow these steps:
- Open your terminal and ensure that you have the AWS CLI installed and configured with the necessary permissions to make changes to AWS resources.
- Run the following AWS CLI command to enable FMS Shield Resource Policy for AWS CloudWatch:
  Replace RESOURCE_TYPE with the type of AWS resource you want to protect (e.g., AWS::CloudWatch::Alarm) and RESOURCE_ID with the specific resource ID you want to apply the policy to.
- Verify that the FMS Shield Resource Policy has been successfully enabled for AWS CloudWatch by running the following command:
  You should see the newly created policy in the list of policies returned by this command.
By following these steps, you should be able to remediate the misconfiguration and enable FMS Shield Resource Policy for AWS CloudWatch using AWS CLI.
Using Python
To remediate the misconfiguration of FMS Shield Resource Policy not being enabled for AWS CloudWatch using Python, you can use the AWS SDK for Python (Boto3) to update the resource policy. Here are the step-by-step instructions:
- Install Boto3:
  If you haven’t already installed Boto3, you can install it using pip:
- Create a Python script with the following code to enable the FMS Shield Resource Policy for CloudWatch:
- Run the Python script:
  Save the Python script with a .py extension and run it using the Python interpreter. Make sure your AWS credentials are properly configured on your system.
- Verify the policy:
  After running the script, verify that the FMS Shield Resource Policy has been successfully enabled for CloudWatch by checking the CloudWatch console or by listing the CloudWatch resource policies using the AWS CLI: