CSPM security violation findings' Auto-Remediation for AWS


In this article we’ll demonstrate how you can implement automatic remediation for security posture violation findings discovered by Netskope Cloud Security Posture Management (CSPM).


Netskope CSPM continuously assesses public cloud deployments to mitigate risk, detect threats, scan and protect sensitive data, and monitor for regulatory compliance. Netskope simplifies the discovery of security misconfigurations across your clouds. The Netskope Auto-Remediation framework for AWS enables you to automatically mitigate the risk associated with these misconfigurations in your AWS cloud environment.


Netskope CSPM security assessment results for security benchmark standards such as NIST, CIS and PCI DSS, as well as for your custom rules, are available via the View Security Assessment Violations Netskope API.

The Netskope Auto-Remediation solution for AWS deploys a set of AWS Lambda functions that query the above Netskope API at scheduled intervals and mitigate supported violations automatically.

You can deploy the framework as is or customize it to mitigate other security violations and to meet your specific organization’s security requirements.


The source code and deployment instructions are available in the GitHub repository.


Note that you need to deploy this solution in each AWS region you have opted in to. It is recommended to deploy the remediation functions in a delegated security management account. You can choose to deploy them in the same account that is used as the delegated administrator for Amazon GuardDuty or AWS Security Hub, or in another delegated AWS account. Following AWS security best practices, it is not recommended to deploy the solution in the AWS Organizations management account. Deployment of the remediation functions is done using the AWS-autoremediation CloudFormation template.

To remediate security violation findings across all of your organization's accounts, you need to deploy the cross-account AWS IAM roles on all accounts, including the delegated security management account. The cross-account roles are deployed using the AWS-autoremediation-target CloudFormation template. You can deploy it using an AWS CloudFormation StackSet or your own cloud orchestration tools.

As a prerequisite, you need to enable AWS Systems Manager (AWS SSM) on all of your accounts and AWS regions. AWS SSM Automation is used to remediate violations of compliance rules such as rule 4.1 of the CIS AWS Foundations standard, "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22".






While this framework can be used to mitigate multiple violations, we'll show you how to automatically mitigate violation 2.9 of the CIS AWS Foundations standard – Ensure VPC flow logging is enabled in all VPCs.


Below we assume you have already configured Netskope CSPM Continuous Security Assessment for Amazon Web Services for your AWS accounts and included the AWS CIS Foundations Benchmark in your Security Assessment Policy.


Setting Up


Follow the deployment steps in the GitHub repository: deploy the solution in your AWS delegated security management account and deploy the cross-account AWS IAM roles on all AWS accounts.


The solution deploys the GetNetskopeCSPMResults Lambda function and a corresponding AWS CloudWatch scheduled rule that queries the Netskope View Security Assessment Violations API.

When violations of CIS rule 2.9 in the current AWS region are found in the API response, the GetNetskopeCSPMResults Lambda function stores them in the AssesmentResultsS3Bucket, which has an Amazon S3 trigger configured to call the CIS12029VPCFlowLogsLambda Lambda function. This Lambda function reads the violations from the file, verifies that the resource is still not compliant, and configures VPC flow logs if required. Cross-account IAM roles are used to remediate violations across the organization's accounts.
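To make the remediation flow concrete, here is an added example of the core logic such a remediation function needs; it is not the project's own code from the GitHub repository. The violations-file layout, the field names (`rule`, `account_id`, `region`, `resource_id`), the role names, the log group and the VPC IDs are constructed assumptions. The EC2, STS and S3 calls are the real boto3 operations (`describe_flow_logs`, `create_flow_logs`, `assume_role`, `get_object`), but the logic is written against an injectable client so the re-check-then-remediate step can be exercised offline with a small fake.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of the violations file that the polling Lambda is assumed
# to write to S3. The field names are assumptions, not Netskope's schema.
SAMPLE_VIOLATIONS_FILE = json.dumps([
    {"rule": "CIS 2.9", "account_id": "111111111111", "region": "us-east-1",
     "resource_id": "vpc-0a1b2c3d4e5f60001"},
    {"rule": "CIS 2.9", "account_id": "111111111111", "region": "us-east-1",
     "resource_id": "vpc-0a1b2c3d4e5f60002"},
    {"rule": "CIS 4.1", "account_id": "111111111111", "region": "us-east-1",
     "resource_id": "sg-0123456789abcdef0"},
])

# Placeholders (assumed names): the cross-account remediation role deployed in
# every target account, and the IAM role Flow Logs uses to write to CloudWatch Logs.
TARGET_ROLE_NAME = "NetskopeAutoRemediationTargetRole-PLACEHOLDER"
DELIVERY_ROLE_ARN = "arn:aws:iam::111111111111:role/FlowLogsDeliveryRole-PLACEHOLDER"
LOG_GROUP = "/netskope/vpc-flow-logs"


def parse_violations(body: str, rule: str = "CIS 2.9") -> List[Dict[str, str]]:
    """Keep only the findings for the rule this function handles."""
    return [v for v in json.loads(body) if v.get("rule") == rule]


def vpc_has_flow_logs(ec2: Any, vpc_id: str) -> bool:
    """Re-check compliance before acting: a finding from a scheduled poll may be stale."""
    resp = ec2.describe_flow_logs(Filters=[{"Name": "resource-id", "Values": [vpc_id]}])
    return any(fl.get("FlowLogStatus") == "ACTIVE" for fl in resp.get("FlowLogs", []))


def remediate(ec2: Any, violations: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Enable Flow Logs (ALL traffic, to CloudWatch Logs) on each still-non-compliant VPC.
    Returns (vpc_id, outcome) pairs for the audit trail."""
    outcomes = []
    for v in violations:
        vpc_id = v["resource_id"]
        if vpc_has_flow_logs(ec2, vpc_id):
            outcomes.append((vpc_id, "already-compliant"))
            continue
        resp = ec2.create_flow_logs(
            ResourceIds=[vpc_id], ResourceType="VPC", TrafficType="ALL",
            LogDestinationType="cloud-watch-logs", LogGroupName=LOG_GROUP,
            DeliverLogsPermissionArn=DELIVERY_ROLE_ARN)
        outcomes.append((vpc_id, "failed" if resp.get("Unsuccessful") else "remediated"))
    return outcomes


def assumed_ec2_client(account_id: str, region: str) -> Any:
    """Build an EC2 client in the target account via the cross-account role (needs boto3)."""
    import boto3  # imported here so the module loads without boto3 for the offline demo
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{TARGET_ROLE_NAME}",
        RoleSessionName="cspm-autoremediation")["Credentials"]
    return boto3.client("ec2", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def lambda_handler(event: Dict[str, Any], context: Any) -> List[Tuple[str, str]]:
    """S3-trigger entry point: read each uploaded violations file and remediate per account/region."""
    import boto3
    s3 = boto3.client("s3")
    outcomes: List[Tuple[str, str]] = []
    for rec in event["Records"]:
        obj = s3.get_object(Bucket=rec["s3"]["bucket"]["name"], Key=rec["s3"]["object"]["key"])
        for v in parse_violations(obj["Body"].read().decode("utf-8")):
            outcomes += remediate(assumed_ec2_client(v["account_id"], v["region"]), [v])
    return outcomes


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client (constructed for the offline demo)."""
    def __init__(self, vpcs_with_logs: List[str]):
        self.flow_logs = {v: "ACTIVE" for v in vpcs_with_logs}
        self.created: List[str] = []

    def describe_flow_logs(self, Filters):
        vpc = Filters[0]["Values"][0]
        logs = [{"ResourceId": vpc, "FlowLogStatus": self.flow_logs[vpc]}] if vpc in self.flow_logs else []
        return {"FlowLogs": logs}

    def create_flow_logs(self, **kwargs):
        for vpc in kwargs["ResourceIds"]:
            self.flow_logs[vpc] = "ACTIVE"
            self.created.append(vpc)
        return {"FlowLogIds": [f"fl-{len(self.created):017x}"], "Unsuccessful": []}


def demo() -> List[Tuple[str, str]]:
    """Run the remediation logic against the sample file; VPC ...0001 is already compliant."""
    ec2 = FakeEC2(["vpc-0a1b2c3d4e5f60001"])
    return remediate(ec2, parse_violations(SAMPLE_VIOLATIONS_FILE))


if __name__ == "__main__":
    for vpc_id, outcome in demo():
        print(vpc_id, outcome)
```

The re-check in `vpc_has_flow_logs` is the important design point: because findings arrive from a scheduled poll, a VPC may already have been fixed by an operator or by an earlier run, and remediating blindly would create duplicate flow logs. Keeping the AWS calls behind an injected client also lets you unit-test the decision logic without credentials, and the `lambda_handler` is where the cross-account role assumption for each target account and region happens.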

See it in action.


Let’s take a look at the non-compliant AWS VPC that doesn’t have VPC Flow Logs provisioned:





The GetNetskopeCSPMResults Lambda function has been triggered by the CloudWatch scheduled rule and has retrieved the corresponding violation from the Netskope API:





GetNetskopeCSPMResults saves the violations file in the S3 bucket:






This triggers the CIS12029VPCFlowLogsLambda Lambda function, which provisions VPC Flow Logs for the corresponding VPC:






Now let's take another look at the VPC: it now has Flow Logs provisioned:






You've just seen how you can use the Netskope Auto-Remediation Framework to automatically mitigate security violation findings discovered by Netskope CSPM. You can easily deploy the other supported remediations or develop your own remediation functions based on this example.