To write a new remediation, follow the steps below.
Currently, custom automatic remediations are only possible with "from source" deployments. If you have a pre-packaged deployment, you can deploy a "from source" deployment on top of it.
In the ./internal/compliance/remediation_aws/src/app/remediations folder inside the Panther repo, add a Python file called aws_<service>_name_of_remediation with the following structure:

```python
from typing import Any, Dict

from boto3 import Session

from .remediation import Remediation
from .remediation_base import RemediationBase


@Remediation
class AwsNameOfRemediation(RemediationBase):
    """Remediation that does something to help with your security!"""

    # The unique identifier to be referenced in Policies
    @classmethod
    def _id(cls) -> str:
        return 'Service.NameOfRemediation'

    # Any custom parameters needed to set the resource in the correct state
    @classmethod
    def _parameters(cls) -> Dict[str, str]:
        return {}

    # The API call to fix the resource
    @classmethod
    def _fix(cls, session: Session, resource: Dict[str, Any], parameters: Dict[str, str]) -> None:
        session.client('<service>').action(Some='Parameters')
```
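A complete remediation built on that skeleton, added here as an example rather than code from the Panther repo: it applies an S3 Public Access Block (the s3:PutBucketPublicAccessBlock action the role below already grants), validates the string parameters a Policy may pass, and registers itself under the id that Policies reference. The `Remediation` decorator, `RemediationBase`, the `resource['Name']` key and the `remediate` dispatcher are stand-ins assumed so the file runs on its own; in the repo the first two are imported from `.remediation` and `.remediation_base` instead.

```python
from typing import Any, Dict
# Stand-ins for Panther's `Remediation` decorator and `RemediationBase` (shape assumed) so this
# runs without the Panther repo; the real module imports them from .remediation/.remediation_base.
REGISTRY: Dict[str, type] = {}

def Remediation(cls: type) -> type:
    REGISTRY[cls._id()] = cls  # register under the id that Policies reference
    return cls

class RemediationBase:
    @classmethod
    def _id(cls) -> str:
        raise NotImplementedError
    @classmethod
    def _parameters(cls) -> Dict[str, str]:
        return {}
    @classmethod
    def _fix(cls, session: Any, resource: Dict[str, Any], parameters: Dict[str, str]) -> None:
        raise NotImplementedError

FLAGS = ('BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets')

@Remediation
class AwsS3BlockPublicAccess(RemediationBase):
    """Apply an S3 Public Access Block (needs s3:PutBucketPublicAccessBlock in PantherRemediationRole)."""
    @classmethod
    def _id(cls) -> str:
        return 'S3.BlockPublicAccess'
    @classmethod
    def _parameters(cls) -> Dict[str, str]:
        return {flag: 'true' for flag in FLAGS}  # strings; a Policy may override a flag with 'false'
    @classmethod
    def _fix(cls, session: Any, resource: Dict[str, Any], parameters: Dict[str, str]) -> None:
        config = {}
        for flag in FLAGS:
            value = parameters.get(flag, 'true').strip().lower()
            if value not in ('true', 'false'):  # refuse anything but an explicit boolean
                raise ValueError(f'{flag} must be "true" or "false", got {value!r}')
            config[flag] = value == 'true'
        # resource['Name'] is assumed to hold the bucket name in Panther's resource dict
        session.client('s3').put_public_access_block(
            Bucket=resource['Name'], PublicAccessBlockConfiguration=config)

def remediate(remediation_id: str, session: Any, resource: Dict[str, Any], overrides: Dict[str, str]) -> Dict[str, str]:
    """Look up a registered remediation, merge Policy overrides over its defaults and run _fix."""
    cls = REGISTRY[remediation_id]
    parameters = {**cls._parameters(), **overrides}
    cls._fix(session, resource, parameters)
    return parameters
```

Passing a real `boto3.Session()` as `session` performs the call against AWS; any object exposing `client('s3').put_public_access_block(...)` can stand in for it when testing.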
After the code is written, make sure to update the PantherRemediationRole role Policy in both CloudFormation and Terraform:

```yaml
RemediationRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub PantherRemediationRole-${MasterAccountRegion} # DO NOT CHANGE! backend.yml CF depends on this name
    Description: The Panther master account assumes this role for automatic remediation of policy violations
    Policies:
      - PolicyName: AllowRemediativeActions
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - cloudtrail:CreateTrail
                - cloudtrail:StartLogging
                - cloudtrail:UpdateTrail
                - dynamodb:UpdateTable
                - ec2:CreateFlowLogs
                - ec2:StopInstances
                - ec2:TerminateInstances
                - ec2:ModifyImageAttribute
                - guardduty:CreateDetector
                - iam:CreateAccessKey
                - iam:CreateServiceLinkedRole
                - iam:DeleteAccessKey
                - iam:UpdateAccessKey
                - iam:UpdateAccountPasswordPolicy
                - kms:EnableKeyRotation
                - logs:CreateLogDelivery
                - rds:ModifyDBInstance
                - rds:ModifyDBSnapshotAttribute
                - s3:PutBucketAcl
                - s3:PutBucketPublicAccessBlock
                - s3:PutBucketVersioning
                - s3:PutBucketLogging
                - s3:PutEncryptionConfiguration
              Resource: '*'
```
Deploy your branch
Add your new Remediation to an existing or new Policy
Click the Remediate button on a Resource
Check the /aws/lambda/panther-aws-remediation log group in CloudWatch if the remediation fails or reports errors.