Install Lacework Remediate CLI Component

Lacework Remediate CLI is a tool for interacting with and resolving security alerts associated with resource compliance policy violations in your AWS infrastructure. It offers pre-built remediation templates that assess each alert and provide command-line remediation guidance for addressing specific issues.

Prerequisites

note

We recommend using the latest CLI versions for both Lacework and AWS.

To access AWS resources, you need an AWS account, IAM credentials, and an IAM access key pair.

Compatibility

The Lacework remediate component does not support the Windows operating system.

Install the Lacework Remediate CLI Component

To install the Lacework Remediate CLI component, run the following command:

lacework component install remediate

Upon successful completion, you should see the following text:

❯ lacework component install remediate
[✓] Component remediate found
[✓] Component remediate installed
[✓] Component signature verified
[✓] Component configured

Installation completed.

Having installed the 'remediate' component you unlocked a new command:

lacework remediate alert <alert_id>

You have also unlocked a new flag for existing commands like:

lacework alert list --fixable

Try running one of these commands!

Create an IAM Role with Least Privileges (Optional)

As a best practice, we recommend creating a dedicated IAM role that you assume whenever you run remediations. This role can be assigned the least set of permissions needed to carry out remediations.

To get the least-privilege policy, run the following command:

lacework remediate show-policy aws-iam

This prints out an AWS IAM policy with the smallest set of privileges necessary to carry out remediations.

note

The output of this command is likely to change as Lacework adds more remediations. Make sure you use the latest output of the show-policy subcommand whenever you update the Lacework CLI or lacework remediate CLI component.

Next, create an AWS policy from the output:

lacework remediate show-policy aws-iam > remediation-policy.json
aws iam create-policy --policy-name lw_remediation --policy-document file://remediation-policy.json

Create a role for remediation using the AWS CLI:

aws iam create-role --role-name lacework-remediation --assume-role-policy-document file://trust-policy.json

where trust-policy.json is the policy that determines who can assume that role, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:group/devops"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach the least privilege policy above to the role as follows:

aws iam attach-role-policy --role-name lacework-remediation --policy-arn arn:aws:iam::123456789012:policy/lw_remediation
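The policy and role steps above, as an added example script that is not part of the Lacework documentation or CLI: it creates the policy and role if they are missing and, because the show-policy output changes over time, publishes a new default policy version whenever the emitted document differs from the one currently attached. It assumes the aws and lacework CLIs and jq are installed, that the credentials may create IAM resources, and that TRUST_PRINCIPAL is a placeholder role ARN you replace with the identity that should assume the role.

```shell
#!/usr/bin/env bash
# Assumes: aws + lacework CLIs and jq installed; credentials may create IAM resources.
set -eu
POLICY_NAME="${POLICY_NAME:-lw_remediation}"
ROLE_NAME="${ROLE_NAME:-lacework-remediation}"
# Placeholder principal (assumption): replace with the role or user that should assume the role.
TRUST_PRINCIPAL="${TRUST_PRINCIPAL:-arn:aws:iam::123456789012:role/devops-operator}"
# Trust policy deciding who may assume the remediation role.
trust_policy_json() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"%s"},"Action":"sts:AssumeRole"}]}\n' "$1"
}
# ARN of a customer-managed policy in the given account.
policy_arn() { printf 'arn:aws:iam::%s:policy/%s' "$1" "$2"; }

# Create the managed policy if missing; otherwise publish a new default version when the
# document emitted by show-policy has changed, so the role never keeps stale privileges.
sync_policy() {
  local account="$1" arn doc current
  arn=$(policy_arn "$account" "$POLICY_NAME")
  doc=$(mktemp)
  lacework remediate show-policy aws-iam | jq -S . > "$doc"
  [ -s "$doc" ] || { echo "show-policy produced no policy document" >&2; return 1; }
  if ! aws iam get-policy --policy-arn "$arn" >/dev/null 2>&1; then
    aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "file://$doc" >/dev/null
    return
  fi
  current=$(aws iam get-policy --policy-arn "$arn" --query Policy.DefaultVersionId --output text)
  if ! aws iam get-policy-version --policy-arn "$arn" --version-id "$current" \
       --query PolicyVersion.Document --output json | jq -S . | cmp -s - "$doc"; then
    aws iam create-policy-version --policy-arn "$arn" --policy-document "file://$doc" --set-as-default >/dev/null
  fi
}

# Create the role if needed, then attach the policy (attach-role-policy is idempotent).
ensure_role() {
  local account="$1"
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy_json "$TRUST_PRINCIPAL")" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$(policy_arn "$account" "$POLICY_NAME")"
}

# Only touch AWS when invoked as `./setup.sh apply`; the helpers above can be sourced alone.
if [ "${1:-}" = "apply" ]; then
  ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
  sync_policy "$ACCOUNT"
  ensure_role "$ACCOUNT"
fi
```

IAM keeps at most five versions of a managed policy, so once the limit is reached delete an old non-default version with aws iam delete-policy-version before the next refresh.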

Configure the Lacework CLI to Assume a Role

You can specify which AWS profile to use and which role to assume when running lacework remediate by using the following command:

lacework remediate configure

Step through the questions as they appear:

Existing settings will be loaded as defaults.  To clear the value, simply input a space.
? AWS Profile: my-aws-profile
? AWS Role Name: lacework-remediation