
AutoFix In Paladin Cloud

AutoFix

AutoFix remediates violations on cloud resources detected by Paladin Cloud. It shortens the time between detecting a policy violation and repairing it: Paladin Cloud applies an auto-fix that corrects the resource misconfiguration and sends an email notification describing the auto-fix performed on the cloud resource.
By default, AutoFix is disabled for every policy; see How to enable AutoFix.

List of Policies provided with AutoFix

Policy-specific configuration for AutoFix

  • Delete Unused Security Groups

    Policy definition link

    Configuration changes:

    UI changes

    DB changes:
    Update the following properties in the pac_config_properties table:

     autofix.allowlist.accounts.Unused-Security-group_version-1_UnusedSecurityGroup_sg = Accounts to which the auto-fix for the unused security group policy is applied
     pacman.autofix.waittime.Unused-Security-group_version-1_UnusedSecurityGroup_sg = Number of hours to wait before the auto-fix runs, e.g. 24
     pacman.auto.fix.max.email.notifications.Unused-Security-group_version-1_UnusedSecurityGroup_sg = Number of auto-generated notification emails sent to the owner/user before the auto-fix runs, e.g. 5
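A small validator for those three rows is a useful guard before a change is written to the table: a non-numeric wait time or an account ID that is not 12 digits should be rejected rather than discovered when the auto-fix runs. The script below is an added example, not Paladin Cloud code; it assumes the rows are exported as "key = value" lines (the sample is constructed) and takes the key names and value meanings from the description above.

```python
"""Validate the pac_config_properties rows that turn on AutoFix for one policy.

Added example, not Paladin Cloud code. It assumes the rows are exported as
"key = value" lines (the sample below is constructed); the key names and
value meanings come from the table description above.
"""
import re

POLICY_ID = "Unused-Security-group_version-1_UnusedSecurityGroup_sg"
ACCOUNT_ID = re.compile(r"^\d{12}$")   # AWS account IDs are exactly 12 digits

# Constructed sample of the three rows for the unused security group policy.
SAMPLE_PROPERTIES = f"""
autofix.allowlist.accounts.{POLICY_ID} = 111111111111, 222222222222
pacman.autofix.waittime.{POLICY_ID} = 24
pacman.auto.fix.max.email.notifications.{POLICY_ID} = 5
"""


def parse_properties(text):
    """Turn 'key = value' lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def check_autofix_config(props, policy_id=POLICY_ID):
    """Return a list of problems with the three AutoFix properties (empty = OK)."""
    allow_key = f"autofix.allowlist.accounts.{policy_id}"
    wait_key = f"pacman.autofix.waittime.{policy_id}"
    mail_key = f"pacman.auto.fix.max.email.notifications.{policy_id}"
    problems = []

    # Allowlist: comma-separated account IDs, at least one, each 12 digits.
    accounts = [a.strip() for a in props.get(allow_key, "").split(",") if a.strip()]
    if not accounts:
        problems.append(f"{allow_key}: at least one account ID is required")
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        problems.append(f"{allow_key}: not 12-digit account IDs: {bad}")

    # Wait time (hours) and notification count: positive integers.
    for key, meaning in ((wait_key, "hours to wait before the auto-fix"),
                         (mail_key, "emails to send before the auto-fix")):
        raw = props.get(key)
        if raw is None:
            problems.append(f"{key}: missing ({meaning})")
        elif not raw.isdigit() or int(raw) <= 0:
            problems.append(f"{key}: expected a positive integer, got {raw!r}")
    return problems


def load_autofix_config(props, policy_id=POLICY_ID):
    """Return the typed config for a policy, or raise if any check fails."""
    problems = check_autofix_config(props, policy_id)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "accounts": [a.strip() for a in props[f"autofix.allowlist.accounts.{policy_id}"].split(",")],
        "wait_hours": int(props[f"pacman.autofix.waittime.{policy_id}"]),
        "max_emails": int(props[f"pacman.auto.fix.max.email.notifications.{policy_id}"]),
    }


if __name__ == "__main__":
    print(load_autofix_config(parse_properties(SAMPLE_PROPERTIES)))
```

`check_autofix_config` returns every problem at once so an operator can fix a whole row set in one pass; `load_autofix_config` is the strict form that refuses to hand back a config unless all checks pass.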

    IAM Role Changes

    The account where Paladin Cloud is installed is called the base account. The accounts monitored by Paladin Cloud are called client accounts.

    Client Account Change:
      Create an IAM role named paladincloud and attach an inline policy that allows deleting security groups. Allow the paladincloud role from the base account to assume this role. A sample inline policy and trust configuration for the Paladin Cloud role follows:
    
       Inline Policy:
              `{
                 "Version": "2012-10-17",
                 "Statement": [
                   {
                     "Sid": "",
                     "Effect": "Allow",
                     "Action": "ec2:DeleteSecurityGroup",
                     "Resource": "*"
                   }
                 ]
               }`
    
       Trust configuration:
              `{
                 "Version": "2012-10-17",
                 "Statement": [
                   {
                     "Effect": "Allow",
                     "Principal": {
                       "AWS": ["arn:aws:iam::Base_Account_ID:role/paladincloud"]
                     },
                     "Action": "sts:AssumeRole"
                   }
                 ]
               }`
    
    Base Account Change: Fetch the ARN of each client account's Paladin Cloud role and add it to (or update) the Paladin Cloud policy attached to the paladincloud role in the base account. Sample Paladin Cloud policy:
    
      `{
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "",
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": [
               "arn:aws:iam::Client_Account_ID_1:role/paladincloud",
               "arn:aws:iam::Client_Account_ID_2:role/paladincloud"
             ]
           }
         ]
       }`
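The three documents above only work together if they agree: the client role's inline policy should grant nothing beyond the delete action the auto-fix uses, its trust policy should name only the base-account paladincloud role, and the base policy should list every client role ARN. The script below is an added example, not Paladin Cloud code; it reproduces the three sample documents with the Base_Account_ID and Client_Account_ID placeholders replaced by constructed 12-digit values, and the consistency checks are my own.

```python
"""Cross-check the three IAM documents used for the security-group AutoFix.

Added example, not Paladin Cloud code. The documents below are the samples
from the text with the placeholders Base_Account_ID and Client_Account_ID_1/2
replaced by constructed 12-digit values; the checks themselves are mine.
"""
import re

ROLE = "paladincloud"
BASE_ACCOUNT = "111111111111"                       # constructed Base_Account_ID
CLIENT_ACCOUNTS = ["222222222222", "333333333333"]  # constructed Client_Account_ID_1/2
AUTOFIX_ACTIONS = {"ec2:DeleteSecurityGroup"}       # all the auto-fix needs
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")

# Client account: inline policy on the paladincloud role (sample from the text).
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "ec2:DeleteSecurityGroup", "Resource": "*"}]}
# Client account: trust policy, the base-account role may assume the client role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{BASE_ACCOUNT}:role/{ROLE}"]},
     "Action": "sts:AssumeRole"}]}
# Base account: policy on the paladincloud role listing every client role.
BASE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": [f"arn:aws:iam::{a}:role/{ROLE}" for a in CLIENT_ACCOUNTS]}]}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def check_inline_policy(doc):
    """Client role permissions must not exceed the delete action AutoFix uses."""
    problems = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            problems.append("inline policy uses NotAction/NotResource (broad grant)")
        extra = set(_as_list(st.get("Action", []))) - AUTOFIX_ACTIONS
        if extra:
            problems.append(f"inline policy grants more than AutoFix needs: {sorted(extra)}")
    return problems


def check_trust_policy(doc, base_account):
    """Only the base-account paladincloud role may assume the client role."""
    expected = f"arn:aws:iam::{base_account}:role/{ROLE}"
    problems = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            problems.append("trust policy allows any AWS principal")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn != expected:
                problems.append(f"unexpected trusted principal: {arn}")
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            problems.append("trust statement does not grant sts:AssumeRole")
    return problems


def check_base_policy(doc, client_accounts):
    """Base role may assume exactly the client paladincloud roles, nothing else."""
    allowed = set()
    for st in doc["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            allowed.update(_as_list(st.get("Resource", [])))
    problems = []
    if "*" in allowed:
        problems.append("base policy allows AssumeRole on any role")
    for arn in allowed - {"*"}:
        m = ROLE_ARN.match(arn)
        if not m or m.group(2) != ROLE:
            problems.append(f"base policy targets a role that is not {ROLE}: {arn}")
    missing = [a for a in client_accounts
               if f"arn:aws:iam::{a}:role/{ROLE}" not in allowed]
    if missing:
        problems.append(f"client accounts not assumable from the base role: {missing}")
    return problems


def audit(inline, trust, base, base_account=BASE_ACCOUNT, client_accounts=CLIENT_ACCOUNTS):
    """Return every problem found across the three documents (empty = consistent)."""
    return (check_inline_policy(inline)
            + check_trust_policy(trust, base_account)
            + check_base_policy(base, client_accounts))


if __name__ == "__main__":
    print(audit(INLINE_POLICY, TRUST_POLICY, BASE_POLICY) or "all three documents are consistent")
```

Run it after onboarding a new client account: a client whose role ARN was never added to the base policy shows up as "not assumable from the base role", and a trust policy that was widened to a whole account or to `*` is flagged before the auto-fix is ever invoked. The check compares action sets only; narrowing the inline policy's `Resource` beyond `*` is a deployment choice the sample leaves open.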