Install FortiCNAPP Remediate CLI Component

FortiCNAPP Remediate CLI is a tool for interacting with and resolving security alerts associated with resource compliance policy violations in your AWS infrastructure. It offers pre-built remediation templates that assess each alert and provide command-line remediation guidance for addressing specific issues.

Prerequisites

Note

We recommend using the latest CLI versions for both FortiCNAPP and AWS.

To access AWS resources, you need an AWS account and IAM credentials for it: an IAM access key pair, typically stored in an AWS CLI profile, with permission to read and modify the resources you intend to remediate.

Note

Compatibility: the FortiCNAPP remediate component does not support the Windows operating system.

Install the FortiCNAPP Remediate CLI Component

To install the FortiCNAPP Remediate CLI component, run the following command:

lacework component install remediate

Upon successful completion, you should see the following text:

❯ lacework component install remediate
 [✓] Component remediate found
 [✓] Component remediate installed
 [✓] Component signature verified
 [✓] Component configured

Installation completed.

Having installed the 'remediate' component you unlocked a new command:

lacework remediate alert <alert_id>

You have also unlocked a new flag for existing commands like:

lacework alert list --fixable

Try running one of these commands!

Create an IAM Role with Least Privileges (Optional)

As a best practice, we recommend creating a dedicated IAM role that you assume whenever you run remediations. Grant this role only the least set of permissions needed to carry out remediations, rather than running remediations with broadly privileged day-to-day credentials.

To get the least-privilege policy, run the following command:

lacework remediate show-policy aws-iam

This prints out an AWS IAM policy with the smallest set of privileges necessary to carry out remediations.

Note

The output of this command is likely to change as FortiCNAPP adds more remediations. Make sure that you use the latest output of the show-policy subcommand whenever you update the FortiCNAPP CLI or the remediate CLI component; an existing IAM policy can be refreshed by publishing the new output as a new default policy version (aws iam create-policy-version --set-as-default) rather than by creating a second policy.

Next, create an AWS policy from the output:

lacework remediate show-policy aws-iam > remediation-policy.json
aws iam create-policy --policy-name lw_remediation --policy-document file://remediation-policy.json

Create a role for remediation using the AWS CLI:

aws iam create-role --role-name lacework-remediation --assume-role-policy-document file://trust-policy.json

where trust-policy.json is the policy that determines who can assume that role. The principal must be an authenticated IAM identity (an IAM user, an IAM role, or an account root); IAM groups cannot be named as principals in a trust policy, so list the specific users or roles of your operators instead. Replace 123456789012 with your own AWS account ID. For example, to allow an IAM user named devops-admin to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/devops-admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach the least-privilege policy above to the role. The policy ARN is returned in the output of the create-policy command; 123456789012 again stands for your own account ID:

aws iam attach-role-policy --role-name lacework-remediation --policy-arn arn:aws:iam::123456789012:policy/lw_remediation
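The role-creation steps above, collected into one script as an added example; this is not part of the FortiCNAPP documentation or of the lacework CLI. It assumes AWS CLI v2 and an authenticated FortiCNAPP CLI on the PATH; the role and policy names match the ones used above, the helper names valid_trust_principal, trust_policy_json, policy_arn and account_id are this script's own, and the optional MFA condition is an assumption about your own access policy. It reads the account ID from the current credentials instead of hard-coding 123456789012, refuses IAM group ARNs as trust principals (which AWS rejects), and has an update mode that publishes fresh show-policy output as a new default version of the existing policy after a CLI upgrade.

```shell
#!/bin/sh
# Added example: create, trust and update the least-privilege remediation role.
# Not part of the FortiCNAPP docs or the lacework CLI. Assumes AWS CLI v2 and an
# authenticated FortiCNAPP CLI; the helper names below are this script's own.
set -eu

ROLE_NAME="${ROLE_NAME:-lacework-remediation}"
POLICY_NAME="${POLICY_NAME:-lw_remediation}"

# A trust policy Principal must be an authenticated identity: an IAM user, an
# IAM role, or an account root. IAM groups are not principals and AWS rejects
# them, so refuse them up front instead of failing inside create-role.
valid_trust_principal() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:(user/.+|role/.+|root)$'
}

# Render the trust policy. Pass "mfa" as the second argument to require MFA on
# the assuming identity (assumption: appropriate for IAM users; an assuming
# role carries no MFA context and would be denied by the condition).
trust_policy_json() {
  principal="$1"
  condition=""
  if [ "${2:-}" = "mfa" ]; then
    condition=',
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }'
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$principal" },
      "Action": "sts:AssumeRole"$condition
    }
  ]
}
EOF
}

# ARN of a customer-managed policy in the given account.
policy_arn() {
  printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"
}

# Account ID of the credentials in use, instead of the 123456789012 placeholder.
account_id() {
  aws sts get-caller-identity --query Account --output text
}

# First-time setup: policy from show-policy, role trusting the given principal.
apply() {
  principal="$1"
  mfa="${2:-}"
  valid_trust_principal "$principal" || {
    echo "refusing trust principal (users, roles or root only): $principal" >&2
    exit 1
  }
  lacework remediate show-policy aws-iam > remediation-policy.json
  trust_policy_json "$principal" "$mfa" > trust-policy.json
  arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
          --policy-document file://remediation-policy.json \
          --query Policy.Arn --output text)"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://trust-policy.json > /dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  echo "created $ROLE_NAME with $arn; now run: lacework remediate configure"
}

# After upgrading the CLI or the remediate component: publish the fresh
# show-policy output as the new default version of the existing policy.
# Managed policies keep at most five versions; prune old ones if this fails.
update() {
  arn="$(policy_arn "$(account_id)" "$POLICY_NAME")"
  lacework remediate show-policy aws-iam > remediation-policy.json
  aws iam create-policy-version --policy-arn "$arn" \
    --policy-document file://remediation-policy.json --set-as-default > /dev/null
  echo "updated $arn to the current show-policy output"
}

case "${1:-}" in
  apply)  apply "${2:?usage: $0 apply <principal-arn> [mfa]}" "${3:-}" ;;
  update) update ;;
esac
```

Run it as "sh setup-remediation-role.sh apply arn:aws:iam::ACCOUNT_ID:user/devops-admin mfa" for the first setup, and "sh setup-remediation-role.sh update" after each CLI or component upgrade; with no subcommand it defines the helpers and exits, which is what lets the checks below run without AWS access.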

Configure the FortiCNAPP CLI to Assume a Role

You can specify which AWS profile to use and which role to assume when running lacework remediate by using the following command:

lacework remediate configure

Step through the questions as they appear:

Existing settings will be loaded as defaults.  To clear the value, simply input a space.
? AWS Profile: my-aws-profile
? AWS Role Name: lacework-remediation
