Quickstart Guide

Outside of Dome9

You can deploy this stack in us-east-1 via the link below. If you would like to deploy the stack in another region, please go to the "Deployment Links" tab.


Click the link and click Next

In the parameters section either choose if you want to deploy in single or multi mode

If you would like to set up an SNS subscriber for the output topic (recommended) then put an email in the EmailAddress field.

Click Next > Next

On the 4th page, you'll need to check the 2 boxes that allow this template to create IAM resources with custom names (This is for the role that is created for Lambda to perform the bots)

Next, click on the 'Create Change Set' button at the bottom of the page. Then click 'Execute'

From here, the stack will deploy. If there are no errors, go to the 'Outputs' tab and grab the two ARNs that were output. You'll need them later.

If you set up an SNS Subscriber Go to your email and confirm the subscription. SNS seems to have some odd behaviors if you leave the subscription for a while before confirming.

If you're running in multi-account mode

By default, the cross account roles will all need to be named "Dome9CloudBots". If you want a different name, add a new variable to the dome9AutoRemediations lambda function called "CROSS_ACCOUNT_ROLE_NAME" and set the value to the new name for the role.

Set up cross account roles for EACH account that will be remediated

cd cross_account_role_configs

Role creation needs to be done via something other than CloudFormation because CFTs don't output consistent role names

Update trust_policy.json with the account ID where the main function will live

There is a small bash script in this directory that you can run (create_role.sh) to create these roles.

./create_role.sh <aws profile>

In Dome9

Create a bundle that you want to use for auto remediation.

It's recommended but not required to break remediation bots into their own bundles. There is a sample bundle (sample_bundle.json) that can be used as a starting point. The rule in the sample bundle will remove rules from the default security group if the SG is empty.

For all rules that you want to add remediation to, add the remediation tag to the "Compliance Section" of the rule.

All available remediation bots are in the bots folder.

Tag Syntax: AUTO:

Ex: AUTO: ec2_stop_instance

Test this compliance bundle.

Make sure you're getting the results you want and expect

Set the Dome9 compliance bundle to run via continuous compliance.

If you're in single account mode, there needs to be a 1 Continuous Compliance bundle per account. If not, select all the accounts that you set up cross-account roles in. Set the output topic as the ARN from the InputTopicARN one we set up Set the format to be JSON - Full Entity

* NOTE: **

Currently Continuous Compliance sends a 'diff' for the SNS notifications. Because of this, if you have ran the bundle before, only new issues will be sent to SNS. If you want to have the first auto-remediation run to include all pre-existing issues, you'll need to use the "send all events" button to force a re-send.

For the compliance policy you have set up, look for a button on the right hand side with an arrow pointing up.
Send all events button

In this page, select SNS as the delivery method and your notification policy as the place to send the events.
This can also be useful for rolling out new bots and/or testing since you can re-send the same event more than once.
Send all events page

From here, you should be good to go!

Questions / Comments

Contact: Alex Corstorphine (alex@dome9.com)