karthikeayan · December 5, 2018 12:50
diff --git a/custodian-security-group-remediate.yaml b/custodian-security-group-remediate.yaml
 policies:
  - name: high-risk-security-groups-remediate
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
      and notify the user  who added the violating rule.
    mode:
        type: cloudtrail
        role: arn:aws:iam::<account_number>:role/<role_name>
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupEgress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupEgress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
      - or:
            - type: ingress
              Cidr:
                value: "0.0.0.0/0"
              OnlyPorts: [80, 443]
            - type: ingress
              CidrV6:
                value: "::/0"
              OnlyPorts: [80, 443]
    actions:
        - type: remove-permissions
          ingress: matched
        - type: notify
          template: default.html
          priority_header: 1
          subject: "Open Security Group Rule Created-[custodian {{ account }} - {{ region }}]"
          violation_desc: "Security Group(s) Which Had Rules Open To The World:"
          action_desc: |
              "Actions Taken:  The Violating Security Group Rule Has Been Removed As It Typically
              Allows Direct Incoming Public Internet Traffic Access To Your Resource Which Violates Our
              Company's Cloud Security Policy.  Please Refer To Our Company's Cloud Security Best
              Practices Documentation.  If This Ingress Rule Is Required You May Contact The Security
              Team To Request An Exception."
          to:
              - <email>@<domain>.com
              - event-owner
          transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/<account_number>/cloud-custodian-mailer
              region: us-east-1
	policies:
	- name: high-risk-security-groups-remediate
	resource: security-group
	description: \|
	Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
	and notify the user who added the violating rule.
	mode:
	type: cloudtrail
	role: arn:aws:iam::<account_number>:role/<role_name>
	events:
	- source: ec2.amazonaws.com
	event: AuthorizeSecurityGroupIngress
	ids: "requestParameters.groupId"
	- source: ec2.amazonaws.com
	event: AuthorizeSecurityGroupEgress
	ids: "requestParameters.groupId"
	- source: ec2.amazonaws.com
	event: RevokeSecurityGroupEgress
	ids: "requestParameters.groupId"
	- source: ec2.amazonaws.com
	event: RevokeSecurityGroupIngress
	ids: "requestParameters.groupId"
	filters:
	- or:
	- type: ingress
	Cidr:
	value: "0.0.0.0/0"
	OnlyPorts: [80, 443]
	- type: ingress
	CidrV6:
	value: "::/0"
	OnlyPorts: [80, 443]
	actions:
	- type: remove-permissions
	ingress: matched
	- type: notify
	template: default.html
	priority_header: 1
	subject: "Open Security Group Rule Created-[custodian {{ account }} - {{ region }}]"
	violation_desc: "Security Group(s) Which Had Rules Open To The World:"
	action_desc: \|
	"Actions Taken: The Violating Security Group Rule Has Been Removed As It Typically
	Allows Direct Incoming Public Internet Traffic Access To Your Resource Which Violates Our
	Company's Cloud Security Policy. Please Refer To Our Company's Cloud Security Best
	Practices Documentation. If This Ingress Rule Is Required You May Contact The Security
	Team To Request An Exception."
	to:
	- <email>@<domain>.com
	- event-owner
	transport:
	type: sqs
	queue: https://sqs.us-east-1.amazonaws.com/<account_number>/cloud-custodian-mailer
	region: us-east-1