Click on a runbook to see the code as well as the IAM permissions required to run it.
- CloudFormation Runbooks
- CloudTrail Runbooks
- Config Runbooks
- EC2 Runbooks
- EBS snapshot doesn't exist or older than 15 days
- AWS Security Groups allow internet traffic to SSH port (22)
- AWS Security Groups allow internet traffic from internet to Telnet port (23)
- AWS Security Groups allow internet traffic from internet to RDP port (3389)
- AWS Security Groups allow internet traffic from internet to MYSQL port (3306)
- AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432)
- AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
- AWS Security Groups allow internet traffic from internet to MSQL port (4333)
- AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
- AWS Security Groups allow internet traffic from internet to VNC Server port (5900)
- AWS Security Groups allow internet traffic from internet to FTP port (21)
- AWS Security Groups allow internet traffic from internet to FTP-Data port (20)
- AWS Security Groups allow internet traffic from internet to SMTP port (25)
- AWS Security Groups allow internet traffic from internet to DNS port (53)
- AWS delete unused EC2 Security Groups
- AWS Amazon Machine Image (AMI) is publicly accessible
- AWS Default Security Group does not restrict all traffic
- AWS Security Groups with Inbound rule overly permissive to All Traffic
- AWS EBS snapshots are accessible to public
- ELB Runbooks
- AWS Elastic Load Balancer (Classic) with connection draining disabled
- AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabled
- AWS Elastic Load Balancer (Classic) with access log disabled
- AWS Elastic Load Balancer v2 (ELBv2) Application Load Balancer (ALB) with access log disabled
- IAM Runbooks
- KMS Runbooks
- RDS Runbooks
- Redshift Runbooks
- S3 Runbooks
- VPC Runbooks
- Misc Runbooks
- Script name:
AWS-CFM-003.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Enables CloudFormation Stack termination protection.
- Required IAM permissions:
cloudformation:DescribeStackscloudformation:UpdateTerminationProtection
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-CLT-002.py - Prisma Cloud policy descriptor:
PC-AWS-CT-5 - Runbook summary: Encrypts CloudTrail S3 logs with a KMS Customer Managed Key (CMK).
- Required IAM permissions:
cloudtrail:DescribeTrailscloudtrail:UpdateTrails3:GetBucketLocationkms:CreateAliaskms:CreateKey
- CIS section: 2.7
- Caveats: N/A
- Script name:
AWS-CLT-004.py - Prisma Cloud policy descriptor:
PC-AWS-CT-50 - Runbook summary: Integrates CloudTrail with CloudWatch Logs. Creates (if needed) the necessary IAM Policy and CloudWatch Logs group.
- Required IAM permissions:
iam:CreateRoleiam:GetRoleiam:PutRolePolicylogs:CreateLogGrouplogs:DescribeLogGroupslogs:PutRetentionPolicycloudtrail:UpdateTrail
- CIS section: 2.4
- Caveats: N/A
- Script name:
AWS-CLT-005.py - Prisma Cloud policy descriptor:
PC-AWS-CT-4 - Runbook summary: Enables CloudTrail log file validation.
- Required IAM permissions:
cloudtrail:DescribeTrailscloudtrail:UpdateTrail
- CIS section: 2.2
- Caveats: N/A
- Script name:
AWS-CLT-006.py - Prisma Cloud policy descriptor:
PC-AWS-S3-1 - Runbook summary: Removes CloudTrail S3 bucket ACL Public policy.
- Required IAM permissions:
s3:GetBucketAcls3:PutBucketAcl
- CIS section: 2.3
- Caveats: N/A
- Script name:
AWS-CONFIG-001.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Enables AWS Config. Creates (if needed) the necessary IAM Role and S3 bucket/policy.
- Required IAM permissions:
iam:AttachRolePolicyiam:CreateRoleiam:GetRoles3:CreateBuckets3:PutBucketPolicyconfig:PutConfigurationRecorderconfig:PutDeliveryChannelconfig:StartConfigurationRecorder
- CIS section: 2.5
- Caveats: N/A
- Script name:
AWS-EC2-001.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Creates an EBS snapshot if a snapshot doesn't exist, or is older than 15 days.
- Required IAM permissions:
ec2:CreateSnapshotec2:DescribeSnapshots
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-002.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-23 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 22 (SSH).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: 4.1
- Caveats: N/A
- Script name:
AWS-EC2-003.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-236 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 23 (Telnet).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-004.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-24 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 3389 (RDP).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: 4.2
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-229 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 3306 (MySQL).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-230 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 5432 (PostgreSQL).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-233 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 1433 (SQLServer).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-247 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 4333 (MYSQL).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-238 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 5500 (VNC Listener).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-232 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 5900 (VNC Server).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-245 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 21 (FTP).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-248 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 20 (FTP-Data).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-227 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 25 (SMTP).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-010.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-228 - Runbook summary: Removes EC2 security group rules containing global access to TCP port 53 (DNS).
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-031.py - Prisma Cloud policy descriptor:
N/A - Runbook summary: Deletes unused EC2 security groups.
- Required IAM permissions:
ec2:DeleteSecurityGroupec2:DescribeSecurityGroupslambda:ListFunctions
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-036.py - Prisma Cloud policy descriptor:
PC-AWS-EC2-35 - Runbook summary: Sets Public AMIs to Private.
- Required IAM permissions:
ec2:DescribeImageAttributeec2:ModifyImageAttribute
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-038.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-22 - Runbook summary: Removes all rules from the default EC2 security group.
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngressec2:RevokeSecurityGroupEgress
- CIS section: 4.3
- Caveats: N/A
- Script name:
AWS-EC2-039.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-222 - Runbook summary: Removes EC2 security group rules with Global access on all ports.
- Required IAM permissions:
ec2:DescribeSecurityGroupsec2:RevokeSecurityGroupIngress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-EC2-042.py - Prisma Cloud policy descriptor:
PC-AWS-EC2-31 - Runbook summary: Sets Public EBS snapshots to Private.
- Required IAM permissions:
ec2:DescribeSnapshotAttributeec2:ModifySnapshotAttribute
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-ELB-009.py - Prisma Cloud policy descriptor:
PC-AWS-ELB-267 - Runbook summary: Enables ELB (Classic) Connection Draining.
- Required IAM permissions:
elasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:ModifyLoadBalancerAttributes
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-ELB-012.py - Prisma Cloud policy descriptor:
PC-AWS-ELB-266 - Runbook summary: Enables ELB (Classic) Cross-Zone Load Balancing.
- Required IAM permissions:
elasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:ModifyLoadBalancerAttributes
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-ELB-013.py - Prisma Cloud policy descriptor:
PC-AWS-ELB-265 - Runbook summary: Enables ELB (Classic) Access Logs. Creates (if needed) an ELB logs S3 bucket for the region.
- Required IAM permissions:
elasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:ModifyLoadBalancerAttributess3:CreateBuckets3:PutBucketPolicys3:PutObjectsts:GetCallerIdentity
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-ELB-015.py - Prisma Cloud policy descriptor:
PC-AWS-ELB-242 - Runbook summary: Enables Application ELB (elbv2) Access Logs. Creates (if needed) an ELB logs S3 bucket for the region.
- Required IAM permissions:
elasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:DescribeLoadBalancerselasticloadbalancing:ModifyLoadBalancerAttributess3:CreateBuckets3:PutBucketPolicys3:PutObject
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-IAM-002.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Enforces AWS account best practices password policy.
- Required IAM permissions:
iam:UpdateAccountPasswordPolicy
- CIS section: 1.5 - 1.11
- Caveats: N/A
- Script name:
AWS-IAM-015.py - Prisma Cloud policy descriptor:
PC-AWS-IAM-48 - Runbook summary: Deactivates unused IAM access keys.
- Required IAM permissions:
iam:GetAccessKeyLastUsediam:UpdateAccessKey
- CIS section: 1.3
- Caveats: N/A
- Script name:
AWS-IAM-016.py - Prisma Cloud policy descriptor:
PC-AWS-IAM-46 - Runbook summary: Removes IAM policies that allow full administrative privileges.
- Required IAM permissions:
iam:CreatePolicyVersion
- CIS section: 1.22
- Caveats: N/A
- Script name:
AWS-IAM-018.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Creates an IAM Support Role to manage incidents with AWS Support.
- Required IAM permissions:
iam:AttachRolePolicyiam:CreateRoleiam:CreateUseriam:GetPolicy
- CIS section: 1.20
- Caveats: N/A
- Script name:
AWS-KMS-001.py - Prisma Cloud policy descriptor:
PC-AWS-KMS-20 - Runbook summary: Enables KMS rotation of a Customer Master Key (CMK).
- Required IAM permissions:
kms:EnableKeyRotation
- CIS section: 2.8
- Caveats: N/A
- Script name:
AWS-RDS-005.py - Prisma Cloud policy descriptor:
PC-AWS-RDS-99 - Runbook summary: Sets Public RDS DB instances to Private.
- Required IAM permissions:
rds:DescribeDBInstancesrds:ModifyDBInstance
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-RDS-007.py - Prisma Cloud policy descriptor:
PC-AWS-RDS-32 - Runbook summary: Sets Public RDS snapshots to Private.
- Required IAM permissions:
rds:DescribeDBSnapshotAttributesrds:ModifyDBSnapshotAttribute
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-RDS-010.py - Prisma Cloud policy descriptor:
PC-AWS-RDS-218 - Runbook summary: Enables RDS DB instance Multi-AZ.
- Required IAM permissions:
rds:DescribeDBInstancesrds:ModifyDBInstance
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-RDS-011.py - Prisma Cloud policy descriptor:
PC-AWS-RDS-260 - Runbook summary: Enables RDS DB instance Auto Minor Version Upgrade.
- Required IAM permissions:
rds:DescribeDBInstancesrds:ModifyDBInstance
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-REDSHIFT-001.py - Prisma Cloud policy descriptor:
PC-AWS-RED-79 - Runbook summary: Sets Public Redshift clusters to Private.
- Required IAM permissions:
redshift:DescribeClustersredshift:ModifyCluster
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-SSS-001.py - Prisma Cloud policy descriptor:
PC-AWS-S3-259 - Runbook summary: Enables S3 bucket Object Versioning.
- Required IAM permissions:
s3:PutBucketVersioning
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-SSS-008.py - Prisma Cloud policy descriptor:
PC-AWS-S3-251 - Runbook summary: Removes S3 bucket ACL Global policy.
- Required IAM permissions:
s3:GetBucketAcls3:PutBucketAcl
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-SSS-009.py - Prisma Cloud policy descriptor:
PC-AWS-S3-30 - Runbook summary: Enables S3 bucket logging. Creates (if needed) a target logging bucket for the region.
- Required IAM permissions:
sts:GetCallerIdentitys3:CreateBuckets3:GetBucketLoggings3:PutBucketLogging
- CIS section: 2.6
- Caveats: N/A
- Script name:
AWS-SSS-014.py - Prisma Cloud policy descriptor:
PC-AWS-S3-64 - Runbook summary: Enables S3 Server-Side Encryption.
- Required IAM permissions:
s3:PutEncryptionConfiguration
- CIS section: N/A
- Caveats: N/A
- Script name:
PC-AWS-S3-29.py - Prisma Cloud policy descriptor:
PC-AWS-S3-29 - Runbook summary: Removes S3 bucket public access at the bucket level.
- Required IAM permissions:
s3:PutBucketPublicAccessBlock
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-VPC-013.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Releases unassociated (unused) Elastic IP addresses.
- Required IAM permissions:
ec2:DescribeAddressesec2:ReleaseAddress
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-VPC-020.py - Prisma Cloud policy descriptor:
PC-AWS-VPC-25 - Runbook summary: Enables VPC flow logs. Creates (if needed) the necessary IAM Policy and CloudWatch Logs group.
- Required IAM permissions:
iam:PutRolePolicyiam:CreateRoleiam:GetRoleiam:PassRolelogs:CreateLogGrouplogs:PutRetentionPolicyec2:CreateFlowLogs
- CIS section: 2.9
- Caveats: N/A
- Script name:
AWS-VPC-Default.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Deletes the AWS default VPC.
- Required IAM permissions:
ec2:DeleteInternetGatewayec2:DeleteNetworkAclec2:DeleteRouteTableec2:DeleteSecurityGroupec2:DeleteSubnetec2:DeleteVpcec2:DescribeInternetGatewaysec2:DescribeNetworkAclsec2:DescribeNetworkInterfacesec2:DescribeRouteTablesec2:DescribeSecurityGroupsec2:DescribeSubnetsec2:DescribeVpcsec2:DetachInternetGateway
- CIS section: N/A
- Caveats: N/A
- Script name:
AWS-TEST-001.py - Prisma Cloud policy descriptor: N/A
- Runbook summary: Example runbook which can be used to test your Lambda. Check out the setup guide for more info.
- Required IAM permissions: N/A
- CIS section: N/A
- Caveats: N/A