Lab: Implementing Automated Security Remediation and Secrets Management
Determine a strategy to improve security
This hands-on lab focuses on the practical application of Task 3.2 from the AWS SAP-C02 exam guide: Determining a strategy to improve security. You will practice auditing for least privilege, managing secrets, and implementing automated remediation using AWS Config and AWS Security Hub.
> [!WARNING]
> Always run the commands in the Clean-Up / Teardown section at the end of this lab to avoid ongoing charges in your AWS account.
Prerequisites
- An AWS Account with `AdministratorAccess` permissions.
- AWS CLI installed and configured with credentials: `aws configure`.
- Basic knowledge of IAM policies and JSON syntax.
- A preferred terminal (Bash or Zsh recommended).
Learning Objectives
By the end of this lab, you will be able to:
- Centralize Security Visibility: Enable and configure AWS Security Hub and AWS Config.
- Secure Credentials: Implement secrets management using AWS Secrets Manager to replace hardcoded credentials.
- Automate Compliance: Create an AWS Config Rule to detect and automatically remediate non-compliant S3 buckets.
- Audit for Least Privilege: Review and implement IAM policies that follow the principle of least privilege.
Architecture Overview
The following diagram illustrates the flow of automated security auditing and remediation you will build today.
Step-by-Step Instructions
Step 1: Enable AWS Config Recording
AWS Config is required to track resource changes and evaluate them against security rules.
```bash
# Replace <YOUR_BUCKET_NAME> with a unique name like brainybee-config-log-123
aws s3 mb s3://<YOUR_BUCKET_NAME>
# Create a configuration recorder
aws configservice subscribe --s3-bucket <YOUR_BUCKET_NAME> --iam-role arn:aws:iam::<YOUR_ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
```
Console alternative:
- Navigate to AWS Config > Settings.
- Click Turn on.
- Under Recording strategy, choose Record all resources supported in this region.
- For Data management, create an S3 bucket for logs and use the default service-linked role.
Step 2: Enable AWS Security Hub
Security Hub aggregates findings from multiple AWS services.
```bash
aws securityhub enable-security-hub --enable-default-standards
```
Console alternative:
- Navigate to Security Hub.
- Click Go to Security Hub.
- Ensure AWS Foundational Security Best Practices is checked and click Enable Security Hub.
Step 3: Implement Secure Secrets Management
Instead of using hardcoded API keys, we will store a dummy API key in Secrets Manager.
```bash
aws secretsmanager create-secret --name "brainybee/app/api-key" \
  --description "API Key for external service" \
  --secret-string "{\"api_key\":\"AKIA-EXAMPLE-12345\"}"
```
Console alternative:
- Navigate to Secrets Manager > Store a new secret.
- Select Other type of secret.
- Add key: `api_key` and value: `AKIA-EXAMPLE-12345`.
- Name the secret `brainybee/app/api-key` and click Store.
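Added example (not part of the lab): application code that loads the Step 3 key at runtime instead of hardcoding it. The Secrets Manager client is injected so the payload handling can be exercised offline with the constructed stub; in a real deployment pass `boto3.client("secretsmanager")`.

```python
import base64
import json

SECRET_ID = "brainybee/app/api-key"  # name used in Step 3

# Before: the key is baked into the code and every copy of the repository.
# API_KEY = "AKIA-EXAMPLE-12345"   # hardcoded credential


def load_secret_payload(client, secret_id: str = SECRET_ID) -> dict:
    """Fetch a secret and return its JSON payload as a dict.

    GetSecretValue returns SecretString for text secrets (as in this lab) or
    SecretBinary for binary ones; boto3 returns bytes for the latter while the
    raw API returns base64 text, so both forms are accepted here.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    if resp.get("SecretString") is not None:
        raw = resp["SecretString"]
    else:
        blob = resp["SecretBinary"]
        if isinstance(blob, str):
            blob = base64.b64decode(blob)
        raw = blob.decode("utf-8")
    return json.loads(raw)


def get_api_key(client, secret_id: str = SECRET_ID) -> str:
    """Return the api_key field, failing loudly rather than using an empty key."""
    key = load_secret_payload(client, secret_id).get("api_key")
    if not key:
        raise KeyError(f"secret {secret_id!r} has no 'api_key' field")
    return key


class StubSecretsClient:
    """Constructed stand-in for boto3.client('secretsmanager'); offline only."""

    def __init__(self, response: dict):
        self._response = response

    def get_secret_value(self, SecretId: str) -> dict:
        return dict(self._response, Name=SecretId)


if __name__ == "__main__":
    # Constructed response mirroring the payload created in Step 3.
    stub = StubSecretsClient({"SecretString": json.dumps({"api_key": "AKIA-EXAMPLE-12345"})})
    print(get_api_key(stub))
```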
Step 4: Deploy Automated Remediation Rule
We will deploy a managed rule that checks whether S3 buckets allow public read access; in production the rule is linked to an AWS Systems Manager (SSM) automation that sets a non-compliant bucket to private (see the tip below).
```bash
# Note: This command uses the s3-bucket-public-read-prohibited managed rule
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName": "s3-bucket-public-read-prohibited", "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}'
```
> [!TIP]
> In a production environment, you would use `PutRemediationConfigurations` to link this rule to an SSM document like `AWS-ConfigureS3BucketPublicAccessBlock`.
Checkpoints
| Verification Step | Expected Result |
|---|---|
| Run `aws configservice describe-configuration-recorder-status` | `recording: true` |
| Run `aws secretsmanager get-secret-value --secret-id brainybee/app/api-key` | JSON payload containing the dummy key |
| Check Security Hub Findings | You should see initial findings appearing within 5-10 minutes |
Clean-Up / Teardown
To prevent ongoing costs, delete the resources created in this lab:
- Delete Secret:
  ```bash
  aws secretsmanager delete-secret --secret-id "brainybee/app/api-key" --force-deletion-without-recovery
  ```
- Delete Config Rule:
  ```bash
  aws configservice delete-config-rule --config-rule-name s3-bucket-public-read-prohibited
  ```
- Disable Security Hub:
  ```bash
  aws securityhub disable-security-hub
  ```
- Delete S3 Bucket:
  ```bash
  aws s3 rb s3://<YOUR_BUCKET_NAME> --force
  ```
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| `AccessDenied` when enabling Config | Missing IAM permissions | Ensure your user has `IAMFullAccess` or `AdministratorAccess`. |
| Config rule stays in "Evaluating" | Resource hasn't changed | Create a dummy S3 bucket to trigger an evaluation. |
| Secret not found | Region mismatch | Ensure your CLI region matches where you created the secret. |
Stretch Challenge
Goal: Implement an automated response for a GuardDuty finding.
- Enable Amazon GuardDuty via CLI: `aws guardduty create-detector --enable`.
- Create an Amazon EventBridge rule that triggers a Lambda function when GuardDuty detects a "CryptoCurrency:EC2/BitcoinTool.B!DNS" finding.
- The Lambda function should stop the affected EC2 instance automatically.
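One way to complete the stretch challenge, as an added example that is not part of the lab: the EventBridge pattern that matches the finding, and a Lambda handler that re-checks the finding type, pulls the instance ID out of the GuardDuty finding and stops that instance. The EC2 client is injected so the handler can be run against the constructed stub and sample event below; the finding ID and instance ID in the sample are made up.

```python
from typing import Optional

TARGET_FINDING = "CryptoCurrency:EC2/BitcoinTool.B!DNS"

# EventBridge event pattern for the rule; the handler re-checks the type anyway.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [TARGET_FINDING]},
}


def instance_id_from_finding(detail: dict) -> Optional[str]:
    """Return the EC2 instance ID named in a GuardDuty finding, or None."""
    resource = detail.get("resource") or {}
    if resource.get("resourceType") != "Instance":
        return None
    return (resource.get("instanceDetails") or {}).get("instanceId")


def remediate(event: dict, ec2) -> dict:
    """Stop the instance from a matching finding and report what was done."""
    detail = event.get("detail") or {}
    if detail.get("type") != TARGET_FINDING:
        return {"action": "ignored", "reason": "finding type not targeted"}
    instance_id = instance_id_from_finding(detail)
    if not instance_id:
        return {"action": "ignored", "reason": "no EC2 instance in finding"}
    # The execution role needs only ec2:StopInstances (least privilege).
    ec2.stop_instances(InstanceIds=[instance_id])
    return {"action": "stopped", "instanceId": instance_id, "findingId": detail.get("id")}


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; deferred so this file runs offline
    return remediate(event, boto3.client("ec2"))


class StubEC2:
    """Constructed stand-in for boto3.client('ec2') that records the calls made."""
    def __init__(self):
        self.stopped = []

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"id": "EXAMPLE-FINDING-ID", "type": TARGET_FINDING,
                           "resource": {"resourceType": "Instance",
                                        "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```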
Cost Estimate
Total estimated cost for running this lab for 1 hour:
- AWS Config: ~$0.003 per configuration item (negligible for this lab).
- AWS Security Hub: Free for the first 30 days.
- AWS Secrets Manager: $0.40 per secret/month (pro-rated to ~$0.0006 for 1 hour).
- S3 Standard: ~$0.023/GB (negligible for empty buckets).
- Total: < $0.05 (well within Free Tier limits).
Concept Review
Security improvement is a continuous cycle. As specified in the SAP-C02 guide, a robust strategy involves layers of defense.
The Layered Security Model
```latex
\begin{tikzpicture}[node distance=1.5cm]
  \draw[thick] (0,0) circle (3cm);
  \node at (0,2.5) {\textbf{Network Security (WAF/Shield)}};
  \draw[thick] (0,0) circle (2cm);
  \node at (0,1.5) {\textbf{IAM \& Secrets}};
  \draw[thick] (0,0) circle (1cm);
  \node at (0,0) {\textbf{Data (KMS)}};
\end{tikzpicture}
```
Key Concepts Comparison
| Strategy | Tooling | Focus |
|---|---|---|
| Detection | GuardDuty / Security Hub | Finding threats after they happen |
| Prevention | IAM / SCPs | Preventing threats before they happen |
| Remediation | Config Rules / Lambda | Fixing threats automatically when detected |
| Auditability | CloudTrail / Config | Recording what happened and when |