
Knowledge Base


How to connect your AWS Accounts and deploy AUTOMATE+

How to integrate your tools to receive events and alert notifications from AUTOMATE+

Understanding and working with Security Controls, Automated Remediation and Reporting

Auto-Create, Auto-Discover, Auto-Fill and Auto-Update your Well-Architected Review

Managing your AUTOMATE+ account

Where to find help and support

Account Setup and Deployment

 

Getting started

  1. Navigate to https://app.6pillars.io or click on the Get AUTOMATE+ button displayed in the header of this webpage.

  2. When presented with the AUTOMATE+ landing page, click on Sign-up, complete the sign-up form before clicking Submit.

  3. Once submitted, you will be prompted to enter a confirmation code. The code is emailed to the email address entered during sign-up.

    1. Please check your junk folder if this email doesn't appear to arrive promptly.

  4. The next step is to add your Company Name.

  5. Once you've set up your Company, you will land on the AUTOMATE+ Accounts page. Here you can connect your AWS accounts. Please review the next section for more information.

  6. The deployment process occurs in two steps:

    1. Create Cross-Account Role

    2. Deploy AUTOMATE / AUTOMATE+

  7. AUTOMATE and AUTOMATE+ can be deployed to multiple AWS accounts within the one 6pillars dashboard user account. Users can switch between AWS accounts using the account selector in the header of the application.

Select Deployment Type & Connect an Account

  • Navigate to the Accounts page in AUTOMATE+.

  • Before adding an account, we recommend that you log into the AWS account you wish to connect to AUTOMATE+ within the same browser.

  • Go to the Create a cross account role section as shown below:

  • Select which product you would like to deploy.

  • 6pillars' AUTOMATE comes in two different varieties:

    • AUTOMATE provides read-only access without Automated Remediation.

    • AUTOMATE+ includes all Automated Remediation functionality.

      • Please note that AUTOMATE and AUTOMATE+ require a specific set of permissions in order to complete the deployment. Once the deployment has completed, however, these permissions are reduced to least privilege (as per best practice).

      • Details of the during-deployment and post-deployment IAM permissions can be found in the Deployment & Post Deployment Permissions Policy section below.

  • Once you have selected your preferred deployment type, enter your account name (which is simply an alias used to associate the target AWS account within the AUTOMATE+ dashboard). The alias can be set to any name of your choosing.

    • Many users opt for aliases such as:

      • Dev

      • Prod

      • Application Name etc.

  • Ensure you select the correct AWS Region from the drop-down selector.

    • Selecting the correct region is critically important to the success of the deployment.

    • If your region is not shown, please contact us at support@6pillars.io

  • Once all fields and selections have been made, click Deploy Role.

  • A new tab will open in your browser showing a pre-filled AWS CloudFormation stack. Please ensure you deploy this stack fully before progressing with your deployment.

Role Deployment in AWS CloudFormation Console

  • Once you've clicked Deploy Role, you will be presented with a pre-filled stack deployment page within your AWS CloudFormation console. 

    • If you have not logged into your AWS account, you will need to do this now before progressing. 

    • Please ensure you are logging into the same AWS Account ID as the one you entered at the previous step. Failure to do so will mean the deployment will fail.

  • Please review the pre-filled data, but do not make any changes to it: changing any pre-filled data could cause the deployment to fail.

  • Check the acknowledgement check-box at the bottom of the page and click Create Stack.

    • As noted above, while the deployment of AUTOMATE and AUTOMATE+ requires additional access, this access is removed at the final step of the automated deployment to ensure only minimum permissions are retained by the cross-account role. These remaining permissions allow for automated remediation triggering within Security Hub and the ability to complete Well-Architected reviews.

    • Details of the during-deployment and post-deployment IAM permissions can be found in the Deployment & Post Deployment Permissions Policy section below.

    • If you wish to discuss these permissions in more detail, please contact us at support@6pillars.io

  • The cross-account role stack will take approximately 2 minutes to deploy.

    • You can follow the progress via the AWS CloudFormation Console.

  • Once the stack has completed successfully, you can progress to the setup of AUTOMATE.

Complete Setup of AUTOMATE / AUTOMATE+

  • Return to the AUTOMATE+ dashboard and click on the Setup link, or navigate to the Setup page within the AUTOMATE+ dashboard.

  • As shown in the screenshot below, you will need to select the Account name of the account you wish to deploy to, then click Deploy.

  • Note that the region and product type deployment fields have already been chosen when the cross-account role was added. These cannot be changed at this stage.

    • If you need to change either the product type or region at this stage, please refer to the Troubleshooting Deployment section below before proceeding with your new deployment.

    • Alternatively, feel free to contact the 6pillars team at any time for assistance: support@6pillars.io

  • Once the Deployment starts, feel free to follow the progress in your AWS CloudFormation console.

  • Deployment will take approximately 20 minutes to complete for AUTOMATE+ and under 10 minutes for AUTOMATE (Read-Only).

  • The deployment will:

    • Enable AWS Config - if this is already enabled, our deployment process will simply amend the configuration to allow AUTOMATE / AUTOMATE+ to function. These changes will not affect any existing AWS Config settings.

    • Enable Security Hub and all available Compliance Standards - if you already have Security Hub running, the deployment will simply ensure all standards are enabled.

    • Deploy SHARR (AWS Security Hub Automated Response and Remediation) and all currently available Automation Playbooks (AUTOMATE+).

    • Configure events to be sent to AUTOMATE / AUTOMATE+ and allow for Slack integration of alerting.

Troubleshooting Deployment

  • Common issues that could occur during deployment:

    • I created a role with the incorrect AWS Region selected

      • If you have selected the wrong region when creating the cross account role, we recommend following these steps before progressing with your deployment:

        • DO NOT deploy the Setup stacks from the Setup page of the AUTOMATE+ Dashboard.

        • Go to your AWS CloudFormation Console and delete the Role stack that was created in the prior step.

          • Do this by selecting the radio button next to the stack and clicking Delete.

        • Within the AUTOMATE+ Dashboard, navigate to the Accounts page.

        • In the Connected Accounts section, locate the account you wish to remove, click the Trash icon and confirm Yes in the "Are you sure" pop-up.

        • You may now re-commence deployment from the Connect an Account process noted above. Please ensure the correct Region is selected when re-deploying.

    • A 6pillars deployed stack fails and rolls back

      • There are many reasons why this may occur; please contact us for assistance and we can help you through the process: support@6pillars.io

(Screenshots referenced above: Deploy Role CloudFormation stack, Setup AUTOMATE, Add AWS Account)

Integrations, events and Alert Notifications

Events and Notifications

  • AUTOMATE and AUTOMATE+ provide users with various types of Events and Notifications both within the dashboard and via integrations. This section provides you with an overview of the types of events and notifications, plus how to integrate for best results.

  • Events

    • An Event in AUTOMATE+ is created based on any one of the following triggers:

      • AWS Security Hub Finding updates

        • On a rolling (approximately 12-hourly) basis, AWS Security Hub checks and updates findings on a control-by-control basis. Each time this happens for each control, an event is captured within the AUTOMATE+ dashboard.

      • AWS Security Hub Finding changes of state

        • Where a Security Hub Finding has changed state when compared with the previous finding result, an event is generated:

          • Failed to Passed

          • Passed to Failed

      • Automated Remediation Completed events

        • Where Automated Remediation is enabled and enacted, an event is recorded.

      • AUTOMATE+ platform deployment events

  • Alert Notifications via Integration

    • To ensure only the most critical and informative alerts are provided via integrations, the above Events have been filtered so as to minimise noise. Types of notifications provided via Integrations:

      • AWS Security Hub Finding changes of state

        • Where a Security Hub Finding has changed state when compared with the previous finding result, an alert is generated:

          • Failed to Passed

          • Passed to Failed

      • Automated Remediation Completed events

        • Where Automated Remediation is enabled and enacted, an alert is generated.

Integrations

  • AUTOMATE and AUTOMATE+ provide users with the ability to integrate event and alert notifications into their internal systems and tools. Below you will find step-by-step guides for how to integrate AUTOMATE

Slack Integration

  • Log into Slack via your browser.

  • Navigate to https://api.slack.com/apps

  • Click on Create New App.

    • Select the From Scratch option.

    • Choose a name for your app.

    • Select the preferred Workspace.

    • Click Create App.

  • This brings you to the Basic Information page.

    • Scroll down to “Add Features and Functionality” section and select Bots.

  • Now on the App Home page, click on “Review Scopes to Add” button.

  • Once on the OAuth & Permissions page.

    • In the Scopes section, under “Bot Token Scopes” click on “Add an OAuth Scope” and add the following scopes from the dropdown menu:

      • chat:write

      • channels:read

  • Scroll back up and click on Install to Workspace.

    • On the secondary confirmation page, please review and confirm the details of your new app and click Allow.

  • Once confirmed, you will be returned to the OAuth & Permissions page. Copy the Bot User OAuth Token using the button provided.

  • Navigate to app.6pillars.io/integrations and paste the Bot User OAuth Token into the Slack Bot Token field.

  • Go to your local Slack application

    • Select your preferred Slack channel for notifications, or create a new channel.

    • Once you have your channel selected, click on the channel name in the left hand channel browser.

    • Now click on the channel name dropdown at the top of the chat window.

    • Scroll to the bottom and copy the Channel ID.

    • Return to app.6pillars.io/integrations and paste the channel ID into the “Channel ID” field.

    • Click Save.

    • Return to your local Slack application.

    • Select the channel where you want to present AUTOMATE+ event notifications.

    • Click on the channel name dropdown, then select the Integrations tab.

    • Click on Add apps.

    • Search for the app name you chose when creating the app above and click Add App.

    • This completes your integration and AUTOMATE+ event notifications will be presented in your chosen Slack channel.
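As an added example (not 6pillars code and not part of this knowledge base), the Python below reproduces the noise filter described under Events and Notifications above (alert only on a Failed/Passed change of state or a completed automated remediation) and shows how such an alert is delivered to the Slack channel configured in this section. The finding rounds, the remediation event, the token and the channel ID are constructed placeholders; the xoxb- token prefix, the chat.postMessage endpoint and the bearer-token header are Slack's documented API, not something taken from this page.

```python
"""
Added example (not 6pillars code): the state-change filter described under
Events and Notifications, feeding the Slack bot integration set up above.
All finding data, the remediation event, the token and the channel ID are
constructed placeholders.
"""
import json
import urllib.request

# Constructed sample: compliance status per Security Hub control ID from two
# consecutive evaluation rounds (Security Hub re-evaluates roughly 12-hourly).
PREVIOUS_ROUND = {"S3.1": "FAILED", "IAM.4": "PASSED", "EC2.2": "FAILED", "KMS.1": "PASSED"}
CURRENT_ROUND = {"S3.1": "PASSED", "IAM.4": "FAILED", "EC2.2": "FAILED",
                 "KMS.1": "PASSED", "RDS.2": "FAILED"}

# Constructed sample of a completed automated remediation.
REMEDIATIONS = [{"control": "S3.1", "resource": "arn:aws:s3:::example-bucket", "status": "SUCCESS"}]


def state_change_alerts(previous, current):
    """Alert only on FAILED->PASSED or PASSED->FAILED transitions.

    Unchanged controls are dropped (that is the noise the filter removes), and a
    control with no previous status is a new finding, not a change of state, so
    it is dropped too."""
    alerts = []
    for control, status in sorted(current.items()):
        before = previous.get(control)
        if before is None or before == status:
            continue
        alerts.append({"type": "state_change", "control": control, "from": before, "to": status})
    return alerts


def remediation_alerts(events):
    """Every completed automated remediation is alerted."""
    return [{"type": "remediation_completed", **event} for event in events]


def format_alert(alert):
    if alert["type"] == "state_change":
        return f"Security Hub control {alert['control']}: {alert['from']} -> {alert['to']}"
    return (f"Automated remediation completed for {alert['control']} on "
            f"{alert['resource']} ({alert['status']})")


def build_slack_request(bot_token, channel_id, text):
    """Build (without sending) the chat.postMessage call the bot makes.

    The Bot User OAuth Token is presented as a bearer token and must carry the
    chat:write scope; the channel is addressed by the Channel ID copied from Slack."""
    if not bot_token.startswith("xoxb-"):
        raise ValueError("expected a Bot User OAuth Token, which starts with xoxb-")
    body = json.dumps({"channel": channel_id, "text": text}).encode("utf-8")
    return urllib.request.Request(
        "https://slack.com/api/chat.postMessage",
        data=body,
        headers={"Authorization": f"Bearer {bot_token}",
                 "Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )


def decode_body(request):
    """Return the JSON payload of a built request (for inspection and tests)."""
    return json.loads(request.data.decode("utf-8"))


def send(request):
    """Perform the call; Slack answers with JSON whose 'ok' field is False on
    failure (for example when the token lacks chat:write)."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


if __name__ == "__main__":
    alerts = state_change_alerts(PREVIOUS_ROUND, CURRENT_ROUND) + remediation_alerts(REMEDIATIONS)
    for alert in alerts:
        request = build_slack_request("xoxb-PLACEHOLDER-TOKEN", "C0PLACEHOLDER", format_alert(alert))
        print(request.full_url, decode_body(request))
        # send(request)  # only with a real token and channel ID
```

Run as-is, the script prints the two state-change alerts (IAM.4 and S3.1; EC2.2 and KMS.1 are unchanged and RDS.2 is new rather than changed) and the remediation alert as request bodies without contacting Slack; `send()` is only called once a real token and channel ID are in place. Keeping the bot token out of source and in a secret store is the practical corollary of the scopes being granted to that token.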

Security Controls and Reporting

 

Security Controls Overview

AUTOMATE and AUTOMATE+ provide users with comprehensive functionality of all available Compliance standards via the Security Controls page.

  • At the top of the page you will find some quick filter options for drilling into:

    • Preferred compliance standards

    • Current Compliance levels against available standards

    • Review Intrusive and Non-Intrusive control Automated Remediation

  • Below the filter section, you will find all currently available compliance controls. These are based on your AWS Security Hub configuration.

  • As shown below, the Security Controls list provides the user with the following information:

    • Current Compliance Level

      • Compliance or Non-Compliance

    • Security Hub Severity Rating

      • As identified in AWS Security Hub

    • Control ID

      • Control name as noted in AWS Security Hub

    • Description of the Control

      • An outline of what the control is for.

    • Custom Standards

      • Custom Standards are outlined below in more detail. These currently include:

        • Well-Architected

        • Well-Architected Foundational Technical Review Lens

        • Security OnRamp

    • Control Status

      • This toggle switch allows you to enable / disable controls in AWS Security Hub

    • Automated Remediation (if available)

      • This toggle switches Automated Remediation on or off for the selected control

Security Controls Detailed View

By clicking on the chevron icon next to each Security Control, the user is provided with an expanded view of control information. This section displays:

  • Latest Security Hub Finding IDs

  • Current Finding Status

  • Service ID information to assist with troubleshooting and manual remediation

  • Where automated remediation is available, the ability to trigger automated remediation on one AWS service only. 

  • AWS Manual Remediation documentation link

  • AWS Security Hub control link - which takes you directly to the control within AWS, allowing quick troubleshooting and management of compliance

Compliance Standards

AUTOMATE and AUTOMATE+ currently offer all of the Compliance Standards available in Security Hub as well as an array of other industry standards.

AWS Security Hub:

  • Amazon Foundational Security Best Practice (AFSBP)

  • Payment Card Industry Data Security Standard (PCI DSS v3.2.1)

  • Center for Internet Security (CIS)

Additional Standards mapped by 6pillars:

  • ISO 27001

  • CDR

  • SOC2

Additional Custom Standards are also available:

  • AWS Well-Architected Review 

  • AWS Well-Architected Review - Foundational Technical Review Lens (FTR)

  • AWS Security OnRamp

More information on custom standards can be found below.

Custom Compliance Standards

AUTOMATE and AUTOMATE+ provide an array of Custom Compliance Standards which have been adapted from AWS (and other sources) to assist AWS users to have visibility on, and the ability to maintain continuous compliance with cloud security best practices.

AUTOMATE and AUTOMATE+ provide the following Custom Compliance Standards:

  • AWS Well-Architected Review

    • The AWS Well-Architected Review (WA) service allows AWS users to ensure they're adhering to best practices in the AWS cloud.

    • While WA has traditionally been seen as a 'once-off' review process / task, the concept of continuous compliance with WA has become more important to ensure user environments maintain the recommended levels of security on an ongoing basis.

    • To leverage WA continuous compliance, please refer to the Well-Architected section of the knowledge base.

  • AWS Well-Architected Foundational Technical Review Lens (WA-FTR)

    • The FTR lens of WA is designed specifically for AWS ISV partners.

    • As noted above, AUTOMATE+ provides users with the ability to maintain visibility and continuous compliance with AWS WA-FTR on an ongoing basis.

    • To leverage WA continuous compliance, please refer to the Well-Architected section of the knowledge base.

  • Security OnRamp

    • A recent addition to the AWS best practice security and compliance services, AWS Security OnRamp provides newer users of AWS with the guidance they need to ensure security in the cloud.

    • As per all other Custom Compliance Standards noted above, AUTOMATE+ provides users with the ability to maintain visibility and continuous compliance with AWS Security OnRamp.

    • AWS Security OnRamp compliance is automatically included within AUTOMATE+.

(Screenshots referenced above: Security Controls table, Security Controls header filters, expanded Security Control sample)

Well-Architected

 


Well-Architected Overview

AUTOMATE and AUTOMATE+ provide users with the ability to Auto-Create, Auto-Discover, Auto-Fill, Auto-Remediate, and Auto-Update their AWS Well-Architected workload(s).

(Graphic referenced: 6pillars Well-Architected overview)

User Administration


User Admin

By clicking on the profile icon in the top right of the AUTOMATE+ header, users can make various adjustments to their account. 

 

  • Add additional AUTOMATE+ Dashboard User

  • Configure MFA

  • Reset / Change password

 

Help and Support


How to get help and Support

You can contact the 6pillars team at support@6pillars.io

Deployment & Post Deployment Permissions Policy

As mentioned in the deployment and account setup documentation above, AUTOMATE and AUTOMATE+ require a specific set of permissions in order to be deployed. These permissions are configured when you connect a new account to AUTOMATE.

Note that the last step of Account Setup is to reduce the permissions to the absolute minimum required for AUTOMATE and AUTOMATE+ to operate on an ongoing basis. 

Should you have any questions, please contact the 6pillars team at secure@6pillars.io.

Post Deployment six-pillars IAM Cross Account Role Policy:

  • "securityhub:*"
  • "wellarchitected:GetLensReview"
  • "wellarchitected:CreateWorkload"
  • "wellarchitected:ListWorkloads"
  • "wellarchitected:UpdateAnswer"
  • "wellarchitected:CreateMilestone"
  • "wellarchitected:ListMilestones"
  • "wellarchitected:GetLensReviewReport"
  • "events:*"
  • "states:StartExecution"

During Deployment six-pillars IAM Cross Account Role Policy:

The below policy is only in place during the Deployment process. Once deployment has been completed, the role is reduced to the above policy where privileges are reduced to the minimum.

  • "s3:GetObject"
  • "iam:CreateGroup"
  • "iam:CreatePolicy"
  • "iam:CreateRole"
  • "iam:CreateServiceLinkedRole"
  • "kms:CreateAlias"
  • "kms:CreateKey"
  • "logs:CreateLogGroup"
  • "lambda:CreateFunction"
  • "s3:CreateBucket"
  • "config:*"
  • "sns:CreateTopic"
  • "sns:DeleteTopic"
  • "states:CreateStateMachine"
  • "servicecatalog:AssociatePrincipalWithPortfolio"
  • "servicecatalog:AssociateProductWithPortfolio"
  • "servicecatalog:CreatePortfolio"
  • "servicecatalog:CreateProduct"
  • "servicecatalog:DeletePortfolio"
  • "servicecatalog:DeleteProduct"
  • "servicecatalog:Describe*"
  • "servicecatalog:DisassociateProductFromPortfolio"
  • "servicecatalog:ListLaunchPaths"
  • "servicecatalog:ListPortfolios"
  • "servicecatalog:ListProvisioningArtifacts"
  • "servicecatalog:ProvisionProduct"
  • "servicecatalog:SearchProducts"
  • "servicecatalog:DescribeProvisionedProduct"
  • "servicecatalog:DescribeRecord"
  • "servicecatalog:ListRecordHistory"
  • "servicecatalog:ListStackInstancesForProvisionedProduct"
  • "servicecatalog:ScanProvisionedProducts"
  • "servicecatalog:TerminateProvisionedProduct"
  • "servicecatalog:UpdateProvisionedProduct"
  • "servicecatalog:SearchProvisionedProducts"
  • "servicecatalog:CreateProvisionedProductPlan"
  • "servicecatalog:DescribeProvisionedProductPlan"
  • "servicecatalog:ExecuteProvisionedProductPlan"
  • "servicecatalog:DeleteProvisionedProductPlan"
  • "servicecatalog:ListProvisionedProductPlans"
  • "servicecatalog:ListServiceActionsForProvisioningArtifact"
  • "servicecatalog:ExecuteProvisionedProductServiceAction"
  • "servicecatalog:DescribeServiceActionExecutionParameters"
  • "acm:Describe*"
  • "acm:List*"
  • "apigateway:GET"
  • "autoscaling:Describe*"
  • "cloudformation:*"
  • "cloudfront:List*"
  • "cloudtrail:Describe*"
  • "cloudtrail:List*"
  • "cloudwatch:Describe*"
  • "cloudwatch:List*"
  • "dynamodb:Describe*"
  • "dynamodb:List*"
  • "ec2:DeleteDhcpOptions"
  • "ec2:DeleteInternetGateway"
  • "ec2:DeleteSubnet"
  • "ec2:DeleteVpc"
  • "ec2:Describe*"
  • "ec2:DetachInternetGateway"
  • "elasticache:Describe*"
  • "elasticache:List*"
  • "elasticbeanstalk:Describe*"
  • "elasticbeanstalk:List*"
  • "elasticloadbalancing:Describe*"
  • "es:Describe*"
  • "es:List*"
  • "firehose:Describe*"
  • "firehose:List*"
  • "iam:AttachGroupPolicy"
  • "iam:AttachRolePolicy"
  • "iam:DeleteGroup"
  • "iam:DeletePolicy"
  • "iam:DeleteRole"
  • "iam:DeleteRolePolicy"
  • "iam:DetachGroupPolicy"
  • "iam:DetachRolePolicy"
  • "iam:GetGroup"
  • "iam:GetPolicy"
  • "iam:GetRole"
  • "iam:GetRolePolicy"
  • "iam:GetUser"
  • "iam:List*"
  • "iam:PassRole"
  • "iam:PutRolePolicy"
  • "kinesis:List*"
  • "kms:DeleteAlias"
  • "kms:DescribeKey"
  • "kms:EnableKeyRotation"
  • "kms:ListAliases"
  • "kms:ListKeys"
  • "kms:PutKeyPolicy"
  • "lambda:AddPermission"
  • "lambda:DeleteFunction"
  • "lambda:DeleteLayerVersion"
  • "lambda:GetFunction"
  • "lambda:GetLayerVersion"
  • "lambda:InvokeFunction"
  • "lambda:List*"
  • "lambda:PublishLayerVersion"
  • "lambda:UpdateFunctionConfiguration"
  • "logs:DeleteLogGroup"
  • "logs:Describe*"
  • "logs:PutRetentionPolicy"
  • "rds:Describe*"
  • "rds:List*"
  • "redshift:Describe*"
  • "route53:GetHealthCheck"
  • "route53:GetHostedZone"
  • "route53:List*"
  • "s3:GetBucketTagging"
  • "s3:GetObject"
  • "s3:List*"
  • "s3:GetEncryptionConfiguration"
  • "s3:PutEncryptionConfiguration"
  • "s3:PutBucketPolicy"
  • "s3:GetBucketPolicy"
  • "s3:PutBucketPublicAccessBlock"
  • "sns:AddPermission"
  • "sns:ConfirmSubscription"
  • "sns:GetSubscriptionAttributes"
  • "sns:GetTopicAttributes"
  • "sns:List*"
  • "sns:SetSubscriptionAttributes"
  • "sns:SetTopicAttributes"
  • "sns:Subscribe"
  • "sqs:GetQueueAttributes"
  • "sqs:List*"
  • "ssm:CreateActivation"
  • "ssm:CreateAssociation"
  • "ssm:CreateDocument"
  • "ssm:DeleteActivation"
  • "ssm:DeleteAssociation"
  • "ssm:DeleteDocument"
  • "ssm:Describe*"
  • "ssm:Get*"
  • "ssm:List*"
  • "ssm:PutParameter"
  • "ssm:DeleteParameter"
  • "states:DeleteStateMachine"
  • "states:DescribeStateMachine"
  • "states:TagResource"
  • "states:UntagResource"
  • "sts:AssumeRole"
  • "sts:DecodeAuthorizationMessage"
  • "sts:GetCallerIdentity"
  • "sts:GetSessionToken"
  • "sts:SetSourceIdentity"
  • "sts:TagSession"
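As an added example (not 6pillars code), the Python below encodes the post-deployment action list above as an IAM policy statement and checks an observed role policy against it, which is the verification a practitioner would run after the deployment's final step to confirm that the reduction to least privilege actually happened and that no deployment-time permission was left behind. The observed policy document is constructed: it stands in for the output of iam:GetRolePolicy on the cross-account role, whose name this page does not give. The action names come from the lists on this page. It also reports the wildcard entries that the post-deployment list keeps (securityhub:* and events:*), since those are the entries to examine when scoping the role further.

```python
"""
Added example (not 6pillars code): checks that a cross-account role's observed
policy contains nothing beyond the post-deployment action list above, and flags
the wildcard actions left in that list. OBSERVED_ROLE_POLICY is a constructed
stand-in for the output of iam:GetRolePolicy; the role name is not on this page.
"""
import fnmatch
import json

# The post-deployment action list from this page, verbatim.
POST_DEPLOYMENT_ACTIONS = [
    "securityhub:*",
    "wellarchitected:GetLensReview",
    "wellarchitected:CreateWorkload",
    "wellarchitected:ListWorkloads",
    "wellarchitected:UpdateAnswer",
    "wellarchitected:CreateMilestone",
    "wellarchitected:ListMilestones",
    "wellarchitected:GetLensReviewReport",
    "events:*",
    "states:StartExecution",
]


def policy_document(actions, sid="SixPillarsPostDeployment"):
    """Wrap an action list in a single Allow statement (IAM policy JSON)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": sorted(actions), "Resource": "*"}]}


def actions_in(policy):
    """Collect every action granted by Allow statements; IAM permits Action to be
    a string or a list, so both forms are handled."""
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted


def covered_by(action, allowed):
    """IAM action matching: case-insensitive, with '*' as a wildcard, so
    'securityhub:*' covers 'securityhub:BatchUpdateFindings'."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in allowed)


def excess_actions(observed_policy, expected_actions):
    """Actions the role still grants that the expected list does not cover: these
    are deployment-time permissions that should have been removed at the final step."""
    return sorted(a for a in actions_in(observed_policy) if not covered_by(a, expected_actions))


def wildcard_actions(actions):
    """Entries granting a whole service or action family; worth reviewing even
    though the page's post-deployment list keeps two of them."""
    return sorted(a for a in actions if "*" in a)


# Constructed observed policy: the expected statement plus a leftover statement
# (two deployment-time actions from the list above) that a correct final
# deployment step would have removed.
OBSERVED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Expected", "Effect": "Allow", "Action": POST_DEPLOYMENT_ACTIONS, "Resource": "*"},
        {"Sid": "Leftover", "Effect": "Allow", "Action": ["iam:PassRole", "kms:CreateKey"], "Resource": "*"},
        {"Sid": "Denied", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(policy_document(POST_DEPLOYMENT_ACTIONS), indent=2))
    print("wildcards retained:", wildcard_actions(POST_DEPLOYMENT_ACTIONS))
    print("excess actions on observed role:",
          excess_actions(OBSERVED_ROLE_POLICY, POST_DEPLOYMENT_ACTIONS))
```

Against the constructed policy the check reports iam:PassRole and kms:CreateKey as excess, which is the signal that the final reduction step did not complete; on a correctly reduced role the list is empty. Deny statements are ignored on purpose, since the question is what the role can still do, not what it is explicitly refused. To run it for real, replace OBSERVED_ROLE_POLICY with the document returned for the role's inline or attached policies.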