Cloud Detection & Response (CDR)
Quick Links
- Onboarding: CDR Onboarding for AWS, GCP & Azure
- Remediation Setup: CDR Remediation Steps
The Problem
Cloud infrastructure is dynamic. Despite rigorous provisioning checks, assets often drift from their secure state due to manual changes or misconfigurations during runtime. Common critical risks include:
- Storage buckets (e.g., S3, GCS) accidentally exposed to the public
- Virtual Machines (VMs) launched with public IPs or unsecured ports
- Access requests originating from unauthorized or unknown geographic regions
Manual Monitoring is Insufficient
Manual monitoring is insufficient for these real-time threats. You need automated detection and response.
The Solution
AccuKnox CDR provides an automated, closed-loop security system. It ingests cloud logs (CloudTrail, Audit Logs), detects policy violations in real-time, and triggers immediate automated remediation workflows (via CI/CD or Webhooks) to revert the infrastructure to a secure state.

High-Level Architecture
The solution operates on an event-driven architecture connecting your Cloud Environment, the AccuKnox SIEM/CNAPP Control Plane, and your Remediation Pipelines.
Architecture Overview
The architecture captures cloud events, analyzes them against security policies, and triggers remediation actions.

Integration Workflow
| Stage | Description | Example/Method |
|---|---|---|
| Ingest & Detect | Capture cloud events (CloudTrail, Audit Logs) and analyze for policy violations | PutBucketPublicAccessBlock |
| Alert Trigger | Generate alert, check for response policy, notify via Slack/Jira/Email | Dashboard alert, notification |
| Automated Response | Invoke remediation workflow via webhook or CI/CD pipeline | GitHub Actions, Jenkins |
| Remediation & Verification | Execute fix (e.g., remove public IP), update dashboard status | Remediation script, status |
Primary Use Cases
Below are the three standard implementation scenarios for CDR.
Enforcing Private S3 Buckets
Goal
Automatically revoke public access if a user inadvertently exposes an S3 bucket.
- Trigger Event: A user performs an action that enables public access on a bucket
- Detection: CloudTrail logs the API event. AccuKnox detects a violation of the `Public S3 Bucket Detected` policy
- Action: The system triggers the CDR-Remediation Workflow
- Remediation: The workflow executes `remove-bucket-public-access`, reverting the bucket permissions to private

Restricting Public IPs on VMs
Goal
Ensure no Compute Engine/EC2 instance is reachable via a public IP address.
- Trigger Event: A VM is launched or modified to have a Public IP
- Detection: The system flags the `VM-pubip` policy violation
- Action: The CDR-Remediation Workflow is invoked
- Remediation: The workflow executes the `remove-public-ip` action, detaching the public network interface while keeping the instance running

Geo-Fencing Access
Goal
Detect and notify if cloud resources are accessed from an unapproved region.
- Trigger Event: API access detected from a region not on the allow-list
- Detection: The `unk-access` policy is triggered
- Action: Unlike remediation, this triggers a Notification Workflow
- Outcome: The Security Team receives an immediate high-priority email/Slack alert to investigate potential credential compromise
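The "Detection" step of the S3 and geo-fencing scenarios above, as an added example that is not AccuKnox's code or part of this page: it evaluates constructed CloudTrail-style records, flags a `PutBucketPublicAccessBlock` call that leaves any Block Public Access setting off, flags activity from a region outside an assumed allow-list, and routes each alert to the workflow the page names. The region allow-list, alert fields and sample records are assumptions for the demo.

```python
# Detection stage of the CDR loop over constructed CloudTrail-style records.
# Added example, not AccuKnox code: policy names come from the page; the region
# allow-list, the alert fields and the sample records are assumptions for this demo.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}  # assumed geo-fence allow-list
# The four S3 Block Public Access settings; a violation is any one left off.
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def detect(record: dict) -> list[dict]:
    """Evaluate one CloudTrail record and return the alerts it raises."""
    alerts = []
    if record.get("eventName") == "PutBucketPublicAccessBlock":
        params = record.get("requestParameters", {})
        cfg = params.get("PublicAccessBlockConfiguration", {})
        # An omitted setting is treated as disabled (conservative reading).
        disabled = [k for k in BLOCK_SETTINGS if not cfg.get(k, False)]
        if disabled:
            alerts.append({
                "policy": "Public S3 Bucket Detected", "severity": "Critical",
                "resource": params.get("bucketName", "<unknown>"),
                "response": "CDR-Remediation Workflow",
                "action": "remove-bucket-public-access",
                "detail": "disabled: " + ", ".join(disabled)})
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        alerts.append({
            "policy": "unk-access", "severity": "High",
            "resource": record.get("userIdentity", {}).get("arn", "<unknown>"),
            "response": "Notification Workflow", "action": "notify-security-team",
            "detail": f"region {record.get('awsRegion')} not on allow-list"})
    return alerts

def detect_all(records: list[dict]) -> list[dict]:
    """Run detection over a batch of records (the ingest stage's output)."""
    return [alert for rec in records for alert in detect(rec)]

ARN = "arn:aws:iam::111122223333:user/dev"  # constructed principal
CONSTRUCTED_RECORDS = [  # constructed sample records, not real log data
    {"eventName": "PutBucketPublicAccessBlock", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ARN}, "requestParameters": {
         "bucketName": "example-data", "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": False, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventName": "PutBucketPublicAccessBlock", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ARN}, "requestParameters": {
         "bucketName": "example-logs",
         "PublicAccessBlockConfiguration": dict.fromkeys(BLOCK_SETTINGS, True)}},
    {"eventName": "ListBuckets", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": ARN}, "requestParameters": {}},
]
```

Running `detect_all(CONSTRUCTED_RECORDS)` yields two alerts: the first record is routed to the remediation workflow, the second (all settings on) raises nothing, and the third is routed to the notification workflow.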

Prerequisites for Remediation
To enable the "Response" component of CDR, ensure your remediation pipeline (CI/CD) has the necessary permissions.
Required Cloud Permissions
AWS Permissions
| Action | Required Permissions | Policy Name |
|---|---|---|
| Make S3 Private | `s3:PutBucketPublicAccessBlock`, `s3:ListBucket` | `s3_make_bucket_private.yaml` |
| Shutdown EC2 | `ec2:TerminateInstances`, `ec2:DescribeInstances` | `ec2_shutdown_public_instance.yaml` |
| Enable CloudTrail | `cloudtrail:StartLogging` | `cloudtrail_ensure_enabled.yaml` |
GCP Permissions
| Action | Required Permissions | Policy Name |
|---|---|---|
| Revert Firewall | `compute.firewalls.update`, `compute.firewalls.get` | `revert_firewall_ports.yaml` |
| Shutdown Instance | `compute.instances.delete` | `instance_delete_public_ip.yaml` |
Azure Permissions
| Action | Required Permissions | Policy Name |
|---|---|---|
| Block Blob Public Access | `Microsoft.Storage/.../write` | `storage_container_block_public_access.yaml` |
| Terminate Public VM | `Microsoft.Compute/virtualMachines/delete` | `vm_terminate_public_ip.yaml` |
Visualizing Alerts
Track the effectiveness of your policies in the Alerts Dashboard.
- Navigate to CDR → Alerts
- Filter by Severity: Critical
- Locate the specific alert (e.g., "GCP Storage Bucket Open to Public")
- Check the status to confirm if the Auto-Remediation action was successfully triggered and the issue is resolved.
