A client with U.S. Government contracts that fall under classified and national security had implemented Prisma, a third-party security scanning tool for its AWS environment. Due to the client’s structure, two separate teams configured and maintained Prisma and the AWS environment. This led to a disconnect of the data shared, synced, and documented between the teams, Prisma, and the environment.
The client wanted the scanning tool's approach because of its ability to auto-remediate issues discovered in AWS accounts. However, that approach requires administrative-level access to those accounts, which was not feasible given the stricter security requirements of certain highly regulated accounts.
For the client to realize the business value and achieve ROI for the security scanning tool, the Trility team bridged the gap with AWS Lambda – an event-driven, serverless computing platform.
Prisma’s recommended processes were identified as the best approach for the client. The tool generates and sends alerts and even auto-remediates the discovered issues.
The chosen solution was to build a Lambda function inside AWS that receives and reads the alerts and then takes corrective action inside the account. For the client's lower-level accounts, Lambda was allowed to fix issues with user accounts and security groups. For the higher-level accounts, it was restricted to a specific set of functions.
This solution allowed the client to leverage the third-party processes without granting the tool administrative access, satisfying both existing and future security requirements.
It also allowed the team to:
Auto-remediate issues as much as possible.
Receive alerts when “human review and action” is needed.
Leverage a targeted way to address each AWS account based on security level.
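The dispatcher below is an added illustration of the pattern described above, not code from Trility or the client: a Lambda-style handler that reads an alert, looks up the security tier of the account it concerns, and runs a remediation only if that remediation is on the allow-list for that tier, otherwise routing the alert to human review. The alert JSON layout, the account IDs, the finding names and the in-memory stand-in for the EC2/IAM API (which a real function would replace with boto3 calls) are all constructed for the example and are not from the original page or from Prisma's actual alert format.

```python
"""
Alert-driven remediation dispatcher with per-account-tier allow-lists.
Everything here (alert shape, account IDs, finding names, the fake AWS API)
is constructed for the example; it is not Prisma's format or the client's code.
"""
import json

# Constructed: which security tier each account belongs to (real deployments
# would load this from configuration rather than hard-code it).
ACCOUNT_TIERS = {
    "111111111111": "low",
    "222222222222": "high",
}

# Least privilege: remediations the function may execute on its own, per tier.
# Anything not listed falls through to "review" so a human acts instead.
ALLOWED_ACTIONS = {
    "low": {"revoke_open_ingress", "disable_iam_user"},
    "high": {"revoke_open_ingress"},
}

# Constructed mapping from a finding name to the remediation that fixes it.
FINDING_TO_ACTION = {
    "sg_open_to_world": "revoke_open_ingress",
    "iam_user_inactive": "disable_iam_user",
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


class InMemoryAws:
    """Stand-in for the EC2/IAM calls a real Lambda would make through boto3."""

    def __init__(self, security_groups, iam_users):
        self.security_groups = security_groups  # sg_id -> list of ingress rules
        self.iam_users = iam_users              # user name -> {"enabled": bool}

    def get_ingress(self, sg_id):
        return list(self.security_groups[sg_id])  # copy, safe to iterate while revoking

    def revoke_ingress(self, sg_id, rule):
        self.security_groups[sg_id].remove(rule)

    def disable_user(self, name):
        self.iam_users[name]["enabled"] = False


def revoke_open_ingress(aws, alert):
    """Remove every ingress rule open to the whole internet on the flagged group."""
    sg_id = alert["resource_id"]
    revoked = []
    for rule in aws.get_ingress(sg_id):
        if rule["cidr"] in WORLD_CIDRS:
            aws.revoke_ingress(sg_id, rule)
            revoked.append(rule)
    return {"revoked": revoked}


def disable_iam_user(aws, alert):
    """Disable the flagged IAM user rather than delete it, so the change is reversible."""
    aws.disable_user(alert["resource_id"])
    return {"disabled": alert["resource_id"]}


REMEDIATIONS = {
    "revoke_open_ingress": revoke_open_ingress,
    "disable_iam_user": disable_iam_user,
}


def handle_alert(alert, aws):
    """Auto-remediate if the account tier permits it; otherwise hand off for review.

    Returns {"status": "remediated", ...} or {"status": "review", "reason": ...}.
    """
    account = alert.get("account_id")
    tier = ACCOUNT_TIERS.get(account)
    if tier is None:
        return {"status": "review", "reason": f"unknown account {account}"}
    action = FINDING_TO_ACTION.get(alert.get("finding"))
    if action is None:
        return {"status": "review", "reason": f"no remediation for {alert.get('finding')}"}
    if action not in ALLOWED_ACTIONS[tier]:
        return {"status": "review", "reason": f"{action} not permitted in {tier}-tier account"}
    result = REMEDIATIONS[action](aws, alert)
    return {"status": "remediated", "action": action, "tier": tier, "result": result}


# Constructed sample state: one group with a world-open SSH rule beside an internal one.
AWS = InMemoryAws(
    security_groups={"sg-0123": [{"port": 22, "cidr": "0.0.0.0/0"},
                                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    iam_users={"svc-legacy": {"enabled": True}},
)

# Constructed sample alerts: one for a low-tier account, one for a high-tier account.
SAMPLE_ALERTS = [
    {"account_id": "111111111111", "finding": "sg_open_to_world", "resource_id": "sg-0123"},
    {"account_id": "222222222222", "finding": "iam_user_inactive", "resource_id": "svc-legacy"},
]


def lambda_handler(event, context):
    """Lambda entry point. Assumption: the alert JSON arrives as the event body."""
    alert = json.loads(event["body"]) if isinstance(event.get("body"), str) else event
    return handle_alert(alert, AWS)


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(json.dumps(handle_alert(sample, AWS)))
```

The design point is that the Lambda's IAM role, not the scanning tool, holds the write permissions, and even that role only ever exercises the actions in ALLOWED_ACTIONS for the account's tier; a finding the tier does not permit is never silently dropped but returned as a review item with the reason attached.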