ClearDATA has developed Automated Safeguards for Security Groups that allow customers to manage their own security groups and rules in AWS. Customers can still request ClearDATA to manage their Security Groups if they wish.
Customers are able to create new security group rules that use any RFC1918 space (10.0.0.0/8, 172.16.0.0/12, & 192.168.0.0/16) as the source. If customers wish to use a routable IP address in a Security Group rule they must request an exception. In order for ClearDATA to allow the rule, our Information Security team will review all exception requests against our policies and procedures and make a determination.
Users must be added to the appropriate IAM Group in order to create and modify Security Groups.
At this time IPv6 rules are not supported with the Automated Safeguards. If you require an IPv6 address please contact ClearDATA Support.
If a new rule is added to a Security Group, or if an existing rule is modified, that change will trigger a reevaluation of the Security Group. Additionally, there are certain events that will trigger an evaluation of existing rules but not a remediation. These events included underlying changes that AWS can make to load balancers, EC2 instances, or network interfaces that generate a change event. ClearDATA uses these change events to trigger an evaluation of the rules but it does not trigger a remediation, because there was not a change made to the rules themselves. You may receive an alert for a non-compliance security group as a result of these infrastructure changes.
If the new or modified rule is not allowed, and if there is not an existing exception, the rule will be removed from the Security Group. Please contact ClearDATA Support if you need any assistance with creating rules.
Fill the form and click submit
When submitting a request, please ensure each request only contains one source CIDR. If you have multiple CIDR ranges, each will require a separate request.
Security Group Rule Exception Requests are available in the ClearDATA customer portal.
Please note that its is all possible to view all requests by status as well. The status options are:
ClearDATA Automated Safeguards both alert and remediate when a compliance violation is detected. Customers can subscribe to the alerts by following the article Automated Safeguards - Subscribe to Compliance Alerts.