I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation:
- A bot must never harm stateful data or allow stateful data to come to harm.
- A bot must act with utmost haste so functionality doesn’t become dependent on a misconfiguration.
- A bot must announce its existence and tell a carbon-based life form what it did and why.
I think these reflect the key tenets of auto-remediation while staying true to the original source of the Three Laws.
A bot must never harm stateful data or allow stateful data to come to harm.
This law is intended to be obvious. Don’t risk a catastrophic, unrecoverable event to fix a potential security issue. There is no misconfiguration so dire that you should ever allow a bot to have rds:TerminateInstance. But you must also consider downstream effects, which I reference in “…or allow stateful data to come to harm”. Even deleting an IAM User/Role could have a horrible impact if that principal’s unique identifier is tied to a KMS Key or EKS Cluster permission.
A bot must act with utmost haste so functionality doesn’t become dependent on a misconfiguration.
Law 2 is about the speed at which the bot responds. This should almost always be measured in seconds. The longer a misconfiguration exists, the greater the chance that functionality depends on the misconfiguration. It’s why I’d never run a script to enable S3 Block Public Access on all my buckets.
A bot must announce its existence and tell a carbon-based life form what it did and why.
Law 3 is related to Law 2: bots can’t operate in secrecy. If the user expects X and a bot changes the state to Y, the human will be confused (and probably change the state back to X). Or, if you have deployment automation, the deployment will make the state X, the bot will change the state to Y, and on the next iteration of the deployment, the state reverts back to X. This game of BattleBots will go on until the end of time (or someone notices). It is best to notify a human so they can fix the deployment rather than relying on the bot to keep things secure.
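To show how the three laws fall out in practice, here is an added example of a remediation handler for the S3 Block Public Access case mentioned under Law 2. It is not the author’s code. It assumes the bot is triggered by a CloudTrail event delivered through EventBridge (the `eventName`, `eventTime`, `userIdentity.arn` and `requestParameters.bucketName` fields) and would normally call boto3’s `get_public_access_block` / `put_public_access_block`; the S3 client and the notifier are injected so the logic runs offline against the constructed stand-ins at the bottom. Law 1 is an in-code denylist of destructive actions (to be mirrored as an explicit Deny in the bot’s IAM policy), Law 2 is the measured time between the event and the fix, and Law 3 is the message that says what changed, why, and who should fix the deployment instead of fighting the bot.

```python
"""Auto-remediation handler skeleton encoding the three laws (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Law 1: actions this bot must never take. Mirror this as an explicit Deny
# in the bot's IAM policy; the in-code check is defence in depth only.
FORBIDDEN_ACTIONS = frozenset({
    "rds:DeleteDBInstance", "ec2:TerminateInstances", "s3:DeleteBucket",
    "s3:DeleteObject", "dynamodb:DeleteTable", "iam:DeleteUser",
    "iam:DeleteRole", "kms:ScheduleKeyDeletion",
})
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Purge", "Destroy")
LAW2_BUDGET_SECONDS = 60  # Law 2: acceptable event-to-fix latency (assumed budget)
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


@dataclass
class RemediationResult:
    bucket: str
    changed: bool
    before: dict
    after: dict
    latency_seconds: float
    within_budget: bool
    notified: bool


def is_destructive(action: str) -> bool:
    """Law 1 guard: anything that deletes or terminates touches stateful data."""
    operation = action.split(":", 1)[1]
    return action in FORBIDDEN_ACTIONS or operation.startswith(DESTRUCTIVE_PREFIXES)


def parse_event_time(event_time: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(event_time.replace("Z", "+00:00"))


def remediate_public_bucket(event: dict, s3, notifier, now: datetime) -> RemediationResult:
    detail = event["detail"]
    bucket = detail["requestParameters"]["bucketName"]
    actor = detail["userIdentity"]["arn"]
    action = "s3:PutBucketPublicAccessBlock"
    if is_destructive(action):  # Law 1: refuse before touching anything
        raise PermissionError(f"refusing destructive action {action}")

    # Read the current state first so the announcement carries an accurate diff.
    # (Real boto3 raises NoSuchPublicAccessBlockConfiguration when none is set.)
    before = s3.get_public_access_block(Bucket=bucket).get("PublicAccessBlockConfiguration", {})
    changed = any(not before.get(k, False) for k in BLOCK_ALL)
    if changed:
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    after = dict(BLOCK_ALL) if changed else dict(before)

    # Law 2: how long was the misconfiguration live before we fixed it?
    latency = (now - parse_event_time(detail["eventTime"])).total_seconds()
    within_budget = latency <= LAW2_BUDGET_SECONDS

    # Law 3: say what was done, why, and what the human should fix at the source.
    notified = False
    if changed:
        notifier.send(
            f"[auto-remediation] Enabled S3 Block Public Access on {bucket}.\n"
            f"Why: {detail['eventName']} by {actor} at {detail['eventTime']} left "
            f"public access open. Before={before} After={after}.\n"
            f"Fix the deployment that produced this state; the bot re-applies on "
            f"every change. Latency {latency:.0f}s"
            f"{'' if within_budget else ' (OVER BUDGET)'}.")
        notified = True
    return RemediationResult(bucket, changed, before, after, latency, within_budget, notified)


class FakeS3:
    """Constructed stand-in for the two boto3 S3 client methods used above."""
    def __init__(self, config):
        self.config, self.calls = dict(config), []

    def get_public_access_block(self, Bucket):
        return {"PublicAccessBlockConfiguration": dict(self.config)}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.calls.append((Bucket, PublicAccessBlockConfiguration))
        self.config = dict(PublicAccessBlockConfiguration)


class FakeNotifier:
    """Constructed stand-in for an SNS/Slack notifier."""
    def __init__(self):
        self.messages = []

    def send(self, text):
        self.messages.append(text)


# Constructed CloudTrail-style event, not captured from a real account.
SAMPLE_EVENT = {"detail": {
    "eventName": "DeletePublicAccessBlock",
    "eventTime": "2024-01-01T00:00:00Z",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deployer"},
    "requestParameters": {"bucketName": "example-bucket"},
}}


def demo(compliant: bool = False):
    """Run the handler 12 s after the event against a fake bucket."""
    start = dict(BLOCK_ALL) if compliant else {k: False for k in BLOCK_ALL}
    s3, notifier = FakeS3(start), FakeNotifier()
    now = datetime(2024, 1, 1, 0, 0, 12, tzinfo=timezone.utc)
    return remediate_public_bucket(SAMPLE_EVENT, s3, notifier, now), s3, notifier


if __name__ == "__main__":
    result, _, notes = demo()
    print(result)
    print(notes.messages[0])
```

The handler deliberately writes only the four Block Public Access booleans and never touches objects or the bucket itself, which is what keeps it inside Law 1; the notification text names the deployment as the thing to fix, which is the Law 3 answer to the revert loop described above.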