
lacework-global-76

info

This rule also encompasses lacework-global-497. See Adjusted Rules for CIS AWS 1.4.0 for further details.

3.5 Enable AWS Config in all regions (Automated)

Profile Applicability

• Level 2

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Best practices recommend enabling AWS Config in all regions.

Rationale

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Impact

It is recommended AWS Config be enabled in all regions.

Audit

Process to evaluate AWS Config configuration per region

From Console

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
  2. On the top right of the console select target Region.
  3. If presented with Setup AWS Config, follow the remediation procedure.
  4. On the Resource inventory page, click Edit (the gear icon). The Set Up AWS Config page appears.
  5. Ensure one or both check-boxes under "All Resources" are checked.
    • Include global resources related to IAM resources, which needs to be enabled in one region only
  6. Ensure the correct S3 bucket has been defined.
  7. Ensure the correct SNS topic has been defined.
  8. Repeat steps 2 to 7 for each region.

From Command Line

  1. Run this command to show all AWS Config recorders and their properties:

    aws configservice describe-configuration-recorders

  2. Evaluate the output to ensure that there is at least one recorder whose recordingGroup object includes "allSupported": true AND "includeGlobalResourceTypes": true.

    note

    There is one more parameter, "ResourceTypes", in the recordingGroup object. It does not need to be checked: whenever "allSupported": true is set, AWS enforces that the resource types list is empty ("ResourceTypes": []).

    Sample Output:

    {
        "ConfigurationRecorders": [
            {
                "recordingGroup": {
                    "allSupported": true,
                    "resourceTypes": [],
                    "includeGlobalResourceTypes": true
                },
                "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
                "name": "default"
            }
        ]
    }

  3. Run this command to show the status for all AWS Config recorders:

    aws configservice describe-configuration-recorder-status

  4. In the output, find recorders whose name key matches the recorders that met the criteria in step 2. Ensure that at least one of them includes "recording": true and "lastStatus": "SUCCESS".
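As an added example (not part of the original rule or of Lacework's tooling), the audit criteria from steps 2 and 4 expressed as a small Python check over the JSON produced by the two describe commands; the sample documents are constructed to mirror the sample output above, and the script name and input file names are assumptions.

```python
import json
import sys

# Constructed sample documents mirroring the CLI output shapes used in the
# audit steps (placeholder account id and role name, not real values).
SAMPLE_RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
    "recordingGroup": {"allSupported": True, "resourceTypes": [],
                       "includeGlobalResourceTypes": True}}]}
SAMPLE_STATUS = {"ConfigurationRecordersStatus": [{
    "name": "default", "recording": True, "lastStatus": "SUCCESS"}]}


def qualifying_recorder_names(recorders_doc):
    """Audit step 2: names of recorders whose recordingGroup has both
    allSupported and includeGlobalResourceTypes set to true."""
    names = []
    for rec in recorders_doc.get("ConfigurationRecorders", []):
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") is True and \
                group.get("includeGlobalResourceTypes") is True:
            names.append(rec.get("name"))
    return names


def evaluate_region(recorders_doc, status_doc):
    """Audit step 4: the region passes only if at least one recorder that met
    step 2 is recording and its last status is SUCCESS. Returns (ok, reason)."""
    wanted = set(qualifying_recorder_names(recorders_doc))
    if not wanted:
        return False, "no recorder records all supported and global resources"
    for st in status_doc.get("ConfigurationRecordersStatus", []):
        if (st.get("name") in wanted and st.get("recording") is True
                and st.get("lastStatus") == "SUCCESS"):
            return True, f"recorder '{st['name']}' is recording with status SUCCESS"
    return False, "no qualifying recorder is recording with lastStatus SUCCESS"


if __name__ == "__main__":
    # Usage (assumed names): python3 check_config_recorder.py recorders.json
    # status.json, where the files hold the output of the two describe commands.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            docs = (json.load(f1), json.load(f2))
    else:
        docs = (SAMPLE_RECORDERS, SAMPLE_STATUS)
    ok, why = evaluate_region(*docs)
    print("PASS" if ok else "FAIL", "-", why)
    sys.exit(0 if ok else 1)
```

Run it once per region (with the CLI's --region switched each time) to reproduce step 8 of the console procedure.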

Remediation

To implement AWS Config configuration:

From Console

  1. Select the region you want to focus on in the top right of the console.
  2. Click Services.
  3. Click Config.
  4. If a Config recorder is already enabled in this region, navigate to the Settings page from the navigation menu on the left-hand side. If a Config recorder is not yet enabled in this region, select "Get Started".
  5. Select "Record all resources supported in this region".
  6. Choose to include global resources (Identity and Access Management (IAM) resources).
  7. Specify an S3 bucket in the same account or in another managed AWS account.
  8. Create a Simple Notification Service (SNS) Topic from the same AWS account or another managed AWS account.

From Command Line

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.

  2. Run this command to create a new configuration recorder:

    aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/ConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true
  3. Create a delivery channel configuration file locally which specifies the channel attributes, populated from the prerequisites set up previously:

    {
        "name": "default",
        "s3BucketName": "config-bucket",
        "snsTopicARN": "arn:aws:sns:us-east-1:012345678912:config-notice",
        "configSnapshotDeliveryProperties": {
            "deliveryFrequency": "Twelve_Hours"
        }
    }
  4. Run this command to create a new delivery channel, referencing the JSON configuration file made in the previous step:

    aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
  5. Start the configuration recorder by running the following command:

    aws configservice start-configuration-recorder --configuration-recorder-name default
note

You can utilize Lacework's remediation template to resolve violations of this policy. See Remediation Templates.

References

CCE-78917-2
https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html
https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html
https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html