lacework-global-76
info
This rule also encompasses lacework-global-497. See Adjusted Rules for CIS AWS 1.4.0 for further details.
3.5 Ensure AWS Config is enabled in all regions (Automated)
Profile Applicability
• Level 2
Description
AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended AWS Config be enabled in all regions.
Rationale
The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
Impact
It is recommended AWS Config be enabled in all regions.
Audit
Process to evaluate AWS Config configuration per region
From Console
1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
2. On the top right of the console, select the target Region.
3. If presented with Set Up AWS Config, follow the remediation procedure.
4. On the Resource inventory page, click edit (the gear icon). The Set Up AWS Config page appears.
5. Ensure one or both check-boxes under "All Resources" are checked.
   - Include global resources related to IAM resources; this needs to be enabled in one region only.
6. Ensure the correct S3 bucket has been defined.
7. Ensure the correct SNS topic has been defined.
8. Repeat steps 2 to 7 for each region.
From Command Line
1. Run this command to show all AWS Config recorders and their properties:
aws configservice describe-configuration-recorders
2. Evaluate the output to ensure that there is at least one recorder whose recordingGroup object includes "allSupported": true AND "includeGlobalResourceTypes": true.
note
There is one more parameter, "ResourceTypes", in the recordingGroup object. It does not need to be checked: whenever "allSupported": true is set, AWS enforces that the resource types list is empty ("ResourceTypes": []).
Sample Output:
{
  "ConfigurationRecorders": [
    {
      "recordingGroup": {
        "allSupported": true,
        "resourceTypes": [],
        "includeGlobalResourceTypes": true
      },
      "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
      "name": "default"
    }
  ]
}
3. Run this command to show the status for all AWS Config recorders:
aws configservice describe-configuration-recorder-status
4. In the output, find recorders with a name key matching the recorders that met the criteria in step 2. Ensure that at least one of them includes "recording": true and "lastStatus": "SUCCESS".
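The audit steps above are easy to get wrong by eye when an account has many regions. The following is an added example (not the page's or Lacework's own code) that applies steps 2 and 4 to the saved JSON output of the two commands for each region and reports which regions fail. The region names, the SAMPLE_* data and the audit() report format are constructed for the example; only the us-east-1 recorder mirrors the page's sample output.

```python
"""Evaluate the CIS 3.5 audit criteria over captured AWS Config CLI output.

Added example, not part of the original page. Assumes both commands were run
per region and their JSON output loaded into dicts, e.g.
  aws configservice describe-configuration-recorders --region <region>
  aws configservice describe-configuration-recorder-status --region <region>
"""
from typing import Dict, List


def compliant_recorder_names(recorders_output: dict) -> List[str]:
    """Step 2: names of recorders whose recordingGroup has both
    allSupported and includeGlobalResourceTypes set to true."""
    names = []
    for rec in recorders_output.get("ConfigurationRecorders", []):
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") is True and group.get("includeGlobalResourceTypes") is True:
            names.append(rec["name"])
    return names


def region_is_compliant(recorders_output: dict, status_output: dict) -> bool:
    """Step 4: at least one recorder that passed step 2 is recording
    and its lastStatus is SUCCESS."""
    candidates = set(compliant_recorder_names(recorders_output))
    for status in status_output.get("ConfigurationRecordersStatus", []):
        if (status.get("name") in candidates
                and status.get("recording") is True
                and status.get("lastStatus") == "SUCCESS"):
            return True
    return False


def audit(per_region: Dict[str, dict]) -> Dict[str, List[str]]:
    """per_region maps a region name to {"recorders": <step 1 output>,
    "status": <step 3 output>}; returns sorted compliant/noncompliant lists."""
    report: Dict[str, List[str]] = {"compliant": [], "noncompliant": []}
    for region in sorted(per_region):
        outputs = per_region[region]
        ok = region_is_compliant(outputs.get("recorders", {}), outputs.get("status", {}))
        report["compliant" if ok else "noncompliant"].append(region)
    return report


# Constructed sample data (placeholders, not real ARNs).
def _recorder(all_supported: bool, global_types: bool, types: List[str]) -> dict:
    return {"ConfigurationRecorders": [{
        "recordingGroup": {"allSupported": all_supported, "resourceTypes": types,
                           "includeGlobalResourceTypes": global_types},
        "roleARN": "arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>",
        "name": "default"}]}


def _status(recording: bool, last_status: str) -> dict:
    return {"ConfigurationRecordersStatus": [
        {"name": "default", "recording": recording, "lastStatus": last_status}]}


SAMPLE_PER_REGION = {
    # Matches the page's sample output: fully compliant.
    "us-east-1": {"recorders": _recorder(True, True, []), "status": _status(True, "SUCCESS")},
    # Only a subset of resource types is recorded: fails step 2.
    "eu-west-1": {"recorders": _recorder(False, False, ["AWS::EC2::Instance"]),
                  "status": _status(True, "SUCCESS")},
    # Recorder configured correctly but never started: fails step 4.
    "ap-southeast-1": {"recorders": _recorder(True, True, []), "status": _status(False, "PENDING")},
    # AWS Config never set up in this region.
    "eu-central-1": {"recorders": {"ConfigurationRecorders": []},
                     "status": {"ConfigurationRecordersStatus": []}},
}

if __name__ == "__main__":
    for key, regions in audit(SAMPLE_PER_REGION).items():
        print(f"{key}: {', '.join(regions) or '(none)'}")
```

Because the functions take plain dicts, the same code works on output collected with `--region` in a loop, on JSON saved to disk, or on the response dicts returned by a boto3 `config` client.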
Remediation
To implement AWS Config configuration:
From Console
- Select the region you want to focus on in the top right of the console.
- Click Services.
- Click Config.
- If a Config recorder is enabled in this region, navigate to the Settings page from the navigation menu on the left hand side. If a Config recorder is not yet enabled in this region, select "Get Started".
- Select "Record all resources supported in this region".
- Choose to include global resources (IAM resources).
- Specify an S3 bucket in the same account or in another managed AWS account.
- Create an SNS Topic from the same AWS account or another managed AWS account.
From Command Line
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
Run this command to create a new configuration recorder:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true
Create a delivery channel configuration file locally which specifies the channel attributes, populated from the prerequisites set up previously:
{
  "name": "default",
  "s3BucketName": "my-config-bucket",
  "snsTopicARN": "arn:aws:sns:us-east-1:012345678912:my-config-notice",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}
Run this command to create a new delivery channel, referencing the JSON configuration file made in the previous step:
aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
Start the configuration recorder by running the following command:
aws configservice start-configuration-recorder --configuration-recorder-name default
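The three commands above must be issued in that order (recorder, delivery channel, start), and the delivery channel's fields are easy to mistype by hand. The following is an added example (not the page's or Lacework's own code) that builds both payloads with the same values as the commands above and applies them through the boto3 `config` client methods put_configuration_recorder, put_delivery_channel and start_configuration_recorder. RecordingClient is a constructed stand-in for a boto3 client so the block runs offline; the role ARN, bucket name and SNS topic ARN are the page's placeholders.

```python
"""Apply the CIS 3.5 command-line remediation in one region.

Added example, not part of the original page. With boto3 installed, pass
boto3.client("config", region_name=<region>) instead of RecordingClient.
"""
from typing import Any, Dict, List, Tuple

# Values accepted by configSnapshotDeliveryProperties.deliveryFrequency.
VALID_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}


def build_recorder(role_arn: str, name: str = "default") -> Dict[str, Any]:
    """Payload equivalent to --configuration-recorder plus --recording-group."""
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    }


def build_delivery_channel(bucket: str, topic_arn: str, frequency: str = "Twelve_Hours",
                           name: str = "default") -> Dict[str, Any]:
    """Payload equivalent to the deliveryChannel.json file above."""
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"invalid deliveryFrequency: {frequency}")
    if not topic_arn.startswith("arn:aws:sns:"):
        raise ValueError(f"not an SNS topic ARN: {topic_arn}")
    return {
        "name": name,
        "s3BucketName": bucket,
        "snsTopicARN": topic_arn,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency},
    }


def enable_config(client: Any, role_arn: str, bucket: str, topic_arn: str) -> List[str]:
    """Create the recorder, then the delivery channel, then start recording.
    Returns the names of the steps performed, in order."""
    recorder = build_recorder(role_arn)
    channel = build_delivery_channel(bucket, topic_arn)
    client.put_configuration_recorder(ConfigurationRecorder=recorder)
    client.put_delivery_channel(DeliveryChannel=channel)
    client.start_configuration_recorder(ConfigurationRecorderName=recorder["name"])
    return ["put_configuration_recorder", "put_delivery_channel", "start_configuration_recorder"]


class RecordingClient:
    """Constructed stand-in for a boto3 config client: records calls instead of
    talking to AWS, so the procedure can be exercised offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def put_configuration_recorder(self, **kwargs: Any) -> None:
        self.calls.append(("put_configuration_recorder", kwargs))

    def put_delivery_channel(self, **kwargs: Any) -> None:
        self.calls.append(("put_delivery_channel", kwargs))

    def start_configuration_recorder(self, **kwargs: Any) -> None:
        self.calls.append(("start_configuration_recorder", kwargs))


# Placeholder values taken from the commands on the page.
ROLE_ARN = "arn:aws:iam::012345678912:role/myConfigRole"
BUCKET = "my-config-bucket"
TOPIC_ARN = "arn:aws:sns:us-east-1:012345678912:my-config-notice"

if __name__ == "__main__":
    client = RecordingClient()
    for step in enable_config(client, ROLE_ARN, BUCKET, TOPIC_ARN):
        print("done:", step)
```

Running enable_config once per region with a real client is the programmatic form of "repeat for each region"; the IAM role, bucket and topic from the prerequisites can be shared across regions as the Remediation section allows.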
References
CCE-78917-2
https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html