AWS Config
==Background==
[https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html AWS Config] is a service that enables the assessment, auditing, and evaluation of the configurations of AWS resources. It provides:
* Continuous monitoring of resource configurations against a desired state
* A history of resource configurations
* Event-driven alerts and actions when configurations drift from established baselines

==Conformance Packs==
Conformance Packs are collections of AWS Config rules and remediation actions that simplify the deployment and maintenance of compliance checks across multiple AWS accounts or regions. AWS provides several sample conformance packs aligned with industry standards. It is also possible to create custom Conformance Packs that address organization-specific requirements or policies.

===Deployed Conformance Packs===
The following Conformance Packs have been deployed:
* '''CloudWatch:''' <code>09xdfrysf</code>
* '''DynamoDB:''' <code>bmmr6smbj</code>
* '''EC2:''' <code>xprhrolal</code>
* '''Lambda:''' <code>isyj6udvv</code>
* '''[https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism.html NZISM]:''' <code>p7hhp48gg</code>
* '''RDS:''' <code>axobqpdee</code>
* '''S3:''' <code>nki5adnel</code>

==Rules, Resources, and Compliance Score==
===Rules===
Rules in AWS Config are predefined or custom logic that evaluates the configuration settings of AWS resources. They help ensure that resources adhere to the desired compliance standards and best practices.
# '''Managed Rules''': AWS provides a library of predefined rules, such as checking whether S3 buckets are publicly accessible or whether IAM policies are overly permissive.
# '''Custom Rules''': Custom rules can be created using AWS Lambda functions to evaluate configurations against specific organizational policies. ('''NZISM''')

===Resources===
Resources are the AWS entities tracked and evaluated by AWS Config rules.
These resources can include compute, storage, networking, and other AWS services.

===Compliance Score===
The Compliance Score is a metric in AWS Config that summarises how well the environment adheres to the applied rules and helps in assessing the overall compliance posture. The compliance score is expressed as the percentage of the total rules that are compliant.

===Compliance States===
* <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span> The resource configuration adheres to the rule.
* <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span> The resource configuration does not meet the rule requirements.
* <span style="color:#ff7800; font-weight:bold;">{{#fas:ban fa-xl}} Not Applicable</span> The rule does not apply to the current resource set or configuration.

==Rule Modifications==
{| class="wikitable sortable"
! Conformance pack || Rule || State || Modification/Change || Remark
|-
| CloudWatch || cloudwatch-log-group-encrypted-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| <ul><li>Created a KMS key: {{#spoiler:show=Show|hide=Hide|<code>CloudWatch-Key</code>}}</li><li>Updated the CloudWatch log groups' KMS key ID</li></ul>
| All CloudWatch Log Groups are now encrypted using a KMS key, and the rule status is marked as '''Compliant'''.
|-
| Lambda || lambda-dlq-check-conformance-pack-isyj6udvv || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| <ul><li>Updated the conformance pack and commented out the LambdaDlqCheck rule</li><li>Updated the default Runtime values and added python3.12</li></ul>
| Because we do not require handling retriable Lambda failures (all current Lambda errors are genuine and do not need reprocessing), we have commented out the LambdaDlqCheck rule. Additionally, we updated the default runtime values (including python3.12) to avoid false Noncompliant statuses.
|-
| CloudWatch || cloudwatch-alarm-action-check-conformance-pack-09xdfrysf || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Updated the conformance pack and commented out the InsufficientDataActionRequired and OkActionRequired parameters
| Because we do not currently require InsufficientData or OK state actions for our CloudWatch alarms, we commented out the InsufficientDataActionRequired and OkActionRequired parameters. This prevents false Noncompliant statuses and aligns the rule with our operational needs.
|-
| S3 || s3-default-encryption-kms-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
| Currently, we are using server-side encryption with Amazon S3 managed keys (SSE-S3). We need to evaluate whether server-side encryption with AWS Key Management Service keys (SSE-KMS) would provide additional benefits for our environment. Note: this has been left as '''Noncompliant'''.
|-
| Lambda || lambda-inside-vpc-conformance-pack-isyj6udvv || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Updated the Lambda function configurations and moved some functions to run inside the VPC.
| Ignored the CopyImmsData Lambda function, which connects via SFTP to pull the Imms data files.
|-
| NZISM || cmk-backing-key-rotation-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| <ul><li>Removed the KMS keys we are not using: {{#spoiler:show=Show|hide=Hide|<code>solomon</code> and <code>solomon2</code>}}</li><li>Added key rotation to: {{#spoiler:show=Show|hide=Hide|<code>kmskey1</code> and <code>CloudWatch-Key</code>}}</li></ul>
| <ul><li>Removed the keys which we are not using.</li><li>Set the key rotation period to 365 days.</li></ul>
|-
| S3 || s3-bucket-versioning-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Changed the S3 bucket properties and enabled bucket versioning.
| All S3 buckets now have versioning enabled, and the rule status is marked as '''Compliant'''.
|-
| EC2 || restricted-ssh-conformance-pack-xprhrolal || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Removed all unrestricted SSH and HTTP access rules in security groups.
|
|-
| NZISM || vpc-sg-open-only-to-authorized-ports-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped.
| authorizedTcpPorts is set to '443' only, so any other TCP port open to the world, such as 22, 5432, 7474 or 7687, is evaluated as '''Noncompliant'''.
|-
| NZISM || s3-bucket-ssl-requests-only-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Policy change
| Bucket policy denies non-SSL requests to the respective S3 bucket (Deny when <code>aws:SecureTransport</code> is <code>false</code>)
|-
| NZISM || secretsmanager-using-cmk-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| <ul><li>A new KMS key was added: {{#spoiler:show=Show|hide=Hide|<code>SecretManager-Key</code>}}</li><li>All secrets were updated with the new encryption KMS key ID</li></ul>
| Updated all secrets using the new KMS encryption key ID: ''<code>aws secretsmanager update-secret --secret-id <SECRET_ARN> --kms-key-id <KMS_KEY_ARN></code>''
|-
| NZISM || dynamodb-table-encrypted-kms-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| <ul><li>A new KMS key was added: {{#spoiler:show=Show|hide=Hide|<code>dynamoDB-Key</code>}}</li><li>All tables were updated with the new encryption KMS key ID</li></ul>
| Updated all tables using the new KMS encryption key ID: <code>aws dynamodb update-table --table-name <TABLE_NAME> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<KMS_KEY_ARN></code>
|-
| NZISM || securityhub-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html AWS Security Hub] has been enabled with the following security standards: <ul><li>AWS Foundational Security Best Practices v1.0.0</li><li>CIS AWS Foundations Benchmark v3.0.0</li><li>NIST Special Publication 800-53 Revision 5</li></ul>
|
|-
| NZISM || ec2-ebs-encryption-by-default-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Updated EC2 settings to enable '''Always encrypt new EBS volumes'''
| This control ensures that all newly created EBS volumes are automatically encrypted.
|-
| NZISM || rds-multi-az-support-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
|
|-
| NZISM || dynamodb-in-backup-plan-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
|
|-
| NZISM || dynamodb-pitr-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| '''Enabled Point-in-Time Recovery (PITR)''' on the DynamoDB table(s).
| By enabling Point-in-Time Recovery ('''PITR'''), we gain the ability to restore our DynamoDB tables to any moment within the last 35 days, protecting us from data loss due to accidental deletion or corruption.
|-
| NZISM || rds-logging-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled the '''postgresql''' and '''upgrade''' log exports for the RDS instance by modifying the Enable CloudWatch Logs Exports settings.
|
|-
| NZISM || iam-user-mfa-enabled-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
| MFA is not required for '''valentia''', '''kotahi_writer''' and '''sql-backup-user'''
|-
| S3 || s3-account-level-public-access-blocks-periodic-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled the Block Public Access settings for the AWS account.
| Block ''all'' public access:
* Block public access to buckets and objects granted through ''new'' access control lists (ACLs)
* Block public access to buckets and objects granted through ''any'' access control lists (ACLs)
* Block public access to buckets and objects granted through ''new'' public bucket or access point policies
* Block public and cross-account access to buckets and objects through ''any'' public bucket or access point policies
|-
| RDS || rds-in-backup-plan-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled the AWS Backup plan '''Rds-backup''' with '''daily''' backups and a '''7-day retention period'''.
| The existing RDS backup has a '''1'''-day retention period and fits within the AWS Free Tier. It has not been disabled, so both '''RDS backup''' and '''AWS Backup''' are active.
|-
| NZISM || iam-password-policy-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Updated password policy on '''IAM'''
| '''Password Strength:'''
* Require at least one uppercase letter from the Latin alphabet (A-Z)
* Require at least one lowercase letter from the Latin alphabet (a-z)
* Require at least one number
* Require at least one non-alphanumeric character
'''Other Requirements:'''
* Password expires in 90 days
* Allow users to change their own password
* Prevent password reuse from the past 8 changes
|-
| NZISM || root-account-hardware-mfa-enabled-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
|
|-
| CloudTrail || cloudtrail-security-trail-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Created the CloudTrail trail: <code>management-events-ap-southeast-2</code>
| The trail tracks management events.
|-
| RDS || rds-instance-public-access-check-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
|
| Evaluating workarounds (WireGuard VPN)
|-
| NZISM || vpc-flow-logs-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Created flow logs for each instance and configured CloudWatch as the log destination.
| Created '''kpt-default-flow-log''' and '''public-ec2-default-flow-log'''; all logs are saved in the CloudWatch log group '''VPC-Flow-Log'''.
|-
| NZISM || encrypted-volumes-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled encryption on EC2 volumes
| New volumes no longer need encryption enabled manually.
|-
| CloudTrail || cloud-trail-cloud-watch-logs-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| CloudWatch Logs configured for the <code>management-events-ap-southeast-2</code> trail
|
|-
| EC2 || ec2-instance-managed-by-systems-manager-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Enabled Systems Manager
| Details: https://wiki.kautepasifika.com/wiki/Systems_Manager#Unmanaged_Instances
|-
| CloudTrail || cloudtrail-s3-dataevents-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled S3 data events for all current and future buckets, with '''Read''' and '''Write''' actions logged.
| The rule checks whether AWS CloudTrail is configured to log '''S3 data events''' (object-level activity in S3 buckets).
|-
| CloudTrail || cloud-trail-log-file-validation-enabled-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled log file validation for the CloudTrail trail from the additional settings.
| CloudTrail generates a '''SHA-256 hash digest''' for every log file it delivers to S3. This digest acts as a "digital fingerprint" for the log file. If someone modifies or deletes a log file, the hash digest will no longer match the altered file, which allows unauthorized changes to audit logs to be detected.
|-
| EC2 || ec2-instance-no-public-ip-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Skipped
|
|-
| NZISM || sns-encrypted-kms-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Encrypted all SNS topics using KMS.
|
|-
| NZISM || ebs-in-backup-plan-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Enabled the AWS Backup plan '''ebs-backup''' with '''daily''' backups and a '''1-day retention period'''.
|
|-
| NZISM || vpc-sg-open-only-to-authorized-ports-conformance-pack-p7hhp48gg || <span style="color:#e01b24; font-weight:bold;">{{#far:circle-xmark fa-xl}} Noncompliant</span>
| Public access to port 8080 on the mediawiki EC2 instance cannot be removed. '''Skipped'''
|
* Deleted the 8182 port rule (0.0.0.0/0) from sg-0b2301c8dc47ff362.
* Deleted the internal rule of sg-0b2301c8dc47ff362 ('''All''' protocols from '''All''' ports).
The default SG allows traffic from <code>sg-0b2301c8dc47ff362</code> (e.g., for internal communication).
|-
| NZISM || vpc-default-security-group-closed-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Removed all rules from the default security group, created a new security group, and added all the rules, including public rules.
| We applied this to all VPC default security groups by transferring all necessary rules to a separate security group, leaving the default security groups without any inbound/outbound rules.
|-
| NZISM || ec2-imdsv2-check-conformance-pack-p7hhp48gg || <span style="color:#33d17a; font-weight:bold;">{{#far:circle-check fa-xl}} Compliant</span>
| Changed '''IMDSv2''' to '''Required''' on the '''mediawiki''' EC2 instance.
|
|}

[[Category:AWS]]
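The custom-rule mechanism described under Rules, applied to the check behind the vpc-sg-open-only-to-authorized-ports entries above (authorizedTcpPorts set to '443'). This is an added example, not code from this wiki or from AWS; the configuration-item field names and the constructed SAMPLE_SG are assumptions.

```python
"""Custom AWS Config rule (added example; not this wiki's or AWS's own code).
Mirrors vpc-sg-open-only-to-authorized-ports: a security group is NON_COMPLIANT
when an ingress rule reachable from 0.0.0.0/0 or ::/0 opens a TCP port outside
authorizedTcpPorts (field names assumed from the Config item for
AWS::EC2::SecurityGroup; SAMPLE_SG is constructed sample data)."""
import json
WORLD = {"0.0.0.0/0", "::/0"}

def ingress(port, cidr, proto="tcp"):  # sample-data helper in Config's item shape
    v6 = ":" in cidr
    return {"ipProtocol": proto, "fromPort": port, "toPort": port,
            ("ipv6Ranges" if v6 else "ipv4Ranges"): [{("cidrIpv6" if v6 else "cidrIp"): cidr}]}

# Constructed sample mirroring the page's remark: 22 and 5432 are open to the
# world, 443 is authorized, 7687 is reachable only from a private range.
SAMPLE_SG = {"ipPermissions": [ingress(443, "0.0.0.0/0"), ingress(22, "0.0.0.0/0"),
                               ingress(5432, "::/0"), ingress(7687, "10.0.0.0/8")]}

def parse_port_spec(spec):
    """'443' or '443,1020-1025' -> set of authorized port numbers."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def world_reachable(perm):
    cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & WORLD)

def evaluate_security_group(configuration, authorized_tcp_ports="443"):
    """Return (ComplianceType, Annotation) for one security-group configuration."""
    allowed, exposed = parse_port_spec(authorized_tcp_ports), set()
    for perm in configuration.get("ipPermissions", []):
        if not world_reachable(perm):
            continue  # rules limited to private ranges are out of scope
        if perm.get("ipProtocol") == "-1":  # "All" protocols, all ports
            return "NON_COMPLIANT", "all protocols open to the world"
        if perm.get("ipProtocol") != "tcp":
            continue  # UDP/ICMP are outside this TCP check
        exposed.update(p for p in range(perm["fromPort"], perm["toPort"] + 1) if p not in allowed)
    if exposed:
        return "NON_COMPLIANT", "unauthorized TCP ports open: " + ",".join(map(str, sorted(exposed)))
    return "COMPLIANT", "only authorized TCP ports are world-reachable"

def lambda_handler(event, context):  # entry point when Config invokes the rule
    import boto3  # imported lazily so the evaluation above runs without it
    item = json.loads(event["invokingEvent"])["configurationItem"]
    ports = json.loads(event.get("ruleParameters") or "{}").get("authorizedTcpPorts", "443")
    compliance, note = evaluate_security_group(item["configuration"], ports)
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note, "OrderingTimestamp": item["configurationItemCaptureTime"]}])
```

The annotation is what Config shows beside the Noncompliant resource, so it names the offending ports rather than just the state.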