AWS Config

From Kautepedia
Jump to navigation Jump to search

Background[edit | edit source]

AWS Config is a service that enables the assessment, auditing, and evaluation of configurations for AWS resources.

It provides:

  • Continuous monitoring of resource configurations against a desired state
  • A history of resource configurations
  • Event-driven alerts and actions when configurations drift from established baselines

Conformance Packs[edit | edit source]

Conformance Packs are collections of AWS Config rules and remediation actions that simplify the deployment and maintenance of compliance checks across multiple AWS accounts or regions. AWS provides several sample conformance packs aligned with industry standards. It is also possible to create custom Conformance Packs that address organization-specific requirements or policies.

Deployed Conformance Packs[edit | edit source]

The following Conformance Packs have been deployed:

  • CloudWatch: 09xdfrysf
  • DynamoDB: bmmr6smbj
  • EC2: xprhrolal
  • Lambda: isyj6udvv
  • NZISM: p7hhp48gg
  • RDS: axobqpdee
  • S3: nki5adnel

Rules, Resources, and Compliance Score[edit | edit source]

Rules[edit | edit source]

Rules in AWS Config are predefined or custom logic that evaluates the configuration settings of AWS resources. These rules help ensure that resources adhere to the desired compliance standards and best practices.

  1. Managed Rules: AWS provides a library of predefined rules, such as checking whether S3 buckets are publicly accessible or whether IAM policies are overly permissive.
  2. Custom Rules: Custom rules can be created using AWS Lambda functions to evaluate configurations based on specific organizational policies. (NZISM)

Resources[edit | edit source]

Resources are the AWS entities tracked and evaluated by AWS Config rules. These resources can include compute, storage, networking, and other AWS services.

Compliance Score[edit | edit source]

The Compliance Score is a metric in AWS Config that provides a summary of how well the environment adheres to the applied rules. It helps in assessing the overall compliance posture. The compliance score is expressed as a percentage of the total rules that are compliant.

Compliance States[edit | edit source]

  • Compliant The resource configuration adheres to the rule.
  • Noncompliant The resource configuration does not meet the rule requirements.
  • Not Applicable The rule does not apply to the current resource set or configuration.

Rule Modifications[edit | edit source]

Conformance pack Rule State Modification/Change Remark
CloudWatch cloudwatch-log-group-encrypted-conformance-pack-p7hhp48gg Compliant
  • Created a KMS key:
  • Update the CloudWatch log groups KMS key ID
 All CloudWatch Log Groups are now encrypted using a KMS key, and the rule status is marked as Compliant.
Lambda lambda-dlq-check-conformance-pack-isyj6udvv Compliant
  • Updated the conformance pack and commented the LambdaDlqCheck rule
  • Updated the default Runtime values and added python3.12
 We do not require handling retriable Lambda failures (all current Lambda errors are genuine and do not need reprocessing), we have commented out the LambdaDlqCheck rule. Additionally, we updated the default runtime values (including python3.12) to avoid false Noncompliant statuses.
CloudWatch cloudwatch-alarm-action-check-conformance-pack-09xdfrysf Compliant Updated the conformance pack and commented the, InsufficientDataActionRequired and OkActionRequired We do not currently require InsufficientData or OK state actions for our CloudWatch alarms, we commented out the InsufficientDataActionRequired and OkActionRequired parameters. This prevents false Noncompliant statuses and aligns the rule with our operational needs.
S3 s3-default-encryption-kms-conformance-pack-p7hhp48gg Noncompliant Skipped Currently, we are using server-side encryption with Amazon S3 managed keys (SSE-S3). We need to evaluate whether server-side encryption with AWS Key Management Service keys (SSE-KMS) would provide additional benefits for our environment. Note - This has been left as Noncompliant
Lambda lambda-inside-vpc-conformance-pack-isyj6udvv Compliant Updated the Lambda function configurations and moved some functions to run inside the VPC. Ignored the CopyImmsData lambda fucntion. Which connect via SFTP to pull the Imms data files.
NZISM cmk-backing-key-rotation-enabled-conformance-pack-p7hhp48gg Compliant
  • Removed the KMS keys which we aren't using:
  • Added key rotation to:
  • Removed the keys which we are not using.
  • Added the key rotation as 365 days.
S3 s3-bucket-versioning-enabled-conformance-pack-p7hhp48gg Compliant Changed the S3 bucket properties and enabled bucket versioning. Now all the S3 buckets support bucket versioning and rule status marked as Compliant.
EC2 restricted-ssh-conformance-pack-xprhrolal Compliant Removed the all unrestricted SSH and HTTP access rules in security groups.
NZISM vpc-sg-open-only-to-authorized-ports-conformance-pack-p7hhp48gg Noncompliant Skipped. Only authorizedTcpPorts is '443'. So all other TCP ports such as 22,5432,7474,7687 will be Noncompliant.
NZISM s3-bucket-ssl-requests-only-conformance-pack-p7hhp48gg Compliant Policy change Deny Non SSL Requests to the respective s3 bucket - aws:secureTransport = false
NZISM secretsmanager-using-cmk-conformance-pack-p7hhp48gg Compliant
  • A new KMS key was added:
  • All secrets were updated with the new encryption KMS ID
 Updated all secrets using the new KMS encryption key ID. aws secretsmanager update-secret --secret-id <SECRET_ARN> --kms-key-id <KMS_KEY_ARN>
NZISM dynamodb-table-encrypted-kms-conformance-pack-p7hhp48gg Compliant
  • A new KMS key was added:
  • All tables were updated with the new encryption KMS ID
 Updated all tables using the new KMS encryption key ID. aws dynamodb update-table --table-name <TABLE_NAME> --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<KMS_KEY_ARN>
NZISM securityhub-enabled-conformance-pack-p7hhp48gg Compliant AWS Security Hub has been enabled with following security standards:
  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v3.0.0
  • NIST Special Publication 800-53 Revision 5
NZISM ec2-ebs-encryption-by-default-conformance-pack-p7hhp48gg Compliant Updated EC2 settings to enable 'Always encrypt new EBS volumes' This control ensures that all newly created EBS volumes are automatically encrypted.
NZISM rds-multi-az-support-conformance-pack-p7hhp48gg Noncompliant Skipped
NZISM dynamodb-in-backup-plan-conformance-pack-p7hhp48gg Noncompliant Skipped
NZISM dynamodb-pitr-enabled-conformance-pack-p7hhp48gg Compliant Enabled Point-in-Time Recovery (PITR) on the DynamoDB table(s). By enabling Point-in-Time Recovery (PITR), we gain the ability to restore our DynamoDB tables to any moment within the last 35 days, protecting us from data loss due to accidental deletion or corruption.
NZISM rds-logging-enabled-conformance-pack-p7hhp48gg Compliant Enabled the postgresql and upgrade log exports for the RDS instance by modifying the Enable CloudWatch Logs Exports settings.
NZISM iam-user-mfa-enabled-conformance-pack-p7hhp48gg Noncompliant Skipped MFA not required for,

valentia, kotahi_writer and sql-backup-user

S3 s3-account-level-public-access-blocks-periodic-conformance-pack-p7hhp48gg Compliant Enabled the Block Public Access settings for the AWS account. Block all public access
  • Block public access to buckets and objects granted through new access control lists (ACLs)
  • Block public access to buckets and objects granted through any access control lists (ACLs)
  • Block public access to buckets and objects granted through new public bucket or access point policies
  • Block public and cross-account access to buckets and objects through any public bucket or access point policies
RDS rds-in-backup-plan-conformance-pack-p7hhp48gg Compliant Enabled the AWS Backup plan Rds-backup with daily backups and a 7-day retention period. The existing RDS backup has a 1-day retention period and fits within the AWS Free Tier. It has not been disabled, so both RDS backup and AWS Backup are active.
NZISM iam-password-policy-conformance-pack-p7hhp48gg Compliant Updated password policy on IAM

Password Strength:

  • Require at least one uppercase letter from the Latin alphabet (A-Z)
  • Require at least one lowercase letter from the Latin alphabet (a-z)
  • Require at least one number
  • Require at least one non-alphanumeric character

Other Requirements:

  • Password expires in 90 days
  • Allow users to change their own password
  • Prevent password reuse from the past 8 changes
NZISM root-account-hardware-mfa-enabled-conformance-pack-p7hhp48gg Noncompliant Skipped
CloudTrail cloudtrail-security-trail-enabled-conformance-pack-p7hhp48gg Compliant Created the cloudtrail: management-events-ap-southeast-2 The cloudtrail tracks management events


RDS rds-instance-public-access-check-conformance-pack-p7hhp48gg Noncompliant Checking the workarounds (Wireguard VPN)
NZISM vpc-flow-logs-enabled-conformance-pack-p7hhp48gg Compliant Created flow logs for each instance and configured the log save location as the CloudWatch. Created kpt-default-flow-log and public-ec2-default-flow-log, and all logs will be saved in the CloudWatch log group VPC-Flow-Log
NZISM encrypted-volumes-conformance-pack-p7hhp48gg Compliant Enabled encryption on volumes for ec2 New volumes do not need to enable encryption manually
CloudTrail cloud-trail-cloud-watch-logs-enabled-conformance-pack-p7hhp48gg Compliant CloudWatch Logs configured for management-events-ap-southeast-2 trail
EC2 ec2-instance-managed-by-systems-manager-conformance-pack-p7hhp48gg Noncompliant Enabled system manager Details here : https://wiki.kautepasifika.com/wiki/Systems_Manager#Unmanaged_Instances
CloudTrail cloudtrail-s3-dataevents-enabled-conformance-pack-p7hhp48gg Compliant Enabled S3 data events for all current and future buckets with Read and Write actions logged. The rule checks if AWS CloudTrail is configured to log S3 data events (object-level activity in S3 buckets)
CloudTrail cloud-trail-log-file-validation-enabled-conformance-pack-p7hhp48gg Compliant Enabled log file validation for the CloudTrail trail from the additional settings. CloudTrail generates a SHA-256 hash digest for every log file it delivers to S3. This digest acts like a "digital fingerprint" for the log file. If someone modifies or deletes a log file, the hash digest will no longer match the altered file. This allows you to detect unauthorized changes to audit logs.
EC2 ec2-instance-no-public-ip-conformance-pack-p7hhp48gg Noncompliant Skipped
NZISM sns-encrypted-kms-conformance-pack-p7hhp48gg Compliant Encrypted the all SNS topics using KMS.
NZISM ebs-in-backup-plan-conformance-pack-p7hhp48gg Compliant Enabled the AWS Backup plan ebs-backup with daily backups and a 1-day retention period.
NZISM vpc-sg-open-only-to-authorized-ports-conformance-pack-p7hhp48gg Noncompliant Can't remove public access to port 8080 from mediawiki ec2 instance.

Skipped

  • Deleted 8182 port (0.0.0.0/0) from sg-0b2301c8dc47ff362.
  • Deleted internal rule of sg-0b2301c8dc47ff362 (All protocols from All ports) The default SG allows traffic from sg-0b2301c8dc47ff362 (e.g., for internal communication).
NZISM vpc-default-security-group-closed-conformance-pack-p7hhp48gg Compliant Removed all rules from the default security group, created a new security group, and added all the rules, including public rules. We applied this to all VPC default security groups by transferring all necessary rules to a separate security group, leaving the default security groups without any inbound/outbound rules
NZISM ec2-imdsv2-check-conformance-pack-p7hhp48gg Compliant Changed the IMDSv2 to Required in mediawiki ec2 instance.

References[edit | edit source]

Retrieved from "https://wiki.kautepasifika.com/mediawiki/index.php?title=AWS_Config&oldid=2658"