Profile Applicability: Level 1


Description: 

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.


Rationale: 

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.


Audit: 

Process to evaluate the AWS Config configuration per region via the AWS Management Console: 

1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/. 

2. On the top right of the console select target Region. 

3. If presented with Set Up AWS Config, follow the remediation procedure. 

4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 

5. Ensure one or both check-boxes under "All Resources" are checked. 

    Include global resources related to IAM resources (this needs to be enabled in one region only). 

6. Ensure the correct S3 bucket has been defined. 

7. Ensure the correct SNS topic has been defined. 

8. Repeat steps 2 to 7 for each region.


Remediation:

To implement the AWS Config configuration via the AWS Management Console: 

1. Select the region you want to focus on in the top right of the console 

2. Click Services 

3. Click Config 

4. Define which resources you want to record in the selected region 

5. Choose to include global resources (IAM resources) 

6. Specify an S3 bucket in the same account or in another managed AWS account 

7. Create an SNS Topic from the same AWS account or another managed AWS account
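The audit steps above are written for the console. The following script is an added example, not part of the CIS benchmark or of any AWS tooling, that applies the same checks (audit steps 3 to 8) to the JSON that the AWS CLI returns for describe-configuration-recorders, describe-configuration-recorder-status and describe-delivery-channels, and then emits the CLI equivalents of remediation steps 4 to 7 for any region that fails. The region data is constructed inline; the account id, role ARN, bucket name and SNS topic ARN are placeholders. It also encodes the benchmark's note that global (IAM) resource types only need to be recorded in one region, so that finding is waived once any region includes them.

```python
"""Evaluate per-region AWS Config state from AWS CLI JSON (added example, not
benchmark text). The dict shapes follow the documented CLI output of
describe-configuration-recorders, describe-configuration-recorder-status and
describe-delivery-channels."""

GLOBAL_FINDING = "global (IAM) resource types not included"
NO_RECORDER = "no configuration recorder (AWS Config not set up)"

# Constructed sample data for three regions: compliant, partly configured, untouched.
# Account id, role, bucket and topic names are placeholders.
SAMPLE = {
    "us-east-1": {
        "recorders": {"ConfigurationRecorders": [{
            "name": "default",
            "roleARN": "arn:aws:iam::111122223333:role/example-config-role",
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": True, "resourceTypes": []}}]},
        "status": {"ConfigurationRecordersStatus": [
            {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
        "channels": {"DeliveryChannels": [{
            "name": "default", "s3BucketName": "example-config-bucket",
            "snsTopicARN": "arn:aws:sns:us-east-1:111122223333:example-config-topic"}]},
    },
    "eu-west-1": {  # recorder stopped, global types off, SNS topic missing
        "recorders": {"ConfigurationRecorders": [{
            "name": "default",
            "roleARN": "arn:aws:iam::111122223333:role/example-config-role",
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": False, "resourceTypes": []}}]},
        "status": {"ConfigurationRecordersStatus": [
            {"name": "default", "recording": False, "lastStatus": "SUCCESS"}]},
        "channels": {"DeliveryChannels": [{
            "name": "default", "s3BucketName": "example-config-bucket"}]},
    },
    "ap-south-1": {  # AWS Config never set up here
        "recorders": {"ConfigurationRecorders": []},
        "status": {"ConfigurationRecordersStatus": []},
        "channels": {"DeliveryChannels": []},
    },
}


def evaluate_region(recorders, status, channels):
    """Audit steps 3-7 for one region; returns a list of findings (empty == compliant)."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return [NO_RECORDER]                 # step 3: console would show "Set Up AWS Config"
    rec = recs[0]                            # a region has at most one recorder
    group = rec.get("recordingGroup", {})
    findings = []
    if not group.get("allSupported"):        # step 5: record all resources
        findings.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        findings.append(GLOBAL_FINDING)
    by_name = {s["name"]: s for s in status.get("ConfigurationRecordersStatus", [])}
    st = by_name.get(rec["name"])
    if st is None or not st.get("recording"):
        findings.append("recorder is not recording")
    elif st.get("lastStatus") == "FAILURE":
        findings.append("last recording/delivery attempt failed")
    chans = channels.get("DeliveryChannels", [])
    if not chans:
        findings.append("no delivery channel")
    else:
        if not chans[0].get("s3BucketName"):  # step 6
            findings.append("delivery channel has no S3 bucket")
        if not chans[0].get("snsTopicARN"):   # step 7
            findings.append("delivery channel has no SNS topic")
    return findings


def evaluate_account(per_region):
    """Step 8: evaluate every region. Global (IAM) resource types only need to be
    included in one region, so that finding is waived once any region has them."""
    results = {region: evaluate_region(**data) for region, data in per_region.items()}
    global_covered = any(
        rec.get("recordingGroup", {}).get("includeGlobalResourceTypes")
        for data in per_region.values()
        for rec in data["recorders"].get("ConfigurationRecorders", []))
    if global_covered:
        results = {r: [f for f in fs if f != GLOBAL_FINDING] for r, fs in results.items()}
    return results


def is_compliant(results):
    return all(not findings for findings in results.values())


def remediation_commands(region, role_arn, bucket, topic_arn):
    """AWS CLI equivalents of remediation steps 4-7 for one non-compliant region."""
    return [
        f"aws configservice put-configuration-recorder --region {region} "
        f"--configuration-recorder name=default,roleARN={role_arn} "
        f"--recording-group allSupported=true,includeGlobalResourceTypes=true",
        f"aws configservice put-delivery-channel --region {region} "
        f"--delivery-channel name=default,s3BucketName={bucket},snsTopicARN={topic_arn}",
        f"aws configservice start-configuration-recorder --region {region} "
        f"--configuration-recorder-name default",
    ]


if __name__ == "__main__":
    results = evaluate_account(SAMPLE)
    for region, findings in results.items():
        print(region, "OK" if not findings else "; ".join(findings))
    print("account compliant:", is_compliant(results))
```

To run this against a real account, enumerate regions with `aws ec2 describe-regions --query "Regions[].RegionName" --output text`, call the three describe commands per region with `--region` and `--output json`, and pass the parsed documents to evaluate_account in place of SAMPLE. The S3 bucket and SNS topic named in put-delivery-channel must already exist and permit AWS Config to write to them, as in remediation steps 6 and 7.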


References: 

1. CCE-78917-2 

2. CIS CSC v6.0 #1.1, #1.3, #1.4, #5.2, #11.1 - #11.3, #14.6 

3. http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html


CIS Controls:

1.4 Maintain Detailed Asset Inventory 

    Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. 

11.2 Document Traffic Configuration Rules 

    All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. 

16.1 Maintain an Inventory of Authentication Systems 

    Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.