Profile Applicability: Level 1


Description:

AWS Config generates configuration items when the configuration of resources changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Rationale:

By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Impact:

When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of all the configuration changes. AWS Config represents relationships between resources so that you can assess how a change to one resource may impact other resources.

Default Value:

By default, AWS Config is not enabled in all regions. To improve the security posture of your AWS resources, enable AWS Config.


Pre-Requisite:

1. IAM role with attached policies and rules

2. AWS SNS topic notification with valid email


Remediation:


Test Plan:


Step 1: Sign in to the AWS Management Console.

Step 2: Navigate to the AWS Config dashboard at https://console.aws.amazon.com/config/:

a. If the AWS console redirects your request to the Get started page, the service was/is not enabled in the selected AWS region.

b. If the AWS console redirects your request to the Resource inventory page, click the Status link and check the AWS Config status in the Service status dialog box. If the Configuration recorder stopped warning is displayed, the Config service was previously activated but the recorder is currently stopped, meaning that the service is disabled in the selected region.

Step 3: Change the AWS region from the navigation bar and repeat step 2 for each available region.
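The Test Plan above is a manual console check. As an added example (not part of this benchmark), the following Python applies the same criteria to the AWS Config API responses for one region, and audit_all_regions repeats it in every region with boto3; the function names and the sample responses are constructed here, reusing only the bucket and topic names that appear in the CLI section below.

```python
from typing import Any, Dict, List, Tuple

def evaluate_region(recorders: Dict[str, Any], statuses: Dict[str, Any],
                    channels: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Apply the Test Plan's criteria to one region's DescribeConfigurationRecorders,
    DescribeConfigurationRecorderStatus and DescribeDeliveryChannels responses.
    Returns (enabled, findings); an empty findings list means Config is on and recording."""
    issues: List[str] = []
    rec = recorders.get("ConfigurationRecorders", [])
    if not rec:  # the console's "Get started" redirect: never set up in this region
        return False, ["no configuration recorder (service not enabled)"]
    group = rec[0].get("recordingGroup", {})
    if not group.get("allSupported"):
        issues.append("recorder does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        issues.append("global resources (e.g. IAM) are not included")
    status = statuses.get("ConfigurationRecordersStatus", [])
    if not status or not status[0].get("recording"):  # "Configuration recorder stopped" warning
        issues.append("configuration recorder is stopped")
    elif status[0].get("lastStatus") == "FAILURE":
        issues.append("last delivery failed: " + status[0].get("lastErrorCode", "unknown"))
    chan = channels.get("DeliveryChannels", [])
    if not chan or not chan[0].get("s3BucketName"):
        issues.append("no delivery channel / S3 bucket for configuration history")
    return not issues, issues

def audit_all_regions() -> Dict[str, Tuple[bool, List[str]]]:
    """Repeat the check in every region (Test Plan step 3). Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so evaluate_region stays usable offline
    results = {}
    for region in boto3.session.Session().get_available_regions("config"):
        cfg = boto3.client("config", region_name=region)
        results[region] = evaluate_region(cfg.describe_configuration_recorders(),
                                          cfg.describe_configuration_recorder_status(),
                                          cfg.describe_delivery_channels())
    return results

# Constructed sample responses (not captured from a real account), reusing the page's
# example bucket and topic names: a compliant region and one whose recorder was stopped.
SAMPLE_OK = {
    "recorders": {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {
        "allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}}]},
    "statuses": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True,
                                                   "lastStatus": "SUCCESS"}]},
    "channels": {"DeliveryChannels": [{"name": "default", "s3BucketName": "MyConfigS3Bucket",
        "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic"}]},
}
SAMPLE_STOPPED = dict(SAMPLE_OK, statuses={"ConfigurationRecordersStatus": [
    {"name": "default", "recording": False, "lastStatus": "SUCCESS"}]})
```

A region that returns an empty ConfigurationRecorders list corresponds to the Get started redirect in step 2a; a recorder with recording set to false corresponds to the Configuration recorder stopped warning in step 2b.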

Implementation Steps:

Step 1: Sign in to the AWS Management Console.

Step 2: Navigate to the AWS Config dashboard at https://console.aws.amazon.com/config/ and click Get Started Now to open the Setup AWS Config page.

Step 3: Under the Resource types to record section:

  1. To track all supported AWS resources, in the All resources category, do the following:

    • Check Record all resources supported in this region to track configuration changes for every supported type of regional AWS resource.

    • Check Include global resources to add all types of global AWS resources (e.g. AWS IAM) to the existing list of supported resources.

  2. To track only a subset of the available resources, in the category of the Specific type, select the preferred resource(s) available in the dropdown list.

Step 4: Under the Amazon S3 Bucket section, designate the S3 bucket that will receive the service configuration history and configuration snapshot files. This data can be used later with the AWS Config console timeline or a 3rd-party tool. Select one of the following options based on your needs:

  1. Create a new bucket - use a brand new S3 bucket for storing the configuration history data.

  2. Choose a bucket from your account - to use an existing S3 bucket.

  3. Choose a bucket from another account - to use an existing bucket from another AWS account. Ensure that the selected S3 bucket grants access permissions to AWS Config.

Step 5: Next to Bucket Name, enter a unique name and a prefix (optional) for the S3 bucket selected in the previous step.  

Step 6: Under the Amazon SNS Topic section, check Enable configuration changes and notifications to be streamed to an Amazon SNS topic so that AWS Config can send configuration change notifications to an SNS topic. Select one of the following options based on your needs:

  1. Create a new topic - to create a new SNS topic for sending notifications.

  2. Choose a topic from your account - to use an existing SNS topic.

  3. Choose a topic from another account - use an existing SNS topic from another AWS account. Ensure that the selected SNS topic grants access permissions to AWS Config.


Step 8: On the Rules page, choose the rules that you want. You can customize these rules and add other rules to your account after setup. Click the Next button.

Step 9: On the Review page, verify your setup details and then choose Confirm.

Step 10: On the Resource inventory page, under the Recording is on section, you should see the Taking inventory... event status in progress.


Backout Plan:

If the service was previously enabled in a region and you want to disable it, set the configuration recorder status to OFF:

  • Click on Edit.
  • Uncheck Enable recording; you will be prompted to confirm that you want to stop recording.
  • Click on Confirm and then OK.


Using AWS CLI:

aws configservice subscribe \
    --region us-east-1 \
    --s3-bucket MyConfigS3Bucket \
    --sns-topic arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
    --iam-role arn:aws:iam::123456789012:role/MyConfigRole


Note:

AWS Config is designed to be your primary tool to perform configuration audit and compliance verification of both your AWS and third-party resources.


References:

https://docs.aws.amazon.com/config/latest/developerguide/gs-cli.html 

https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html  

https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html


CIS Controls:

1.4 Maintain Detailed Asset Inventory 

    Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. 

11.2 Document Traffic Configuration Rules 

    All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. 

16.1 Maintain an Inventory of Authentication Systems 

    Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.