Profile Applicability: Level 1


Description:

AWS Config generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Rationale:

By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Impact:

When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of all the configuration changes. AWS Config represents relationships between resources so that you can assess how a change to one resource may impact other resources.

Default Value:

By default, AWS Config is not enabled in all regions. Enable AWS Config in every region to make your AWS resources more secure.

Audit:

Step 1: Sign in to the AWS Management Console.

Step 2: Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/:

a. If the AWS console redirects your request to the Get started page, the service is not enabled in the selected AWS region.

b. If the AWS console redirects your request to the Resource inventory page, click the Status link and check the AWS Config status in the Service status dialog box. If the Configuration recorder stopped warning is displayed, the Config service was previously activated but the recorder is currently stopped, meaning that the service is disabled in the selected region.

Step 3: Change the AWS region from the navigation bar and repeat step 2 for each available region.
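The per-region check above (Get started page = never enabled, Configuration recorder stopped = recorder off) can be automated against the API instead of clicking through every region. The following is an added example, not part of the benchmark text: it classifies the response of DescribeConfigurationRecorderStatus for each region, and the `--live` path assumes boto3 is installed and credentials are configured. The sample responses are constructed, not captured from a real account.

```python
"""Audit AWS Config recorder status in every region.

A region is non-compliant when Config was never set up (no recorder)
or when its recorder exists but is stopped."""
from typing import Any, Dict, List


def evaluate_region(status_response: Dict[str, Any]) -> str:
    """Classify one region from a DescribeConfigurationRecorderStatus response.
    Returns "NOT_ENABLED", "RECORDER_STOPPED" or "COMPLIANT"."""
    statuses: List[Dict[str, Any]] = status_response.get("ConfigurationRecordersStatus", [])
    if not statuses:
        # No recorder at all: the console would show the Get started page.
        return "NOT_ENABLED"
    # recording=False is the "Configuration recorder stopped" warning
    # shown in the Service status dialog.
    if all(s.get("recording") for s in statuses):
        return "COMPLIANT"
    return "RECORDER_STOPPED"


def audit_regions(status_by_region: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Apply evaluate_region to every region; returns region -> verdict."""
    return {region: evaluate_region(resp) for region, resp in status_by_region.items()}


def noncompliant_regions(verdicts: Dict[str, str]) -> List[str]:
    """Regions that fail the check, sorted for stable reporting."""
    return sorted(r for r, v in verdicts.items() if v != "COMPLIANT")


# Constructed sample responses (not from a real account), in the shape
# returned by `aws configservice describe-configuration-recorder-status`.
SAMPLE_STATUS: Dict[str, Dict[str, Any]] = {
    "us-east-1": {"ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
    "eu-west-1": {"ConfigurationRecordersStatus": [
        {"name": "default", "recording": False, "lastStatus": "SUCCESS"}]},
    "ap-south-1": {"ConfigurationRecordersStatus": []},
}


def live_audit() -> Dict[str, str]:
    """Query every enabled region. Assumes boto3 is installed and credentialed."""
    import boto3  # imported here so the evaluation logic runs without boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    status_by_region: Dict[str, Dict[str, Any]] = {}
    for region in regions:
        cfg = boto3.client("config", region_name=region)
        status_by_region[region] = cfg.describe_configuration_recorder_status()
    return audit_regions(status_by_region)


if __name__ == "__main__":
    import sys
    verdicts = live_audit() if "--live" in sys.argv else audit_regions(SAMPLE_STATUS)
    for region, verdict in sorted(verdicts.items()):
        print(f"{region:15} {verdict}")
    # Non-zero exit when any region fails, so the script can gate a pipeline.
    sys.exit(1 if noncompliant_regions(verdicts) else 0)
```

Run without arguments to see the verdicts for the constructed samples; run with `--live` to audit the account the current credentials belong to. Note that describe_regions returns only regions enabled for the account, which matches the "each region available" wording of step 3.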

Remediation:

Pre-Requisite:

1. IAM role with attached policies and rules

2. AWS SNS topic for notifications with a valid email address

Implementation Steps:

Step 1: Sign in to the AWS Management Console.

Step 2: Navigate to the AWS Config dashboard at https://console.aws.amazon.com/config/ and click Get Started Now to open the Setup AWS Config page.

Step 3: Under Resource types to record section:

  1. To track all supported AWS resources, in the All resources category, do the following:

    • Check Record all resources supported in this region to track configuration changes for every supported type of regional AWS resource.

    • Check Include global resources to include any types of global AWS resources (e.g. AWS IAM) to the existent list of supported resources.  

  2. To track only a subset of the available resources, in the category of the Specific type, select the preferred resource(s) available in the dropdown list.

Step 4: The Amazon S3 Bucket* section designates the S3 bucket that will receive the service configuration history and configuration snapshot files. This data can be used later with the AWS Config console timeline or a 3rd-party tool. Select one of the following options based on your needs:

  1. Create a new bucket - to use a brand new S3 bucket for storing the configuration history data.

  2. Choose a bucket from your account - to use an existing S3 bucket.

  3. Choose a bucket from another account - to use an existing bucket from another AWS account. Ensure that the selected S3 bucket grants access permissions to AWS Config.

Step 5: Next to Bucket Name, enter a unique name and a prefix (optional) for the S3 bucket selected in the previous step.  

Step 6: Under the Amazon SNS Topic section, check Enable configuration changes and notifications to be streamed to an Amazon SNS topic so that AWS Config can send configuration change notifications to an SNS topic. Select one of the following options based on your needs:

  1. Create a new topic - to create a new SNS topic for sending notifications.

  2. Choose a topic from your account - to use an existing SNS topic.

  3. Choose a topic from another account - to use an existing SNS topic from another AWS account. Ensure that the selected SNS topic grants access permissions to AWS Config.

Step 7: In the Topic Name* field, enter a unique name for the SNS topic selected in the previous step.

Step 8: Click the Continue button.

Step 9: On the Resource inventory page, under the Recording is on section, you should see the Taking inventory... event status in progress.

Step 10: In the left navigation panel, select Topics and open the SNS topic specified during the AWS Config setup by clicking on its ARN name:

Step 11: On the Topic Details <topic name> page, under the Subscriptions section, click the Create subscription button.

Step 12: Select Email as subscription protocol from the Protocol dropdown list and for the Endpoint enter the email address where you will receive the AWS Config notifications.

Step 13: Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription to the SNS topic.

Backout Plan:

If the service was previously enabled in all regions and you want to disable it, set the status of the configuration recorder in each region to OFF (stop the recorder).

Using CLI:

aws configservice subscribe \
  --region us-east-1 \
  --s3-bucket MyConfigS3Bucket \
  --sns-topic arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
  --iam-role arn:aws:iam::123456789012:role/MyConfigRole
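The `subscribe` command above wraps three API calls: PutConfigurationRecorder (step 3, resource types), PutDeliveryChannel (steps 4 to 7, S3 bucket and SNS topic) and StartConfigurationRecorder (step 9). The following added example, not from the benchmark or the AWS CLI source, spells those calls out with boto3 and also implements the Backout Plan (StopConfigurationRecorder). The bucket name and ARNs are the page's placeholders and must be replaced; `RecordingClient` is a stand-in client so the call sequence can be checked without touching an account.

```python
"""Enable or stop the AWS Config recorder in one region."""
from typing import Any, Dict, List, Tuple


def recorder_definition(role_arn: str, name: str = "default") -> Dict[str, Any]:
    """Step 3: record all supported regional resources plus global ones (e.g. IAM)."""
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": True,
            "includeGlobalResourceTypes": True,
        },
    }


def delivery_channel_definition(bucket: str, topic_arn: str,
                                prefix: str = "", name: str = "default") -> Dict[str, Any]:
    """Steps 4-7: S3 bucket (optional key prefix) and SNS topic for notifications."""
    channel: Dict[str, Any] = {"name": name, "s3BucketName": bucket, "snsTopicARN": topic_arn}
    if prefix:
        channel["s3KeyPrefix"] = prefix
    return channel


def enable_config(client: Any, role_arn: str, bucket: str,
                  topic_arn: str, prefix: str = "") -> str:
    """Create the recorder and delivery channel, then start recording.
    `client` is a boto3 'config' client or a stand-in with the same methods.
    Returns the recorder name."""
    client.put_configuration_recorder(ConfigurationRecorder=recorder_definition(role_arn))
    client.put_delivery_channel(
        DeliveryChannel=delivery_channel_definition(bucket, topic_arn, prefix))
    client.start_configuration_recorder(ConfigurationRecorderName="default")
    return "default"


def disable_config(client: Any, name: str = "default") -> None:
    """Backout plan: stop the recorder (status OFF). History already in S3 is kept."""
    client.stop_configuration_recorder(ConfigurationRecorderName=name)


class RecordingClient:
    """Stand-in client (an assumption of this example) that records calls
    instead of reaching AWS, so the sequence can be verified offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, method: str):
        def call(**kwargs: Any) -> Dict[str, Any]:
            self.calls.append((method, kwargs))
            return {}
        return call


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # assumed installed and credentialed for the live path
        client = boto3.client("config", region_name="us-east-1")
    else:
        client = RecordingClient()
    enable_config(client,
                  "arn:aws:iam::123456789012:role/MyConfigRole",  # placeholder from the page
                  "MyConfigS3Bucket",
                  "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic")
    if isinstance(client, RecordingClient):
        for method, kwargs in client.calls:
            print(method, kwargs)
```

The IAM role passed as `roleARN` is the pre-requisite role from the Remediation section; the S3 bucket and SNS topic policies must grant AWS Config access, as steps 4 and 6 note, or PutDeliveryChannel fails with an insufficient-permissions error.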


Note:

AWS Config is designed to be your primary tool to perform configuration audit and compliance verification of both your AWS and third-party resources.


References:

https://docs.aws.amazon.com/config/latest/developerguide/gs-cli.html 

https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html  

https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html


CIS Controls:

1.4 Maintain Detailed Asset Inventory 

    Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. 

11.2 Document Traffic Configuration Rules 

    All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. 

16.1 Maintain an Inventory of Authentication Systems 

    Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.