Articles → AWS → AWS Config

AWS Config

In this article, we will discuss AWS config.

Purpose

AWS config is the cloud audit service where you can perform logging based on certain rules. The action i.e., logging is performed based on the certain triggers: -

Configuration based → This type of trigger runs the evaluation when a resource is created, changed, or deleted. For example, s3-bucket-replication-enabled (Checks if the replication is enabled for S3 bucket or not)
Periodic → This type of trigger runs the evaluation on a certain interval of time. For example, ec2-stopped-instance (Checks if the ec2 is stopped more than allowed number of times)

Steps

In this article, we will work on the following steps: -

Create a S3 bucket
Create a new role
Create a rule
Reevaluate rules
Remediation
Output

Let us get started.

Create A S3 Bucket

First, create a S3 bucket.

Picture showing the S3 bucket created in AWS console

Click to Enlarge

Create A New Role

Second step is to create a new role. While creating the role, the use case must be Systems Manager.

Picture showing the use case as Systems Manager while creating the role

Click to Enlarge

Permissions must be AmazonS3FullAccess.

Picture showing adding the permission AmazonS3FullAccess while creating the role

Click to Enlarge

Let us name the role as AWSConfigRemediationRole.

Picture showing specifying the role name

Click to Enlarge

Create A Rule

To create a rule, click on the Rules menu on the left-hand side.

Picture showing the Rules menu in AWS config for creating the new rule

Click to Enlarge

A screen will appear to add a rule. Click on the Add rule button.

Picture showing the Add rule button for creating the new rule

Click to Enlarge

In the first step of add rule screen, Select rule type as Add AWS managed rule.

Picture showing the section of rule screen to specify rule type

Click to Enlarge

Scroll down to the AWS Managed Rules section. Select the s3-bucket-server-side-encryption-enabled.

Picture showing the section of screen to select the predefined rule

Click to Enlarge

Click on the Next button. In the second step, enter the Name.

Picture showing the section of Configure rule screen to enter the rule name

Click to Enlarge

Scroll down to the Trigger section. Select the Scope of changes as Resources.

Picture showing the section of Configure rule screen to specify the trigger

Click to Enlarge

Scroll down to the bottom and click on the Next button. The review screen will appear.

Picture showing the review and create screen of rule in AWS config

Click to Enlarge

Scroll down below and click on the Add rule button to create the rule.

Reevaluate Rules

Once the rule is created, you need to reevaluate the role on the existing resources. For that, select the rule and click on Actions Re-evaluate.

Picture showing the Re-evaluate menu option to reevaluate the AWS config rule

Click to Enlarge

Once the resource is evaluated, you will see the non-compliance message.

Picture showing the non-compliance message when the rule is evaluated

Click to Enlarge

Remediation

To remediate, select the rule and click on Manage remediation.

Click to Enlarge

In the edit remediation screen, select the remediation method as Automatic remediation and Remediation action details as AWS-EnableS3BucketEncryption.

Picture showing the Edit Remediation screen for selecting the remediation method

Click to Enlarge

Set the Resource ID parameter as BucketName.

Picture showing setting the Resource ID parameter as BucketName

Click to Enlarge

Scroll down further and enter the parameters.

Picture showing setting the other parameters while editing the remediation

Click to Enlarge

Click on Save changes button. You will get the confirmation message.

Picture showing the confirmation message when remediation is updated

Click to Enlarge

On the same page, you can see the resources that requires remediation.

Picture showing the list of non-compliance resources

Click to Enlarge

Select the resource and click on the Remediate button. Once the remediation is completed, the status of the resource is changed.

Picture showing the status of resource when remediation is run on non-compliance resources

Click to Enlarge

Output

The encryption is enabled in S3 bucket.

Picture showing the encryption enabled on S3 bucket

Click to Enlarge

Posted By -	Karan Gupta

Posted On -	Monday, September 20, 2021

Updated On -	Monday, September 19, 2022

Query/Feedback

Your Email Id		**

Subject		*

Query/Feedback	Characters remaining 250	**