AWS Config keeps track of the configuration of your AWS resources and their relationships to your other resources. It can also evaluate those AWS resources for compliance. This service uses rules that can be configured to evaluate AWS resources against desired configurations.

For example, there are AWS Config rules that check whether or not your Amazon S3 buckets have logging enabled or your IAM users have an MFA device enabled. AWS Config rules use AWS Lambda functions to perform the compliance evaluations, and the Lambda functions return the compliance status of the evaluated resources as compliant or noncompliant. The noncompliant resources are remediated using the remediation action associated to the AWS Config rule. With Auto Remediation feature of AWS Config rules, the remediation action can be executed automatically when a resource is found non-compliant.

Until now, remediation actions had to be executed manually for each noncompliant resource. This is not always feasible if you have many noncompliant resources for which you want to execute remediation actions. It can also pose risks if these resources remain without remediation for an extended amount of time.

In this post, you learn how to use the new AWS Config Auto Remediation feature on a noncompliant S3 bucket to ensure it is remediated automatically.

Overview

The AWS Config Auto Remediation feature automatically remediates non-compliant resources evaluated by AWS Config rules. You can associate remediation actions with AWS Config rules and choose to execute them automatically to address non-compliant resources without manual intervention.

You can:

  • Choose the remediation action you want to associate from a pre populated list.
  • Create your own custom remediation actions using AWS Systems Manager Automation documents.

If a resource is still non-compliant after auto remediation, you can set the rule to try auto remediation again.

Solution

This post describes how to use the AWS Config Auto Remediation feature to auto remediate any non-compliant S3 buckets using the following AWS Config rules:

  • s3-bucket-logging-enabled
  • s3-bucket-server-side-encryption-enabled
  • s3-bucket-public-read-prohibited
  • s3-bucket-public-write-prohibited

These AWS Config rules act as controls to prevent any non-compliant S3 activities.

Prerequisites

Make sure you have the following prerequisites before following the solution in this post:

  • You must have AWS Config enabled in your AWS account. For more information, see Getting Started with AWS Config.
  • The AutomationAssumeRole in the remediation action parameters should be assumable by SSM. The user must have pass-role permissions for that role when they create the remediation action in AWS Config, and that role must have whatever permissions the SSM document requires. For example, it may need “s3:PutEncryptionConfiguration” or something else specific to the API call that SSM uses.
  • (Optional): While setting up remediation action, if you want to pass the resource ID of non-compliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated. Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the drop-down list, you can enter values for each key. If you choose a resource ID parameter from the drop-down list, you can enter values for all the other keys except the selected resource ID parameter.

Steps

Use the following steps to set up Auto Remediation for each of the four AWS Config rules.

To set up Auto Remediation for s3-bucket-logging-enabled

The “s3-bucket-logging-enabled” AWS Config rule checks whether logging is enabled for your S3 buckets. Use the following steps to auto-remediate an S3 bucket whose logging is not enabled:

  1. Sign in to the AWS Management Console and open the AWS Config console.
  2. On the left pane, choose Rules
  3. On the Rules page, under Rule name, select s3-bucket-logging-enabled and then choose Add rule to add it to the rule list. (If the rule already exists, select it from the rule list and then choose Edit.)  There is one bucket named “tests3loggingnotenabled” which shows as a non-compliant resource under “s3-bucket-logging-enabled” rule.
  4. Return to the Rules page and choose Edit.
  5. In the Choose remediation action section, from the Remediation action list, select AWS-ConfigureS3BucketLogging. (AWS-ConfigureS3BucketLogging is an AWS SSM Automation document that enables logging on an S3 bucket using SSM Automation.)
  6. In the Auto remediation section, select Yes to automatically remediate non-compliant resources.
  7. In the Parameters section, enter the values for the required parameters such as AutomationAssumeRole, Grantee details required to execute the remediation action, and the Target bucket to store logs.
  8. Choose Save. The “s3-bucket-logging-enabled” AWS Config rule can now auto-remediate non-compliant resources. A confirmation that it executed the remediation action shows in the Action status column.S3 bucket Server access logging is now enabled automatically using the AWS Config Auto Remediation feature.

To set up Auto Remediation for s3-bucket-server-side-encryption-enabled

The “s3-bucket-server-side-encryption-enabled” AWS Config rule checks that your S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

  1. Sign in to the AWS Management Console and open the AWS Config console 
  2. On the left pane, choose Rules
  3. On the Rules page, under Rule name, select s3-bucket-server-side-encryption-enabled and then choose Add rule to add it to the rule list. (If the rule already exists, select it from the rule list and then choose Edit.)There is one S3 bucket named “s3notencrypted” which is shown as a non-compliant resource under “s3-bucket-server-side-encryption-enabled” rule.
  4. Return to the Rules page and choose Edit.
  5. In the Choose remediation action section, from the Remediation action list, select AWS-EnableS3BucketEncryption. (AWS-EnableS3BucketEncryption is an AWS SSM Automation document that enables server-side encryption on an S3 bucket using SSM Automation. )
  6. In the Auto remediation section, select Yes to automatically remediate non-compliant resources.
  7. In the Parameters section, enter the values for AutomationAssumeRole, SSE algorithm required to execute the remediation action.
  8. Choose Save. The “s3-bucket-server-side-encryption-enabled” AWS Config rule can now auto-remediate non-compliant resources. A confirmation that it executed the remediation action shows in the Action status column.S3 bucket server-side encryption is now enabled automatically using the AWS Config Auto Remediation feature.

To set up auto remediation for s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited

An AWS S3 bucket can be protected from public read and write using AWS Config rules “s3-bucket-public-read-prohibited” and “s3-bucket-public-write-prohibited” respectively. Enable these AWS Config rules as discussed in the above two scenarios and enable auto remediation feature with existing SSM Document remediation action “AWS-DisableS3BucketPublicReadWrite”. This remediation action disables an S3 bucket’s public Write and Read access via Block Public Access settings.

 

Conclusion

In this post, you saw how to auto-remediate non-compliant S3 resources using the AWS Config auto remediation feature for AWS Config rules. You can also use this feature to maintain compliance of other AWS resources using existing SSM documents or custom SSM documents. For more details, see Remediating Non-compliant AWS Resources by AWS Config Rules.

For pricing details on AWS Config rules, visit the AWS Config pricing page.

 

About the Author

Harshitha Putta is an Associate Consultant with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.

from AWS Management Tools Blog