Step by Step: AWS Config Remediation

For those of you wanting to set up AWS Config Remediation I’ve listed the steps below. I walked through this process in a YouTube video, but since there are a few more steps than usual I decided to create this post.

AWS Config checks resources in AWS to confirm they are configured the way you intend. If they become non-compliant you can set up a Remediation that acts on the resource. In this demonstration I will create a Config rule to monitor S3 buckets that have been made publicly accessible. If a bucket becomes publicly accessible, Config sees that as non-compliant and runs a remediation we’ll set up to send an email alert.

Set up AWS Config for the first time

If you’ve already set up AWS Config for your region you can skip to the next step, “Create AWS Config Rule”. Make sure you’re in the same region as the resources you want to monitor. From the AWS console search for Config and go to that service.

Choose Get Started

Recording Method – All resource types with customizable overrides

Resource type – AWS S3 Bucket; recording frequency – Continuous

Override settings – leave as default

Data governance – Use an existing AWS Config service-linked role

Delivery method – Create a bucket

S3 Bucket Name – choose descriptive name

Amazon SNS topic – leave unchecked

Next

Next

Confirm

Config Dashboard should appear

Create AWS Config Rule

From the Config Dashboard you’ll need to create a rule.

Add Rule (left navigation)

Choose “Add AWS managed rule”

Search for s3-bucket-level-public-access-prohibited and select it

Next

Name the rule

Scope of changes – Resources

Resources – choose “AWS S3 Bucket” if not already chosen

Next

Save

Create SNS Topic

In order for our email alert to work we’ll need to create a Simple Notification Service (SNS) topic.

Open SNS on console

Create topic – with descriptive name

Standard

Add Display name

Choose Create Topic


Create SNS Subscription

The topic we just created won’t work until we create a subscription and confirm it when we receive the email from AWS.

Open SNS if you’re not already there

Choose Subscriptions from left dropdown

Create subscription

Click in box for Topic ARN and choose the one you just created (box appears blank until you click inside it)

Protocol – email

Endpoint – enter your email address for alerts

Save and check your email to confirm

Important: If you don’t check your email and confirm the subscription you won’t receive any emails from SNS.

Create Automation Assume Role

We’ll need to create roles and policies in IAM so Config has the proper permissions to do its job. The AWS documentation suggests using the AmazonSSMAutomationRole under Permissions, but that role doesn’t work, so I have a workaround below.

Go to the IAM service

Go to Roles

Create Role

Trusted entity type – AWS Service

Use Case – Systems Manager

Next

Next (we’ll skip adding Permissions for now; in the video I had you use the AmazonSSMAutomationRole, which doesn’t work)

Enter a Role Name and Description

Create Role

Open the new Role

Under the Permissions tab choose Create inline policy from the Add permissions pulldown

In the inline policy editor make sure the JSON view is selected and paste the code from this GitHub repo (replacing the code that was already there)

Next

Name Policy and choose Create Policy

Open Trust Relationships tab

Edit Trust Policy

Copy and paste the JSON from this GitHub repo (replacing the account IDs with yours)

Choose Update Policy

Copy the ARN from the new Role

Attach the iam:PassRole policy to your Automation role

Config needs to assume the role for the remediation.

Open the newly created IAM role

On the Permissions tab choose Add permissions, then choose “Create inline policy”

Choose IAM from the Service dropdown

Under Actions allowed, type “PassRole” and select the “Write” checkbox

Choose “Add ARNs”

Open a new tab for IAM, find the Role you created in the previous step, and copy its ARN

Go back to the tab where you were and paste the ARN in the “Resource ARN” box

Choose the “Add ARNs” button

Review, then hit Next

Give the policy a name and hit “Create policy”
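The post points at JSON in a GitHub repo that is not reproduced here, so as an added example (not the post’s repo code) the block below builds the three documents this section creates: a trust policy for Systems Manager Automation, an inline permission policy limited to sns:Publish on the alert topic, and the iam:PassRole policy scoped to the automation role, plus a check that flags any Allow statement left on Resource "*". The account ID, region, topic name and role name are placeholders.

```python
import json

# Hypothetical account, region and names for this example; substitute your own.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:config-remediation-alerts"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ConfigRemediationAutomationRole"


def trust_policy() -> dict:
    """Trust relationship: let Systems Manager Automation assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ssm.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def publish_policy(topic_arn: str) -> dict:
    """Inline permissions: sns:Publish only, and only on the alert topic."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": topic_arn}]}


def passrole_policy(role_arn: str) -> dict:
    """iam:PassRole scoped to the one automation role (the post's last IAM step)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn}]}


def wildcard_allows(policy: dict) -> list:
    """Return Allow statements whose Resource is '*'; each one is a candidate
    for tightening to a specific ARN before the policy is saved."""
    hits = []
    for stmt in policy["Statement"]:
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow" and "*" in res:
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    for name, doc in [("trust", trust_policy()),
                      ("sns-publish", publish_policy(TOPIC_ARN)),
                      ("passrole", passrole_policy(ROLE_ARN))]:
        print(f"# {name}: {len(wildcard_allows(doc))} wildcard Allow statements")
        print(json.dumps(doc, indent=2))
```

Paste the printed documents into the inline policy and trust policy editors in the steps above.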

Setup Remediation

Now that we have the necessary IAM roles and policies set up we can create our remediation.

Go back to the AWS Config dashboard

Select the Rule we created earlier and choose Manage Remediation from the Actions dropdown

Remediation Method – Automatic remediation

Remediation action details – choose AWS-PublishSNSNotification if not already selected

Under Parameters

TopicARN – paste the Topic ARN from the SNS console (the topic ARN, not the subscription ARN)

Message – can be anything you want, just make it descriptive

AutomationAssumeRole – paste the Role ARN we created in IAM
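As an added example (not from the post), the block below assembles the same remediation as a remediation configuration object, in the shape `aws configservice put-remediation-configurations` accepts, and validates the two parameters first. In particular it distinguishes an SNS topic ARN (six colon-separated fields) from a subscription ARN (a seventh field with the subscription ID), which is the mix-up described in the troubleshooting section. The rule name, topic ARN and role ARN are placeholders; the parameter keys follow the AWS-PublishSNSNotification document.

```python
import json
import re

# Hypothetical values for this example; replace with your own.
RULE_NAME = "s3-public-access-prohibited-alert"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:config-remediation-alerts"
ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationAutomationRole"

# A topic ARN has exactly six fields; a subscription ARN appends a seventh.
TOPIC_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")
ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def validate_parameters(topic_arn: str, role_arn: str) -> list:
    """Return a list of problems; an empty list means the parameters look right."""
    problems = []
    if not TOPIC_RE.match(topic_arn):
        if topic_arn.startswith("arn:aws:sns:") and topic_arn.count(":") == 6:
            problems.append("TopicArn is a subscription ARN; use the topic ARN from the SNS console")
        else:
            problems.append("TopicArn is not an SNS topic ARN")
    if not ROLE_RE.match(role_arn):
        problems.append("AutomationAssumeRole must be an IAM role ARN")
    return problems


def remediation_configuration(rule_name: str, topic_arn: str, role_arn: str, message: str) -> dict:
    """Build one entry for the --remediation-configurations list."""
    problems = validate_parameters(topic_arn, role_arn)
    if problems:
        raise ValueError("; ".join(problems))

    def static(value: str) -> dict:
        return {"StaticValue": {"Values": [value]}}

    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-PublishSNSNotification",
        "Parameters": {
            "TopicArn": static(topic_arn),
            "Message": static(message),
            "AutomationAssumeRole": static(role_arn),
        },
        "Automatic": True,            # matches "Automatic remediation" in the console
        "MaximumAutomaticAttempts": 5,
        "RetryAttemptSeconds": 60,
    }


if __name__ == "__main__":
    cfg = remediation_configuration(RULE_NAME, TOPIC_ARN, ROLE_ARN,
                                    "AWS Config: S3 bucket is publicly accessible")
    print(json.dumps([cfg], indent=2))
```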

Test & Troubleshooting

We can test this by creating an S3 bucket in the same region and making it publicly accessible. Now, when you go back to the AWS Config dashboard you should see a non-compliant resource. You should also have received an email alert. If the dashboard doesn’t update you’ll want to choose Re-evaluate from the Rule’s summary page.

If you scroll down to the bottom of the Rule’s summary page you should see the status of the remediation. If it shows Failed, the description is worthless, so you’ll need to open the CLI. Click the icon at the top of the page that looks like a small command prompt.

Type in this command:

aws configservice describe-remediation-execution-status --config-rule-name <YOUR_RULE_NAME_HERE>

This should give you a pretty good idea of what’s going on. In my YouTube video we had two problems: one, I had copied the ARN for the Subscription instead of the Topic ARN, and two, as mentioned earlier, the AWS documentation suggests using the AmazonSSMAutomationRole, which doesn’t work, so I had to make some changes to get it working.

Conclusion

In this post we created an AWS Config rule that monitors S3 buckets for compliance. We then created the necessary IAM roles and policies to allow us to remediate the resource, tested using an S3 bucket that was publicly accessible, and finally went over how to troubleshoot your remediation.

If you would like to watch the YouTube video that corresponds to this post you can find it here.