For those of you wanting to setup AWS Config Remediation I’ve listed the steps below. I walked through this process on a YouTube video, but since there are a few steps more than usual I decided to create this post.
AWS Config allows for checking resources in AWS to confirm they are configured the way you intend. If they become non-compliant you can setup a Remediation that act on the resource. In this demonstration I will create a Config rule to monitor S3 buckets that have been made publicly accessible. If a bucket becomes publicly accessible Config sees that as non-compliant and runs a remediation we’ll setup to send an email alert.
Setup AWS Config for first time
If you’ve already setup AWS Config for your region you can skip to next step “Create AWS Config rule”. Make sure you’re in the same region as the resources you want to monitor. From AWS console search for Config and goto that service.
Choose Get Started
Recording Method – All resource types with customizable overrides
Resource type – AWS S3 Bucket freq – continuous
Override settings – leave as default
Data governance – Use an existing AWS Config service-linked role
Delivery method – Create a bucket
S3 Bucket Name – choose descriptive name
Amazon SNS topic – leave unchecked
Next
Next
Confirm
Config Dashboard should appear
Create AWS Config Rule
From the Config Dashboard you’ll need to create a rule.
Add Rule (left navigation)
Choose “Add AWS managed rule“
search for s3-bucket-level-public-access-prohibited and select it
Next
Name the rule
Scope of changes – Resources
Resources – choose “AWS S3 Bucket” if not already chosen
Next
Save
Create SNS Topic
In order for our email alert to work we’ll need to create a simple notification service topic.
Open SNS on console
Create topic – with descriptive name
Standard
Add Display name
Choose Create Topic
Create SNS Subscription
Our topic we just created won’t work until we create a subscription and confirm it when we receive email from AWS.
Open SNS if you’re not already there
Choose Subscriptions from left dropdown
Create subscription
Click in box for Topic ARN and choose the one you just created (box appears blank until you click inside it)
Protocol – email
Endpoint – enter your email address for alerts
Save and check email to confirm
Important: If you don’t check your email and confirm the subscription you won’t receive any emails from SNS.
Create Automation Assume Role
We’ll need to create roles and policies in IAM so Config has the proper permissions to do it’s job. In the AWS documentation is suggests to use the AmazonSSMAutomationRole under Permissions, but that role doesn’t work so I have workaround below.
Got IAM service
go to Roles
Create Role
Trusted entity type – AWS Service
Use Case – Systems Manager
Next
Next (we’ll skip adding Permissions for now; in video I had you use the AmazonSSMAutomationRole which doesn’t work)
Enter a Role Name and Description
Create Role
Open new Roll
Under Permissions tab choose create inline policy from Add Permissions pulldown
From Inline Policy make sure JSON view is selected and paste code from this Github repo (replacing code that was already there)
Next
Name Policy and choose Create Policy
Open Trust Relationships tab
Edit Trust Policy
Copy and Paste JSON from This Github Repo (replacing account Id’s with yours)
Choose Update Policy
Copy ARN from new Role
Attach the iam:PassRole policy to your Automation role
Config needs to assume roles for the remediation
Open newly created IAM role
Permissions tab choose Add permissions then choose “create inline policy“
Choose IAM from Service dropdown
From Actions allowed type “PassRole” and select “Write” checkbox
Choose “Add ARNs“
Open new tab for IAM and find Role you created in previous step, copy ARN
Go back to tab where you were and paste the ARN in the “Resource ARN” box
Choose “Add ARNs” button
Review then hit NEXT
Give the policy a name and hit “Create policy“
Setup Remediation
Now that we have the necessary IAM roles and policies setup we can create our remediation.
Go back to AWS Config dashboard
Select Rule we created earlier and choose Manage Remediation from Actions dropdown
Remediation Method – Automatic remediation
Remediation action details – choose AWS-PublishSNSNotification if not selected
Under Parameters
TopicARN – paste Topic ARN from SNS console
Message – Can be anything you want just make it descriptive
AutomationAssumeRole – paste Role ARN we created in IAM
Test & Troubleshooting
We can test this by creating an S3 bucket in same region and making it publicly accessible. Now, when you got back to the AWS Config dashboard you should see a non-compliant resource. You should have also received an email alert. If the dashboard doesn’t update you’ll want to choose re-evaluate from the Rule’s summary page.
If you scroll down to the bottom of the Rule’s summary page you should see a status of the rule. If it shows failed the description is worthless so you’ll need to open the CLi. Open the icon at the top of the page that looks like a small command prompt.
Type in this command:
aws configservice describe-remediation-execution-status –config-rule-name <YOUR_RULE_NAME_HERE>
This should give you a pretty good idea of what’s going on. In my YouTube video we had two problems. One, I had copied the ARN for the Subscription instead of the Topic ARN and two, as mentioned earlier the AWS documentation suggests using the AmazonSSMAutomationRole which doesn’t work so I had to make some changes to get it working.
Conclusion
In this post we created an AWS Config rule that would monitor S3 buckets for compliance. We then created the necessary IAM roles and policies to allow us to remediate the resource. We then tested using an S3 bucket that was publicly accessible and finally we went over how to troubleshoot your remediation.
If you would like to watch the YouTube video that corresponds to this post you can find it here.