AWS Config Referencing Missing S3 Bucket

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Config-002

Ensure that Amazon Config is referencing an active S3 bucket in order to save configuration information (history files and snapshots) for auditing purposes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence

Amazon Config tracks changes within the configuration of your AWS cloud resources and it regularly sends updated configuration details to an S3 bucket that you provide. When Amazon Config is not referencing an active S3 bucket, the service is unable to send the recorded information to the designated bucket, therefore you lose the ability to audit the configuration changes made within your AWS account.


Audit

To determine if Amazon Config is missing the ability to save configuration information (history files and configuration snapshots) due to an inactive S3 bucket, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Copy the name of the S3 bucket designated to save configuration information, listed under S3 bucket name, in the Delivery method section.

05 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

06 Paste the name of the S3 bucket copied at step no. 4 inside the Find buckets by name search box and press Enter. If no results matching your filter criteria are returned, the S3 bucket specified in the Config service settings is either no longer available in your AWS cloud account, or it is hosted in another AWS account (e.g. a central organization account). If your organization uses a central account to host this S3 bucket and you don't have access to the central organization account, you may need to contact the authorized personnel in your organization to verify the existence of the bucket.

07 If the bucket no longer exists in your organization, the Amazon Config service is not able to send relevant information to the selected S3 bucket for auditing purposes.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-delivery-channels command (OSX/Linux/UNIX) with custom query filters to list the name of the S3 bucket to which Amazon Config sends information about configuration changes:

aws configservice describe-delivery-channels \
  --region us-east-1 \
  --query 'DeliveryChannels[*].s3BucketName'

02 The command output should return the name of the configured S3 bucket:

[
	"config-bucket-123456789012"
]

03 Run head-bucket command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket returned at the previous step as the identifier to determine if the associated bucket exists within the current AWS cloud account and if you (the authenticated sender of the request) have permission to access it:

aws s3api head-bucket \
  --bucket config-bucket-123456789012

04 If the selected bucket exists and you have permission to access it, no output is returned; otherwise, a 404 error message is returned:

A client error (404) occurred when calling the HeadBucket operation: Not Found.

If the head-bucket command output returns the following error message: A client error (404) occurred when calling the HeadBucket operation: Not Found., the S3 bucket specified in the Config service settings is no longer available within your AWS account, therefore the Amazon Config service is not able to send information about configuration changes to the selected S3 bucket for auditing purposes.

05 If the command output returns the following error message: A client error (403) occurred when calling the HeadBucket operation: Forbidden., the configured S3 bucket exists but you don't have access to it. This error is returned, for example, when the S3 bucket is hosted in another AWS account. If your organization uses a central account to host the S3 bucket associated with Amazon Config and you don't have access to the central organization account, you may need to contact the authorized personnel in your organization to verify the existence of the S3 bucket.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
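The CLI audit above, steps 01 to 05, as a script. This is an added example, not code from the Conformity page or from AWS: it lists each delivery channel's bucket and classifies it the same way head-bucket does (no error, 404, 403). The status labels and the Fake* classes are constructed stand-ins with the same call shapes as boto3 clients, so the block runs offline.

```python
"""Audit Config delivery-channel buckets the way the CLI steps above do (added example)."""

# Status labels (assumed names) for the three outcomes the Audit section distinguishes.
OK, MISSING, FORBIDDEN = "ok", "missing", "forbidden"

def classify_bucket(s3_client, bucket):
    """Mirror `aws s3api head-bucket`: success -> ok, 404 -> missing, 403 -> forbidden."""
    try:
        s3_client.head_bucket(Bucket=bucket)
    except Exception as exc:  # botocore.exceptions.ClientError when using real boto3 clients
        # botocore puts the HTTP status / error code at exc.response["Error"]["Code"].
        code = str(getattr(exc, "response", {}).get("Error", {}).get("Code", ""))
        if code in ("404", "NoSuchBucket"):
            return MISSING
        if code in ("403", "AccessDenied"):
            return FORBIDDEN
        raise
    return OK

def audit_region(config_client, s3_client):
    """Return {bucket_name: status} for every delivery channel in the client's region."""
    channels = config_client.describe_delivery_channels().get("DeliveryChannels", [])
    return {ch["s3BucketName"]: classify_bucket(s3_client, ch["s3BucketName"])
            for ch in channels if "s3BucketName" in ch}

# Constructed fakes with the same call shapes as boto3 clients, so the block runs offline.
class FakeClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeConfig:
    def describe_delivery_channels(self):
        # The page's sample channel: its bucket name still points at a deleted bucket.
        return {"DeliveryChannels": [{"name": "default",
                                      "s3BucketName": "config-bucket-123456789012"}]}

class FakeS3:
    # Constructed: the deleted bucket answers 404; a bucket owned by a central account answers 403.
    codes = {"config-bucket-123456789012": "404", "central-org-config-bucket": "403"}

    def head_bucket(self, Bucket):
        if Bucket in self.codes:
            raise FakeClientError(self.codes[Bucket])
        return {}

if __name__ == "__main__":
    print(audit_region(FakeConfig(), FakeS3()))  # {'config-bucket-123456789012': 'missing'}
```

With real credentials, pass boto3.client("config", region_name=region) and boto3.client("s3") to audit_region and loop over your regions, which is what step 06 does by changing --region.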

Remediation / Resolution

To ensure that Amazon Config service is not configured with a missing S3 bucket, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"DeliveryChannelBucketName": {
			"Type": "String"
		},
		"DeliveryChannelBucketPrefix": {
			"Type": "String"
		}
	},
	"Resources": {
		"DeliveryChannelBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": {
					"Ref": "DeliveryChannelBucketName"
				},
				"AccessControl": "Private",
				"PublicAccessBlockConfiguration": {
					"BlockPublicAcls": true,
					"IgnorePublicAcls": true,
					"BlockPublicPolicy": true,
					"RestrictPublicBuckets": true
				}
			}
		},
		"ConfigurationRecorder": {
			"Type": "AWS::Config::ConfigurationRecorder",
			"Properties": {
				"Name": "default",
				"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
				"RecordingGroup": {
					"AllSupported": true,
					"IncludeGlobalResourceTypes": true
				}
			}
		},
		"DeliveryChannel": {
			"Type": "AWS::Config::DeliveryChannel",
			"Properties": {
				"ConfigSnapshotDeliveryProperties": {
					"DeliveryFrequency": "Six_Hours"
				},
				"S3BucketName": {
					"Ref": "DeliveryChannelBucketName"
				},
				"S3KeyPrefix": {
					"Ref": "DeliveryChannelBucketPrefix"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DeliveryChannelBucketName:
    Type: String
  DeliveryChannelBucketPrefix:
    Type: String
Resources:
  DeliveryChannelBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref 'DeliveryChannelBucketName'
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: Six_Hours
      S3BucketName: !Ref 'DeliveryChannelBucketName'
      S3KeyPrefix: !Ref 'DeliveryChannelBucketPrefix'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_s3_bucket" "aws-config-bucket" {
	bucket = "cc-config-bucket"
	acl    = "private"
}

resource "aws_s3_bucket_public_access_block" "s3-block-public-access" {
	bucket                  = aws_s3_bucket.aws-config-bucket.id
	block_public_acls       = true
	ignore_public_acls      = true
	block_public_policy     = true
	restrict_public_buckets = true
}

resource "aws_config_configuration_recorder" "configuration-recorder" {
	name     = "default"
	role_arn = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
	recording_group {
		all_supported                 = true
		include_global_resource_types = true
	}
}

resource "aws_config_configuration_recorder_status" "configuration-recorder-status" {
	is_enabled = true
	name       = aws_config_configuration_recorder.configuration-recorder.name
}

resource "aws_config_delivery_channel" "config-delivery-channel" {
	name           = "cc-config-delivery-channel"
	s3_bucket_name = aws_s3_bucket.aws-config-bucket.bucket
	s3_key_prefix  = "config-history"
	depends_on     = [aws_config_configuration_recorder.configuration-recorder]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Choose Edit to access the configuration settings available for Amazon Config in the selected AWS region.

05 In the Delivery method section, select one of the following options:

  1. Select Create a bucket to create a new S3 bucket, provide a unique name for the new bucket in the S3 bucket name box, add a prefix for the log path (optional), then choose Save to apply the changes.
  2. Select Choose a bucket from your account to specify an existing bucket, select the name of the existing bucket from the S3 bucket name box, add a prefix for the log path (optional), then choose Save to apply the changes.
  3. Select Choose a bucket from another account to specify an S3 bucket from another AWS account, type the name of the existing bucket in the S3 bucket name box, add a prefix for the log path (optional), then choose Save to apply the changes. If the selected bucket is from a central organization account, you will need to configure S3 permissions accordingly, such as granting the Amazon Config service write access to the bucket via the S3 bucket policy.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket where Amazon Config will send detailed information about the configuration changes made in your AWS account:

aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-config-log-data \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
	"Location": "/cc-config-log-data"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-config-log-data \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Create an access policy that grants Amazon Config the permission to write to the newly created S3 bucket. Create a JSON file named s3-bucket-access-policy.json and paste the following information (replace the highlighted details – the ARN of your bucket and the AWS account ID – with your details, or use AWS Policy Generator to create your own policy):

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSConfigS3BucketPermissions",
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"config.amazonaws.com"
				]
			},
			"Action": "s3:GetBucketAcl",
			"Resource": "arn:aws:s3:::cc-config-log-data"
		},
		{
			"Sid": "AWSConfigBucketDelivery",
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"config.amazonaws.com"
				]
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::cc-config-log-data/AWSLogs/123456789012/Config/*",
			"Condition": {
				"StringEquals": {
					"s3:x-amz-acl": "bucket-owner-full-control"
				}
			}
		}
	]
}

05 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step (i.e. s3-bucket-access-policy.json) to your new Amazon S3 bucket (the command does not produce an output):

aws s3api put-bucket-policy \
  --region us-east-1 \
  --bucket cc-config-log-data \
  --policy file://s3-bucket-access-policy.json

06 Run describe-delivery-channels command (OSX/Linux/UNIX) to return the delivery channel configuration details for Amazon Config service in the selected AWS region:

aws configservice describe-delivery-channels --region us-east-1

07 The command output should return the requested delivery channel information:

{
	"DeliveryChannels": [
		{
			"name": "default",
			"s3BucketName": "config-bucket-123456789012",
			"s3KeyPrefix": "logs",
			"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-sns-topic"
		}
	]
}

08 Create the required configuration document and save it to a JSON file. Based on the delivery channel attributes returned at the previous step, create a JSON file named new-config-delivery-channel.json and paste the following information (replace the configuration data with your own data):

{
	"name": "default",
	"s3BucketName": "cc-config-log-data",
	"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-sns-topic",
	"configSnapshotDeliveryProperties": {
		"deliveryFrequency": "Six_Hours"
	}
}

09 Run put-delivery-channel command (OSX/Linux/UNIX) using the configuration document defined at the previous step (i.e. new-config-delivery-channel.json) to update the delivery channel of the Amazon Config service in the selected AWS region in order to replace the missing S3 bucket (the command does not produce an output):

aws configservice put-delivery-channel \
  --region us-east-1 \
  --delivery-channel file://new-config-delivery-channel.json

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
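Before running put-delivery-channel it is worth confirming that the bucket policy from step 04 grants the two permissions the Config service needs for the new bucket and account, otherwise the channel points at an existing bucket that Config still cannot write to. The following check is an added example, not code from the Conformity page or from AWS: missing_grants, _allow_for_config and SAMPLE_POLICY are constructed names, and SAMPLE_POLICY is a copy of the step 04 policy built inline so the block runs offline.

```python
"""Check a Config delivery bucket policy for the grants the service needs (added example)."""

CONFIG_SERVICE = "config.amazonaws.com"

def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _allow_for_config(policy, action, resource):
    """Return the Allow statement granting `action` on exactly `resource` to AWS Config, if any."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CONFIG_SERVICE not in services:
            continue
        if action in _as_list(stmt.get("Action")) and resource in _as_list(stmt.get("Resource")):
            return stmt
    return None

def missing_grants(policy, bucket, account_id, prefix=""):
    """List what would stop Config delivering to `bucket` for `account_id`; [] means the policy suffices.

    Config needs s3:GetBucketAcl on the bucket and s3:PutObject on
    <bucket>/[<prefix>/]AWSLogs/<account>/Config/* with the bucket-owner-full-control ACL condition.
    """
    problems = []
    if _allow_for_config(policy, "s3:GetBucketAcl", f"arn:aws:s3:::{bucket}") is None:
        problems.append("no s3:GetBucketAcl on arn:aws:s3:::" + bucket)
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    object_arn = f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/Config/*"
    put = _allow_for_config(policy, "s3:PutObject", object_arn)
    if put is None:
        problems.append("no s3:PutObject on " + object_arn)
    elif put.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
        problems.append("s3:PutObject lacks the s3:x-amz-acl = bucket-owner-full-control condition")
    return problems

def _config_statement(sid, action, resource, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": [CONFIG_SERVICE]},
            "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return stmt

# Constructed copy of the Remediation step 04 policy for the bucket cc-config-log-data.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _config_statement("AWSConfigS3BucketPermissions", "s3:GetBucketAcl",
                      "arn:aws:s3:::cc-config-log-data"),
    _config_statement("AWSConfigBucketDelivery", "s3:PutObject",
                      "arn:aws:s3:::cc-config-log-data/AWSLogs/123456789012/Config/*",
                      {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
]}
```

To check the file you attached in step 05, load it with json.load and pass it in with the bucket, account ID and the s3KeyPrefix (if any) from new-config-delivery-channel.json.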

Publication date Sep 23, 2017