
AWS Config Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: Config-005

Monitor AWS Config configuration changes. AWS Config is a service that maintains a configuration history of your AWS resources and evaluates their configuration against industry best practices and your organization's internal policies. Once enabled, the Config service discovers your existing AWS resources, records their current configuration, and records any changes made to those resources afterwards. The data recorded by AWS Config is extremely useful for operational troubleshooting, security audits and compliance use cases, because it can show how an AWS resource was configured at a given point in time and what relationships it had with other services and resources. As a security best practice, you need to be aware of every configuration change made to the AWS Config service itself. The activity detected by this Cloud Conformity RTMA rule can be any root or IAM user request initiated through the AWS Management Console, or any AWS API request made programmatically with the AWS CLI or SDKs, that triggers one of the Config service actions listed below under Security:

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

  • "StartConfigRulesEvaluation" - Runs an on-demand evaluation of the specified AWS Config rules against the last known configuration state of the resources.
  • "StartConfigurationRecorder" - Starts recording configurations of the resources you have selected to record in your AWS account.
  • "StopConfigurationRecorder" - Stops recording configurations of the resources you have selected to record in your AWS account. While the recorder is stopped, changes to your resources are not captured in the configuration history.
  • "PutConfigurationRecorder" - Creates a new configuration recorder, or updates an existing one, to record the selected AWS resource types. An update can silently narrow the set of recorded resource types.
  • "PutConfigurationAggregator" - Creates or updates a configuration aggregator with the selected source accounts (individual accounts or an organization) and regions.
  • "PutAggregationAuthorization" - Authorizes the aggregator account to collect data from the selected source account and region.
  • "PutConfigRule" - Adds or updates an AWS Config rule that evaluates whether your AWS resources comply with your desired configurations.
  • "PutDeliveryChannel" - Creates or updates the delivery channel that delivers configuration snapshots and history to an Amazon S3 bucket and notifications to an Amazon SNS topic. Pointing the channel at a bucket you do not control redirects your configuration history.
  • "DeleteConfigurationRecorder" - Deletes the configuration recorder. Previously recorded history remains available, but no further changes are recorded until a new recorder is created.
  • "DeleteAggregationAuthorization" - Deletes the authorization granted to the specified aggregator account in the specified AWS region.
  • "DeleteConfigRule" - Deletes the specified AWS Config rule and all of its existing evaluation results.
  • "DeleteConfigurationAggregator" - Deletes the specified configuration aggregator and all the data associated with it.
  • "DeleteDeliveryChannel" - Deletes the delivery channel. The call fails while the configuration recorder is running, so this action is normally preceded by a StopConfigurationRecorder call; seeing the two together from the same principal is a strong signal.
  • "DeleteEvaluationResults" - Deletes the evaluation results for the specified AWS Config rule.
  • "DeletePendingAggregationRequest" - Deletes pending authorization requests for a given aggregator account in a specified AWS region.

The Config service is typically run by operations or DevOps teams to catch misconfigurations at the AWS service and resource level and to close security gaps. Because it plays this role in an AWS environment, and because the Stop and Delete actions above let anyone who holds them blind your configuration history, Cloud Conformity strongly recommends that you grant permission to change the AWS Config service configuration only to a small set of privileged principals and withhold it from non-privileged IAM users. The communication channels used to send RTMA notifications are configured in your Cloud Conformity account; the supported channels for AWS Config configuration change alerts are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.
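To show what the detection and the least-privilege recommendation look like in practice, here is an added Python example (not Conformity's RTMA code) that scans CloudTrail records for the Config actions listed above. It raises the priority when the caller is the root user, when the action is one that stops recording or deletes history or delivery, or when the caller is not on an allow-list of Config administrators, and it keeps alerting on calls that CloudTrail logged as denied, because a failed StopConfigurationRecorder from a non-privileged user is an attempt worth seeing. The account id, principal ARNs and the log records are constructed for the example.

```python
"""Detect AWS Config configuration changes in CloudTrail records.

Added example, not Conformity's RTMA implementation. The records below are
constructed for illustration; account 123456789012 and the principals are
placeholders. Field names follow the CloudTrail record format (eventSource,
eventName, userIdentity, errorCode).
"""
import json

CONFIG_EVENT_SOURCE = "config.amazonaws.com"

# The Config actions this rule monitors (from the list above).
MONITORED_ACTIONS = frozenset({
    "StartConfigRulesEvaluation", "StartConfigurationRecorder",
    "StopConfigurationRecorder", "PutConfigurationRecorder",
    "PutConfigurationAggregator", "PutAggregationAuthorization",
    "PutConfigRule", "PutDeliveryChannel", "DeleteConfigurationRecorder",
    "DeleteAggregationAuthorization", "DeleteConfigRule",
    "DeleteConfigurationAggregator", "DeleteDeliveryChannel",
    "DeleteEvaluationResults", "DeletePendingAggregationRequest",
})

# Actions that stop recording or remove history/delivery: an attacker who
# wants to hide later changes reaches for these first.
DISRUPTIVE_ACTIONS = frozenset({
    "StopConfigurationRecorder", "DeleteConfigurationRecorder",
    "DeleteDeliveryChannel", "DeleteConfigurationAggregator",
    "DeleteAggregationAuthorization", "DeleteConfigRule",
    "DeleteEvaluationResults",
})


def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(log_text)["Records"]


def classify_event(record, trusted_principals):
    """Return an alert dict if the record is a monitored Config change, else None."""
    if record.get("eventSource") != CONFIG_EVENT_SOURCE:
        return None
    action = record.get("eventName")
    if action not in MONITORED_ACTIONS:
        return None
    identity = record.get("userIdentity", {})
    principal = identity.get("arn", "<unknown>")
    is_root = identity.get("type") == "Root"
    # Denied calls are still logged by CloudTrail (errorCode is set); treat
    # them as attempts rather than dropping them.
    denied = "errorCode" in record
    escalate = (is_root or action in DISRUPTIVE_ACTIONS
                or principal not in trusted_principals)
    return {
        "time": record.get("eventTime"),
        "region": record.get("awsRegion"),
        "action": action,
        "principal": principal,
        "root": is_root,
        "user_agent": record.get("userAgent", ""),  # console vs CLI/SDK
        "denied": denied,
        "priority": "high" if escalate else "low",
    }


def scan(records, trusted_principals):
    """Run classify_event over every record and keep the alerts, in order."""
    return [a for a in (classify_event(r, trusted_principals) for r in records) if a]


# Principals allowed to administer Config (an assumption for this example).
TRUSTED = {"arn:aws:sts::123456789012:assumed-role/SecOpsAdmin/alice"}

# Constructed sample log: one CloudTrail file body with six records.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2018-09-07T10:15:02Z", "awsRegion": "us-east-1",
  "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
  "userAgent": "aws-cli/1.16.0", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
 {"eventTime": "2018-09-07T10:20:44Z", "awsRegion": "us-east-1",
  "eventSource": "config.amazonaws.com", "eventName": "PutConfigRule",
  "userAgent": "console.amazonaws.com", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::123456789012:assumed-role/SecOpsAdmin/alice"}},
 {"eventTime": "2018-09-07T10:21:10Z", "awsRegion": "us-east-1",
  "eventSource": "config.amazonaws.com", "eventName": "DescribeConfigurationRecorders",
  "userAgent": "aws-cli/1.16.0", "userIdentity": {"type": "IAMUser",
  "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
 {"eventTime": "2018-09-07T10:25:31Z", "awsRegion": "us-east-1",
  "eventSource": "config.amazonaws.com", "eventName": "DeleteDeliveryChannel",
  "errorCode": "AccessDenied", "userAgent": "aws-cli/1.16.0",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
 {"eventTime": "2018-09-07T10:30:00Z", "awsRegion": "us-east-1",
  "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
 {"eventTime": "2018-09-07T11:02:17Z", "awsRegion": "eu-west-1",
  "eventSource": "config.amazonaws.com", "eventName": "PutDeliveryChannel",
  "userAgent": "console.amazonaws.com", "userIdentity": {"type": "Root",
  "arn": "arn:aws:iam::123456789012:root"}}
]}"""

if __name__ == "__main__":
    for alert in scan(load_records(SAMPLE_LOG), TRUSTED):
        print(json.dumps(alert))
```

On the sample, the read-only DescribeConfigurationRecorders call and the EC2 event are ignored; the stop by dev-bob, the denied delete by dev-bob and the root user's delivery-channel change come out as high priority, and the rule update by the allow-listed SecOps role comes out as low. In a real deployment the allow-list is the same set of principals that hold the Config write permissions, so any alert from outside it means either a policy gap or a compromised credential.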

Rationale

Visibility into your Amazon Web Services account activity is a key aspect of security and operational best practice. Using Cloud Conformity RTMA to detect AWS Config configuration changes helps you notice, and respond quickly to, accidental or intentional modifications that could blind your configuration history or conceal unauthorized access and other security breaches. You rely on AWS Config for the current and historical configuration of each AWS resource provisioned in your account and for the relationships between those resources, so monitoring every configuration change made to the Config service itself is critical to keeping your AWS environment secure.

Publication date Sep 7, 2018