Ensure that the log files (history files and snapshots) generated by Amazon Config are delivered without any failures to the designated S3 bucket in order to store logging data for auditing purposes.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Config tracks changes within the configuration of your AWS cloud resources and regularly saves this data to log files that are sent to an S3 bucket that you specify. When Amazon Config is not able to deliver log files to their recipient because of delivery errors or misconfigurations (usually involving the access policies attached to the associated IAM role), the recorded information never reaches the designated bucket, and you lose the ability to audit the configuration changes made within your AWS cloud account.
Audit
To determine if Amazon Config is able to deliver log files to the specified S3 bucket, perform the following actions:
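One way to perform this check programmatically, as an added example that is not part of the Conformity rule documentation: the function below inspects a response shaped like the output of `aws configservice describe-delivery-channel-status` and flags every delivery type whose last status is `FAILURE`. The sample response, bucket name and error text are constructed for illustration.

```python
"""Flag AWS Config delivery channels whose S3 delivery is failing."""
from typing import Dict, List

# Constructed sample response, shaped like the output of
# `aws configservice describe-delivery-channel-status`. Values are illustrative.
SAMPLE_RESPONSE: Dict = {
    "DeliveryChannelsStatus": [
        {
            "name": "default",
            "configSnapshotDeliveryInfo": {
                "lastStatus": "FAILURE",
                "lastErrorCode": "InsufficientDeliveryPolicyException",
                "lastErrorMessage": "Insufficient delivery policy to s3 bucket: example-config-bucket",
                "lastAttemptTime": "2024-01-01T00:00:00Z",
            },
            "configHistoryDeliveryInfo": {
                "lastStatus": "SUCCESS",
                "lastSuccessfulTime": "2024-01-01T00:00:00Z",
            },
            "configStreamDeliveryInfo": {"lastStatus": "NOT_APPLICABLE"},
        }
    ]
}

DELIVERY_KINDS = ("configHistoryDeliveryInfo", "configSnapshotDeliveryInfo", "configStreamDeliveryInfo")


def find_delivery_failures(response: Dict) -> List[Dict[str, str]]:
    """Return one finding per delivery type whose lastStatus is FAILURE.

    NOT_APPLICABLE (for example, streaming with no SNS topic configured) is not
    a failure, and a missing lastStatus means Config has not attempted delivery yet.
    """
    findings = []
    for channel in response.get("DeliveryChannelsStatus", []):
        for kind in DELIVERY_KINDS:
            info = channel.get(kind, {})
            if info.get("lastStatus") == "FAILURE":
                findings.append({
                    "channel": channel.get("name", "<unnamed>"),
                    "delivery": kind,
                    "error_code": info.get("lastErrorCode", ""),
                    "error_message": info.get("lastErrorMessage", ""),
                })
    return findings


def is_compliant(response: Dict) -> bool:
    """Rule verdict: compliant only when no delivery type reports FAILURE."""
    return not find_delivery_failures(response)


if __name__ == "__main__":
    for f in find_delivery_failures(SAMPLE_RESPONSE):
        print(f"{f['channel']}: {f['delivery']} FAILURE {f['error_code']} {f['error_message']}")
    print("compliant" if is_compliant(SAMPLE_RESPONSE) else "non-compliant")
```

In a live account, feed the function the parsed JSON from the CLI command (or the equivalent SDK call) instead of the constructed sample; the error code and message in each finding point at the permission or bucket problem to fix.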
Remediation / Resolution
Amazon Config fails to deliver log files to the designated S3 bucket when it does not have sufficient permissions to complete the operation. To send information to Amazon S3, the Config service needs to assume an IAM role that carries the permissions required to access the designated S3 bucket. To update the Amazon Config service configuration and resolve the permissions issue, perform the following actions:
References
- AWS Documentation
- How AWS Config Works
- Concepts
- Managing the Delivery Channel
- Using Service-Linked Roles for AWS Config
- AWS Command Line Interface (CLI) Documentation
- describe-configuration-recorder-status
- describe-configuration-recorders
- put-configuration-recorder