Ensure that the log files (configuration history files and configuration snapshots) generated by AWS Config are delivered without failures to the designated S3 bucket, so that the logged data is retained for auditing purposes.
This rule can help you with the following compliance standards:
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
AWS Config tracks changes to the configuration of your AWS resources and regularly writes this data to log files that are sent to an S3 bucket you specify. When AWS Config cannot deliver these files because of delivery errors or misconfigurations (most often insufficient permissions on the IAM role it assumes, or a bucket policy on the target bucket that does not grant the AWS Config service principal write access), the recorded configuration data never reaches the bucket, and you lose the ability to audit the configuration changes made within your AWS account for that period.
To determine if AWS Config is able to deliver log files to the specified S3 bucket, perform the following actions:
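One way to perform this check programmatically, as an added example that is not part of the Cloud Conformity page: AWS Config reports the outcome of its last history and snapshot delivery through the real `DescribeDeliveryChannelStatus` API (boto3: `describe_delivery_channel_status`). The function below evaluates that response and returns one finding per failed delivery; the sample response is constructed to mimic the API's field names, and the bucket name and error text in it are placeholders.

```python
"""Check whether AWS Config is delivering history files and snapshots to S3.

Added example, not from the Cloud Conformity page. It evaluates the response
shape of the real AWS API DescribeDeliveryChannelStatus; the sample response
at the bottom is constructed and shows one failing snapshot delivery.
"""
from typing import Any, Dict, List

# Statuses AWS Config reports per delivery type. NOT_APPLICABLE means nothing
# has been delivered yet, which is not a failure but deserves a second look.
OK_STATUSES = {"SUCCESS", "NOT_APPLICABLE"}


def evaluate_delivery_status(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per delivery channel whose last delivery failed.

    Each finding carries the channel name, the delivery type (history or
    snapshot), and the error code and message AWS Config recorded.
    """
    findings: List[Dict[str, str]] = []
    for channel in response.get("DeliveryChannelsStatus", []):
        name = channel.get("name", "<unnamed>")
        for key, kind in (("configHistoryDeliveryInfo", "history"),
                          ("configSnapshotDeliveryInfo", "snapshot")):
            info = channel.get(key)
            if info is None:
                continue  # AWS Config has not reported this delivery type
            status = info.get("lastStatus", "UNKNOWN")
            if status in OK_STATUSES:
                continue
            findings.append({
                "channel": name,
                "delivery": kind,
                "status": status,
                "error_code": info.get("lastErrorCode", ""),
                "error_message": info.get("lastErrorMessage", ""),
            })
    return findings


def fetch_and_evaluate(region_name: str) -> List[Dict[str, str]]:
    """Live variant: query the account with boto3 and evaluate the result.

    Needs credentials allowed to call config:DescribeDeliveryChannelStatus.
    boto3 is imported lazily so the offline sample below runs without it.
    """
    import boto3  # assumption: boto3 is installed when this path is used
    client = boto3.client("config", region_name=region_name)
    return evaluate_delivery_status(client.describe_delivery_channel_status())


# Constructed sample response (same field names as the real API). The bucket
# name and error message are placeholders, not captured output.
SAMPLE_RESPONSE = {
    "DeliveryChannelsStatus": [
        {
            "name": "default",
            "configSnapshotDeliveryInfo": {
                "lastStatus": "FAILURE",
                "lastErrorCode": "InsufficientDeliveryPolicyException",
                "lastErrorMessage": "Insufficient delivery policy to s3 bucket: example-config-bucket",
            },
            "configHistoryDeliveryInfo": {"lastStatus": "SUCCESS"},
            "configStreamDeliveryInfo": {"lastStatus": "NOT_APPLICABLE"},
        }
    ]
}

if __name__ == "__main__":
    for finding in evaluate_delivery_status(SAMPLE_RESPONSE):
        print(f"[{finding['channel']}] {finding['delivery']} delivery "
              f"{finding['status']}: {finding['error_code']} {finding['error_message']}")
```

A status of NOT_APPLICABLE on every delivery type is not a pass by itself: it is also what you see when the configuration recorder is stopped, so pair this check with `describe_configuration_recorder_status` and confirm `recording` is true.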
Remediation / Resolution
Usually, AWS Config fails to deliver its log files to the specified S3 bucket because it lacks the permissions to complete the operation. To write to Amazon S3, AWS Config assumes the IAM role referenced by its configuration recorder; that role's policies must allow s3:PutObject on the AWS Config path in the bucket and s3:GetBucketAcl on the bucket itself, and the bucket policy must grant the same operations to the AWS Config service principal. To resolve this issue, create a new IAM role with the required permissions, update the service configuration to reference the new role so that AWS Config can send log files to S3, and verify that the bucket policy allows the delivery. To update the AWS Config service configuration, perform the following:
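The remediation above, as an added example that is not code from the Cloud Conformity page or from AWS: the functions build the three documents involved (the role's trust policy, a least-privilege inline policy for the role, and the bucket policy for the target bucket) following the policy shapes AWS documents for the AWS Config delivery channel, and `apply_remediation` uses boto3 clients to create the role and repoint the configuration recorder and delivery channel. The bucket name, account ID, role name, key prefix and inline policy name are placeholders chosen here; the managed policy ARN is the AWS-managed `AWS_ConfigRole` policy that grants AWS Config read access to resources.

```python
"""Policies and API calls to restore AWS Config delivery to S3.

Added example, not from the Cloud Conformity page or AWS. Policy shapes follow
the AWS Config documentation for the delivery channel's S3 bucket and IAM role.
Bucket name, account ID, role name and prefix are placeholders from the caller.
"""
import json
from typing import Any, Dict, Optional

CONFIG_SERVICE = "config.amazonaws.com"
# AWS managed policy with the read access AWS Config needs to describe resources.
AWS_CONFIG_MANAGED_POLICY = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"


def config_object_arn(bucket: str, account_id: str, prefix: Optional[str] = None) -> str:
    """ARN pattern of the objects AWS Config writes: [prefix/]AWSLogs/<account>/Config/*."""
    path = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/Config/*"


def trust_policy() -> Dict[str, Any]:
    """Trust policy letting the AWS Config service assume the delivery role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": CONFIG_SERVICE},
        "Action": "sts:AssumeRole",
    }]}


def role_s3_policy(bucket: str, account_id: str, prefix: Optional[str] = None) -> Dict[str, Any]:
    """Least-privilege inline policy for the role: write only under the Config path
    (AWS Config sets bucket-owner-full-control on every object, so require it) and
    read the bucket ACL, which AWS Config checks before delivering."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": config_object_arn(bucket, account_id, prefix),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Effect": "Allow", "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]}


def bucket_policy(bucket: str, account_id: str, prefix: Optional[str] = None) -> Dict[str, Any]:
    """Bucket policy for the target bucket: the three operations AWS documents for the
    AWS Config service principal, pinned with AWS:SourceAccount so that only this
    account's AWS Config (not another account's) can write into the bucket."""
    source = {"AWS:SourceAccount": account_id}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket}", "Condition": {"StringEquals": dict(source)}},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}", "Condition": {"StringEquals": dict(source)}},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:PutObject",
         "Resource": config_object_arn(bucket, account_id, prefix),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **source}}},
    ]}


def apply_remediation(iam, s3, config, role_name: str, bucket: str,
                      account_id: str, prefix: Optional[str] = None) -> str:
    """Live remediation with boto3 clients ('iam', 's3', 'config'): create the role,
    set the bucket policy, then repoint the configuration recorder (which carries
    roleARN) and the delivery channel. Returns the new role ARN."""
    role_arn = iam.create_role(RoleName=role_name,
                               AssumeRolePolicyDocument=json.dumps(trust_policy()))["Role"]["Arn"]
    iam.put_role_policy(RoleName=role_name, PolicyName="ConfigS3Delivery",
                        PolicyDocument=json.dumps(role_s3_policy(bucket, account_id, prefix)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=AWS_CONFIG_MANAGED_POLICY)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, account_id, prefix)))

    existing = config.describe_configuration_recorders()["ConfigurationRecorders"][0]
    recorder = {"name": existing["name"], "roleARN": role_arn}
    if "recordingGroup" in existing:  # keep the resource types already being recorded
        recorder["recordingGroup"] = existing["recordingGroup"]
    config.put_configuration_recorder(ConfigurationRecorder=recorder)

    channel = config.describe_delivery_channels()["DeliveryChannels"][0]
    channel["s3BucketName"] = bucket  # other settings (SNS topic, KMS key) are kept
    if prefix:
        channel["s3KeyPrefix"] = prefix.strip("/")
    else:
        channel.pop("s3KeyPrefix", None)
    config.put_delivery_channel(DeliveryChannel=channel)
    return role_arn


if __name__ == "__main__":
    # Placeholder values: print the documents for review before applying them.
    print(json.dumps(role_s3_policy("example-config-bucket", "123456789012"), indent=2))
    print(json.dumps(bucket_policy("example-config-bucket", "123456789012"), indent=2))
```

Two practical caveats: `PutDeliveryChannel` validates the bucket policy when it is called and fails with `InsufficientDeliveryPolicyException` if the service principal cannot write, so the bucket policy is applied before the channel is updated; and a freshly created IAM role can take a short while to become assumable, so a `PutConfigurationRecorder` call that fails immediately after `create_role` should simply be retried.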
- AWS Documentation
- How Does AWS Config Work?
- Selecting Which Resources AWS Config Records
- Managing the Delivery Channel
Config Delivery Failing
Risk level: Medium