How To Create Conformance Pack In AWS Config
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to auto-remediate AWS config rules.
https://cloudaffaire.com/how-to-auto-remediate-using-aws-config-rule/
You can deploy a collection of config rules together using a Conformance Pack. To deploy a conformance pack, you first define the rules you want to include, along with their remediation configuration, as a YAML template. You can use an AWS-provided sample conformance pack template or write your own custom conformance pack. In this blog post, we will create a conformance pack for S3 best practices.
How To Create Conformance Pack In AWS Config:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use below link to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an S3 bucket to store the configuration snapshots created by AWS Config.
```bash
## Create the S3 bucket
aws s3api create-bucket \
  --bucket s3-for-config-conformance-demo \
  --region ap-south-1 \
  --create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
## (the heredoc is quoted so the shell does not expand anything inside the JSON)
cat <<'EOF' > config_bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-config-conformance-demo"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-for-config-conformance-demo"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-config-conformance-demo/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
  --bucket s3-for-config-conformance-demo \
  --policy file://config_bucket_policy.json
```
This bucket serves a dual purpose in this demo: it stores the configuration item snapshots delivered by AWS Config, and the conformance pack we create will also be evaluated against this same bucket.
Step 2: Create an IAM role with the proper policy for the AWS Config service.
```bash
## Create assume role policy definition
cat <<'EOF' > config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
  --role-name config_iam_role \
  --assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<'EOF' > config_iam_policy.json
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource":[
        "arn:aws:s3:::s3-for-config-conformance-demo/*"
      ],
      "Condition":{
        "StringLike":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetBucketAcl"
      ],
      "Resource":"arn:aws:s3:::s3-for-config-conformance-demo"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
  --role-name config_iam_role \
  --policy-name config_iam_policy \
  --policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
  --role-name config_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```
Step 3: Enable the AWS Config service.
```bash
## Create recording group configuration (only S3 buckets are recorded in this demo)
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": ["AWS::S3::Bucket"]
}
EOF

## Enable AWS Config using AWS CLI (jq is used to read the account id)
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
CONFIG_IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/config_iam_role &&
aws configservice put-configuration-recorder \
  --configuration-recorder name=myconfig,roleARN=$CONFIG_IAM_ROLE_ARN \
  --recording-group file://config_recording_group.json
```
Warning: Additional cost is associated with the AWS Config service.
Step 4: Create a config delivery channel for AWS Config.
```bash
## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel.json
{
  "name": "myconfig",
  "s3BucketName": "s3-for-config-conformance-demo",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "One_Hour"
  }
}
EOF

## Create config delivery channel object as S3
aws configservice put-delivery-channel \
  --delivery-channel file://config_delivery_channel.json
```
Step 5: Start AWS Config recording.
```bash
## Starts recording configurations of recording group
aws configservice start-configuration-recorder \
  --configuration-recorder-name myconfig
```
Step 6: Create and deploy the conformance pack in AWS Config.
```bash
## Create config conformance pack definition file
cat <<'EOF' > config_s3_conformance_pack.yaml
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Description: >-
        Checks that your Amazon S3 buckets do not allow public read access.
        The rule checks the Block Public Access settings, the bucket policy,
        and the bucket access control list (ACL).
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Six_Hours
  S3BucketPublicWriteProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: S3BucketPublicWriteProhibited
      Description: "Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      MaximumExecutionFrequency: Six_Hours
  S3BucketReplicationEnabled:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: S3BucketReplicationEnabled
      Description: "Checks whether the Amazon S3 buckets have cross-region replication enabled."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
  S3BucketSSLRequestsOnly:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: S3BucketSSLRequestsOnly
      Description: "Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
  ServerSideEncryptionEnabled:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: ServerSideEncryptionEnabled
      Description: "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  S3BucketLoggingEnabled:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: S3BucketLoggingEnabled
      Description: "Checks whether logging is enabled for your S3 buckets."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
EOF

## Create config conformance pack for S3
aws configservice put-conformance-pack \
  --conformance-pack-name mys3conformancepack \
  --template-body file://config_s3_conformance_pack.yaml \
  --delivery-s3-bucket s3-for-config-conformance-demo \
  --delivery-s3-key-prefix s3conformancepack
```
Step 7: Get details on AWS Config and the conformance pack.
```bash
## Get config recorder status
aws configservice describe-configuration-recorder-status

## Get details on config recorder
aws configservice describe-configuration-recorders

## Get all the resources discovered
aws configservice get-discovered-resource-counts \
  --resource-type AWS::S3::Bucket

## List all the resources discovered
aws configservice list-discovered-resources \
  --resource-type "AWS::S3::Bucket"

## List config delivery channels
aws configservice describe-delivery-channels

## Get config delivery channel status
aws configservice describe-delivery-channel-status

## Get config rule compliance summary
aws configservice get-compliance-summary-by-config-rule

## Get config rule compliance details
## (replace myconfigrule with a rule name listed by `aws configservice describe-config-rules`;
## rules deployed through a conformance pack get a suffix appended to the template's ConfigRuleName)
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name myconfigrule \
  --compliance-types NON_COMPLIANT &&
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name myconfigrule \
  --compliance-types COMPLIANT

## Get config conformance pack details
aws configservice describe-conformance-packs \
  --conformance-pack-names mys3conformancepack

## Get config conformance pack status
aws configservice describe-conformance-pack-status \
  --conformance-pack-names mys3conformancepack

## Get compliance status based on the cumulative compliance results
aws configservice get-conformance-pack-compliance-summary \
  --conformance-pack-names mys3conformancepack

## Get config conformance pack compliance status
aws configservice describe-conformance-pack-compliance \
  --conformance-pack-name mys3conformancepack

## Get config conformance pack compliance details
aws configservice get-conformance-pack-compliance-details \
  --conformance-pack-name mys3conformancepack
```
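As an added example (not part of the original post), the following Python script groups the output of `get-conformance-pack-compliance-details` from Step 7 by rule and lists the buckets that are NON_COMPLIANT, so a reviewer can see at a glance which of the pack's S3 checks a bucket fails. The JSON is a constructed sample in the shape of that command's output, and the rule-name suffix value is a placeholder.

```python
import json
from collections import defaultdict

# Constructed sample in the shape returned by
# `aws configservice get-conformance-pack-compliance-details` (Step 7).
# The demo bucket passes the public-access rules but fails two others.
# Rule names carry the "-conformance-pack-<id>" suffix AWS Config appends
# to rules deployed through a pack (the id here is a made-up placeholder).
SAMPLE_OUTPUT = json.dumps({
    "ConformancePackName": "mys3conformancepack",
    "ConformancePackRuleEvaluationResults": [
        {"ComplianceType": c, "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": f"{rule}-conformance-pack-placeholder",
                "ResourceType": "AWS::S3::Bucket",
                "ResourceId": "s3-for-config-conformance-demo"}}}
        for rule, c in [
            ("S3BucketPublicReadProhibited", "COMPLIANT"),
            ("S3BucketPublicWriteProhibited", "COMPLIANT"),
            ("S3BucketSSLRequestsOnly", "NON_COMPLIANT"),
            ("S3BucketLoggingEnabled", "NON_COMPLIANT"),
        ]
    ],
})


def summarize(raw_json):
    """Group results as {rule: {compliance_type: [resource ids]}}."""
    data = json.loads(raw_json)
    summary = defaultdict(lambda: defaultdict(list))
    for result in data.get("ConformancePackRuleEvaluationResults", []):
        qual = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        # Strip the pack suffix so names match the template's ConfigRuleName
        rule = qual["ConfigRuleName"].split("-conformance-pack-")[0]
        summary[rule][result["ComplianceType"]].append(qual["ResourceId"])
    return {rule: dict(types) for rule, types in summary.items()}


def failing_resources(raw_json):
    """Sorted (rule, resource id) pairs that are NON_COMPLIANT."""
    return sorted(
        (rule, rid)
        for rule, types in summarize(raw_json).items()
        for rid in types.get("NON_COMPLIANT", [])
    )


if __name__ == "__main__":
    for rule, rid in failing_resources(SAMPLE_OUTPUT):
        print(f"NON_COMPLIANT  {rule:<32} {rid}")
```

To run it against a live account, pipe the real command output into the script instead of SAMPLE_OUTPUT (for example via `sys.stdin.read()`).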
We have successfully deployed a conformance pack in AWS Config. Next, we will delete all the resources deployed in this demo.
Step 8: Clean up
```bash
## Stop config recorder
aws configservice stop-configuration-recorder \
  --configuration-recorder-name myconfig

## Delete config conformance pack
aws configservice delete-conformance-pack \
  --conformance-pack-name mys3conformancepack

## Wait for some time to complete the deletion

## Delete config delivery channel
aws configservice delete-delivery-channel \
  --delivery-channel-name myconfig

## Disable config service
aws configservice delete-configuration-recorder \
  --configuration-recorder-name myconfig

## Delete the S3 bucket with objects (configuration items)
aws s3 rb \
  s3://s3-for-config-conformance-demo --force

## Delete IAM Role & Policy
aws iam detach-role-policy \
  --role-name config_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
  --role-name config_iam_role \
  --policy-name config_iam_policy &&
aws iam delete-role \
  --role-name config_iam_role
```
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below:
https://docs.aws.amazon.com/config/index.html
AWS-provided conformance packs:
https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html
https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs