Welcome to the first blog post of 2023 !!
In this post, I want to walk through the steps involved in setting up AWS Config auto-remediation for the AWS account-level S3 public access settings.
As we know, the right place to learn more about the services is the AWS documentation, so I am only giving a brief explanation of what-is-what and jumping straight into the use case (Relieved :-) ?).
AWS Config
is a service which records and monitors the configuration changes of AWS resources.
Purpose of AWS Config Rules & Remediation
If you are using the cloud and hosting applications or utilizing resources on AWS, then ultimately the account and its resources have to be maintained and monitored, to avoid mishaps such as deletion of resources or launching of unnecessary resources.
There are 2 kinds of rules ("Preventive" & "Detective") for keeping the AWS environment monitored for compliance. As the word says, "Preventive" rules are implemented or configured to stop certain configurations from being applied in the first place. On the other side, "Detective" rules monitor certain "config settings" that must not be modified, since modifying them would compromise the environment; the rule detects the change after it happens.
Well, with that background, let us implement one compliance detection & auto-remediation here.
AWS S3
is a storage service in the AWS cloud where any objects can be stored, with encryption and lifecycle definitions.
A vital part of ensuring security for the data or objects stored in S3 is restricting public access to buckets, both at the individual resource (bucket) level and at the AWS account level.
How-To: Account level public access restriction on S3 Objects
By default, account-level public access is restricted by the "Block Public Access" settings under S3. While configuring this is a one-time activity, what if any user or application which has access modifies this setting and allows "public access to all at account level"? That compromises the environment's compliance and data security.
So here comes AWS Config, which tracks & monitors the changes happening against specific resource categories by way of rule definitions.
We can achieve "Capture & Remediate" in 4 simple steps, and here they are:
Step 1:
Configure AWS Config Detective Rule - "S3-Account-Level-Public-Access-Blocks"
(i) Select the appropriate AWS Managed Config Rule
(ii) Configure the S3 bucket where the logs for this rule (execution logs & details) will be delivered & click on "Confirm" to get the rule created
(iii) Now the rule is listed under the AWS Config Rules View
Step 2:
Setup auto remediation for rule "S3-Account-Level-Public-Access-Blocks"
(iv) In order to complete the Config rule creation, we need a role that can take action against the services that are configured. So create a role in your AWS account as shown here. I have taken AWSS3FullAccess here
(v) The Remediation action for restricting account level S3 public access is "AWSConfigRemediation-ConfigureS3PublicAccessBlock"
Step 3:
Run the Config rule evaluation after switching the AWS S3 account-level public access to "On" (i.e. turning "Block Public Access" off)
(vi) Manually change the "Block Public Access" setting at account level to "No" (uncheck all the block public access options)
(vii) Check the rule configuration & compliance status from the "AWS Config - Rule View"
Step 4:
Observe the status being reported as "Non-compliant" and then auto-remediated back to the "Compliant" state
(viii) While the rule is evaluated, observe the status of the rule execution. (In case of any errors, check the logs in the S3 bucket configured while defining the rule)
(ix) After the auto-remediation, "Block All Public Access" is set to "On" again !! Success !!
(x) Next, the rule we defined is now in the "Compliant" state after the successful remediation action
(xi) Also, the buckets are now "not public"
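The same 4 steps can be scripted instead of clicked through. The following is an added example, not code from the original post: it builds the request bodies for creating the managed detective rule and its auto-remediation, and mirrors the rule's compliance logic on a sample settings dict. The role ARN and account ID are placeholders you must replace, and the live boto3 calls only run when the file is executed directly with credentials.

```python
RULE_NAME = "S3-Account-Level-Public-Access-Blocks"
MANAGED_RULE_ID = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"          # AWS managed rule identifier
SSM_DOC = "AWSConfigRemediation-ConfigureS3PublicAccessBlock"    # remediation automation document
REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def config_rule_request():
    """Step 1: parameters for configservice.put_config_rule (the managed detective rule)."""
    return {"ConfigRule": {"ConfigRuleName": RULE_NAME,
                           "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_ID}}}

def remediation_request(role_arn):
    """Step 2: parameters for configservice.put_remediation_configurations.
    Automatic=True runs the SSM document whenever the rule reports NON_COMPLIANT.
    AccountId comes from the evaluated resource (the account itself);
    AutomationAssumeRole is the role SSM assumes, so it must trust ssm.amazonaws.com
    and be allowed to put the S3 account public access block (assumption: your role ARN)."""
    return {"RemediationConfigurations": [{
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOC,
        "Automatic": True,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
            "AccountId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        }}]}

def evaluate(public_access_block):
    """Steps 3-4: return (compliance, missing flags) for a PublicAccessBlockConfiguration
    dict. The rule is COMPLIANT only when all four flags are True; unchecking any box
    in the console makes it NON_COMPLIANT, which is what triggers the remediation."""
    missing = [f for f in REQUIRED_FLAGS if not public_access_block.get(f, False)]
    return ("COMPLIANT" if not missing else "NON_COMPLIANT"), missing

# Constructed sample inputs: the state after unchecking everything in Step 3, and after remediation.
SAMPLE_UNBLOCKED = {f: False for f in REQUIRED_FLAGS}
SAMPLE_BLOCKED = {f: True for f in REQUIRED_FLAGS}

if __name__ == "__main__":
    import boto3  # only needed for the live calls; requires AWS credentials
    cfg = boto3.client("config")
    cfg.put_config_rule(**config_rule_request())
    cfg.put_remediation_configurations(
        **remediation_request("arn:aws:iam::123456789012:role/PLACEHOLDER-RemediationRole"))
    print(evaluate(SAMPLE_UNBLOCKED), evaluate(SAMPLE_BLOCKED))
```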
Note: Resetting a config change looks simple, which makes people think "I would have done it manually in minutes... why automation?", but in the case of hundreds or thousands of AWS accounts, AWS Config auto-remediation is the true saviour.
Happy Config Tracking !!