AWS Config Log Files Delivery Failing

Risk level: Medium (should be achieved)

Ensure that the log files (history files and snapshots) generated by AWS Config are delivered without any failures to the designated S3 bucket, so that logging data is retained for auditing purposes.

AWS Config tracks changes to the configuration of your AWS resources and regularly saves this data to log files that are sent to an S3 bucket you specify. When AWS Config cannot deliver log files to that bucket because of delivery errors or misconfigurations (usually involving the access policies defined for the associated IAM role), the recorded information never reaches the designated bucket, and you lose the ability to audit the configuration changes made within your AWS account.

Audit

To determine if AWS Config is able to deliver log files to the specified S3 bucket, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, choose Dashboard. If the following error message is displayed: "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam:::role/service-role/<IAM_role>", the AWS Config service failed to deliver the last log file to the designated S3 bucket due to permission errors.

04 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-configuration-recorder-status command (OSX/Linux/UNIX) to describe the current status of the AWS Config service configuration recorder:

aws configservice describe-configuration-recorder-status \
	--region us-east-1

02 The command output should return the requested configuration recorder status:

{
    "ConfigurationRecordersStatus": [
        {
            "name": "default",
            "lastErrorMessage": "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam::123456789012:role/service-role/cc-config-role",
            "lastStatus": "FAILURE",
            "recording": true,
            "lastStatusChangeTime": 1508173693.866,
            "lastStartTime": 1508173243.419,
            "lastErrorCode": "AccessDenied",
            "lastStopTime": 1507995590.643
        }
    ]
}

If the value returned by the lastStatus attribute is "FAILURE" (as shown in the output example above), the AWS Config service failed to deliver the last log file to the designated recipient due to permission errors.

03 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
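The following script is an added example (not part of the original page or of the Cloud Conformity tooling) that automates the audit step above. It parses the JSON returned by `aws configservice describe-configuration-recorder-status` for one or more regions, flags any recorder whose last status is FAILURE, extracts the IAM role ARN named in the error message, and also reports recorders that are not recording or have never run, since those are not healthy either. The sample payloads are constructed to mirror the command output shown above; in practice you would feed in the real command output (or the equivalent boto3 `describe_configuration_recorder_status` response, which has the same shape).

```python
import json
import re

# Constructed sample mirroring `aws configservice describe-configuration-recorder-status`
# output for a recorder whose IAM role lacks permissions.
SAMPLE_STATUS_FAILING = """{
    "ConfigurationRecordersStatus": [
        {
            "name": "default",
            "lastErrorMessage": "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam::123456789012:role/service-role/cc-config-role",
            "lastStatus": "FAILURE",
            "recording": true,
            "lastStatusChangeTime": 1508173693.866,
            "lastStartTime": 1508173243.419,
            "lastErrorCode": "AccessDenied",
            "lastStopTime": 1507995590.643
        }
    ]
}"""

# Constructed sample for a healthy recorder in another region.
SAMPLE_STATUS_HEALTHY = """{
    "ConfigurationRecordersStatus": [
        {"name": "default", "lastStatus": "SUCCESS", "recording": true,
         "lastStartTime": 1508173243.419}
    ]
}"""

# Matches the role ARN that AWS Config names in its permission error message.
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")


def audit_recorder_status(payload, region):
    """Return one finding dict per recorder in the command output.

    A recorder is flagged ('failing': True) when its last recording/delivery
    attempt ended in FAILURE. A recorder that has never run has no lastStatus
    at all, and one with recording=false is stopped; both are reported with
    their own status so they are not mistaken for healthy recorders.
    """
    data = json.loads(payload) if isinstance(payload, str) else payload
    findings = []
    for rec in data.get("ConfigurationRecordersStatus", []):
        status = rec.get("lastStatus")  # absent until the recorder has run once
        message = rec.get("lastErrorMessage", "")
        arn_match = ROLE_ARN_RE.search(message)
        findings.append({
            "region": region,
            "recorder": rec.get("name"),
            "recording": bool(rec.get("recording", False)),
            "last_status": status or "NEVER_RUN",
            "error_code": rec.get("lastErrorCode"),
            "role_arn": arn_match.group(0) if arn_match else None,
            "failing": status == "FAILURE",
        })
    return findings


def audit_all_regions(status_by_region):
    """status_by_region maps a region name to that region's command output.

    Returns only the findings that need attention (failed, stopped, or never run),
    which is the per-region repetition the audit procedure asks for.
    """
    flagged = []
    for region, payload in status_by_region.items():
        for f in audit_recorder_status(payload, region):
            if f["failing"] or not f["recording"] or f["last_status"] == "NEVER_RUN":
                flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in audit_all_regions({"us-east-1": SAMPLE_STATUS_FAILING,
                                "eu-west-1": SAMPLE_STATUS_HEALTHY}):
        print(f"{f['region']}/{f['recorder']}: {f['last_status']} "
              f"({f['error_code']}) role={f['role_arn']}")
```

The extracted `role_arn` is the role to replace in the remediation step; checking `lastErrorCode` as well as `lastStatus` lets you distinguish an AccessDenied permission problem from other delivery failures.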

Remediation / Resolution

Usually, AWS Config fails to deliver its log files to the specified S3 bucket when it doesn't have sufficient permissions to complete this operation. To send information to Amazon S3, AWS Config needs to assume an IAM role that manages the permissions (through IAM policies) required to access the designated S3 bucket. To resolve this issue, create a new IAM role and update the service configuration to reference the new role so that AWS Config can send log files to S3. To update AWS Config service configuration, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, within the AWS Config role section, choose the Create a role option and provide a unique name for the new IAM role in the Role name box.

05 Click Save to apply the changes. Once the configuration changes are saved, the following confirmation message will be displayed: "Success: Your settings were successfully saved." AWS Config will begin to deliver log files to the existing S3 bucket and the error message displayed on the service dashboard will disappear.

Using AWS CLI

01 First, you need to define the required trust relationship policy for the new IAM role. To create the trust relationship policy for the IAM role that will be assigned later to AWS Config service, paste the following information into a new policy document named config-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the required IAM role using the trust relationship policy defined at the previous step (i.e. config-role-trust-policy.json):

aws iam create-role \
	--role-name cc-new-config-role \
	--assume-role-policy-document file://config-role-trust-policy.json

03 The command output should return the new role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                       "Service": "config.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAAABBBBBCCCCCDDDDD",
        "CreateDate": "2017-10-14T12:39:39.502Z",
        "RoleName": "cc-new-config-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-new-config-role"
    }
}

04 Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM role created at the previous step to attach the "AWSConfigRole" managed policy provided by Amazon Identity and Access Management, identified by the ARN "arn:aws:iam::aws:policy/service-role/AWSConfigRole" (the command does not return an output):

aws iam attach-role-policy \
	--policy-arn "arn:aws:iam::aws:policy/service-role/AWSConfigRole" \
	--role-name cc-new-config-role

05 Now, execute describe-configuration-recorders command (OSX/Linux/UNIX) using custom query filters to get the name of the existing AWS Config recorder:

aws configservice describe-configuration-recorders \
	--region us-east-1 \
	--query 'ConfigurationRecorders[*].name'

06 The command output should return the recorder name. By default, AWS Config automatically assigns the name "default" when creating the service configuration recorder:

[
    "default"
]

07 Run put-configuration-recorder command (OSX/Linux/UNIX) using the name of the recorder returned at the previous step and the Amazon Resource Name (ARN) of the newly created IAM role as parameters, to replace the role currently assigned to the AWS Config service recorder (the command does not produce an output):

aws configservice put-configuration-recorder \
	--region us-east-1 \
	--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/cc-new-config-role
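The script below is an added example (not part of the original page) that carries out CLI steps 01 through 07 of the remediation as one procedure using boto3-style client calls, with two checks a practitioner would want: it validates the trust relationship policy before creating the role (only the config.amazonaws.com service principal may assume it, and no wildcard or account principal is trusted), and it carries each recorder's existing recordingGroup over when re-pointing it at the new role, because put_configuration_recorder replaces the whole recorder definition and omitting recordingGroup resets it to the service default of recording all supported resource types. The method names and parameters are the real boto3 ones (iam.create_role, iam.attach_role_policy, config.describe_configuration_recorders, config.put_configuration_recorder); the `_FakeIam` and `_FakeConfig` classes are constructed stand-ins so the flow can be exercised offline, and in real use you would pass `boto3.client("iam")` and `boto3.client("config", region_name=...)` instead.

```python
import json
import re

CONFIG_SERVICE_PRINCIPAL = "config.amazonaws.com"
AWS_CONFIG_ROLE_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# The trust relationship policy from config-role-trust-policy.json.
CONFIG_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def validate_config_trust_policy(doc):
    """Return a list of problems; empty means only AWS Config can assume the role."""
    problems = []
    trusted_services = set()
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal")
        # A "*" principal or an "AWS" principal would let identities outside the
        # Config service assume the role; a service role should trust services only.
        if principal == "*" or not isinstance(principal, dict) or "AWS" in principal:
            problems.append("a statement lets a non-service principal assume the role")
            continue
        services = principal.get("Service", [])
        trusted_services.update([services] if isinstance(services, str) else services)
    if CONFIG_SERVICE_PRINCIPAL not in trusted_services:
        problems.append(f"no Allow statement trusts {CONFIG_SERVICE_PRINCIPAL} for sts:AssumeRole")
    extra = trusted_services - {CONFIG_SERVICE_PRINCIPAL}
    if extra:
        problems.append(f"role is also assumable by unrelated services: {sorted(extra)}")
    return problems


def remediate_config_role(iam, config, role_name):
    """Create the role, attach AWSConfigRole, and re-point every recorder at it.

    Returns (new role ARN, list of recorder definitions written).
    """
    problems = validate_config_trust_policy(CONFIG_ROLE_TRUST_POLICY)
    if problems:
        raise ValueError("; ".join(problems))
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(CONFIG_ROLE_TRUST_POLICY))
    role_arn = role["Role"]["Arn"]
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"unexpected role ARN: {role_arn}")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=AWS_CONFIG_ROLE_POLICY_ARN)
    updated = []
    for rec in config.describe_configuration_recorders()["ConfigurationRecorders"]:
        # put_configuration_recorder replaces the recorder definition; keep the
        # existing recordingGroup so the set of recorded resource types is unchanged.
        new_rec = {"name": rec["name"], "roleARN": role_arn}
        if "recordingGroup" in rec:
            new_rec["recordingGroup"] = rec["recordingGroup"]
        config.put_configuration_recorder(ConfigurationRecorder=new_rec)
        updated.append(new_rec)
    return role_arn, updated


class _FakeIam:
    """Constructed stand-in for boto3.client('iam') that records the calls made."""
    def __init__(self):
        self.calls = []

    def create_role(self, **kw):
        self.calls.append(("create_role", kw))
        return {"Role": {"Arn": f"arn:aws:iam::123456789012:role/{kw['RoleName']}"}}

    def attach_role_policy(self, **kw):
        self.calls.append(("attach_role_policy", kw))


class _FakeConfig:
    """Constructed stand-in for boto3.client('config') with one recorder using the old role."""
    def __init__(self):
        self.calls = []
        self.recorders = [{"name": "default",
                           "roleARN": "arn:aws:iam::123456789012:role/service-role/cc-config-role",
                           "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]

    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": self.recorders}

    def put_configuration_recorder(self, ConfigurationRecorder):
        self.calls.append(("put_configuration_recorder", ConfigurationRecorder))


def demo():
    """Run the remediation against the fake clients and return what was done."""
    iam, config = _FakeIam(), _FakeConfig()
    result = remediate_config_role(iam, config, "cc-new-config-role")
    return result, iam, config


if __name__ == "__main__":
    (role_arn, updated), _, _ = demo()
    print("new role:", role_arn)
    print("recorders updated:", json.dumps(updated, indent=2))
```

Run the remediation once per region that the audit flagged, using a config client for that region; the IAM role is global and only needs to be created once, so for later regions skip the create_role and attach_role_policy calls and reuse the returned ARN.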

Publication date Oct 17, 2016