Logo of Trend Micro

AWS Config Referencing Missing S3 Bucket

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Config-002

Ensure that Amazon Config service is referencing an active S3 bucket in order to save configuration information (history files and snapshots) for auditing purposes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational
excellence

Amazon Config tracks changes within the configuration of your AWS resources and it regularly sends updated configuration details to an S3 bucket that you specify. When AWS Config is not referencing an active S3 bucket, the service is unable to send the recorded information to the designated bucket, therefore you lose the ability to audit later the configuration changes made within your AWS account.

Audit

To determine if AWS Config service is missing the ability to save configuration information (history files and configuration snapshots) due to inactive S3 bucket, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, in the Amazon S3 bucket section, copy the S3 bucket name currently available within the Bucket Name box.

05 Now navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

06 Paste the name of the S3 bucket copied at step no. 4 inside the Search for buckets search box and press Enter. If no results matching your filter criteria are returned, the referenced S3 bucket is no longer available in your AWS account, therefore the Amazon Config service will not be able to send configuration changes records to the selected S3 bucket for auditing purposes.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-delivery-channels command (OSX/Linux/UNIX) using custom query filters to list the name of the S3 bucket to which AWS Config service, available in the selected region, sends information about configuration changes: 

aws configservice describe-delivery-channels
	--region us-east-1
	--query 'DeliveryChannels[*].s3BucketName'

02 The command output should return the requested S3 bucket name: 

[
    "config-bucket-123456789012"
]

03 Run head-bucket command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to determine if the referenced bucket exists within the current AWS account and if you (the authenticated sender of the request) have permission to access it: 

aws s3api head-bucket
	--bucket config-bucket-123456789012

04 If the selected bucket exists and you have access to it no output is returned, otherwise, an error message will be shown: 

A client error (404) occurred when calling the HeadBucket operation: Not Found.

If the following error message is returned: "A client error (404) occurred when calling the HeadBucket operation: Not Found.", the referenced S3 bucket is no longer available within your AWS account, therefore the AWS Config service will not be able to send the information about the configuration changes to the designated S3 bucket.

05 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To update Amazon Config service configurations that reference missing S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, within the Amazon S3 bucket section, choose Create a bucket option and provide a unique name for this new bucket inside the Bucket name box.

05 Click Save to create the new S3 bucket and apply the appropriate permissions required to send and save information about any configuration changes made within your AWS account. As soon as the necessary bucket is created, the AWS Config dashboard should display the following confirmation message: "Success. Your settings were successfully saved.".

06 Change the AWS region from the navigation bar and repeat the entire resolution process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create a new S3 bucket in the selected region. This bucket will be used by AWS Config for saving configuration history and configuration snapshot files: 

aws s3api create-bucket
	--region us-east-1
	--bucket cc-config-bucket-123456789012

02 The command output should return the new S3 bucket location (URL): 

{
    "Location": "/cc-config-bucket-123456789012"
}

03 Now create an access policy that grants AWS Config the permission to write to the newly created S3 bucket. Create a new policy document called s3-bucket-access-policy.json and paste the following (replace the highlighted details – the bucket name and the AWS account ID – with your details or use AWS Policy Generator, to create your own policy): 

{
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigS3BucketPermissions",
      "Effect": "Allow",
      "Principal": {
        "Service": [
         "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::cc-config-bucket-123456789012"
    },
    {
      "Sid": " AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
         "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-config-bucket-123456789012/AWSLogs/123456789012/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

04 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy defined at the previous step (s3-bucket-access-policy.json) to the newly created S3 bucket (cc-config-bucket-123456789012): 

aws s3api put-bucket-policy
	--bucket cc-config-bucket-123456789012
	--policy file://s3-bucket-access-policy.json

05 Run describe-delivery-channels command (OSX/Linux/UNIX) to return the delivery channel configuration details for the AWS Config service enabled within the selected region: 

aws configservice describe-delivery-channels
	--region us-east-1

06 The command output should return the delivery channel information requested: 

{
  "DeliveryChannels": [
    {
      "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:ConfigSNSTopic",
       "name": "default",
       "s3BucketName": "config-bucket-123456789012"
    }
  ]
}

07 Before you update the AWS Config delivery channel, you must create a JSON document where you need to define the required configuration attributes. Based on the delivery channel attributes returned at the previous step, create a JSON file named new-config-delivery-channel.json and paste the following JSON data (replace the attributes values with your own values): 

{
  "name": "default",
  "s3BucketName": "cc-config-bucket-123456789012",
  "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:ConfigSNSTopic",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Six_Hours"
  }
}

08 Run put-delivery-channel command (OSX/Linux/UNIX) using the attributes defined at the previous step (new-config-delivery-channel.json) to update the delivery channel of the Amazon Config service with the missing S3 bucket, available in the selected region (the command does not produce an output): 

aws configservice put-delivery-channel
	--region us-east-1
	--delivery-channel file://new-config-delivery-channel.json

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire process for other regions.

References

Publication date Sep 23, 2017

Related Config rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS Config Referencing Missing S3 Bucket

Risk level: High