
AWS Config Referencing Missing SNS Topic

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that AWS Config is referencing an active Amazon Simple Notification Service (SNS) topic so that it can send configuration change notifications to your SNS subscription endpoints for monitoring. These notifications carry useful information about each configuration item created by AWS Config and report the delivery status of every configuration snapshot and configuration history file the service generates.

Operational excellence

When the SNS topic referenced by the AWS Config delivery channel no longer exists, the channel keeps the stale topic ARN and the service simply stops publishing change and delivery notifications; nothing fails loudly. You therefore lose the ability to monitor the configuration changes made within your AWS account via email (or any other endpoint type provided by Amazon SNS) until the topic is replaced. Delivery of configuration history and snapshots to the S3 bucket continues unaffected, which makes the gap easy to miss.


Audit

To determine whether AWS Config has lost the ability to send alert notifications because its SNS topic is missing, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Copy the name of the SNS topic designated to send alert notifications for Amazon Config, listed under SNS topic name, in the Delivery method section.

05 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

06 In the navigation panel, under Amazon SNS, choose Topics.

07 Paste the name of the topic copied at step no. 4 in the Search box to return the SNS topic configured for Amazon Config in the selected AWS region. If no results are returned, the associated SNS topic is no longer available, therefore the Amazon Config service is not able to send alert notifications via the designated SNS topic for monitoring purposes.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-delivery-channels command (OSX/Linux/UNIX) with custom query filters to list the ARN of the SNS topic designated to send alert notifications about the configuration changes recorded by AWS Config in the selected AWS region:

aws configservice describe-delivery-channels \
  --region us-east-1 \
  --query 'DeliveryChannels[*].snsTopicARN'

02 The command output should return the ARN of the configured SNS topic:

[
	"arn:aws:sns:us-east-1:123456789012:cc-config-topic"
]

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the topic ARN returned at the previous step as the identifier parameter to describe the configuration information available for the selected SNS topic:

aws sns get-topic-attributes \
  --region us-east-1 \
  --topic-arn "arn:aws:sns:us-east-1:123456789012:cc-config-topic"

04 If the topic still exists, the command returns its attributes (owner, access policy, subscription counts, and so on). If the topic has been deleted, the command fails instead:

An error occurred (NotFound) when calling the GetTopicAttributes operation: Topic does not exist

If the get-topic-attributes command responds with a NotFound error message, as shown in the example above, the associated SNS topic has been deleted and AWS Config can no longer publish alert notifications through the topic referenced by its delivery channel. An AuthorizationError for a topic owned by another account does not mean the topic is missing; verify that topic from the owning account instead.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
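The audit above is one region and one topic at a time. The following script, added here as an example and not part of the original article, runs the same two checks (describe-delivery-channels, then get-topic-attributes) across every region and distinguishes a deleted topic from one this account merely cannot read. It assumes boto3 is installed and that the credentials allow config:DescribeDeliveryChannels and sns:GetTopicAttributes; the evaluation logic is kept separate from the API calls so it can be exercised offline against the constructed sample at the bottom, which mirrors the delivery channel shown in this article.

```python
"""Audit AWS Config delivery channels in every region for a missing SNS topic.

Added example (not from the original article). Finding codes:
  no-sns-topic        the channel has no topic at all
  malformed-topic-arn the stored ARN is not an SNS topic ARN
  topic-deleted       sns:GetTopicAttributes returned NotFound
  topic-not-readable  AuthorizationError; usually a cross-account topic that
                      has to be verified from the account that owns it
"""
import re

# SNS topic ARN layout: arn:<partition>:sns:<region>:<account-id>:<topic-name>
SNS_TOPIC_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):sns:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<name>[A-Za-z0-9_-]+(?:\.fifo)?)$"
)


def parse_topic_arn(arn):
    """Return the ARN components as a dict, or None if it is not an SNS topic ARN."""
    match = SNS_TOPIC_ARN.match(arn or "")
    return match.groupdict() if match else None


def audit_region(channels, topic_status):
    """Evaluate the delivery channels of one region.

    channels     -- the 'DeliveryChannels' list from describe-delivery-channels
    topic_status -- callable(arn) -> 'ok' | 'missing' | 'denied'
    Returns (channel_name, finding, topic_arn) tuples; empty means every
    channel references a topic that this account can see.
    """
    findings = []
    for channel in channels:
        name = channel.get("name", "default")
        arn = channel.get("snsTopicARN")
        if not arn:
            # Config still writes history to S3, but nobody is notified.
            findings.append((name, "no-sns-topic", None))
            continue
        if parse_topic_arn(arn) is None:
            findings.append((name, "malformed-topic-arn", arn))
            continue
        status = topic_status(arn)
        if status == "missing":
            findings.append((name, "topic-deleted", arn))
        elif status == "denied":
            findings.append((name, "topic-not-readable", arn))
    return findings


def check_topic(session, arn):
    """Classify a topic with sns:GetTopicAttributes, called in the topic's own region."""
    sns = session.client("sns", region_name=parse_topic_arn(arn)["region"])
    try:
        sns.get_topic_attributes(TopicArn=arn)
        return "ok"
    except sns.exceptions.NotFoundException:
        return "missing"
    except sns.exceptions.AuthorizationErrorException:
        return "denied"


def main():
    import boto3  # imported here so the pure functions above work without it
    session = boto3.Session()
    for region in session.get_available_regions("config"):
        config = session.client("config", region_name=region)
        try:
            channels = config.describe_delivery_channels()["DeliveryChannels"]
        except Exception as exc:  # region not enabled, no permission, throttling
            print(f"{region}\tskipped\t{exc.__class__.__name__}")
            continue
        for name, finding, arn in audit_region(channels, lambda a: check_topic(session, a)):
            print(f"{region}\t{name}\t{finding}\t{arn}")


# Constructed sample, modelled on the describe-delivery-channels output in this article.
SAMPLE_CHANNELS = [
    {"name": "default", "s3BucketName": "config-bucket-123456789012",
     "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-topic"},
]
# Stand-in for sns:GetTopicAttributes: the article's topic has been deleted.
SAMPLE_STATUS = {"arn:aws:sns:us-east-1:123456789012:cc-config-topic": "missing"}


def demo():
    """Offline run of the check against the constructed sample."""
    return audit_region(SAMPLE_CHANNELS, lambda arn: SAMPLE_STATUS.get(arn, "ok"))


if __name__ == "__main__":
    main()
```

Run it with credentials for the account being audited; any line whose finding is topic-deleted is exactly the condition this rule flags, while topic-not-readable lines need the same check repeated from the topic owner's account.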

Remediation / Resolution

To ensure that the AWS Config delivery channel references an active SNS topic instead of a missing one, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"SNSTopicName": {
			"Type": "String"
		},
		"DeliveryChannelBucketName": {
			"Type": "String"
		}
	},
	"Resources": {
		"ConfigSNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"TopicName": {
					"Ref": "SNSTopicName"
				},
				"Subscription": [
					{
						"Endpoint": "example@domain.com",
						"Protocol": "email"
					}
				]
			}
		},
		"ConfigurationRecorder": {
			"Type": "AWS::Config::ConfigurationRecorder",
			"Properties": {
				"Name": "default",
				"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
				"RecordingGroup": {
					"AllSupported": true,
					"IncludeGlobalResourceTypes": true
				}
			}
		},
		"DeliveryChannel": {
			"Type": "AWS::Config::DeliveryChannel",
			"DependsOn": "ConfigurationRecorder",
			"Properties": {
				"ConfigSnapshotDeliveryProperties": {
					"DeliveryFrequency": "Six_Hours"
				},
				"S3BucketName": {
					"Ref": "DeliveryChannelBucketName"
				},
				"SnsTopicARN": {
					"Ref": "ConfigSNSTopic"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SNSTopicName:
    Type: String
  DeliveryChannelBucketName:
    Type: String
Resources:
  ConfigSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref 'SNSTopicName'
      Subscription:
        - Endpoint: example@domain.com
          Protocol: email
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    # A delivery channel can only be created once a configuration recorder exists
    DependsOn: ConfigurationRecorder
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: Six_Hours
      S3BucketName: !Ref 'DeliveryChannelBucketName'
      SnsTopicARN: !Ref 'ConfigSNSTopic'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_sns_topic" "config-sns-topic" {
	name = "cc-config-sns-topic"
}

resource "aws_sns_topic_subscription" "config-topic-subscription" {
	topic_arn = aws_sns_topic.config-sns-topic.arn
	protocol  = "email"
	endpoint  = "example@domain.com"
}

resource "aws_config_configuration_recorder" "configuration-recorder" {
	name     = "default"
	role_arn = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
	recording_group {
		all_supported                 = true
		include_global_resource_types = true
	}
}

resource "aws_config_configuration_recorder_status" "configuration-recorder-status" {
	is_enabled = true
	name       = aws_config_configuration_recorder.configuration-recorder.name
}

resource "aws_config_delivery_channel" "config-delivery-channel" {
	name           = "cc-config-delivery-channel"
	s3_bucket_name = "cc-config-bucket"
	sns_topic_arn  = aws_sns_topic.config-sns-topic.arn
	depends_on     = [aws_config_configuration_recorder.configuration-recorder]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Choose Edit to access the configuration settings available for Amazon Config in the selected AWS region.

05 Ensure that Stream configuration changes and notifications to an Amazon SNS topic is enabled under Amazon SNS topic.

06 In the Delivery method section, select one of the following options:

  1. Select Create a topic to create a new SNS topic, provide a unique name for the new topic in the SNS topic name box, and choose Save to apply the changes.
  2. Select Choose a topic from your account to specify an existing topic, select the name of the existing topic from the SNS topic name dropdown list, and choose Save to apply the changes.
  3. Select Choose a topic from another account to specify an SNS topic from another AWS account, type the ARN of the existing topic in the SNS topic ARN box, and choose Save to apply the changes. If the selected SNS topic is from a central organization account, you will need to configure SNS permissions accordingly.

07 If you selected the option to create a new SNS topic, navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

08 In the main navigation panel, under Amazon SNS, choose Topics.

09 Click on the name of the SNS topic created at step no. 6, select the Subscriptions tab, and choose Create subscription.

10 On the Create subscription setup page, select Email from the Protocol dropdown list, provide the email address where you want to receive alert notifications in the Endpoint box, then choose Create subscription to apply the new subscription to the selected Amazon SNS topic.

11 Use your preferred email client to open the subscription message from the AWS Notifications, then click on the appropriate link to confirm your SNS subscription.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create the Amazon SNS topic that will replace the missing SNS topic referenced by your AWS Config delivery channel:

aws sns create-topic \
  --region us-east-1 \
  --name cc-config-service-sns-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic \
  --protocol email \
  --notification-endpoint alert@trendmicro.com \
  --return-subscription-arn

04 The command output should return the ARN of the new SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription, passing the token that Amazon SNS sent to the subscription endpoint (i.e. your email address) specified at the previous step. The token is the Token parameter of the confirmation link in that email; opening the link in a browser confirms the subscription just as well. On success the command returns the ARN of the confirmed subscription:

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic \
  --token 3568392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d15578ded6f9a5c43aec62d83ef5f49109da730511

06 Run describe-delivery-channels command (OSX/Linux/UNIX) to return the delivery channel configuration details for Amazon Config service in the selected AWS region:

aws configservice describe-delivery-channels \
  --region us-east-1

07 The command output should return the requested delivery channel information:

{
	"DeliveryChannels": [
		{
			"name": "default",
			"s3BucketName": "config-bucket-123456789012",
			"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-topic"
		}
	]
}

08 Create the required configuration document and save it to a JSON file. Based on the delivery channel attributes returned at the previous step, create a JSON file named new-config-delivery-channel.json and paste the following information (replace the configuration data with your own data):

{
	"name": "default",
	"s3BucketName": "config-bucket-123456789012",
	"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic",
	"configSnapshotDeliveryProperties": {
		"deliveryFrequency": "Twelve_Hours"
	}
}

09 Run put-delivery-channel command (OSX/Linux/UNIX) using the configuration document defined at the previous step (i.e. new-config-delivery-channel.json) to update the delivery channel of the Amazon Config service in the selected AWS region in order to replace the missing SNS topic (the command does not produce an output):

aws configservice put-delivery-channel \
  --region us-east-1 \
  --delivery-channel file://new-config-delivery-channel.json

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
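The CLI remediation above, together with the SNS permissions note from the console procedure (a topic in a central account must let AWS Config publish to it), as a single script. This is an added example and not code from the original article. When run it assumes boto3 and credentials allowing sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sts:GetCallerIdentity, config:DescribeDeliveryChannels and config:PutDeliveryChannel, and it assumes the delivery channel already exists, since put-delivery-channel can only update one that was created after the configuration recorder. The delivery-channel document is built from the existing channel with only the topic ARN swapped, so the bucket, key prefix and snapshot frequency survive. The topic policy is the one AWS documents for Config's SNS topic: the config.amazonaws.com service principal may publish, restricted with aws:SourceAccount to the account(s) whose recorders are allowed to use it, which blocks another account's Config from writing into your topic (a confused-deputy scenario). The two helpers are pure and are what the offline check exercises; the sample channel is constructed to match the one shown in this article.

```python
"""Replace a missing SNS topic on an AWS Config delivery channel.

Added example (not from the original article). Usage:
    python fix_config_topic.py us-east-1 cc-config-service-sns-topic alert@example.com
"""
import json
import sys


def config_publish_policy(topic_arn, source_accounts):
    """Topic access policy that lets AWS Config, and nothing else, publish here.

    source_accounts -- one account ID or a list of them; for a central topic in
    another account, list every account whose recorder should deliver to it.
    """
    accounts = [source_accounts] if isinstance(source_accounts, str) else list(source_accounts)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSConfigSNSPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {"StringEquals": {"AWS:SourceAccount": accounts}},
        }],
    }


def updated_channel(existing, new_topic_arn):
    """Document for put-delivery-channel: every existing attribute kept, topic swapped.

    describe-delivery-channels returns exactly the fields put-delivery-channel
    accepts (name, s3BucketName, s3KeyPrefix, configSnapshotDeliveryProperties,
    ...), so copying the record and replacing snsTopicARN is the safe update.
    """
    channel = dict(existing)
    channel["snsTopicARN"] = new_topic_arn
    return channel


def main(region, topic_name, email):
    import boto3  # imported here so the helpers above stay usable offline
    session = boto3.Session(region_name=region)
    account_id = session.client("sts").get_caller_identity()["Account"]
    sns = session.client("sns")
    config = session.client("config")

    channels = config.describe_delivery_channels()["DeliveryChannels"]
    if not channels:
        raise SystemExit(f"{region}: no delivery channel; set up the recorder and channel first")
    existing = channels[0]  # AWS Config allows a single delivery channel per region

    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # Replaces the default topic policy; callers in this account keep working
    # through their IAM permissions, only the resource policy changes.
    sns.set_topic_attributes(
        TopicArn=topic_arn,
        AttributeName="Policy",
        AttributeValue=json.dumps(config_publish_policy(topic_arn, account_id)),
    )
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    config.put_delivery_channel(DeliveryChannel=updated_channel(existing, topic_arn))
    print(f"{existing['name']} now publishes to {topic_arn}; "
          f"confirm the subscription email sent to {email} or nothing is delivered")


# Constructed sample matching the describe-delivery-channels output in this article.
SAMPLE_EXISTING = {
    "name": "default",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-config-topic",
}
SAMPLE_NEW_TOPIC = "arn:aws:sns:us-east-1:123456789012:cc-config-service-sns-topic"


def demo():
    """Offline run of the two helpers against the constructed sample."""
    return (updated_channel(SAMPLE_EXISTING, SAMPLE_NEW_TOPIC),
            config_publish_policy(SAMPLE_NEW_TOPIC, "123456789012"))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        raise SystemExit(__doc__)
    main(*sys.argv[1:])
```

The email subscription still has to be confirmed from the mailbox; until then the topic exists, the delivery channel is healthy, and no notification reaches anyone, which is the same blind spot as the missing topic.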


Publication date Feb 24, 2017
