AWS Config Referencing Missing SNS Topic

Risk level: Medium (should be achieved)

Ensure that Amazon Config service is referencing an active Simple Notification Service (SNS) topic in order to send configuration changes notifications to your SNS subscription endpoints for monitoring. These notifications supply useful information regarding each configuration item created by AWS Config and provide a delivery status for each configuration snapshot and configuration history generated by the service.

Operational
excellence

When AWS Config is not referencing an active SNS topic, Amazon cannot send notifications to your subscription endpoints anymore, therefore you lose the ability to monitor the configuration changes made within your AWS account via email (or any other communication protocol provided by SNS).

Audit

To determine if Amazon Config service is missing the ability to send notifications due to inactive SNS topic, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, within the Amazon SNS topic section, copy the SNS topic name currently available in the Topic Name box.

05 Now navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

06 Choose Topics from the navigation panel.

07 Paste the name of the SNS topic copied at step no. 4 inside the Filter search box and press Enter. If no results matching your filter criteria are returned, the referenced SNS topic is no longer available within your AWS account, therefore the Amazon Config service will not be able to stream configuration changes notifications to the selected SNS topic for monitoring purposes.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-delivery-channels command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Name (ARN) of the SNS topic to which AWS Config service, available in the selected region, sends notifications about configuration changes:

aws configservice describe-delivery-channels
	--region us-east-1
	--query 'DeliveryChannels[*].snsTopicARN'

02 The command output should return the requested SNS topic ARN:

[
    "arn:aws:sns:us-east-1:575392585563:ConfigSNSTopic"
]

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN returned at the previous step as identifier to describe the configuration information for the selected SNS topic:

aws sns get-topic-attributes
	--region us-east-1
	--topic-arn "arn:aws:sns:us-east-1:123456789012:ConfigSNSTopic"

04 The command output should return the requested topic metadata or an error message:

An error occurred (NotFound) when calling the GetTopicAttributes operation: Topic does not exist.

If the get-topic-attributes command respond with an NotFound error message (as shown in the example above), the requested SNS topic has been deleted at some point after the Config service was enabled, therefore Amazon Config will not be able to stream configuration changes notifications to the selected (inactive) SNS topic.

05 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To update Amazon Config service configurations that reference missing SNS topics, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Settings.

04 On the Settings page, inside the Amazon SNS topic section, select Create a topic and provide a unique name for the new SNS topic within the Topic Name box.

05 Click Save to create the SNS topic required and apply the appropriate permissions to receive notifications about any configuration changes made within your AWS account. As soon as the necessary topic is created, the Config dashboard should display the following confirmation message: "Success. Your settings were successfully saved.".

06 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

07 Choose Topics from the navigation panel.

08 Select the SNS topic created earlier, click the Actions dropdown menu from the dashboard top menu and select Subscribe to topic option.

09 Inside the Create subscription dialog box, select Email (or any other protocol, based on your requirements) from the Protocol dropdown list and provide the email address (or the required endpoint identifier) where you can receive notifications in the Endpoint box.

10 Click Create Subscription to assign the new subscription to the selected SNS topic.

11 Use your preferred email client and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

12 Change the AWS region from the navigation bar and repeat the resolution process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new AWS SNS topic for sending notifications streamed from Amazon Config service enabled in the selected region:

aws sns create-topic
	--region us-east-1
	--name NewConfigSNSTopic

02 The command output should return the newly created SNS topic ARN:

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:NewConfigSNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the SNS topic created at the previous step using email as subscription protocol:

aws sns subscribe
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:NewConfigSNSTopic
	--protocol email
	--notification-endpoint config-status@cloudconformity.com

04 The command output should return the subscription status:

{
    "SubscriptionArn": "pending confirmation"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint (in this case your email address) specified at the previous step (the command does not produce an output):

aws sns confirm-subscription
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:NewConfigSNSTopic
	--token 2071392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da730566

06 Now run describe-delivery-channels command (OSX/Linux/UNIX) to return the delivery channel configuration details for the AWS Config service enabled in the selected region:

aws configservice describe-delivery-channels
	--region us-east-1

07 The command output should return the delivery channel details requested:

{
  "DeliveryChannels": [
    {
      "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:ConfigSNSTopic",
       "name": "default",
       "s3BucketName": "config-bucket-123456789012"
    }
  ]
}

08 Before you update the AWS Config delivery channel, you must create a JSON document where you need to define the necessary configuration attributes. Based on the delivery channel attributes returned at the previous step, create a JSON file named new-delivery-channel.json and paste the following JSON data (replace the attributes values with your own values):

{
  "name": "default",
  "s3BucketName": "config-bucket-123456789012",
  "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:ConfigSNSTopic",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

09 Run put-delivery-channel command (OSX/Linux/UNIX) using the attributes defined at the previous step (new-delivery-channel.json) to update the delivery channel of the Amazon Config service with the missing SNS topic, available in the selected region (the command does not produce an output):

aws configservice put-delivery-channel
	--region us-east-1
	--delivery-channel file://new-delivery-channel.json

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire process for other regions.

References

AWS Documentation
FAQs
Notifications that AWS Config sends
Monitoring AWS Config Resource Changes by Email

AWS Command Line Interface (CLI) Documentation
configservice
describe-delivery-channels
put-delivery-channel
sns
get-topic-attributes
create-topic
subscribe
confirm-subscription

Publication date Feb 24, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

AWS Config Referencing Missing SNS Topic

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Config rules