Config Delivery Failing
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that the log files (history files and snapshots) generated by AWS Config are delivered without any failures to designated S3 bucket in order to store logging data for auditing purposes.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Amazon Config tracks changes within the configuration of your AWS resources and it regularly saves this data to log files that are send to an S3 bucket that you specify. When AWS Config is not able to deliver log files to its recipient due to delivery errors or misconfigurations (usually involving the access policies defined for the associated IAM role), the service is unable to send the recorded information to the designated bucket, therefore you lose the ability to audit the configuration changes made within your AWS account.
To determine if AWS Config is able to deliver log files to the specified S3 bucket, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.
03
In the left navigation panel, choose Dashboard. If the following error message is displayed: "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam::
04 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-configuration-recorder-status command (OSX/Linux/UNIX) to describe the current status of the AWS Config service configuration recorder:
aws configservice describe-configuration-recorder-status --region us-east-1
02 The command output should return the requested configuration recorder status:
{
"ConfigurationRecordersStatus": [
{
"name": "default",
"lastErrorMessage": "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using arn:aws:iam::123456789012:role/service-role/cc-config-role",
"lastStatus": "FAILURE",
"recording": true,
"lastStatusChangeTime": 1508173693.866,
"lastStartTime": 1508173243.419,
"lastErrorCode": "AccessDenied",
"lastStopTime": 1507995590.643
}
]
}
03 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
Usually, AWS Config fails to deliver its log files to the specified S3 bucket when it doesn't have sufficient permissions to complete this operation. To send information to Amazon S3, AWS Config needs to assume an IAM role that manages the permissions (through IAM policies) required to access the designated S3 bucket. To resolve this issue, create a new IAM role and update the service configuration to reference the new role so that AWS Config can send log files to S3. To update AWS Config service configuration, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.
03 In the left navigation panel, select Settings.
04 On the Settings page, within AWS Config role section, choose Create a role option and provide a unique name for this new IAM role inside the Role name box.
05 Click Save to apply the changes. Once the configuration changes are saved, the following confirmation message will be displayed: "Success: Your settings were successfully saved." AWS Config will begin to deliver log files to the existing S3 bucket and the error message displayed on the service dashboard will disappear.
01 First, you need to define the required trust relationship policy for the new IAM role. To create the trust relationship policy for the IAM role that will be assigned later to AWS Config service, paste the following information into a new policy document named config-role-trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
02 Run create-role command (OSX/Linux/UNIX) to create the required IAM role using the trust relationship policy defined at the previous step (i.e. config-role-trust-policy.json):
aws iam create-role --role-name cc-new-config-role --assume-role-policy-document file://config-role-trust-policy.json
03 The command output should return the new role metadata:
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
}
}
]
},
"RoleId": "AAAAABBBBBCCCCCDDDDD",
"CreateDate": "2017-10-14T12:39:39.502Z",
"RoleName": "cc-new-config-role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/cc-new-config-role"
}
}
04 Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM role created at the previous step to attach the "AWSConfigRole" managed policy provided by Amazon Identity and Access Management, identified by the ARN "arn:aws:iam::aws:policy/service-role/AWSConfigRole" (the command does not return an output):
aws iam attach-role-policy --policy-arn "arn:aws:iam::aws:policy/service-role/AWSConfigRole" --role-name cc-new-config-role
05 Now, execute describe-configuration-recorders command (OSX/Linux/UNIX) using custom query filters to get the name of the existing AWS Config recorder:
aws configservice describe-configuration-recorders --region us-east-1 --query 'ConfigurationRecorders[*].name'
06 The command output should return the recorder name. By default, AWS Config automatically assigns the name "default" when creating the service configuration recorder:
[
"default"
]
07 Run put-configuration-recorder command (OSX/Linux/UNIX) using the name of the recorder returned at previous step and the Amazon Resource Name (ARN) of the newly created IAM role as parameters, to replace the role currently assigned to AWS Config service recorder (the command does not produce an output):
aws configservice put-configuration-recorder --region us-east-1 --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/cc-new-config-role
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat