SOA_EN

Configure remediation actions when non-compliant resources are detected by AWS Config

スポンサーリンク
Configure remediation actions when non-compliant resources are detected by AWS Config. SOA_EN
スポンサーリンク
スポンサーリンク

Configure remediation actions when non-compliant resources are detected by AWS Config

One of the topics covered in AWS SOA is monitoring, logging, and remediation.

AWS Config allows you to define remediation actions.

AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config Rules.

Remediating Noncompliant Resources with AWS Config Rules

This time, we will define AWS Config rules and repair actions for SSE on S3 buckets and check the actual behavior.

Environment

Diagram of configure remediation actions when non-compliant resources are detected by AWS Config.

Create an S3 bucket with SSE enabled for verification.

In AWS Config, create rules regarding SSE and remediation actions for the S3 bucket.
When an S3 bucket with SSE disabled is detected and determined to be non-compliant, it will be automatically restored.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are located at the following URL

awstut-soa/01/001 at main · awstut-an-r/awstut-soa
Contribute to awstut-an-r/awstut-soa development by creating an account on GitHub.

Explanation of key points of the template files

This page focuses on the contents related to AWS Config remediation actions.

For basic information about AWS Config, please refer to the following page

AWS Config Rules

Resources: S3BucketSSEEnabledConfigRule: Type: AWS::Config::ConfigRule DependsOn: - ConfigurationRecorder Properties: ConfigRuleName: !Sub "${Prefix}-S3-Bucket-SSE-Enabled" Scope: ComplianceResourceId: !Ref TestBucket ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
Code language: YAML (yaml)

Define rules for SSE of S3 buckets.

In this case, we will limit the resources to be audited for verification purposes.
In the Scope property, specify the bucket name in the ComplianceResourceId property and “AWS::S3::Bucket” in the ComplianceResourceTypes property to make only the bucket for verification subject to the rule.

AWS Config remediation actions

Resources: RemediationConfiguration: Type: AWS::Config::RemediationConfiguration Properties: Automatic: true ConfigRuleName: !Ref S3BucketSSEEnabledConfigRule MaximumAutomaticAttempts: 5 Parameters: BucketName: ResourceValue: Value: RESOURCE_ID SSEAlgorithm: StaticValue: Values: - !Ref SSEAlgorithm AutomationAssumeRole: StaticValue: Values: - !GetAtt RemediationConfigurationRole.Arn ResourceType: AWS::S3::Bucket RetryAttemptSeconds: 60 TargetId: AWS-EnableS3BucketEncryption TargetType: SSM_DOCUMENT TargetVersion: "1"
Code language: YAML (yaml)

Remediation actions are accomplished through the use of SSM Automation documentation.

AWS Config applies remediation using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules.

Remediating Noncompliant Resources with AWS Config Rules

We will cover the characteristic parameters.

The Automatic property is a parameter that sets whether or not the remediation action will be performed automatically.

you can either choose to manually or automatically remediate noncompliant resources by associating remediation actions with AWS Config rules. With all remediation actions, you can either choose manual or automatic remediation.

Remediating Noncompliant Resources with AWS Config Rules

In this case, we will specify “true” to automatically execute the remediation action.

The TargetId, TargetType, and TargetVersion properties are parameters related to the document to be executed.
This time we will enable SSE for S3 buckets by running the managed document AWS-EnableS3BucketEncryption.
You can find more information about this document on the following page

AWS-EnableS3BucketEncryption - AWS Systems Manager Automation runbook reference
Configure default encryption for an Amazon S3 bucket.

The MaximumAutomaticAttempts property is a parameter that specifies the maximum number of automatic repair failures.
In this case, we will set it to the default value of 5 times.

The RetryAttemptSeconds property is a parameter that specifies the maximum time to perform an automatic repair.
This time it is set to the default value of 60 seconds.

The Parameters property is the parameter to pass when executing the document.
As indicated in the page above, the following three parameters must be specified to run this document

  • BucketName
  • SSEAlgorithm
  • AutomationAssumeRole

Set these parameters in the Parameters property.
The key point is whether the value specified for each parameter is dynamic or static.

For example, BucketName is a dynamic value because it varies for each bucket that is determined to be non-compliant by the audit.
For a dynamic value, use the ResourceValue property and specify “RESOURCE_ID” in the internal Value property.

On the other hand, SSEAlgorithm and AutomationAssumeRole are static values.
The former specifies the default value “AES256” and the latter specifies a fixed IAM role as described below.
In this case, use the StaticValue property and set the value to the internal Values property.

The IAM role is used to grant SSM Automation the necessary privileges for remediation actions.

Resources: RemediationConfigurationRole: Type: AWS::IAM::Role DeletionPolicy: Delete Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - ssm.amazonaws.com Policies: - PolicyName: S3PutSSEPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:PutEncryptionConfiguration Resource: - !Sub "arn:aws:s3:::${TestBucket}"
Code language: YAML (yaml)

This time, we will give permission to enable SSE settings for the verification bucket.

Architecting

Using CloudFormation, we will build this environment and verify the actual behavior.

Create CloudFormation stacks and verify resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, information on the main resources created this time is as follows

  • AWS Config rule: soa-01-001-S3-Bucket-SSE-Enabled
  • Bucket for verification: soa-01-001-encryption-enabled

Check each resource from the AWS Management Console.
First, check the AWS Config rules.

Detail of AWS Config 1.

We can see that the rule has been successfully created.
The audit based on the rule also shows that the validation bucket is “Compliant”.

The remediation action is defined and the SSM document AWS-EnableS3BucketEncryption and parameters for document execution are specified.
If SSE is disabled for the validation bucket and the audit results show that it is non-compliant, this document will be executed as the remediation action.

Check the validation bucket.

Detail of S3 1.

You can see that SSE is indeed enabled.

Checking Action

Now that everything is ready, let’s check the action.

Disable the SSE setting for the S3 bucket.

Detail of S3 2.

SSE has been disabled.

The AWS Config evaluation is changed.

Detail of AWS Config 2.

It was “Compliant” earlier, but it changed to “Nocompliant” after SSE was disabled.

Check SSM Automation.

Detail of SSM 1.

SSM Automation has indeed been executed.

SSM Automation executed the SSM document AWS-EnableS3BucketEncryption and we can see that it completed successfully.

We will check the AWS Config rules and S3 bucket again.

Detail of AWS Config 3.
Detail of S3 3.

On the AWS Config rules page, we are back to “Compliant” again.
And on the S3 Buckets page, we can see that SSE has been enabled again.

This indicates that SSM Automation has executed the SSM document and enabled the SSE feature for the S3 bucket.

Summary

We have seen how to automatically recover a resource by defining a remediation action in AWS Config rules.

タイトルとURLをコピーしました