Many buckets created by AWSConfig StackSet (required for SecurityHub)

Hi,

I'm enabling SecurityHub on my accounts and was thus asked to enable AWS Config on all accounts in all regions. I found the AWSConfig StackSet that does this automatically. Great automation, but is it expected that I get buckets for all regions in my accounts? That's around 20 buckets already, and the regular S3 quota in an account is 100. One account runs into bucket limits now. It seems odd that Config logs occupy 20% of the S3 quota...

I do have a Config Aggregator enabled in the security-tooling account, but that doesn't seem to help.

Can anyone confirm this is expected, or advise a best practice to do it another way?

Thanks!

  • I do have a separate log-archive account, too. Best to have the logs there, even, I think, if possible. Yet even then, with around 20 buckets per account, it can only host 5 accounts until the limit of 100 is reached (?). There must be a better way.

1 Answer
Accepted Answer

Hi,

Thanks for reaching out to us. I understand that you're concerned about having to enable an S3 bucket per region to meet the compliance requirement for CIS AWS Foundations Benchmark control 2.5 – Ensure AWS Config is enabled for an AWS account.

You are able to use one S3 bucket for all regions per account to meet the compliance requirement. You do not need to use individual buckets per region. The audit steps performed by the Security Hub service to evaluate compliance are outlined in the document below, and step 6 (on page 72) for remediation mentions the following:

"Specify an S3 bucket in the same account or in another managed AWS account"

  • https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Therefore, you may incorporate this solution into your implementation.

I hope this clears your concerns. Let us know if you have any further questions that we can answer!

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thank you. That clears my concerns. It's just that the StackSet example which automates this for all regions creates all the different buckets, then; but I can (manually, or perhaps by changing the StackSet settings) consolidate it into a single bucket per account. That's good to know. Thanks!

  • Hi, can I follow up on your answer? This works well for AWS Config and AWS CloudTrail, which can record their logs/trails in one bucket (with subfolders for regions). However, when I enable server access logging for S3 and VPC Flow Logging (both security requirements), I cannot specify a bucket in a different region in the S3 Permissions tab. This means I have to have server access logging buckets for each region in my account plus VPC flow logging buckets for each region? Can I consolidate these into fewer buckets? Thanks!
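To make the accepted answer concrete, here is an added example (not code from the original post, from the AWSConfig StackSet template, or from AWS) of what "one bucket per account, or one bucket in the log-archive account for all accounts" looks like in practice: the bucket policy the shared Config delivery bucket needs, one delivery channel per region that all name the same bucket, and the key layout Config uses inside it, which already carries the region in the prefix. The bucket name, account IDs and region list are constructed placeholders.

```python
"""Single shared AWS Config delivery bucket for many regions and accounts.

Added example; bucket name, account IDs and regions are constructed values.
"""
import json

# Constructed sample values (assumptions, not real identifiers).
LOG_ARCHIVE_BUCKET = "example-org-config-logs"       # one bucket, in the log-archive account
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]  # accounts whose Config delivers into it
REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]


def config_bucket_policy(bucket, source_accounts, prefix=""):
    """Bucket policy AWS Config requires on a delivery bucket, for N source accounts.

    Follows the three-statement pattern AWS documents for Config delivery buckets:
    GetBucketAcl (permissions check), ListBucket (existence check) and PutObject
    restricted to each account's own AWSLogs/<account>/Config/* key space.
    AWS:SourceAccount limits the Config service principal to the listed accounts
    (confused-deputy protection); the bucket-owner-full-control ACL condition keeps
    the bucket owner in control of objects written by other accounts.
    """
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    source_condition = {"AWS:SourceAccount": list(source_accounts)}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSConfigBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {"Service": "config.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": dict(source_condition)},
            },
            {
                "Sid": "AWSConfigBucketExistenceCheck",
                "Effect": "Allow",
                "Principal": {"Service": "config.amazonaws.com"},
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": dict(source_condition)},
            },
            {
                "Sid": "AWSConfigBucketDelivery",
                "Effect": "Allow",
                "Principal": {"Service": "config.amazonaws.com"},
                "Action": "s3:PutObject",
                # Each account may only write under its own AWSLogs/<account>/Config/ tree.
                "Resource": [
                    f"{bucket_arn}/{key_prefix}AWSLogs/{acct}/Config/*"
                    for acct in source_accounts
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        **source_condition,
                    }
                },
            },
        ],
    }


def delivery_channel(bucket, prefix="", frequency="TwentyFour_Hours"):
    """Delivery-channel document for `aws configservice put-delivery-channel`."""
    channel = {
        "name": "default",
        "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency},
    }
    if prefix:
        channel["s3KeyPrefix"] = prefix.strip("/")
    return channel


def put_delivery_channel_commands(bucket, regions, prefix=""):
    """One put-delivery-channel call per region; every call names the SAME bucket.

    The bucket does not have to live in the region whose channel points at it.
    """
    doc = json.dumps(delivery_channel(bucket, prefix))
    return [
        f"aws configservice put-delivery-channel --region {region} "
        f"--delivery-channel '{doc}'"
        for region in regions
    ]


def config_object_prefix(account, region, prefix=""):
    """Key prefix Config writes under for one account and region.

    AWS's documented layout is AWSLogs/<account>/Config/<region>/...; because the
    region is part of the key, all regions share one bucket without colliding.
    """
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    return f"{key_prefix}AWSLogs/{account}/Config/{region}/"


if __name__ == "__main__":
    print(json.dumps(config_bucket_policy(LOG_ARCHIVE_BUCKET, MEMBER_ACCOUNTS, "config"), indent=2))
    for cmd in put_delivery_channel_commands(LOG_ARCHIVE_BUCKET, REGIONS, "config"):
        print(cmd)
    for acct in MEMBER_ACCOUNTS:
        for region in REGIONS:
            print(config_object_prefix(acct, region, "config"))
```

Apply the policy once to the log-archive bucket, then run the printed `put-delivery-channel` command in each region of each member account (a configuration recorder must already exist in that region, or the call is rejected). With the per-account `AWSLogs/<account>/Config/*` resources and the `AWS:SourceAccount` condition, the member accounts total n buckets rather than n × regions, and no account can write into another account's prefix.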
