
Questions tagged with AWS Config


What is the relationship between AWS Config retention period and AWS S3 Lifecycle policy?

I found here: https://aws.amazon.com/blogs/mt/configuration-history-configuration-snapshot-files-aws-config/

"AWS Config delivers three types of configuration files to the S3 bucket: Configuration history (A configuration history is a collection of the configuration items for a given resource over any time period.), Configuration snapshot, OversizedChangeNotification."

However, in this doc: https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/delete-config-data-with-retention-period.html it only says that the retention period deletes the "ConfigurationItems" (A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account.)

In this doc: https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-history: "The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording."

I wonder:

- Is ConfigurationItems a subset of Configuration history?
- Is what is saved to S3 equal to ConfigurationItems? If not, where are ConfigurationItems stored? And if they are stored in S3, are ConfigurationItems deleted or do they become damaged?

I am setting the AWS S3 lifecycle to expire objects in 300 days and the AWS Config retention period to 7 years. Therefore, I am wondering what the relationship is between those two. Because the S3 lifecycle period is 300 days, will AWS Config data be deleted in 300 days? Thank you so much!

1 answer · 0 votes · 13 views · asked 2 days ago
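The question conflates two independent settings, and a check that treats them separately is the thing a practitioner wants before trusting a 7-year retention figure. The example below is added here and is not from the re:Post thread. It takes the S3 lifecycle rules and the Config retention period and reports how long each copy of the data survives: the retention period (PutRetentionConfiguration, 30 to 2557 days) governs the ConfigurationItems AWS Config keeps in its own store, which is what GetResourceConfigHistory and advanced queries read; an S3 lifecycle rule governs only the history, snapshot and oversized-notification files Config delivers to the bucket. The delivery key layout `[<prefix>/]AWSLogs/<account-id>/Config/` and the sample rules are assumptions stated in the code.

```python
"""Added example: compare the AWS Config retention period with the S3
lifecycle rules that cover the Config delivery prefix. Not from the
re:Post thread. Expiring the S3 files does not touch the
ConfigurationItems held by Config, and the retention period does not
touch S3, so each copy is checked on its own."""

CONFIG_RETENTION_MIN_DAYS = 30
CONFIG_RETENTION_MAX_DAYS = 2557  # 7 years, the largest value Config accepts


def config_delivery_prefix(account_id: str, bucket_prefix: str = "") -> str:
    """Key prefix Config writes under (assumed layout):
    [<prefix>/]AWSLogs/<account-id>/Config/"""
    base = f"AWSLogs/{account_id}/Config/"
    return f"{bucket_prefix.strip('/')}/{base}" if bucket_prefix else base


def _rule_prefix(rule: dict) -> str:
    """A lifecycle rule's prefix lives in Filter.Prefix, Filter.And.Prefix or
    (legacy) a top-level Prefix; no prefix at all means the whole bucket."""
    filt = rule.get("Filter") or {}
    if "And" in filt:
        return filt["And"].get("Prefix", "")
    return filt.get("Prefix", rule.get("Prefix", ""))


def s3_expiry_days_for_prefix(lifecycle_rules: list, key_prefix: str):
    """Shortest Expiration.Days among enabled rules whose prefix overlaps
    key_prefix (either is a prefix of the other, so a rule scoped to one
    region under the Config prefix still counts). None if nothing expires."""
    days = []
    for rule in lifecycle_rules:
        if rule.get("Status") != "Enabled":
            continue
        rp = _rule_prefix(rule)
        if not (key_prefix.startswith(rp) or rp.startswith(key_prefix)):
            continue
        expiration = rule.get("Expiration") or {}
        if "Days" in expiration:
            days.append(int(expiration["Days"]))
    return min(days) if days else None


def compare_retention(config_retention_days: int, lifecycle_rules: list,
                      account_id: str, bucket_prefix: str = "") -> dict:
    """Report how long each copy of the data survives."""
    if not CONFIG_RETENTION_MIN_DAYS <= config_retention_days <= CONFIG_RETENTION_MAX_DAYS:
        raise ValueError("Config retention must be between 30 and 2557 days")
    prefix = config_delivery_prefix(account_id, bucket_prefix)
    s3_days = s3_expiry_days_for_prefix(lifecycle_rules, prefix)
    return {
        "config_items_days": config_retention_days,  # queryable through the Config API
        "s3_files_days": s3_days,                    # delivered files in the bucket
        "s3_expires_first": s3_days is not None and s3_days < config_retention_days,
    }


# Constructed sample mirroring the question: expire everything after 300 days,
# Config retention set to the 7-year maximum. The disabled rule must be ignored.
SAMPLE_RULES = [
    {"ID": "expire-all", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 300}},
    {"ID": "disabled-rule", "Status": "Disabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 1}},
]

if __name__ == "__main__":
    print(compare_retention(2557, SAMPLE_RULES, "123456789012"))
```

With the question's settings the report says the S3 files go after 300 days while the queryable ConfigurationItems stay for 2557; if the S3 files are the audit record you intend to keep, the lifecycle rule is the one to lengthen.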

Config Advanced Query Editor - Return ConfigRuleName

I am using the AWS Config Service across multiple Accounts within my Organization. My goal is to write a query which will give me a full list of non-compliant resources in all regions, in all accounts. I have an Aggregator which has the visibility for this task. The Advanced Query I am using is similar to the AWS example in the docs (https://docs.aws.amazon.com/config/latest/developerguide/example-query.html):

```sql
SELECT
  configuration.targetResourceId,
  configuration.targetResourceType,
  configuration.complianceType,
  configuration.configRuleList,
  accountId,
  awsRegion
WHERE
  configuration.configRuleList.complianceType = 'NON_COMPLIANT'
```

However, the ConfigRuleName is nested within `configuration.configRuleList`, as there could be multiple config rules (hence the list) assigned to `configuration.targetResourceId`. How can I write a query that picks apart the JSON list returned this way? The results returned do not export to CSV very well at all; exporting a JSON object within a CSV is unsuitable if we wanted to import this into a spreadsheet, for example, for viewing. I have tried to use `configuration.configRuleList.configRuleName` and this only returns `-` even when the list has a single object within. If there is a better way to create a centralised place to view all my Org's Non-Compliant Resources, I would like to learn about it. Thanks in advance.

0 answers · 0 votes · 5 views · asked 12 days ago
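The flattening the question asks for is easier to do on the query results than in the query language itself. The example below is added here and is not from the re:Post thread: it pages through SelectAggregateResourceConfig (each entry in `Results` is a JSON string) and turns every resource's `configRuleList` into one CSV row per non-compliant rule. The shape of the `AWS::Config::ResourceCompliance` item, with `configRuleList` entries carrying `configRuleName` and `complianceType`, is taken from the query in the post; the sample results are constructed.

```python
"""Added example: flatten configRuleList from the post's advanced query into
one CSV row per (resource, rule). Not from the re:Post thread."""
import csv
import io
import json

CSV_FIELDS = ["accountId", "awsRegion", "targetResourceType",
              "targetResourceId", "configRuleName", "complianceType"]


def fetch_all_results(config_client, expression: str, aggregator: str) -> list:
    """Page through SelectAggregateResourceConfig. Pass a boto3 'config'
    client; this is the real API call and is not exercised offline."""
    results, token = [], None
    while True:
        kwargs = {"Expression": expression, "ConfigurationAggregatorName": aggregator}
        if token:
            kwargs["NextToken"] = token
        page = config_client.select_aggregate_resource_config(**kwargs)
        results.extend(page.get("Results", []))
        token = page.get("NextToken")
        if not token:
            return results


def flatten_noncompliant(results: list) -> list:
    """One row per rule that is NON_COMPLIANT for the resource. The resource
    level complianceType summarises all rules, so filter on the per-rule
    value rather than the resource level one."""
    rows = []
    for raw in results:
        item = json.loads(raw)
        cfg = item.get("configuration", {})
        for rule in cfg.get("configRuleList", []):
            if rule.get("complianceType") != "NON_COMPLIANT":
                continue
            rows.append({
                "accountId": item.get("accountId"),
                "awsRegion": item.get("awsRegion"),
                "targetResourceType": cfg.get("targetResourceType"),
                "targetResourceId": cfg.get("targetResourceId"),
                "configRuleName": rule.get("configRuleName"),
                "complianceType": rule["complianceType"],
            })
    return sorted(rows, key=lambda r: (r["accountId"], r["awsRegion"],
                                       r["targetResourceId"], r["configRuleName"]))


def rows_to_csv(rows: list) -> str:
    """Spreadsheet-friendly output: one scalar per cell, no nested JSON."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample Results (JSON strings, as the API returns them).
SAMPLE_RESULTS = [
    json.dumps({"accountId": "111111111111", "awsRegion": "us-east-1",
                "configuration": {
                    "targetResourceId": "i-0123456789abcdef0",
                    "targetResourceType": "AWS::EC2::Instance",
                    "complianceType": "NON_COMPLIANT",
                    "configRuleList": [
                        {"configRuleName": "ec2-imdsv2-check", "complianceType": "NON_COMPLIANT"},
                        {"configRuleName": "ec2-instance-managed-by-ssm", "complianceType": "COMPLIANT"},
                        {"configRuleName": "ec2-ebs-encryption-by-default", "complianceType": "NON_COMPLIANT"}]}}),
    json.dumps({"accountId": "222222222222", "awsRegion": "eu-west-2",
                "configuration": {
                    "targetResourceId": "sg-0abc",
                    "targetResourceType": "AWS::EC2::SecurityGroup",
                    "complianceType": "NON_COMPLIANT",
                    "configRuleList": [
                        {"configRuleName": "restricted-ssh", "complianceType": "NON_COMPLIANT"}]}}),
]

if __name__ == "__main__":
    print(rows_to_csv(flatten_noncompliant(SAMPLE_RESULTS)))
```

Run with `flatten_noncompliant(fetch_all_results(boto3.client("config"), QUERY, "my-aggregator"))` where `QUERY` is the SELECT from the post; the COMPLIANT entry for the first instance is dropped and the two NON_COMPLIANT rules become two rows.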

Manual remediation config works, automatic remediation config fails

SOLVED! There was a syntax problem in the runbook that is not detected when manually remediating. In the content of the remediation doc (created using CloudFormation), I used this parameter declaration:

```yaml
parameters:
  InstanceID:
    type: 'AWS::EC2::Instance::Id'
```

It should be:

```yaml
parameters:
  InstanceID:
    type: String
```

=====================================================================================

I have a remediation runbook that creates CloudWatch alarms for the metric 'CPUUtilization' for any EC2 instances that have none defined. The runbook is configured as a remediation document for a config rule that checks for the absence of such alarms. When I configure the remediation on the rule as manual, all goes well. When I configure the remediation with the exact same runbook as automatic, the remediation fails with this error (snippet):

```json
"StepDetails": [
  {
    "Name": "Initialization",
    "State": "FAILED",
    "ErrorMessage": "Invalid Automation document content for Create-CloudWatch-Alarm-EC2-CPUUtilization",
    "StartTime": "2022-05-09T17:30:02.361000+02:00",
    "StopTime": "2022-05-09T17:30:02.361000+02:00"
  }
],
```

This is the remediation configuration for the automatic remediation. The only difference from the manual remediation configuration is obviously the value for key "Automatic" being "false":

```json
{
  "RemediationConfigurations": [
    {
      "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
      "TargetType": "SSM_DOCUMENT",
      "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
      "TargetVersion": "$DEFAULT",
      "Parameters": {
        "AutomationAssumeRole": {
          "StaticValue": { "Values": ["arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"] }
        },
        "ComparisonOperator": {
          "StaticValue": { "Values": ["GreaterThanThreshold"] }
        },
        "InstanceID": {
          "ResourceValue": { "Value": "RESOURCE_ID" }
        },
        "Period": {
          "StaticValue": { "Values": ["300"] }
        },
        "Statistic": {
          "StaticValue": { "Values": ["Average"] }
        },
        "Threshold": {
          "StaticValue": { "Values": ["10"] }
        }
      },
      "Automatic": true,
      "MaximumAutomaticAttempts": 5,
      "RetryAttemptSeconds": 60,
      "Arn": "arn:aws:config:eu-west-2:123456789012:remediation-configuration/rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists/5e3a81a7-fc55-4cbe-ad75-6b27be8da79a"
    }
  ]
}
```

The error message is rather cryptic; I can't find documentation on possible root causes. Any suggestions would be very welcome! Thanks!

1 answer · 0 votes · 10 views · asked 20 days ago
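The poster found the fault by trial: a parameter type the document schema does not know, which manual remediation tolerated and the automatic path rejected at the Initialization step with a message that names nothing. The check below is added here and is not the poster's code: it lints a runbook against the remediation configuration before `Automatic` is flipped to true, flagging parameter types outside the set the SSM document schema reference lists (String, StringList, Integer, Boolean, MapList, StringMap, as I know them), parameters supplied but not declared, declared parameters with neither a default nor a value, `ResourceValue` values other than `RESOURCE_ID`, and out-of-range retry settings (1..25 attempts, 1..2678000 seconds). The runbook dict and remediation configuration are constructed from the post.

```python
"""Added example: lint an SSM Automation runbook against the Config
remediation configuration that references it. Not from the re:Post
thread; the accepted parameter types are taken from the SSM document
schema reference and should be re-checked if AWS extends it."""
import copy

SSM_PARAMETER_TYPES = {"String", "StringList", "Integer", "Boolean", "MapList", "StringMap"}


def lint_remediation(document: dict, remediation: dict) -> list:
    """Return human-readable findings; an empty list means nothing found."""
    findings = []
    declared = document.get("parameters") or {}
    supplied = remediation.get("Parameters") or {}

    for name, spec in declared.items():
        ptype = spec.get("type")
        if ptype not in SSM_PARAMETER_TYPES:
            findings.append(f"parameter {name!r}: type {ptype!r} is not an SSM document "
                            f"parameter type (use one of {sorted(SSM_PARAMETER_TYPES)})")

    for name, value in supplied.items():
        if name not in declared:
            findings.append(f"remediation supplies {name!r} but the document does not declare it")
        resource_value = value.get("ResourceValue")
        if resource_value is not None and resource_value.get("Value") != "RESOURCE_ID":
            findings.append(f"parameter {name!r}: ResourceValue.Value must be 'RESOURCE_ID'")
        static_value = value.get("StaticValue")
        if static_value is not None and not static_value.get("Values"):
            findings.append(f"parameter {name!r}: StaticValue.Values is empty")

    for name, spec in declared.items():
        if name not in supplied and "default" not in spec:
            findings.append(f"document parameter {name!r} has no default and is not supplied")

    if remediation.get("Automatic"):
        attempts = remediation.get("MaximumAutomaticAttempts")
        retry = remediation.get("RetryAttemptSeconds")
        if attempts is not None and not 1 <= attempts <= 25:
            findings.append("MaximumAutomaticAttempts must be between 1 and 25")
        if retry is not None and not 1 <= retry <= 2678000:
            findings.append("RetryAttemptSeconds must be between 1 and 2678000")
    return findings


# Constructed from the post: the document as first written (wrong type for
# InstanceID) and the automatic remediation configuration that failed.
RUNBOOK = {
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "AutomationAssumeRole": {"type": "String"},
        "InstanceID": {"type": "AWS::EC2::Instance::Id"},
        "ComparisonOperator": {"type": "String"},
        "Period": {"type": "Integer"},
        "Statistic": {"type": "String"},
        "Threshold": {"type": "Integer"},
    },
}

REMEDIATION = {
    "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
    "Parameters": {
        "AutomationAssumeRole": {"StaticValue": {"Values": [
            "arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"]}},
        "ComparisonOperator": {"StaticValue": {"Values": ["GreaterThanThreshold"]}},
        "InstanceID": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        "Period": {"StaticValue": {"Values": ["300"]}},
        "Statistic": {"StaticValue": {"Values": ["Average"]}},
        "Threshold": {"StaticValue": {"Values": ["10"]}},
    },
    "Automatic": True,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 60,
}


def fixed_runbook() -> dict:
    """The correction the poster applied: InstanceID becomes a String."""
    fixed = copy.deepcopy(RUNBOOK)
    fixed["parameters"]["InstanceID"]["type"] = "String"
    return fixed


if __name__ == "__main__":
    for finding in lint_remediation(RUNBOOK, REMEDIATION):
        print("-", finding)
    print("after fix:", lint_remediation(fixed_runbook(), REMEDIATION))
```

Feed it the document body from `aws ssm get-document --name ... --document-format JSON` and the entry from `aws configservice describe-remediation-configurations`; the original runbook produces exactly one finding, on `InstanceID`, and the corrected one produces none.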

Unable to create new OpsItems from EventBridge when using Input Transformer for deduplication and adding category and severity values

Apologies to all for the duplicate post. I created my login under the wrong account when I initially posted this question.

I'm able to generate a new OpsItem for any EC2, SecurityGroup, or VPC configuration change using an EventBridge rule with the following event pattern.

```json
{
  "source": ["aws.config"],
  "detail-type": ["Config Configuration Item Change"],
  "detail": {
    "messageType": ["ConfigurationItemChangeNotification"],
    "configurationItem": {
      "resourceType": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC"]
    }
  }
}
```

The rule and target work great when using Matched event for the Input, but I noticed that launching one EC2 using the AWS wizard creates at least three OpsItems, one for each resourceType. Therefore I'd like to implement a deduplication string to cut the number of OpsItems generated down to one if possible, and I'd also like to attach a category and severity to the new OpsItem. I'm trying to use an Input Transformer as recommended by the AWS documentation, but even the simplest of Input Transformers, when applied, prevent any new OpsItems from being generated. When I've tested, I've also ensured that all previous OpsItems were resolved. Can anyone tell me what might be blocking the creation of any new OpsItems when using this Input Transformer configuration? Here's what I have configured now.

Input path

```json
{
  "awsAccountId": "$.detail.configurationItem.awsAccountId",
  "awsRegion": "$.detail.configurationItem.awsRegion",
  "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime",
  "detail-type": "$.detail-type",
  "messageType": "$.detail.messageType",
  "notificationCreationTime": "$.detail.notificationCreationTime",
  "region": "$.region",
  "resourceId": "$.detail.configurationItem.resourceId",
  "resourceType": "$.detail.configurationItem.resourceType",
  "resources": "$.resources",
  "source": "$.source",
  "time": "$.time"
}
```

Input template

```json
{
  "awsAccountId": "<awsAccountId>",
  "awsRegion": "<awsRegion>",
  "configurationItemCaptureTime": "<configurationItemCaptureTime>",
  "resourceId": "<resourceId>",
  "resourceType": "<resourceType>",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "<detail-type>",
  "source": "<source>",
  "time": "<time>",
  "region": "<region>",
  "resources": "<resources>",
  "messageType": "<messageType>",
  "notificationCreationTime": "<notificationCreationTime>",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{\"dedupString\":\"ConfigurationItemChangeNotification\"}"
    }
  }
}
```

Output when using the AWS supplied Sample event called "Config Configuration Item Change"

```
{
  "awsAccountId": "123456789012",
  "awsRegion": "us-east-1",
  "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z",
  "resourceId": "fs-01f0d526165b57f95",
  "resourceType": "AWS::EFS::FileSystem",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "Config Configuration Item Change",
  "source": "aws.config",
  "time": "2022-03-16T01:10:51Z",
  "region": "us-east-1",
  "resources": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
  "messageType": "ConfigurationItemChangeNotification",
  "notificationCreationTime": "2022-03-16T01:10:51.976Z",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{"dedupString":"ConfigurationItemChangeNotification"}"
    }
  }
}
```

1 answer · 0 votes · 4 views · asked 22 days ago

Unable to create new OpsItems from EventBridge when using Input Transformer for deduplication and adding category and severity values

I'm able to generate a new OpsItem for any EC2, SecurityGroup, or VPC configuration change using an EventBridge rule with the following event pattern.

```json
{
  "source": ["aws.config"],
  "detail-type": ["Config Configuration Item Change"],
  "detail": {
    "messageType": ["ConfigurationItemChangeNotification"],
    "configurationItem": {
      "resourceType": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC"]
    }
  }
}
```

The rule and target work great when using Matched event for the Input, but I noticed that launching one EC2 using the AWS wizard creates at least three OpsItems, one for each resourceType. Therefore I'd like to implement a deduplication string to cut the number of OpsItems generated down to one if possible, and I'd also like to attach a category and severity to the new OpsItem. I'm trying to use an Input Transformer as recommended by the AWS documentation, but even the simplest of Input Transformers, when applied, prevent any new OpsItems from being generated. When I've tested, I've also ensured that all previous OpsItems were resolved. Can anyone tell me what might be blocking the creation of any new OpsItems when using this Input Transformer configuration? Here's what I have configured now.

Input path

```json
{
  "awsAccountId": "$.detail.configurationItem.awsAccountId",
  "awsRegion": "$.detail.configurationItem.awsRegion",
  "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime",
  "detail-type": "$.detail-type",
  "messageType": "$.detail.messageType",
  "notificationCreationTime": "$.detail.notificationCreationTime",
  "region": "$.region",
  "resourceId": "$.detail.configurationItem.resourceId",
  "resourceType": "$.detail.configurationItem.resourceType",
  "resources": "$.resources",
  "source": "$.source",
  "time": "$.time"
}
```

Input template

```json
{
  "awsAccountId": "<awsAccountId>",
  "awsRegion": "<awsRegion>",
  "configurationItemCaptureTime": "<configurationItemCaptureTime>",
  "resourceId": "<resourceId>",
  "resourceType": "<resourceType>",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "<detail-type>",
  "source": "<source>",
  "time": "<time>",
  "region": "<region>",
  "resources": "<resources>",
  "messageType": "<messageType>",
  "notificationCreationTime": "<notificationCreationTime>",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{\"dedupString\":\"ConfigurationItemChangeNotification\"}"
    }
  }
}
```

Output when using the AWS supplied Sample event called "Config Configuration Item Change"

```
{
  "awsAccountId": "123456789012",
  "awsRegion": "us-east-1",
  "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z",
  "resourceId": "fs-01f0d526165b57f95",
  "resourceType": "AWS::EFS::FileSystem",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "Config Configuration Item Change",
  "source": "aws.config",
  "time": "2022-03-16T01:10:51Z",
  "region": "us-east-1",
  "resources": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
  "messageType": "ConfigurationItemChangeNotification",
  "notificationCreationTime": "2022-03-16T01:10:51.976Z",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{"dedupString":"ConfigurationItemChangeNotification"}"
    }
  }
}
```

0 answers · 0 votes · 1 view · asked 22 days ago
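Both copies of the OpsItem question above paste the transformer's rendered output, and that output is worth reading as the target would: the `/aws/dedup` value is printed with its inner quotes unescaped, so the rendered text is no longer valid JSON. The check below is added here and is not from either post. It parses what the transformer renders and then applies the OpsCenter constraints on category (Availability, Cost, Performance, Recovery, Security), severity (the strings "1" to "4") and the `/aws/dedup` operational-data value, which must itself be a JSON string with a `dedupString` key. Whether the escaping is what blocks the OpsItems is for the poster to confirm; the strings below are constructed from the pasted output, one as pasted and one with the escaping the input template spelled out.

```python
"""Added example: validate an EventBridge input transformer's rendered
output before it reaches an OpsItem target. Not from the re:Post
threads; the OpsCenter category and severity sets are the documented
ones and the sample payloads are constructed from the posted output."""
import json

OPSCENTER_CATEGORIES = {"Availability", "Cost", "Performance", "Recovery", "Security"}
OPSCENTER_SEVERITIES = {"1", "2", "3", "4"}


def validate_opsitem_payload(rendered: str) -> list:
    """Return a list of findings; empty means the payload looks deliverable."""
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as err:
        return [f"rendered template is not valid JSON: {err.msg} at offset {err.pos}"]

    findings = []
    if not doc.get("title") or not doc.get("description"):
        findings.append("title and description are required")
    if "category" in doc and doc["category"] not in OPSCENTER_CATEGORIES:
        findings.append(f"category {doc['category']!r} is not an OpsCenter category")
    if "severity" in doc and doc["severity"] not in OPSCENTER_SEVERITIES:
        findings.append("severity must be the string '1', '2', '3' or '4'")

    for key, entry in (doc.get("operationalData") or {}).items():
        if not isinstance(entry, dict) or "value" not in entry:
            findings.append(f"operationalData[{key!r}] needs a 'value' field")
            continue
        if not isinstance(entry["value"], str):
            findings.append(f"operationalData[{key!r}].value must be a string")
            continue
        if key == "/aws/dedup":
            # OpsCenter reads the dedup string out of a JSON document stored
            # as a string, so the string must parse on its own.
            try:
                dedup = json.loads(entry["value"])
            except json.JSONDecodeError:
                findings.append("/aws/dedup value must be a JSON string")
                continue
            if not isinstance(dedup, dict) or not dedup.get("dedupString"):
                findings.append("/aws/dedup value must contain a non-empty dedupString")
    return findings


# Constructed from the output pasted in the post (abridged). The quotes
# inside the /aws/dedup value are not escaped, exactly as pasted.
PASTED_OUTPUT = r'''{
  "awsAccountId": "123456789012",
  "resourceId": "fs-01f0d526165b57f95",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{"dedupString":"ConfigurationItemChangeNotification"}"
    }
  }
}'''

# The same payload with the inner quotes escaped, which is what the input
# template in the post spelled out.
ESCAPED_OUTPUT = PASTED_OUTPUT.replace(
    '"{"dedupString":"ConfigurationItemChangeNotification"}"',
    '"{\\"dedupString\\":\\"ConfigurationItemChangeNotification\\"}"')

if __name__ == "__main__":
    print("as pasted:", validate_opsitem_payload(PASTED_OUTPUT))
    print("escaped:  ", validate_opsitem_payload(ESCAPED_OUTPUT))
```

Paste the console's rendered output into `validate_opsitem_payload` whenever a transformer changes; the as-pasted text fails at the JSON parse, the escaped variant passes every check.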

Control Tower - Disable Compliance Change Notifications

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to the `aws-controltower-AggregateSecurityNotifications` SNS topics. We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html

We are interested especially in Control Tower drift notifications. Unfortunately AWS Config compliance change notifications are too noisy: they notify on all compliance, non-compliance, and not-applicable events. The noise is caused by rule `AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES`, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and NOT_APPLICABLE when the node is shut down.

We are interested only in non-compliant notifications. Is it possible to change the behaviour? Or alternatively, is it possible to disable sending AWS Config compliance change notifications to the `aws-controltower-AggregateSecurityNotifications` topic at all, so only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by stackset `AWSControlTowerBP-BASELINE-CLOUDWATCH` from the management account to all accounts, and there is a possibility to disable these notifications via the parameter `EnableConfigRuleChangeNotification`. Since the stackset is managed by Control Tower I am not sure if we can change these settings. Could you please guide us on the recommended approach?

thanks Martin

1 answer · 0 votes · 14 views · asked a month ago
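Whatever the answer on editing the Control Tower stackset, the filtering can be done on your side of the topic without touching anything Control Tower manages. The example below is added here and is not from the re:Post thread: a small SNS-triggered Lambda that forwards a Config compliance change only when the new result is NON_COMPLIANT and passes everything else on the topic, drift notifications included, through untouched. It assumes the message body is the EventBridge "Config Rules Compliance Change" event (the shape an EventBridge rule delivers to an SNS target) and also accepts the `ComplianceChangeNotification` shape Config itself publishes to SNS; the sample messages are constructed, and the Slack webhook call is left out so the code runs offline.

```python
"""Added example: drop COMPLIANT / NOT_APPLICABLE compliance changes between
the Control Tower aggregate topic and Slack, keep everything else. Not from
the re:Post thread; message shapes and samples are assumed/constructed."""
import json


def _new_compliance_type(event: dict):
    """newEvaluationResult.complianceType from either message shape, or None
    when the message is not a Config compliance change at all."""
    if (event.get("source") == "aws.config"
            and event.get("detail-type") == "Config Rules Compliance Change"):
        detail = event.get("detail") or {}
        return (detail.get("newEvaluationResult") or {}).get("complianceType")
    if event.get("messageType") == "ComplianceChangeNotification":
        return (event.get("newEvaluationResult") or {}).get("complianceType")
    return None


def should_forward(message: str) -> bool:
    """Only compliance changes are filtered; anything unrecognised is
    forwarded rather than dropped silently, so drift alerts cannot be lost."""
    try:
        event = json.loads(message)
    except (json.JSONDecodeError, TypeError):
        return True
    if not isinstance(event, dict):
        return True
    compliance = _new_compliance_type(event)
    if compliance is None:
        return True
    return compliance == "NON_COMPLIANT"


def lambda_handler(event, context=None) -> list:
    """SNS-triggered handler: returns the messages that should go on to Slack."""
    forwarded = []
    for record in event.get("Records", []):
        message = record.get("Sns", {}).get("Message", "")
        if should_forward(message):
            forwarded.append(message)
    return forwarded


def _compliance_event(new_type: str, old_type: str) -> str:
    """Constructed EventBridge event for the rule named in the post."""
    return json.dumps({
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": "AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES",
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "newEvaluationResult": {"complianceType": new_type},
            "oldEvaluationResult": {"complianceType": old_type},
        },
    })


# Constructed SNS invocation: the three transitions the post complains about
# plus a stand-in for a non-Config message on the same topic.
SAMPLE_SNS_EVENT = {"Records": [
    {"Sns": {"Message": _compliance_event("COMPLIANT", "NOT_APPLICABLE")}},
    {"Sns": {"Message": _compliance_event("NOT_APPLICABLE", "COMPLIANT")}},
    {"Sns": {"Message": _compliance_event("NON_COMPLIANT", "COMPLIANT")}},
    {"Sns": {"Message": json.dumps(
        {"note": "constructed stand-in for a Control Tower drift notification"})}},
]}

if __name__ == "__main__":
    for message in lambda_handler(SAMPLE_SNS_EVENT):
        print(message)
```

Subscribe the function to the aggregate topic in place of the direct Slack subscription; of the four sample messages only the NON_COMPLIANT change and the non-Config message come out.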

AWS Config PutConformancePack -- 500 InternalFailure error, null error message

I have been working with AWS Config for conformance pack compliance, and as of today it is no longer allowing me to deploy a conformance pack via an S3 template upload. The error occurs only when deploying via an S3 template; using a sample pack is fine. I have been using the same S3 bucket and IAM user for some time to perform these tasks and have not changed anything regarding permissions. Config has read access to the bucket, the bucket policy I am using is the one noted in the docs for allowing Config access, I am deploying in the same region as the bucket (us-east-1), and the IAM user account I am using in the code has the relevant permissions outlined in the docs. I have even tried making the bucket completely public but still no dice. The failure is happening both via the AWS Java SDK v2 and in the portal.

Error message:

```
null (Service: AmazonConfig; Status Code: 500; Error Code: InternalFailure; Request ID: d116e7a3-c268-423c-a28a-8f2802e92125; Proxy: null)
```

Java error:

```
null (Service: Config, Status Code: 500, Request ID: e7174ac8-cfae-49b4-a64c-08667f2db10b, Extended Request ID: null)
software.amazon.awssdk.services.config.model.ConfigException: null (Service: Config, Status Code: 500, Request ID: e7174ac8-cfae-49b4-a64c-08667f2db10b, Extended Request ID: null)
```

Dev console message:

```
{"payload":null,"message":"null (Service: AmazonConfig; Status Code: 500; Error Code: InternalFailure; Request ID: d116e7a3-c268-423c-a28a-8f2802e92125; Proxy: null)","errorCode":"InternalFailure","statusCode":"STARLING_FAILED"}
```

The lack of description is not giving me much to go off of. This error is not listed in the AWS docs for PutConformancePack anywhere beyond this section in the "common issues" for Config:

**InternalFailure: The request processing has failed because of an unknown error, exception or failure. HTTP Status Code: 500**

There is a CloudTrail configured and it is logging Config events, but no events are registering when uploading via S3 URI; the events only appear when deploying using Sample Templates. Has anyone seen this/have any ideas on how to debug it?

0 answers · 0 votes · 4 views · asked 4 months ago

S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail

We are receiving some events in CloudTrail every day that AWS Config cannot execute the HeadBucket call on its S3 bucket. See the CloudTrail event below. AWS Config has full access to that S3 bucket and events are logged fine. How can we avoid this event in CloudTrail? Or maybe this is a bug in AWS?

```json
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "config.amazonaws.com"
  },
  "eventTime": "2019-06-28T07:04:33Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "HeadBucket",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "config.amazonaws.com",
  "userAgent": "config.amazonaws.com",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "bucketName": "o-op-c3s-config-XXXXXXX",
    "Host": "o-op-c3s-config-XXXXXXX.s3.eu-central-1.amazonaws.com"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-SHA",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "XXXXXXXX",
    "bytesTransferredOut": 243
  },
  "requestID": "7F64F2B43ECBAF50",
  "eventID": "d73d8811-7ef7-49fd-8ee7-fc132478ed2e",
  "readOnly": true,
  "resources": [
    { "type": "AWS::S3::Object", "ARNPrefix": "arn:aws:s3:::o-op-c3s-config-XXXXXXX/" },
    { "accountId": "XXXXXXX", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::o-op-c3s-config-XXXXX" }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "XXXXXXX",
  "sharedEventID": "24fbb551-99e9-41f7-96ef-f1ca01769e9f",
  "vpcEndpointId": "vpce-XXXXXX"
}
```

4 answers · 0 votes · 42 views · asked 3 years ago
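Two things in the pasted record are worth checking mechanically. HeadBucket is authorised by `s3:ListBucket` on the bucket ARN, which is what the `AWSConfigBucketExistenceCheck` statement in the bucket policy AWS documents for Config delivery grants; "full access" that only covers `PutObject` and `GetBucketAcl` still fails this call. And the record carries a `vpcEndpointId`, so a restrictive VPC endpoint policy on that endpoint would surface as the same AccessDenied even with a correct bucket policy. The example below is added here and is not from the re:Post thread: it triages CloudTrail records for exactly this event and checks a bucket policy for the ListBucket grant to the Config principal. The record (abridged from the post) and the two policies are constructed; the first policy is modelled on the documented Config delivery policy with its Condition blocks omitted.

```python
"""Added example: find Config's HeadBucket AccessDenied events in CloudTrail
and check the bucket policy for the s3:ListBucket grant HeadBucket needs.
Not from the re:Post thread; samples are constructed."""

CONFIG_PRINCIPAL = "config.amazonaws.com"


def _as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def config_head_bucket_denials(records: list) -> list:
    """Pick out AccessDenied HeadBucket calls made by the Config service."""
    hits = []
    for rec in records:
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and rec.get("eventName") == "HeadBucket"
                and rec.get("errorCode") == "AccessDenied"
                and rec.get("userIdentity", {}).get("invokedBy") == CONFIG_PRINCIPAL):
            hits.append({
                "eventTime": rec.get("eventTime"),
                "bucket": rec.get("requestParameters", {}).get("bucketName"),
                # a VPC endpoint in the path means its policy can deny too
                "vpcEndpointId": rec.get("vpcEndpointId"),
            })
    return hits


def policy_grants_config_list_bucket(policy: dict, bucket: str) -> bool:
    """True if some Allow statement gives s3:ListBucket (or a wildcard that
    covers it) on the bucket ARN to the Config service principal. Condition
    blocks are ignored, so a True result still needs a look at them."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and CONFIG_PRINCIPAL not in services:
            continue
        actions = set(_as_list(stmt.get("Action")))
        if not actions & {"s3:ListBucket", "s3:*", "*"}:
            continue
        resources = _as_list(stmt.get("Resource"))
        if bucket_arn in resources or "*" in resources:
            return True
    return False


# Constructed, abridged from the record in the post.
SAMPLE_RECORD = {
    "eventVersion": "1.05",
    "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"},
    "eventTime": "2019-06-28T07:04:33Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "HeadBucket",
    "awsRegion": "eu-central-1",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {"bucketName": "o-op-c3s-config-XXXXXXX"},
    "vpcEndpointId": "vpce-XXXXXX",
}

# Constructed: modelled on the documented Config delivery bucket policy
# (Condition blocks omitted), then the same policy minus the ListBucket grant.
BUCKET_ARN = "arn:aws:s3:::o-op-c3s-config-XXXXXXX"
DOCUMENTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/AWSLogs/*"},
    ],
}
POLICY_WITHOUT_LIST = {
    "Version": "2012-10-17",
    "Statement": [s for s in DOCUMENTED_POLICY["Statement"]
                  if s["Sid"] != "AWSConfigBucketExistenceCheck"],
}

if __name__ == "__main__":
    for hit in config_head_bucket_denials([SAMPLE_RECORD]):
        print(hit)
    print(policy_grants_config_list_bucket(DOCUMENTED_POLICY, "o-op-c3s-config-XXXXXXX"))
    print(policy_grants_config_list_bucket(POLICY_WITHOUT_LIST, "o-op-c3s-config-XXXXXXX"))
```

Feed `config_head_bucket_denials` the `Records` array from the CloudTrail log files and `policy_grants_config_list_bucket` the output of `aws s3api get-bucket-policy`; if the policy check passes and the denials persist, the `vpcEndpointId` in each hit is the next policy to read.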