Unanswered Questions tagged with AWS Config


AWS Config Guard Rule Evaluation

Hello folks, I am having a hard time understanding how AWS Guard rules that fail and pass are evaluated when used with Config. I wanted to replicate an existing rule that detects public S3 buckets: https://github.com/aws-cloudformation/cloudformation-guard/blob/901d40a6f01553d14adf9ab398c7eec55c2b5a36/guard/resources/rules-dir/s3_bucket_public_read_prohibited.guard

I realized that this rule applies to a CloudFormation template. I wanted to apply it to a Config recorded object, so I adapted the rule to:

```
rule isPublicAccessBlockConfigurationBlockSecure when isPublicAccessBlockConfigurationBlockPresent {
    supplementaryConfiguration.PublicAccessBlockConfiguration exists
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true
}
```

When testing this locally (cfn-guard) I got a fail on an open bucket with an explanation along the lines of:

```
Property traversed until [/supplementaryConfiguration] in data [PublicBucketAccess-test-fail.json] is not compliant with [PublicBucketAccess.guard/absentPublicAccessBlockConfigurationBlock] due to retrieval error.
```

I was under the assumption that if there is a retrieval error, Config marks the resource as non-compliant, but it either provides no results or marks it as compliant and does not give any error. However, when I changed to:

```
rule isBucketToBeSecured when resourceType == "AWS::S3::Bucket" {
    ...some checks...
}

rule isPublicAccessBlockConfigurationBlockPresent when isBucketToBeSecured {
    supplementaryConfiguration.PublicAccessBlockConfiguration exists
}

rule isPublicAccessBlockConfigurationBlockSecure when isPublicAccessBlockConfigurationBlockPresent {
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true
}
```

it now works. Does anyone know why Config has such a strange evaluation mechanism, where a failure to retrieve a key gives no compliance results or marks the resource as good to go? Also, is there a cleaner way to test for the existence of a key before trying to access subkeys without causing a failure? When I used:

```
rule taggedBucketIsSecure2 when resourceType == "AWS::S3::Bucket" {
    let publicAccessBlockConfiguration = supplementaryConfiguration.PublicAccessBlockConfiguration
    when %publicAccessBlockConfiguration exists {
        supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
        supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
        supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
        supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true
    }
}
```

I got:

```
Rule [PublicBucketAccess.guard/taggedBucketIsSecure2] is not applicable for template [PublicBucketAccess-test-fail.json]
```

I assume the problem is that since `when` does not evaluate to true, it skips the evaluation, and instead of marking the resource as non-compliant it either fails or marks it as compliant. Thanks in advance.
0
answers
0
votes
27
views
asked 3 months ago
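The question above turns on what a rule should do when `supplementaryConfiguration.PublicAccessBlockConfiguration` is simply missing from the configuration item. As an added illustration (this is not the poster's Guard rule and not cfn-guard code), here is the same four-flag check written as the evaluation logic of a custom Config rule in Python, where the missing-key case is an explicit policy decision rather than a side effect of a retrieval error or a skipped `when` clause. The sample configuration items, the bucket names and the `absent_is_noncompliant` switch are constructed for the example; the handler shape follows the invokingEvent/configurationItem layout that configuration-change-triggered custom rules receive, and `put_evaluations` is left to the caller so the module runs offline.

```python
"""Evaluate an S3 bucket configuration item for the four public access
block flags, with the absent-key case decided explicitly.
Added example; sample items below are constructed, not Config output."""
import json

REQUIRED_FLAGS = ("blockPublicAcls", "blockPublicPolicy",
                  "ignorePublicAcls", "restrictPublicBuckets")


def public_access_block(ci):
    """Return the PublicAccessBlockConfiguration dict, or None if absent.
    Config may deliver supplementaryConfiguration values as JSON strings,
    so both a dict and a string are accepted (assumption: only those two)."""
    supp = ci.get("supplementaryConfiguration") or {}
    block = supp.get("PublicAccessBlockConfiguration")
    if isinstance(block, str):
        block = json.loads(block)
    return block


def evaluate_bucket(ci, absent_is_noncompliant=True):
    """Return (complianceType, annotation) for one configuration item.
    The equivalent of the Guard `exists` clause is the explicit None check;
    what a missing block *means* is the caller's policy, not a default."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "not an S3 bucket"
    block = public_access_block(ci)
    if block is None:
        if absent_is_noncompliant:
            return "NON_COMPLIANT", "no PublicAccessBlockConfiguration on bucket"
        return "NOT_APPLICABLE", "no PublicAccessBlockConfiguration on bucket"
    failed = [flag for flag in REQUIRED_FLAGS if block.get(flag) is not True]
    if failed:
        return "NON_COMPLIANT", "flags not true: " + ", ".join(failed)
    return "COMPLIANT", "all public access block flags are true"


def lambda_handler(event, context):
    """Custom Config rule handler shape: decode the configuration item
    from invokingEvent and return one evaluation record.  Sending it with
    config.put_evaluations(...) is left to the caller (kept offline here)."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def sample_event(ci):
    """Wrap a configuration item the way Config wraps it for the handler."""
    return {"invokingEvent": json.dumps({"configurationItem": ci})}


# Constructed sample configuration items (names and timestamps invented).
SECURE_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "secure-logs-bucket",
    "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
        "blockPublicAcls": True, "blockPublicPolicy": True,
        "ignorePublicAcls": True, "restrictPublicBuckets": True}},
}
OPEN_BUCKET = {  # block delivered as a JSON string, one flag false
    "resourceType": "AWS::S3::Bucket", "resourceId": "open-website-bucket",
    "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"PublicAccessBlockConfiguration": json.dumps({
        "blockPublicAcls": False, "blockPublicPolicy": True,
        "ignorePublicAcls": True, "restrictPublicBuckets": True})},
}
NO_BLOCK_BUCKET = {  # the case the post is about: key absent entirely
    "resourceType": "AWS::S3::Bucket", "resourceId": "legacy-bucket",
    "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {},
}

if __name__ == "__main__":
    for ci in (SECURE_BUCKET, OPEN_BUCKET, NO_BLOCK_BUCKET):
        print(ci["resourceId"], evaluate_bucket(ci))
    print(lambda_handler(sample_event(NO_BLOCK_BUCKET), None))
```

Whichever way the Guard rule is finally structured, it is worth deciding up front which of the three outcomes (`NON_COMPLIANT`, `NOT_APPLICABLE`, or a hard rule failure) a bucket with no public access block should produce, and then testing all three sample shapes above against it; the silent "not applicable" result in the post is exactly the outcome a public bucket should never be allowed to land in.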

AWS Control Tower 3.0 creates two Config Aggregators - why?

I created a new organization using AWS Control Tower (version 3.0). It seems that it has created two aggregators:

* An accounts aggregator under the audit account, named `aws-controltower-GuardrailsComplianceAggregator`. This aggregator is defined to collect from specific accounts (all member accounts, excluding the management account) and from all regions. However, at least in my case, the authorizations given from these accounts to the aggregation seem messed up: each account was only set up to authorize aggregation from 5 regions, and the aggregator indeed identifies the aggregation from some accounts and regions as failed as a result. FYI, I created my Control Tower landing zone in a single region; not sure why this setup happened.
* An organization aggregator in the management account, named `aws-controltower-ConfigAggregatorForOrganizations`. This organization aggregator automatically collects from all accounts and regions in the organization, and it is working well.

Any idea why both aggregators were defined? I know that until a recent version of the landing zone there was no support for organization aggregators. But now that it has been added, why keep the account-specific aggregator in the audit account (which seems to be misconfigured anyway)? On the flip side, given that the best practice is to use the audit account for, well, auditing, why is the organization aggregator defined in the management account and not the audit account? Doesn't that mean that to enjoy its aggregation I need to log in to the management account? Thanks,
0
answers
0
votes
56
views
Spock
asked 3 months ago

Config Advanced Query Editor - Return ConfigRuleName

I am using the AWS Config Service across multiple accounts within my Organization. My goal is to write a query which will give me a full list of non-compliant resources in all regions, in all accounts. I have an Aggregator which has the visibility for this task. The Advanced Query I am using is similar to the AWS [example in the docs](https://docs.aws.amazon.com/config/latest/developerguide/example-query.html):

```
SELECT
  configuration.targetResourceId,
  configuration.targetResourceType,
  configuration.complianceType,
  configuration.configRuleList,
  accountId,
  awsRegion
WHERE
  configuration.configRuleList.complianceType = 'NON_COMPLIANT'
```

However, the ConfigRuleName is nested within `configuration.configRuleList` (as there could be multiple Config rules, hence the list, assigned to `configuration.targetResourceId`). How can I write a query that picks apart the JSON list returned this way? The results returned do not export well to CSV, for example; exporting a JSON object within a CSV is unsuitable if we wanted to import this into a spreadsheet for viewing. I have tried to use `configuration.configRuleList.configRuleName` and this only returns `-`, even when the list has a single object within. If there is a better way to create a centralised place to view all my Org's non-compliant resources, I would like to learn about it. Thanks in advance.
0
answers
0
votes
43
views
asked 7 months ago
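The advanced query returns `configuration.configRuleList` as a nested JSON list per resource, which is why it flattens badly into CSV. As an added example (not the poster's code and not an AWS sample), here is a small Python post-processor that takes the raw rows the aggregator query returns and emits one CSV row per (account, region, resource, rule) pair, keeping only the rules that are individually `NON_COMPLIANT`. The field names follow the query in the post and the AWS example it links to; the sample result rows, account IDs, resource IDs and rule names are constructed, and the aggregator name passed to `fetch_all` is a placeholder.

```python
"""Flatten AWS Config advanced-query results (nested configRuleList) into
one CSV row per non-compliant (resource, rule) pair.
Added example; SAMPLE_RESULTS are constructed, not real aggregator output."""
import csv
import io
import json

# Same query as in the post.
QUERY = """SELECT configuration.targetResourceId, configuration.targetResourceType,
       configuration.complianceType, configuration.configRuleList, accountId, awsRegion
WHERE configuration.configRuleList.complianceType = 'NON_COMPLIANT'"""

# select_aggregate_resource_config returns each result row as a JSON string.
SAMPLE_RESULTS = [
    json.dumps({
        "accountId": "111111111111", "awsRegion": "us-east-1",
        "configuration": {
            "targetResourceId": "my-open-bucket",
            "targetResourceType": "AWS::S3::Bucket",
            "complianceType": "NON_COMPLIANT",
            "configRuleList": [
                {"configRuleName": "s3-bucket-public-read-prohibited",
                 "configRuleArn": "arn:aws:config:us-east-1:111111111111:config-rule/config-rule-aaaa",
                 "complianceType": "NON_COMPLIANT"},
                {"configRuleName": "s3-bucket-ssl-requests-only",
                 "configRuleArn": "arn:aws:config:us-east-1:111111111111:config-rule/config-rule-bbbb",
                 "complianceType": "COMPLIANT"},
            ],
        },
    }),
    json.dumps({
        "accountId": "222222222222", "awsRegion": "eu-west-1",
        "configuration": {
            "targetResourceId": "sg-0123456789abcdef0",
            "targetResourceType": "AWS::EC2::SecurityGroup",
            "complianceType": "NON_COMPLIANT",
            "configRuleList": [
                {"configRuleName": "restricted-ssh",
                 "configRuleArn": "arn:aws:config:eu-west-1:222222222222:config-rule/config-rule-cccc",
                 "complianceType": "NON_COMPLIANT"},
            ],
        },
    }),
]

FIELDS = ["accountId", "awsRegion", "resourceType", "resourceId",
          "configRuleName", "complianceType"]


def flatten_noncompliant(result_rows):
    """One dict per NON_COMPLIANT rule per resource.  The row-level
    complianceType can be NON_COMPLIANT while some rules in the list are
    COMPLIANT, so filter on each list entry, not on the row."""
    flat = []
    for raw in result_rows:
        row = json.loads(raw)
        conf = row["configuration"]
        for rule in conf.get("configRuleList", []):
            if rule.get("complianceType") != "NON_COMPLIANT":
                continue
            flat.append({
                "accountId": row["accountId"],
                "awsRegion": row["awsRegion"],
                "resourceType": conf["targetResourceType"],
                "resourceId": conf["targetResourceId"],
                "configRuleName": rule["configRuleName"],
                "complianceType": rule["complianceType"],
            })
    return flat


def to_csv(flat_rows):
    """Render the flattened rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(flat_rows)
    return buf.getvalue()


def fetch_all(aggregator_name, query=QUERY):
    """Page through the aggregator with boto3 (imported lazily so the
    offline part of this module loads without it).  Returns the raw JSON
    strings that flatten_noncompliant() expects."""
    import boto3
    client = boto3.client("config")
    rows, token = [], None
    while True:
        kwargs = {"Expression": query, "ConfigurationAggregatorName": aggregator_name}
        if token:
            kwargs["NextToken"] = token
        resp = client.select_aggregate_resource_config(**kwargs)
        rows.extend(resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


if __name__ == "__main__":
    print(to_csv(flatten_noncompliant(SAMPLE_RESULTS)))
```

For a live run, replace `SAMPLE_RESULTS` with `fetch_all("my-org-aggregator")` (placeholder name) and redirect the output to a file; the per-rule rows then sort and filter cleanly in a spreadsheet, which the nested list never will.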

Unable to create new OpsItems from EventBridge when using Input Transformer for deduplication and adding category and severity values

I'm able to generate a new OpsItem for any EC2, SecurityGroup, or VPC configuration change using an EventBridge rule with the following event pattern:

```
{
  "source": ["aws.config"],
  "detail-type": ["Config Configuration Item Change"],
  "detail": {
    "messageType": ["ConfigurationItemChangeNotification"],
    "configurationItem": {
      "resourceType": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC"]
    }
  }
}
```

The rule and target work great when using Matched event for the Input, but I noticed that launching one EC2 instance using the AWS wizard creates at least three OpsItems, one for each resourceType. Therefore I'd like to implement a deduplication string to cut down the number of OpsItems generated to one if possible, and I'd also like to attach a category and severity to the new OpsItem. I'm trying to use an Input Transformer as recommended by the AWS documentation, but even the simplest of Input Transformers, when applied, prevent any new OpsItems from being generated. When I've tested, I've also ensured that all previous OpsItems were resolved. Can anyone tell me what might be blocking the creation of any new OpsItems when using this Input Transformer configuration? Here's what I have configured now.

Input path:

```
{
  "awsAccountId": "$.detail.configurationItem.awsAccountId",
  "awsRegion": "$.detail.configurationItem.awsRegion",
  "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime",
  "detail-type": "$.detail-type",
  "messageType": "$.detail.messageType",
  "notificationCreationTime": "$.detail.notificationCreationTime",
  "region": "$.region",
  "resourceId": "$.detail.configurationItem.resourceId",
  "resourceType": "$.detail.configurationItem.resourceType",
  "resources": "$.resources",
  "source": "$.source",
  "time": "$.time"
}
```

Input template:

```
{
  "awsAccountId": "<awsAccountId>",
  "awsRegion": "<awsRegion>",
  "configurationItemCaptureTime": "<configurationItemCaptureTime>",
  "resourceId": "<resourceId>",
  "resourceType": "<resourceType>",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "<detail-type>",
  "source": "<source>",
  "time": "<time>",
  "region": "<region>",
  "resources": "<resources>",
  "messageType": "<messageType>",
  "notificationCreationTime": "<notificationCreationTime>",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{\"dedupString\":\"ConfigurationItemChangeNotification\"}"
    }
  }
}
```

Output when using the AWS supplied sample event called "Config Configuration Item Change":

```
{
  "awsAccountId": "123456789012",
  "awsRegion": "us-east-1",
  "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z",
  "resourceId": "fs-01f0d526165b57f95",
  "resourceType": "AWS::EFS::FileSystem",
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "description": "Configuration Drift Detected.",
  "category": "Security",
  "severity": "3",
  "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup",
  "detail-type": "Config Configuration Item Change",
  "source": "aws.config",
  "time": "2022-03-16T01:10:51Z",
  "region": "us-east-1",
  "resources": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
  "messageType": "ConfigurationItemChangeNotification",
  "notificationCreationTime": "2022-03-16T01:10:51.976Z",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{"dedupString":"ConfigurationItemChangeNotification"}"
    }
  }
}
```
0
answers
0
votes
23
views
asked 7 months ago
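One check worth running on any input transformer before looking at permissions or target settings: does the rendered payload parse as JSON at all? In the rendered output shown in the post, the `/aws/dedup` value comes out as `"{"dedupString":"..."}"`, with the inner quotes no longer escaped, which is not valid JSON. As an added example (not the poster's configuration and not AWS code), the Python below reproduces that fragment as a constructed string, reports the parse error, and builds the same OpsItem-shaped document with `json.dumps` doing the escaping so the dedup value survives a round trip. The field values are placeholders taken from the template in the post; nothing here talks to EventBridge or SSM.

```python
"""Validate a rendered EventBridge input-transformer payload as JSON and
build an OpsItem /aws/dedup value with library escaping.
Added example; RENDERED_AS_IN_POST is constructed from the post's output."""
import json

# Reduced to the operationalData part of the rendered output in the post:
# the inner quotes of the dedup value are unescaped.
RENDERED_AS_IN_POST = '''{
  "title": "Template under ConfigDrift-EC2-Dedup4",
  "category": "Security",
  "severity": "3",
  "operationalData": {
    "/aws/dedup": {
      "type": "SearchableString",
      "value": "{"dedupString":"ConfigurationItemChangeNotification"}"
    }
  }
}'''


def json_error(text):
    """Return None when text parses as JSON, otherwise a short description
    of the first parse error with its line and column."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at line {exc.lineno} column {exc.colno}"


def dedup_value(dedup_string):
    """The /aws/dedup value is itself a JSON document carried as a string;
    serialising it with json.dumps yields the escaping, so no backslashes
    are written by hand."""
    return json.dumps({"dedupString": dedup_string})


def build_opsitem_payload(dedup_string, title="Template under ConfigDrift-EC2-Dedup4",
                          category="Security", severity="3"):
    """Build the OpsItem-shaped document with the library escaping the
    nested value.  Field names mirror the template in the post; the
    defaults are placeholders."""
    doc = {
        "title": title,
        "description": "Configuration Drift Detected.",
        "category": category,
        "severity": severity,
        "operationalData": {
            "/aws/dedup": {
                "type": "SearchableString",
                "value": dedup_value(dedup_string),
            }
        },
    }
    return json.dumps(doc, indent=2)


def parsed_dedup_string(payload):
    """Round trip: the outer document must parse, and the dedup value must
    itself parse as JSON carrying dedupString."""
    outer = json.loads(payload)
    inner = json.loads(outer["operationalData"]["/aws/dedup"]["value"])
    return inner["dedupString"]


if __name__ == "__main__":
    print("post output:", json_error(RENDERED_AS_IN_POST))
    good = build_opsitem_payload("ConfigurationItemChangeNotification")
    print("rebuilt:", json_error(good), parsed_dedup_string(good))
```

Paste the console's rendered test output into `json_error` whenever a transformer "does nothing"; if it reports an error on the `operationalData` line, the escaping of the dedup value is the first thing to fix, since a target cannot create an OpsItem from a body it cannot parse.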