Many buckets created by AWSConfig StackSet (required for SecurityHub)

0

Hi,

I'm enabling SecurityHub on my accounts and am thus asked to enable AWS Config on all accounts in all regions. I found the AWSConfig StackSet that does this automatically. Great automation, but is it expected that I get buckets for all regions in my accounts? That's around 20 buckets already, and the regular S3 quota in an account is 100. One account runs into bucket limits now. It seems odd that Config logs occupy 20% of the S3 quota...

I do have a Config Aggregator enabled in the security-tooling account, but that doesn't seem to help.

Can anyone confirm this is expected, or advise a best practice to do it another way?

Thanks!

  • I do have a separate log-archive account, too. Best to have the logs there, even, I think, if possible. Yet even then, with around 20 buckets per account, it can only host 5 accounts until the limit of 100 is reached (?). There must be a better way.

1 answer
0
Accepted answer

Hi,

Thanks for reaching out to us. I understand that you're concerned about having to enable an S3 bucket per region, to meet the compliance requirement for CIS AWS Foundations Benchmark controls 2.5 – Ensure AWS Config is enabled for an AWS account.

You are able to use one S3 bucket for all regions per account to meet the compliance requirement. You do not need to use individual buckets per region. The audit steps performed by the Security Hub service to evaluate compliance are outlined in the document below, and step 6 (on page 72) for remediation mentions the following:

"Specify an S3 bucket in the same account or in another managed AWS account"

  • https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Therefore, you may incorporate this solution into your implementation.

I hope this clears your concerns. Let us know if you have any further questions that we can answer!

AWS
Support Engineer
Answered 2 years ago
  • Thank you. That clears my concerns. It's just the StackSet example which automates this for all regions that creates all the different buckets then, but I can (manually, or by changing the stackset settings perhaps) consolidate it into a single bucket per account, that's good to know. Thanks!

  • Hi, can I follow up on your answer? This works well for AWS Config and AWS CloudTrail, which can record their logs/trails in one bucket (and subfolders for regions). However, when I enable server access logging for S3 and VPC Flow Logging (both security requirements), I cannot specify a bucket in a different region in the S3 Permissions tab. This means I have to have server access logging buckets for each region in my account, plus VPC flow logging buckets for each region? Can I consolidate this into fewer buckets? Thanks!
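As an added illustration of the accepted answer (example code written for this page, not from AWS or the StackSet template), the following Python builds the S3 bucket policy AWS Config needs on one central bucket that several accounts deliver into, and points the delivery channel of every region at that same bucket using boto3. Bucket name, account IDs, regions and the recorder role ARN are constructed placeholders.

```python
import json

CONFIG_SERVICE = "config.amazonaws.com"


def config_bucket_policy(bucket: str, account_ids: list[str]) -> dict:
    """Bucket policy letting AWS Config (all regions) of each listed source
    account deliver into one central bucket. Shape follows the documented
    Config delivery-channel policy; AWS:SourceAccount limits who may write."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    src = {"AWS:SourceAccount": account_ids}

    def stmt(sid, action, resource, extra=None):
        cond = {"StringEquals": {**src, **(extra or {})}}
        return {"Sid": sid, "Effect": "Allow",
                "Principal": {"Service": CONFIG_SERVICE},
                "Action": action, "Resource": resource, "Condition": cond}

    return {"Version": "2012-10-17", "Statement": [
        stmt("AWSConfigBucketPermissionsCheck", "s3:GetBucketAcl", bucket_arn),
        stmt("AWSConfigBucketExistenceCheck", "s3:ListBucket", bucket_arn),
        # Config writes under AWSLogs/<account>/Config/<region>/..., so one
        # bucket already keeps accounts and regions apart by key prefix.
        stmt("AWSConfigBucketDelivery", "s3:PutObject",
             [f"{bucket_arn}/AWSLogs/{a}/Config/*" for a in account_ids],
             {"s3:x-amz-acl": "bucket-owner-full-control"}),
    ]}


def delivery_channel(bucket: str) -> dict:
    """Delivery channel parameters; identical in every region."""
    return {"name": "default", "s3BucketName": bucket,
            "configSnapshotDeliveryProperties":
                {"deliveryFrequency": "TwentyFour_Hours"}}


def enable_config_all_regions(session, regions, bucket, role_arn):
    """Create recorder + delivery channel per region, all into one bucket."""
    for region in regions:
        cfg = session.client("config", region_name=region)
        cfg.put_configuration_recorder(ConfigurationRecorder={
            "name": "default", "roleARN": role_arn,
            "recordingGroup": {"allSupported": True,
                               # record global resources (e.g. IAM) once only
                               "includeGlobalResourceTypes": region == regions[0]}})
        cfg.put_delivery_channel(DeliveryChannel=delivery_channel(bucket))
        cfg.start_configuration_recorder(ConfigurationRecorderName="default")


if __name__ == "__main__":
    # constructed placeholders; replace with your log-archive bucket/accounts
    print(json.dumps(config_bucket_policy("central-config-logs",
                                          ["111111111111", "222222222222"]), indent=2))
```

Apply the printed policy to the central bucket (e.g. in the log-archive account) before running enable_config_all_regions with a boto3.Session for each member account, since the recorder must exist before the delivery channel can be put.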
