turbot/steampipe-mod-aws-compliance

Control: 3.3 Ensure AWS Config is enabled in all regions

Description

CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.

Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Remediation

To implement AWS Config configuration:

From Console:

  1. Select the region you want to focus on in the top right of the console
  2. Click Services
  3. Click Config
  4. If a Config recorder is enabled in this region, you should navigate to the Settings page from the navigation menu on the left hand side. If a Config recorder is not yet enabled in this region then you should select "Get Started".
  5. Select "Record all resources supported in this region"
  6. Choose to include global resources (IAM resources)
  7. Specify an S3 bucket in the same account or in another managed AWS account
  8. Create an SNS Topic from the same AWS account or another managed AWS account

From Command Line:

  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
  2. Run this command to create a new configuration recorder:

     aws configservice put-configuration-recorder \
       --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole \
       --recording-group allSupported=true,includeGlobalResourceTypes=true

  3. Create a delivery channel configuration file locally (deliveryChannel.json) which specifies the channel attributes, populated from the prerequisites set up previously:

     {
       "name": "default",
       "s3BucketName": "my-config-bucket",
       "snsTopicARN": "arn:aws:sns:us-east-1:012345678912:my-config-notice",
       "configSnapshotDeliveryProperties": {
         "deliveryFrequency": "Twelve_Hours"
       }
     }

  4. Run this command to create a new delivery channel, referencing the JSON configuration file made in the previous step:

     aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

  5. Start the configuration recorder by running the following command:

     aws configservice start-configuration-recorder --configuration-recorder-name default

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v300_3_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v300_3_3 --share

SQL

This control uses a named query:

-- pgFormatter-ignore
-- Get count for any region with all matching criteria
with global_recorders as (
  select
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    recording_group -> 'IncludeGlobalResourceTypes' = 'true'
    and recording_group -> 'AllSupported' = 'true'
    and status ->> 'Recording' = 'true'
    and status ->> 'LastStatus' = 'SUCCESS'
)
select
  'arn:aws::' || a.region || ':' || a.account_id as resource,
  case
    -- When any of the regions satisfies the above CTE
    -- In the left join of the <aws_config_configuration_recorder> table, regions
    -- matching the 'Recording' and 'LastStatus' criteria can be considered as OK
    when
      g.global_config_recorders >= 1
      and status ->> 'Recording' = 'true'
      and status ->> 'LastStatus' = 'SUCCESS'
    then 'ok'
    -- Skip any regions that are disabled in the account.
    when a.opt_in_status = 'not-opted-in' then 'skip'
    else 'alarm'
  end as status,
  -- The cases below cite the respective reason for each control state
  case
    when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'
    else
      case
        when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
        else a.region || ' IncludeGlobalResourceTypes disabled,'
      end ||
      case
        when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'
        else ' AllSupported disabled,'
      end ||
      case
        when status ->> 'Recording' = 'true' then ' Recording enabled'
        else ' Recording disabled'
      end ||
      case
        when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'
        else ' and LastStatus is not SUCCESS.'
      end
  end as reason,
  a.region,
  a.account_id
from
  global_recorders as g,
  aws_region as a
  left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;
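The query above encodes a small decision procedure: a region is `ok` only if at least one healthy recorder somewhere in the account captures all supported resource types including global ones, and the region's own recorder is recording with a last delivery status of SUCCESS; a region the account has not opted into is `skip`; everything else, including a region with no recorder at all, is `alarm`. The following is an added example written for this page, not code from the steampipe-mod-aws-compliance project: it reproduces that decision order in plain Python over constructed per-region data, so the logic can be read and unit-tested without a Steampipe database. The `fetch_region_states` helper is an assumption about how one would populate the same structure from the AWS APIs with boto3 (it needs credentials and is not exercised by the constructed sample); the evaluator itself does not need boto3.

```python
"""Pass/skip/alarm evaluation for 'AWS Config enabled in all regions',
mirroring the control's SQL over per-region recorder data (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class RegionState:
    """One row per region: opt-in status plus the region's Config recorder, if any."""
    region: str
    opt_in_status: str                  # ec2 describe-regions OptInStatus
    all_supported: bool | None = None   # recordingGroup.allSupported (None: no recorder)
    include_global: bool | None = None  # recordingGroup.includeGlobalResourceTypes
    recording: bool | None = None       # recorder status 'recording'
    last_status: str | None = None      # recorder status 'lastStatus' (Success/Failure/Pending)


def _last_status_ok(s: RegionState) -> bool:
    # Steampipe exposes this as upper-case 'SUCCESS'; the raw API uses 'Success'.
    return (s.last_status or "").upper() == "SUCCESS"


def is_healthy_global_recorder(s: RegionState) -> bool:
    """Mirror of the global_recorders CTE: all supported types, global types included,
    currently recording and last delivery successful."""
    return bool(s.all_supported and s.include_global and s.recording) and _last_status_ok(s)


def evaluate(states: list[RegionState]) -> list[dict]:
    """Return one {region, status, reason} per region, in the control's decision order."""
    global_recorders = sum(1 for s in states if is_healthy_global_recorder(s))
    results = []
    for s in states:
        recording_ok = bool(s.recording) and _last_status_ok(s)
        if global_recorders >= 1 and recording_ok:
            status = "ok"
        elif s.opt_in_status == "not-opted-in":
            status = "skip"
        else:
            status = "alarm"  # includes regions with no recorder at all (NULL joins in SQL)

        if s.opt_in_status == "not-opted-in":
            reason = f"{s.region} region is disabled."
        else:
            reason = (
                f"{s.region} IncludeGlobalResourceTypes {'enabled' if s.include_global else 'disabled'},"
                f" AllSupported {'enabled' if s.all_supported else 'disabled'},"
                f" Recording {'enabled' if s.recording else 'disabled'}"
                f" and LastStatus is {'SUCCESS.' if _last_status_ok(s) else 'not SUCCESS.'}"
            )
        results.append({"region": s.region, "status": status, "reason": reason})
    return results


def sample_states() -> list[RegionState]:
    """Constructed data for demonstration; not taken from any real account."""
    return [
        RegionState("us-east-1", "opt-in-not-required", True, True, True, "Success"),
        RegionState("eu-west-1", "opt-in-not-required", True, False, True, "Success"),
        RegionState("ap-south-1", "opt-in-not-required"),  # no recorder configured
        RegionState("ap-east-1", "not-opted-in"),          # region disabled in the account
        RegionState("us-west-2", "opt-in-not-required", True, True, False, "Failure"),
    ]


def fetch_region_states(session=None) -> list[RegionState]:
    """Assumed boto3 collection path (requires credentials; not run by the sample)."""
    import boto3  # imported lazily so the evaluator runs without boto3 installed

    session = session or boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    states = []
    for r in ec2.describe_regions(AllRegions=True)["Regions"]:
        name, opt = r["RegionName"], r["OptInStatus"]
        if opt == "not-opted-in":
            states.append(RegionState(name, opt))
            continue
        cfg = session.client("config", region_name=name)
        recs = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
        stats = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        if not recs:
            states.append(RegionState(name, opt))
            continue
        group = recs[0].get("recordingGroup", {})
        st = stats[0] if stats else {}
        states.append(RegionState(name, opt, group.get("allSupported"),
                                  group.get("includeGlobalResourceTypes"),
                                  st.get("recording"), st.get("lastStatus")))
    return states


if __name__ == "__main__":
    for row in evaluate(sample_states()):
        print(f"{row['status']:5}  {row['reason']}")
```

Note the same property the SQL has: because the `ok` branch is evaluated before the opt-in check and depends on an account-wide count, a single unhealthy global recorder flips every region to `alarm`, which is exactly what you want for a control whose point is full-account coverage.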

Tags