turbot/steampipe-mod-aws-compliance

Control: 1 AWS Config should be enabled

Description

AWS Config rule: None. To run this check, Security Hub performs the audit steps prescribed for it in Securing Amazon Web Services. No AWS Config managed rules are created in your AWS environment for this check.

This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources.

It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types.

The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources.

Remediation

To configure AWS Config settings

  1. Open the AWS Config console.
  2. Choose the Region to configure AWS Config in.
  3. If you have not used AWS Config before, choose Get started.
  4. On the Settings page, do the following:
    1. Under Resource types to record, choose Record all resources supported in this region and Include global resources (e.g., AWS IAM resources).
    2. Under Amazon S3 bucket, either specify the bucket to use or create a bucket and optionally include a prefix.
    3. Under Amazon SNS topic, either select an Amazon SNS topic from your account or create one. For more information about Amazon SNS, see the Amazon Simple Notification Service Getting Started Guide.
    4. Under AWS Config role, either choose Create AWS Config service-linked role or choose Choose a role from your account and then choose the role to use.
  5. Choose Next.
  6. On the AWS Config rules page, choose Skip.
  7. Choose Confirm.

For more information about using AWS Config from the AWS CLI, see the AWS Config Developer Guide.

You can also use an AWS CloudFormation template to automate this process. For more information, see the AWS CloudFormation User Guide.
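The same remediation from the AWS CLI, as an added example that is not part of the steampipe-mod-aws-compliance project: it writes a recorder and delivery channel matching the console settings above, starts recording, and then reads back the same fields the control's query evaluates (recording group, Recording, LastStatus). Assumed: AWS CLI v2 with credentials for the account, an existing S3 bucket that already carries the bucket policy AWS Config requires, and the AWSServiceRoleForConfig service-linked role already created; the recorder and channel name `default` and the bucket name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code. Enables AWS Config in one region with
# the AWS CLI and verifies the fields the control's query inspects.
# Assumes: AWS CLI v2 with credentials, an S3 bucket that already allows
# config.amazonaws.com to write to it, and the AWSServiceRoleForConfig
# service-linked role already present in the account.
set -eu

# Recorder definition: "Record all resources supported in this region" plus
# "Include global resources", as in the console steps. AWS recommends enabling
# global resource recording in only one region to avoid duplicate IAM records.
recorder_json() {   # $1 = recorder name, $2 = account id
  printf '{"name":"%s","roleARN":"arn:aws:iam::%s:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig","recordingGroup":{"allSupported":true,"includeGlobalResourceTypes":true}}' "$1" "$2"
}

# Delivery channel: configuration history and snapshots go to the S3 bucket.
delivery_channel_json() {   # $1 = channel name, $2 = bucket name
  printf '{"name":"%s","s3BucketName":"%s","configSnapshotDeliveryProperties":{"deliveryFrequency":"TwentyFour_Hours"}}' "$1" "$2"
}

enable_aws_config() {   # $1 = region, $2 = bucket name
  local region="$1" bucket="$2" account
  account="$(aws sts get-caller-identity --query Account --output text)"
  aws configservice put-configuration-recorder --region "$region" \
    --configuration-recorder "$(recorder_json default "$account")"
  aws configservice put-delivery-channel --region "$region" \
    --delivery-channel "$(delivery_channel_json default "$bucket")"
  aws configservice start-configuration-recorder --region "$region" \
    --configuration-recorder-name default
}

# Returns 0 when the region would be reported "ok" by the control: all supported
# and global resource types recorded, recorder running, last status SUCCESS.
check_aws_config() {   # $1 = region
  local region="$1" group status
  group="$(aws configservice describe-configuration-recorders --region "$region" \
    --query 'ConfigurationRecorders[0].recordingGroup.[allSupported,includeGlobalResourceTypes]' \
    --output text)"
  status="$(aws configservice describe-configuration-recorder-status --region "$region" \
    --query 'ConfigurationRecordersStatus[0].[recording,lastStatus]' --output text)"
  [ "$group" = "$(printf 'True\tTrue')" ] && [ "$status" = "$(printf 'True\tSUCCESS')" ]
}

# Usage: ./enable-config.sh us-east-1 my-config-bucket   (bucket name is a placeholder)
if [ "$#" -eq 2 ]; then
  enable_aws_config "$1" "$2"
  check_aws_config "$1" && echo "AWS Config is recording in $1"
fi
```

Run `check_aws_config` alone against regions that already have a recorder to see which of them the control would flag without changing anything.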

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_config_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_config_1 --share

SQL

This control uses a named query:

-- pgFormatter-ignore
-- Count the regions whose recorder matches every criterion; the control needs
-- at least one such region in the account before any region can be 'ok'.
with global_recorders as (
  select
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    recording_group -> 'IncludeGlobalResourceTypes' = 'true'
    and recording_group -> 'AllSupported' = 'true'
    and status ->> 'Recording' = 'true'
    and status ->> 'LastStatus' = 'SUCCESS'
)
select
  'arn:aws::' || a.region || ':' || a.account_id as resource,
  case
    -- A region is 'ok' when some region satisfies the CTE above and this
    -- region's own recorder (left-joined from aws_config_configuration_recorder)
    -- is recording with a successful last status.
    when
      g.global_config_recorders >= 1
      and r.status ->> 'Recording' = 'true'
      and r.status ->> 'LastStatus' = 'SUCCESS'
    then 'ok'
    -- Skip any regions that are disabled in the account.
    when a.opt_in_status = 'not-opted-in' then 'skip'
    else 'alarm'
  end as status,
  -- The cases below build the reason text for each control state.
  case
    when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'
    else
      case
        when r.recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
        else a.region || ' IncludeGlobalResourceTypes disabled,'
      end ||
      case
        when r.recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'
        else ' AllSupported disabled,'
      end ||
      case
        when r.status ->> 'Recording' = 'true' then ' Recording enabled'
        else ' Recording disabled'
      end ||
      case
        when r.status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'
        else ' and LastStatus is not SUCCESS.'
      end
  end as reason,
  a.region,
  a.account_id
from
  global_recorders as g,
  aws_region as a
  left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;

Tags