AWS Config - Supplementary
============

Here you will find the resources mentioned in my talk at the AWS UG Munich Meetup in July 2019 at the Cloudreach office. Feel free to comment or even add things.

## Links

- [AWS Config best practices](https://aws.amazon.com/blogs/mt/aws-config-best-practices/) in AWS Management Tools Blog
- [How to Use AWS Config to Monitor for and Respond to Amazon S3 Buckets Allowing Public Access](https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/) in AWS Security Blog
- [AWS Config Rules Repository](https://github.com/awslabs/aws-config-rules)
- [Permissions for the IAM role assigned to AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html)
- [Permissions for the Amazon SNS Topic](https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html)

## CloudFormation example

The template below deploys one configuration recorder, one delivery channel and a set of managed rules per region. Rules that look at global resources (root account MFA, CloudTrail) are only created in us-east-1, where the recorder also records global resource types, so that IAM resources are not recorded once per region.

```yaml
Description: >
  Deploy compliance checks using AWS Config. It deploys region-specific rules.
  In the global region (us-east-1) it additionally deploys the global rules.

Conditions:
  isGlobalRegion: !Equals [!Ref 'AWS::Region', 'us-east-1']

Resources:
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # quoted so YAML does not parse the policy version as a date
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - config.amazonaws.com
      ManagedPolicyArns:
        # AWSConfigRole was the current managed policy in 2019; AWS has since
        # deprecated it in favour of service-role/AWS_ConfigRole
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      Policies:
        - PolicyName: S3ConfigDataWriter
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 's3:PutObject*'
                Resource:
                  - !Join ['/', [!GetAtt DeliveryBucket.Arn, '*']]
              - Effect: Allow
                Action: 's3:GetBucketAcl'
                Resource:
                  - !GetAtt DeliveryBucket.Arn

  Recorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup: !If
        - isGlobalRegion
        ############### Global Recorder
        - AllSupported: true
          IncludeGlobalResourceTypes: true
        ############### Regional Recorder
        - ResourceTypes:
            - AWS::EC2::Volume
            - AWS::S3::Bucket
            - AWS::RDS::DBInstance
            - AWS::RDS::DBSnapshot

  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    # PutDeliveryChannel fails with NoAvailableConfigurationRecorderException
    # if no recorder exists yet; CloudFormation cannot infer this dependency
    DependsOn: Recorder
    Properties:
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours
      S3BucketName: !Ref DeliveryBucket

  DeliveryBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # the bucket holds configuration history of the whole account; make sure
      # it can never be opened to the public by a later ACL or policy change
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ############### GLOBAL RULEZ
  RootMFAEnabledCheckRule:
    Condition: isGlobalRegion
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      MaximumExecutionFrequency: TwentyFour_Hours
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED

  CloudTrailEnabledCheckRule:
    Condition: isGlobalRegion
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      MaximumExecutionFrequency: TwentyFour_Hours
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
      InputParameters:
        s3BucketName: global-cloudtrail-logs

  ################ REGIONAL RULEZ
  S3EncryptionAtRestCheckRule:
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

  RDSEncryptionAtRestCheckRule:
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      Source:
        Owner: AWS
        SourceIdentifier: RDS_STORAGE_ENCRYPTED

  EBSEncryptionAtRestCheckRule:
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES

  BucketPublicReadProhibitedCheckRule:
    DependsOn: Recorder
    Type: AWS::Config::ConfigRule
    Properties:
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
```

Two things to check before deploying: `CLOUD_TRAIL_ENABLED` only reports COMPLIANT when a trail delivers to the bucket named in `s3BucketName`, so `global-cloudtrail-logs` has to be replaced with the real CloudTrail bucket; and a `ConfigRule` cannot exist in a region without a recorder, which is why every rule carries `DependsOn: Recorder`.

###### tags: `public` `talk` `aws`
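The managed `S3_BUCKET_PUBLIC_READ_PROHIBITED` rule above is a black box; the linked AWS Security Blog post and the aws-config-rules repository show how the same decision is made in a custom rule. The following Python Lambda is an added example written for this page (it is not code from the talk, the blog post or the awslabs repository): it evaluates a recorded `AWS::S3::Bucket` configuration item and reports NON_COMPLIANT when an ACL grant to `AllUsers`/`AuthenticatedUsers` or an unconditioned `Allow` policy statement for principal `*` is actually effective, i.e. not neutralised by the bucket's public access block. The key names under `supplementaryConfiguration` (`AccessControlList`, `BucketPolicy`, `PublicAccessBlockConfiguration`) and their layout are assumptions about what Config records for S3 buckets; the sample items are constructed, not captured from an account.

```python
"""Custom AWS Config rule: is this S3 bucket effectively public?

Added illustration, not code from the talk or from awslabs/aws-config-rules.
The layout of the configuration item (assumed from what Config records for
AWS::S3::Bucket) should be verified against a real item before deploying.
"""
import json

PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}


def _public_acl_grants(acl_json):
    """Grantees in the recorded ACL that open the bucket to everyone.

    Config stores the ACL as a JSON string with a grantList; predefined groups
    appear as plain strings, canonical users as dicts with id/displayName.
    """
    grants = json.loads(acl_json).get("grantList", []) if acl_json else []
    return sorted({g["grantee"] for g in grants
                   if isinstance(g.get("grantee"), str)
                   and g["grantee"] in PUBLIC_GRANTEES})


def _public_policy_statements(policy_text):
    """Sids (or positions) of Allow statements any principal can use."""
    if not policy_text:
        return []
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed
        statements = [statements]
    public = []
    for i, s in enumerate(statements):
        p = s.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        # A Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) may narrow the
        # wildcard; treating it as non-public is a simplification to refine.
        if s.get("Effect") == "Allow" and wildcard and "Condition" not in s:
            public.append(s.get("Sid", "statement[%d]" % i))
    return public


def evaluate_bucket(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule evaluates S3 buckets only"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket was deleted"
    supp = item.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    findings = []
    grants = _public_acl_grants(supp.get("AccessControlList"))
    if grants and not pab.get("ignorePublicAcls"):      # block neutralises ACLs
        findings.append("ACL grants to " + ", ".join(grants))
    policy = (supp.get("BucketPolicy") or {}).get("policyText")
    sids = _public_policy_statements(policy)
    if sids and not pab.get("restrictPublicBuckets"):   # block neutralises policy
        findings.append("public policy statements " + ", ".join(sids))
    if findings:
        return "NON_COMPLIANT", "public via " + "; ".join(findings)
    return "COMPLIANT", "no effective public ACL grant or policy statement"


def lambda_handler(event, context):
    """Config entry point: parse the invoking event and report the verdict."""
    import boto3  # imported here so the pure evaluation above runs without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],               # API limit on annotation
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample items (hypothetical bucket names, not from a real account).
_PUBLIC_ACL = json.dumps({"grantList": [
    {"grantee": {"id": "0123abcd", "displayName": "owner"}, "permission": "FullControl"},
    {"grantee": "AllUsers", "permission": "Read"},
]})
_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"},
]})


def _bucket(name, acl=None, policy=None, pab=None):
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name,
            "configurationItemStatus": "OK",
            "supplementaryConfiguration": {
                "AccessControlList": acl, "BucketPolicy": {"policyText": policy},
                "PublicAccessBlockConfiguration": pab or {}}}


PUBLIC_ACL_BUCKET = _bucket("example-public-acl", acl=_PUBLIC_ACL)
SHIELDED_BUCKET = _bucket("example-shielded", acl=_PUBLIC_ACL,
                          pab={"ignorePublicAcls": True, "restrictPublicBuckets": True})
PUBLIC_POLICY_BUCKET = _bucket("example-site", policy=_PUBLIC_POLICY)
```

`put_evaluations` is only called from the handler, so the evaluation logic can be unit-tested offline on constructed items; in the account the rule must be registered with `AWS::Config::ConfigRule` using `Owner: CUSTOM_LAMBDA` and the Lambda needs `config:PutEvaluations` plus a resource policy allowing `config.amazonaws.com` to invoke it.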