Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel

AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. You must create a configuration recorder before AWS Config can track your resource configurations. As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates. You can have only one delivery channel per region per AWS account, and the delivery channel is required to use AWS Config.

Risk Level: Low
Cloud Entity: AWS Config
CloudGuard Rule ID: D9.AWS.MON.16
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

ConfigSetting where recordingIsOn=true should have deliveryChannel.s3BucketName and deliveryChannel.snsTopicARN

REMEDIATION

From Portal
Use the following steps to turn the configuration recorder on. See the References section for more details.

  1. Create the Amazon S3 bucket.
  2. Create the SNS topic.
  3. Create the KMS Key.
  4. Create the delivery channel.

Use the steps below to start the configuration recorder:

  1. Open the AWS Config console.
  2. In the navigation pane, choose Settings.
  3. In Recording is off, choose Turn on, and then choose Continue.

From Command Line
Step 1: Use the following commands to create a delivery channel:
a. Using a text editor, copy and paste the following example template, and then save it as a JSON file. You can change the deliveryFrequency value to match your use case. If you choose not to activate encryption, omit the s3KmsKeyArn value from the JSON file.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you are using the most recent AWS CLI version.

{
    "name": "default",
    "s3BucketName": "targetBucketName",
    "s3KeyPrefix": "Optionalprefix",
    "snsTopicARN": "arn:aws:sns:region:account_ID:targetTopicName",
    "s3KmsKeyArn": "arn:aws:kms:region:account_ID:KmsKey",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

Note: The s3KeyPrefix must be provided if the S3 bucket policy restricts PutObject to a certain prefix, rather than the default.

b. Run the following AWS CLI command:

aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

c. Run the following AWS CLI command to confirm that the delivery channel was created:

aws configservice describe-delivery-channels

Step 2: Use the following command to start the configuration recorder:

aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
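
To verify the result against the rule's condition, the following added example (not part of the original page and not CloudGuard's own code) evaluates the JSON output of `aws configservice describe-configuration-recorder-status` and `aws configservice describe-delivery-channels`. The function name, result labels and both sample documents are constructed for illustration.

```python
import json
import sys

# Constructed sample of `aws configservice describe-configuration-recorder-status`
SAMPLE_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]}

# Constructed sample of `aws configservice describe-delivery-channels`;
# snsTopicARN is left out on purpose so the check fails.
SAMPLE_CHANNELS = {"DeliveryChannels": [
    {"name": "default", "s3BucketName": "targetBucketName",
     "configSnapshotDeliveryProperties": {"deliveryFrequency": "Twelve_Hours"}}]}

REQUIRED = ("s3BucketName", "snsTopicARN")


def evaluate(status_doc, channels_doc):
    """Return (result, findings) for one region.

    Mirrors the rule: where recording is on, the delivery channel must
    name both an S3 bucket and an SNS topic. A region whose recorder is
    off is outside this rule's scope and yields NOT_APPLICABLE.
    """
    recorders = status_doc.get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        return ("NOT_APPLICABLE", [])
    channels = channels_doc.get("DeliveryChannels", [])
    if not channels:
        # Defensive: treat a missing delivery channel as a failure.
        return ("FAIL", ["recording is on but no delivery channel exists"])
    findings = []
    for ch in channels:
        for key in REQUIRED:
            if not ch.get(key):  # an absent key and an empty string both fail
                findings.append(f"delivery channel {ch.get('name')!r} has no {key}")
    return ("FAIL", findings) if findings else ("PASS", [])


if __name__ == "__main__":
    # Optional arguments: two files holding the saved output of the commands.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as s, open(sys.argv[2]) as c:
            status, channels = json.load(s), json.load(c)
    else:
        status, channels = SAMPLE_STATUS, SAMPLE_CHANNELS
    result, findings = evaluate(status, channels)
    print(result, *findings, sep="\n  ")
```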

References

  1. https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html
  2. https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html
  3. https://aws.amazon.com/premiumsupport/knowledge-center/recreate-config-delivery-channel

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset