AWS Cloud Operations Blog

Automate continuous compliance at scale in AWS

AWS Config continuously monitors and records your AWS resource configurations. You can use the service to automate the evaluation and remediation of recorded configurations against desired configurations. You also can review changes in configurations and relationships between AWS resources and dive into the history of a resource configuration.

AWS Config conformance packs provide a general-purpose compliance framework designed to help you create security, operational or cost-optimization governance checks using AWS Config managed or custom rules and remediation actions.

The basis of a well-architected multi-account AWS environment is AWS Organizations, an AWS service that you can use to centrally manage and govern multiple accounts. When you combine AWS Organizations with the capabilities of AWS Config and AWS CloudFormation, you can efficiently manage and automate configuration compliance at scale for hundreds of member accounts.

Using the solution outlined in this blog post, you can automate the setup of custom AWS Config conformance packs and AWS Systems Manager (SSM) remediation runbooks across your AWS Organization. In addition, you can automate the deployment of a custom AWS Config conformance pack that includes built-in remediations using those SSM runbooks in your organization. The automation of an org wide custom Config conformance pack deployment provides your AWS Organization with an automated setup to maintain a continuous compliance posture. In the org wide deployment of your custom conformance pack, as a managed Config rule detects non compliance with a compliance standard, the SSM remediation kicks in so that you are always in a continuous compliance posture as it relates to the compliance standard.

Solution Overview

The solution outlined in this blog post demonstrates an AWS Organization wide automated setup and deployment of a custom Config conformance pack with remediations for these PCI controls-

  • PCI.AutoScaling.1 Auto scaling groups associated with a load balancer should use health checks
  • PCI.CloudTrail.3 CloudTrail log file validation should be enabled
  • PCI.CloudTrail.4 CloudTrail trails should be integrated with CloudWatch Logs
  • PCI.CodeBuild.2 CodeBuild project environment variables should not contain clear text credentials
  • PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic
  • PCI.EC2.3 Unused EC2 security groups should be removed
  • PCI.EC2.4 Unused EC2 EIPs should be removed
  • PCI EC2.5 Security groups should not allow ingress from 0.0.0.0/0 to port 22
  • PCI.IAM.3 IAM policies should not allow full * administrative privileges
  • PCI.KMS.1 Customer master key (CMK) rotation should be enabled
  • PCI.Lambda.1 Lambda functions should prohibit public access
  • PCI.RDS.1 RDS snapshots should prohibit public access
  • PCI.RDS.2 RDS DB Instances should prohibit public access
  • PCI.Redshift.1 Amazon Redshift clusters should prohibit public access
  • PCI.S3.1 S3 buckets should prohibit public write access
  • PCI.S3.2 S3 buckets should prohibit public read access

The following diagram illustrates the architecture of our solution:

 A custom Config Conformance pack with manage config rule and custom SSM remediation runbook

Figure 1: A custom Config Conformance pack with manage config rule and custom SSM remediation runbook

Prerequisites

You must first complete the following pre-requisites to operationalize configuration compliance in AWS across an organization

  1. Enable Config in AWS Organizations
    1. Option 1 – Use CloudFormation Stacksets – In the CloudFormation console, choose StackSets. On the Create StackSets page, select the option to ‘Use a sample template‘ and select the ‘Enable AWS Config’ template. Since you are using AWS Organizations use service-managed permissions to deploy this template as a stackset
    2. Option 2 – Use Systems Manager Quick Setup – With Quick Setup, a capability of AWS Systems Manager, you can quickly create a configuration recorder powered by AWS Config across your organization. Follow the steps outlined in SSM Quick Setup to set up AWS Config recording with AWS Systems Manager Quick Setup in an organization.
  2. Register a delegated administrator account for AWS Config
    1. From the management account of your organization, run the register-delegated-administrator command for Config. In the following AWS CLI command, replace <delegated account id> with any AWS account ID that you have chosen as the delegated administrator account ID of organization – $ aws register-delegated-administrator —service-principal config.amazonaws.com--account-id <delegated account id>
  3. Set up a S3 Delivery bucket in the delegated administrator account for Conformance Pack artifacts
    1. For AWS Config to be able to store conformance pack artifacts, you will need to provide an Amazon S3 bucket in the delegated administrator account. This bucket name must start with the prefix ‘awsconfigconforms’. Each account in the organization must have access to this bucket. AWS Config recommends having limited permissions to the Amazon S3 bucket policy. To limit access, you can use this S3 policy that uses the PrincipalOrgID and PrincipalArn conditions. The policy allows only accounts in an organization to have access to the bucket. You can find your organization id from the AWS Organizations console under the Settings tab.
    2. Navigate to the AWS S3 console, select the bucket you created with the prefix ‘awsconfigconforms’, select the Permissions tab, edit the Bucket policy and copy/paste this S3 bucket policy
  4. I have already provided you with CloudFormation template that provisions custom AWS Systems Manager remediation runbooks for several Payment Card Industry (PCI) Config rules.
    1. From your management account, navigate to the AWS CloudFormation console, select StackSets on the left panel, select Create StackSet, select Upload a template file and then launch the aws-pci-confpack-ssmautomation-v1.yml as a CloudFormation stackset. Follow the instructions here to deploy this template as a stackset throughout your AWS Organization using service managed permissions.

Setup

Deploy a custom Config Conformance Pack in an organization

In your delegated administrator account-

  1. Create an S3 bucket. Upload the aws-pci-conformancepack-v1.yml custom conformance pack template that you want to deploy in your organization to this bucket. Follow instructions here to create an S3 bucket and upload a file to the S3 bucket from the AWS console. Note down the S3 URI of the uploaded template
    • In order to obtain the S3 URI of the uploaded template, navigate to the S3 console and select the bucket you just created, select the object (the template that you uploaded to the bucket) and select Copy S3 URI. You will use the S3 URI as the TemplateS3Uri parameter in the next step.
  2. Navigate to the AWS cloudformation console, select Stacks on the left panel, select Create Stacks, select Upload a template file and launch the aws-pci-customconfpack-org.yml template from your delegated administrator account. This template automates org wide deployment of custom conformance packs. Provide the following parameters:
    • DeliveryS3Bucket: The name of the Amazon S3 bucket where AWS Config stores artifacts for org wide deployment of conformance pack templates. Obtain this value from Step 3 of the prerequisites section.
    • OrganizationConformancePackName: Name of the custom config conformance pack for e.g. “org-pci-custom-confpack-remediations”
    • TemplateS3Uri: S3 URI that points to the location in S3 of the custom conformance pack template that you want to deploy in your AWS Organization.

Deploy a custom Config Conformance Pack with remediations in an organization

In your delegated administrator account-

  1. Replace the accountID used in all the AutomationAssumeRole parameters within the aws-pci-conformancepack-remediations-v1.yml custom Config Conformance Pack with SSM remediations template with the AWS AccountID of your delegated administrator account.
  2. Create an S3 bucket or simply use the same S3 bucket from the earlier step when you deployed a custom Conformance Pack. Upload the aws-pci-conformancepack-remediations-v1.yml custom conformance pack template that you want to deploy in your organization to this bucket. Follow instructions here to upload a file to the S3 bucket from the AWS console. Note down the S3 URI of the uploaded template.
    1. In order to obtain the S3 URI of the uploaded template, navigate to the S3 console and select the bucket you just created, select the object (the template that you uploaded to the bucket) and select Copy S3 URI. You will use the S3 URI as the TemplateS3Uri parameter in the next step.
  3. Navigate to the AWS cloudformation console, select Stacks on the left panel, select Create Stacks, select Upload a template file and launch the aws-pci-customconfpack-org.yml template from your delegated administrator account. This template automates org wide deployment of custom conformance packs. Provide the following parameters:
      1. DeliveryS3Bucket: The name of the Amazon S3 bucket where AWS Config stores artifacts for org wide deployment of conformance pack templates. Obtain this value from Step 3 of the prerequisites section.
      2. OrganizationConformancePackName: Name of the custom config conformance pack for e.g. “org-pci-custom-confpack-remediations”
      3. TemplateS3Uri: S3 URI that points to the location in S3 of the custom conformance pack template that you want to deploy in your AWS Organization.

Test and Validate

Validate successful deployment of the custom Config conformance pack in your organization

From the delegated account of your organization. run the configservice describe-organization-conformance-pack-statuses CLI. Replace the <custom confpack name> with the name of your custom Config Conformance pack

$ aws configservice describe-organization-conformance-pack-statuses —organization-conformance-pack-name="<custom confpack name>"

Launch an “attack” and validate compliance

Log in as an AWS administrator in the managed account:

  1. Conduct a misconfiguration by providing unrestricted SSH access to an EC2 Security Group. Choose Security Groups in the Amazon EC2 console. Choose the Security group ID of the default VPC. Choose Edit inbound rules. Select Add rule. Select SSH as the Type and 0.0.0.0/0 as the CIDR
  2. Navigate to the AWS Systems Manager console, select Automation in the left panel, and then check the execution of the PCI-Org-Custom-RestrictSecurityGroup automation document. Since we have launched the custom conformance pack with remediations, our compliance posture triggers a AWS Config Managed rule with an integrated AWS Systems Manager remediation runbook — ‘PCI-Org-Custom-RestrictSecurityGroup’. This provides automated detection and automated remediation for the PCI.EC2.2 compliance violation — ‘VPC default security group should prohibit inbound and outbound traffic’. Monitor the execution status in the Systems Manager Automation console for the automation execution, and verify its successful automation status.
  3. Finally, navigate back to the EC2 console, choose Security Groups, and choose the Security group ID of the default VPC. Validate the managed account compliance posture by verifying that the inbound rule that provided unrestricted SSH access to this EC2 Security Group has been removed.

Cleanup

To clean up your account and avoid recurring charges perform the following:

  1. Delete the deployed custom Config conformance packs in your organization
    1. From the delegated account of your organization. run the configservice delete-organization-conformance-pack CLI for each of the deployed custom config conformance packs.
      1. Replace the <custom confpack name> with the name of your custom Config Conformance pack: $ aws configservice delete-organization-conformance-pack —organization-conformance-pack-name="<custom confpack name>"
  2. Delete the deployed Systems Manager remediations stackset from your organization
    1. From the management account, first delete stack instances from your  aws-pci-confpack-ssmautomation-v1.yml stackset and then delete the stackset by following instructions here.

Conclusion

In this blog post, I’ve provided you with a running implementation of setting up compliance at scale in AWS. We automated the setup of custom AWS Config conformance packs and AWS Systems Manager (SSM) remediation runbooks across an AWS Organization to address a PCI use case. You can apply this solution to manage and automate configuration compliance at scale for hundreds of member accounts in your AWS Organization. For more information on this topic, please watch the Automate continuous compliance at scale in AWS video that we recently released on this topic.

About the author:

Kanishk Mahajan

Kanishk Mahajan is Principal, WW Cross-Service Solutions Architect at AWS where he specializes in cloud operations, resilience, migrations and modernization and security.