Conformance packs
Deploy components for the lab
In this lab, we will be deploying the Amazon S3 Operational Best Practices with remediation actions conformance pack. This pack contains following Config Rules.
S3BucketPublicReadProhibitedwith remediation actionS3BucketPublicWriteProhibitedwith remediation actionS3BucketReplicationEnabledS3BucketSSLRequestsOnlyS3BucketServerSideEncryptionEnabledwith remediation actionS3BucketLoggingEnabledwith remediation action
Prerequisites
We will create prerequisite resources required for the “Amazon S3 Operational Best Practices with Remediation Actions” conformance pack. This includes a service-linked role for conformance packs, a remediation action role, and an S3 logging bucket.
Important: deploying this Conformance Pack can disrupt access to data if installed in a production environment. Never deploy these conformance packs without proper testing in a safe test environment first!
Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab. Click here to deploy this stack into your account:
The stack will create these resources for you:
Enter a stack name, and keep the settings with default values. Click through all the way to Create stack.
Deploy conformance pack
Before we can deploy the conformance pack, we will need to edit it. Conformance packs that AWS provides represent collated best practices, however they are not “one size fits all” and need some tailoring before being leveraged.
First, download the conformance pack template from this link.
Next edit this file so we can make it usable with your lab environment. You will need to replace the
<Account-Id>entries with the proper account number for your account (without dashes). You will find this entry on these line numbers:4380139179
Go to the Config Console, and then click on Conformance packs.
Click on Deploy conformance pack on the top right of the page.
Under template details, select Upload template, and then select the Upload a template. Click Choose file, upload your modified template, and finallly click Next.
Give the conformance pack a name that is meaningful to you.
This conformance pack will require a parameter to function. Click Add parameter and then add a new key called
S3TargetBucketNameForEnableLogging.- The value for this will be the name of the
s3serversideloggingbucketcreated by the CloudFormation stack you deployed in the prerequisites. Copy the name of the bucket into the value field.
- The value for this will be the name of the
Click Next, and finally click Deploy conformance pack.
View compliance remediation
We will check compliance status for each rule in conformance pack and associated resources. Conformance Packs can also be deployed to an AWS Organization; however, this is out of scope for this lab.
- Once the conformance pack is deployed, click on conformance pack name to drill down into details. You can view list of rules and their compliance status.
- Click on a rule name to see its details.
- Expand Resources in Scope section to see resources in scope and their compliance status. If there are any existing non-compliant resources, you can manually remediate them or wait for auto-remediation to complete.
- To see auto-remediation in action on a new resource, create a new S3 bucket using S3 Console. Config will discover the resource and mark it as non-compliant if it is not following S3 best practices.
- Go back to conformance pack details and select a rule with remediation action.
- Expand Resources in Scope section to see newly created resource with its compliance status. If the resource is non-compliant, the auto-remediation action will apply to resource within few minutes.
- Refresh the page to see updated resource compliance status.
This completes the basic labs for Config. From here, you can clean up resources created by visiting the cleanup steps.