In this lab, we will be deploying the Amazon S3 Operational Best Practices with remediation actions conformance pack. This pack contains the following Config Rules:
S3BucketPublicReadProhibited with remediation action
S3BucketPublicWriteProhibited with remediation action
S3BucketReplicationEnabled
S3BucketSSLRequestsOnly
S3BucketServerSideEncryptionEnabled with remediation action
S3BucketLoggingEnabled with remediation action
We will create the prerequisite resources required for the “Amazon S3 Operational Best Practices with Remediation Actions” conformance pack. These include a service-linked role for conformance packs, a remediation action role, and an S3 logging bucket.
Important: deploying this Conformance Pack can disrupt access to data if installed in a production environment. Never deploy these conformance packs without proper testing in a safe test environment first!
Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab. Click here to deploy this stack into your account:
The stack will create these resources for you:
Enter a stack name, and keep the settings with default values. Click through all the way to Create stack.
Before we can deploy the conformance pack, we will need to edit it. The conformance packs that AWS provides represent collated best practices; however, they are not “one size fits all” and need some tailoring before they can be used.
First, download the conformance pack template from this link.
Next, edit this file so it is usable in your lab environment. You will need to replace the <Account-Id> entries with the account number of your account (without dashes). You will find this entry on these line numbers of the template: 43, 80, 139, 179.
Go to the Config Console, and then click on Conformance packs.
Click on Deploy conformance pack on the top right of the page.
Under Template details, select Upload template, and then select Upload a template. Click Choose file, upload your modified template, and finally click Next.
Give the conformance pack a name that is meaningful to you.
This conformance pack requires a parameter to function. Click Add parameter and then add a new key called S3TargetBucketNameForEnableLogging. Its value is the name of the s3serversideloggingbucket bucket created by the CloudFormation stack you deployed in the prerequisites. Copy the name of the bucket into the value field. Click Next, and finally click Deploy conformance pack.
We will check the compliance status for each rule in the conformance pack and its associated resources. Conformance packs can also be deployed to an AWS Organization; however, this is out of scope for this lab.
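The same three steps (filling in the <Account-Id> placeholders, deploying the pack with the S3TargetBucketNameForEnableLogging parameter, and reading back per-rule compliance) can be scripted with the AWS CLI instead of clicked through in the console. The script below is an added example and is not part of the workshop or of AWS's own material; the template file name Operational-Best-Practices-for-Amazon-S3.yaml, the pack name, and the constructed sample template used when testing are assumptions. The placeholder fill refuses anything that is not a 12-digit account id and fails if any <Account-Id> survives, which catches the dashed or truncated ids that would otherwise produce IAM role ARNs that the remediation actions cannot assume.

```shell
#!/bin/sh
# Added example: prepare, deploy and check the S3 Operational Best Practices
# conformance pack from the CLI. Assumes the AWS CLI is configured with an
# identity that may call Config, STS and S3 in the lab account.
set -eu

# An AWS account id is exactly 12 digits; the template wants it without dashes.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Replace every <Account-Id> placeholder in the downloaded template, writing
# the result to a new file. Prints the number of lines that now carry the id.
# Fails if the id is malformed or if any placeholder is still present.
fill_account_id() {
  template="$1"; account_id="$2"; out="$3"
  if ! valid_account_id "$account_id"; then
    echo "fill_account_id: expected a 12-digit account id, got '$account_id'" >&2
    return 1
  fi
  sed "s/<Account-Id>/${account_id}/g" "$template" > "$out"
  if grep -q '<Account-Id>' "$out"; then
    echo "fill_account_id: unreplaced placeholder remains in $out" >&2
    return 1
  fi
  grep -c "$account_id" "$out"
}

# Locate the logging bucket the prerequisite CloudFormation stack created.
# Its generated name contains the logical id s3serversideloggingbucket.
find_logging_bucket() {
  aws s3api list-buckets \
    --query "Buckets[?contains(Name, 's3serversideloggingbucket')].Name | [0]" \
    --output text
}

# Deploy (or update) the conformance pack with the one parameter it needs.
deploy_pack() {
  pack_name="$1"; template="$2"; logging_bucket="$3"
  aws configservice put-conformance-pack \
    --conformance-pack-name "$pack_name" \
    --template-body "file://$template" \
    --conformance-pack-input-parameters \
      "ParameterName=S3TargetBucketNameForEnableLogging,ParameterValue=$logging_bucket"
}

# Per-rule compliance of the deployed pack, the CLI view of the console's
# conformance pack details page.
compliance_summary() {
  aws configservice describe-conformance-pack-compliance \
    --conformance-pack-name "$1" \
    --query 'ConformancePackRuleComplianceList[].[ConfigRuleName,ComplianceType]' \
    --output table
}

# Only talk to AWS when explicitly asked; sourcing the file or running it
# without arguments just defines the functions above.
if [ "${1:-}" = "--deploy" ]; then
  account_id="$(aws sts get-caller-identity --query Account --output text | tr -d '-')"
  fill_account_id "Operational-Best-Practices-for-Amazon-S3.yaml" "$account_id" \
    "s3-best-practices-filled.yaml" > /dev/null
  bucket="$(find_logging_bucket)"
  [ -n "$bucket" ] && [ "$bucket" != "None" ] || { echo "logging bucket not found" >&2; exit 1; }
  deploy_pack "s3-operational-best-practices" "s3-best-practices-filled.yaml" "$bucket"
  # Evaluation takes a few minutes after deployment; rerun this part as needed.
  compliance_summary "s3-operational-best-practices"
fi
```

Run it as `sh deploy-s3-pack.sh --deploy` from the directory holding the downloaded template. The remediation roles in the template are referenced by ARN, so a wrong account id does not fail at deployment time but only later, when a remediation action cannot assume the role; validating the id before deployment is what makes that mistake visible early.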
This completes the basic labs for Config. From here, you can clean up resources created by visiting the cleanup steps.