Config Delivery Failing

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Config-004

Ensure that the log files (history files and snapshots) generated by Amazon Config are delivered without any failures to the designated S3 bucket in order to store logging data for auditing purposes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Security
  • Operational excellence

Amazon Config tracks changes within the configuration of your AWS cloud resources and regularly saves this data to log files that are sent to an S3 bucket that you specify. When Amazon Config is not able to deliver log files to their recipient because of delivery errors or misconfigurations (usually involving the access policies configured for the associated IAM role), the service cannot send the recorded information to the designated bucket, and you lose the ability to audit the configuration changes made within your AWS cloud account.


Audit

To determine if Amazon Config is able to deliver log files to the specified S3 bucket, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 If the Amazon Config console displays the error message "AWS Config doesn't have sufficient permissions to send configuration information to the specified S3 bucket. Update the role or bucket permissions and try again.", the Config service fails to deliver the recorded information to the designated S3 bucket due to permission errors. If the error message is not displayed in the console, continue the Audit process with the next step.

05 Check the value of the AWS Config role attribute, displayed in the General settings section, to determine the name of the service role associated with Amazon Config. If there is no value listed for the AWS Config role attribute, there is no service role associated with Amazon Config in the selected AWS region, therefore the service fails to deliver the logging data to the designated S3 bucket due to permission errors.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-configuration-recorder-status command (OSX/Linux/UNIX) to describe the current status of the Amazon Config recorder:

aws configservice describe-configuration-recorder-status \
  --region us-east-1

02 The command output should return the requested configuration recorder status:

{
	"ConfigurationRecordersStatus": [
		{
			"name": "default",
			"lastStartTime": "2022-11-29T09:29:37.870000+00:00",
			"lastStopTime": "2022-11-29T09:27:47.662000+00:00",
			"recording": true,
			"lastStatus": "FAILURE",
			"lastStatusChangeTime": "2022-11-29T10:29:48.522000+00:00",
			"lastErrorCode": "AccessDenied",
			"lastErrorMessage": "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using <service-role-arn>"
		}
	]
}

If the describe-configuration-recorder-status command output returns "FAILURE" for the "lastStatus" attribute and the "AccessDenied" error is triggered, as shown in the output example above, the Amazon Config service fails to deliver the recorded information to the designated recipient due to permission errors.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
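As an added example (not part of the Conformity page, the AWS CLI or boto3), the Audit logic above expressed as a Python function that evaluates the describe-configuration-recorder-status output, with an optional boto3 sweep over every region. The sample payload is constructed; the live helper assumes boto3 is installed and credentials are available. It goes one step beyond the CLI procedure by also flagging a region that has no recorder at all.

```python
import json

# Constructed sample in the shape of the describe-configuration-recorder-status
# output above, showing the "AccessDenied" failure that the Audit step looks for.
SAMPLE_STATUS = json.loads("""{
  "ConfigurationRecordersStatus": [
    {"name": "default", "recording": true, "lastStatus": "FAILURE",
     "lastErrorCode": "AccessDenied",
     "lastErrorMessage": "AWS Config does not have sufficient permissions to record one or more AmazonIdentityManagement resources using <service-role-arn>"}
  ]
}""")


def evaluate_recorder_status(payload, region):
    """Apply the Config-004 audit logic to one region's recorder status.

    Returns (region, recorder_name, reason) findings; an empty list means every
    recorder in the region reported a successful last delivery.
    """
    findings = []
    recorders = payload.get("ConfigurationRecordersStatus", [])
    if not recorders:
        # Goes beyond the page's CLI step: with no recorder, nothing is delivered.
        findings.append((region, None, "no configuration recorder in region"))
    for rec in recorders:
        if rec.get("lastStatus") == "FAILURE":
            reason = rec.get("lastErrorCode", "unknown error")
            if reason == "AccessDenied":
                reason += " (review the Config service role and bucket permissions)"
            findings.append((region, rec.get("name"), reason))
    return findings


def audit_all_regions(profile=None):
    """Live variant of the Audit process: repeat the check in every region.

    Assumes boto3 is installed and credentials are available; the import is
    local so evaluate_recorder_status() stays usable offline.
    """
    import boto3
    session = boto3.Session(profile_name=profile)
    findings = []
    for region in session.get_available_regions("config"):
        client = session.client("config", region_name=region)
        status = client.describe_configuration_recorder_status()
        findings += evaluate_recorder_status(status, region)
    return findings
```

Any non-empty result from audit_all_regions() lists the regions where delivery is failing and why, which is the same conclusion the manual per-region CLI check reaches.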

Remediation / Resolution

Amazon Config fails to deliver log files to the designated S3 bucket when it doesn't have sufficient permissions to complete this operation. To send information to Amazon S3, the Config service needs to assume an IAM role that manages the permissions required to access the designated S3 bucket. To update Amazon Config service configuration in order to solve the permissions issue, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ConfigurationRecorder": {
			"Type": "AWS::Config::ConfigurationRecorder",
			"Properties": {
				"Name": "default",
				"RecordingGroup": {
					"AllSupported": true,
					"IncludeGlobalResourceTypes": true
				},
				"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ConfigurationRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN: arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_config_configuration_recorder" "configuration-recorder" {
	name     = "default"
	recording_group {
		all_supported                 = true
		include_global_resource_types = true
	}
	role_arn = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
}

resource "aws_config_configuration_recorder_status" "configuration-recorder-status" {
	is_enabled = true
	name       = aws_config_configuration_recorder.configuration-recorder.name
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Config console at https://console.aws.amazon.com/config/.

03 In the main navigation panel, under AWS Config, choose Settings.

04 Choose Edit to access the configuration settings available for Amazon Config in the selected AWS region.

05 In the General settings section, select Use an existing AWS Config service-linked role for AWS Config role. This enables Amazon Config to use a new, dedicated service-linked role named AWSServiceRoleForConfig, which the service can use to call other AWS services on your behalf.

06 Choose Save to apply the changes.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the describe-configuration-recorders command (OSX/Linux/UNIX) with custom query filters to return the name of the active recorder used by the Amazon Config service:

aws configservice describe-configuration-recorders \
  --region us-east-1 \
  --query 'ConfigurationRecorders[*].name'

02 The command output should return the requested recorder name:

[
	"default"
]

03 Run the put-configuration-recorder command (OSX/Linux/UNIX), passing the name of the recorder returned at the previous step and the ARN of the dedicated service-linked role that Amazon Config uses to call other AWS services on your behalf as the command parameters, to replace the misconfigured service role assigned to the Config recorder (the command does not produce an output):

aws configservice put-configuration-recorder \
  --region us-east-1 \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

Publication date Oct 17, 2016