
AWS Custom Rule

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CS-001

Ensure that all the evaluation results returned for the AWS Config rules created within your AWS account are compliant. AWS Config rules represent your desired configuration settings. You can use the predefined rules available in your AWS account (also known as managed rules) or define your own custom rules to suit your needs. Rules can be targeted at specific resources (by ID, e.g. "sg-0b2abb7c"), at specific types of resources (e.g. "EC2 security group"), or at resources tagged in a particular way (e.g. "Stage": "Production"). Rules are executed when those resources are created or changed, but can also be evaluated on a periodic basis (e.g. every hour, every 6 hours or every 24 hours). The Config service evaluates whether your AWS resource configurations comply with the defined rules and returns the corresponding evaluation results. Each evaluation result indicates which AWS resources were evaluated by the rule, when each resource was last evaluated and whether each resource complies with the rule.

The rule evaluation results are available within your Cloud Conformity account as a result of the integration between Real-Time Threat Monitoring and Analysis (RTMA) and the AWS Config service. With the RTMA-Config integration, noncompliant evaluation results are highlighted on your Cloud Conformity dashboard and alert notifications are sent via the communication channels configured in your Cloud Conformity account. The supported communication channels are Email, SMS, Slack, JIRA, PagerDuty and ServiceNow.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected Framework pillars: Sustainability, Security, Reliability, Performance efficiency, Cost optimisation, Operational excellence

Using AWS Config and Cloud Conformity for compliance checks will help you avoid misconfigurations and close security gaps by defining the desired and most secure configuration settings for your AWS resources.

Note 1: The evaluation results for custom AWS Config rules, created using Lambda functions, are available on your Cloud Conformity dashboard as well. Noncompliant results from custom rules also trigger Cloud Conformity alert notifications.
Note 2: As an example, this conformity rule demonstrates how to find and reconfigure AWS resources based on noncompliant evaluation results returned by the AWS Config managed rule named "restricted-ssh". This managed rule checks whether the security groups in use within your AWS account disallow unrestricted incoming SSH traffic on port 22, that is, inbound rules whose source is 0.0.0.0/0 or ::/0.


Audit

To check for noncompliant Config rule evaluation results, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Rules.

04 On the Rules page, select Noncompliant option from Compliance status dropdown list and click Filter to list only the AWS Config rules that return noncompliant evaluation results.

05 Click on the name (link) of the rule that you want to examine to access the rule details page.

06 Within the Re-evaluate rule configuration section, click the Re-evaluate button to evaluate the current status of your AWS resources against the selected Config rule again. The process may take a few minutes.

07 Once the re-evaluation is completed, check the Resources evaluated list to determine the compliance status of the checked AWS resources. If the list contains one or more resources with the Compliance status set to Noncompliant, the selected AWS Config rule returns noncompliant evaluation results, therefore there are resource configurations within your AWS account that don't comply with your desired configuration settings.

08 Based on the information returned at the previous step you can locate the misconfigured AWS resources, referenced by noncompliant evaluation results, and use the selected rule requirements to make a plan and implement the recommended fix (see Remediation/Resolution section).

09 Repeat steps no. 3 – 8 to check for noncompliant evaluation results returned by other AWS Config rules available in the current region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-config-rules command (OSX/Linux/UNIX) using custom query filters to list the names of the existing AWS Config rules currently available in the selected region:

aws configservice describe-config-rules \
	--region us-east-1 \
	--output table \
	--query 'ConfigRules[*].ConfigRuleName'

02 The command output should return a table that contains the names of all the rules created in the selected region:

---------------------------
|   DescribeConfigRules   |
+-------------------------+
|  restricted-ssh         |
|  desired-instance-type  |
|  ec2-instances-in-vpc   |
+-------------------------+

03 Run get-compliance-details-by-config-rule command (OSX/Linux/UNIX) using the name of the rule that you want to examine to list the noncompliant evaluation results (if any) for the selected AWS Config rule. The following command example lists the noncompliant results for the AWS Config rule named "restricted-ssh", a managed rule that checks all the security groups provisioned in your AWS account and highlights the ones that allow unrestricted incoming SSH traffic on port 22:

aws configservice get-compliance-details-by-config-rule \
	--region us-east-1 \
	--config-rule-name restricted-ssh \
	--compliance-types NON_COMPLIANT

04 The command output should return an array that contains information about each noncompliant evaluation result returned by the selected rule (if all the results are compliant, the EvaluationResults array should be empty):

{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1519296799.567,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::SecurityGroup",
                    "ResourceId": "sg-abcd1234",
                    "ConfigRuleName": "restricted-ssh"
                }
            },
            "ResultRecordedTime": 1519299685.452,
            "ConfigRuleInvokedTime": 1519299685.254,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1519296799.567,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::SecurityGroup",
                    "ResourceId": "sg-aabbccdd",
                    "ConfigRuleName": "restricted-ssh"
                }
            },
            "ResultRecordedTime": 1519299685.39,
            "ConfigRuleInvokedTime": 1519299685.287,
            "ComplianceType": "NON_COMPLIANT"
        },

        ...


        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1519296799.567,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::SecurityGroup",
                    "ResourceId": "sg-1234abcd",
                    "ConfigRuleName": "restricted-ssh"
                }
            },
            "ResultRecordedTime": 1519299684.856,
            "ConfigRuleInvokedTime": 1519299684.744,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1519296799.567,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::SecurityGroup",
                    "ResourceId": "sg-aaaabbbb",
                    "ConfigRuleName": "restricted-ssh"
                }
            },
            "ResultRecordedTime": 1519299684.967,
            "ConfigRuleInvokedTime": 1519299684.854,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}

If the EvaluationResults array returned by the command output contains one or more objects (results), as shown in the example above, the selected AWS Config rule returns noncompliant evaluation results, therefore the configuration of the AWS resources referenced by those results does not comply with your desired configuration settings.

05 Based on the information returned at the previous step you can find the misconfigured AWS resources, referenced by noncompliant evaluation results, and use the selected rule requirements to make a plan and implement the recommended fix.

06 Repeat steps no. 3 – 5 to check for noncompliant evaluation results returned by other AWS Config rules available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the audit process for other regions.
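The CLI steps above are run by hand, one rule and one region at a time. As an added example that is not part of the Conformity page or of the AWS tooling, the following Python script performs the same two calls (describe-config-rules, then get-compliance-details-by-config-rule per rule) for every rule in a region and, through sweep_all_regions, for every region that offers AWS Config. It also handles the NextToken pagination of the raw API, which the AWS CLI hides but a boto3 client does not. FakeConfigClient and its sample data are constructed so the script runs offline; the rule names and security group IDs are taken from the sample output above, the instance ID is made up.

```python
"""Sweep every AWS Config rule in a region for NON_COMPLIANT evaluation results.

Added example, not Conformity's or AWS's own code. FakeConfigClient below is a
constructed stand-in for the boto3 "config" client so the module runs offline.
"""


def noncompliant_by_rule(config):
    """Return {rule_name: [(resource_type, resource_id), ...]} for one region.

    `config` is anything exposing describe_config_rules() and
    get_compliance_details_by_config_rule() with boto3's argument names and
    response shapes. Rules with no noncompliant results map to an empty list,
    so a compliant rule is reported explicitly rather than silently skipped.
    """
    findings = {}
    token = None
    while True:                      # describe-config-rules pages (NextToken)
        page = config.describe_config_rules(**({"NextToken": token} if token else {}))
        for rule in page["ConfigRules"]:
            findings.setdefault(rule["ConfigRuleName"], [])
        token = page.get("NextToken")
        if not token:
            break
    for rule in list(findings):
        token = None
        while True:                  # evaluation results page as well
            kwargs = {"ConfigRuleName": rule, "ComplianceTypes": ["NON_COMPLIANT"]}
            if token:
                kwargs["NextToken"] = token
            page = config.get_compliance_details_by_config_rule(**kwargs)
            for result in page.get("EvaluationResults", []):
                qual = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                findings[rule].append((qual["ResourceType"], qual["ResourceId"]))
            token = page.get("NextToken")
            if not token:
                break
    return findings


def sweep_all_regions(session):
    """Live variant: `session` is a boto3.session.Session(); returns
    {(region, rule_name): [(resource_type, resource_id), ...]}."""
    report = {}
    for region in session.get_available_regions("config"):
        client = session.client("config", region_name=region)
        for rule, resources in noncompliant_by_rule(client).items():
            report[(region, rule)] = resources
    return report


class FakeConfigClient:
    """Constructed offline stand-in for the boto3 Config client. Pages are
    split on purpose (one rule / two results per page) so both NextToken
    loops above are exercised."""
    RULES = ["restricted-ssh", "desired-instance-type", "ec2-instances-in-vpc"]
    RESULTS = {
        "restricted-ssh": [("AWS::EC2::SecurityGroup", "sg-abcd1234"),
                           ("AWS::EC2::SecurityGroup", "sg-aabbccdd"),
                           ("AWS::EC2::SecurityGroup", "sg-1234abcd")],
        "desired-instance-type": [],
        "ec2-instances-in-vpc": [("AWS::EC2::Instance", "i-0123456789abcdef0")],  # made-up ID
    }

    def describe_config_rules(self, NextToken=None):
        i = int(NextToken or 0)
        page = {"ConfigRules": [{"ConfigRuleName": self.RULES[i]}]}
        if i + 1 < len(self.RULES):
            page["NextToken"] = str(i + 1)
        return page

    def get_compliance_details_by_config_rule(self, ConfigRuleName, ComplianceTypes, NextToken=None):
        assert ComplianceTypes == ["NON_COMPLIANT"]
        rows = self.RESULTS[ConfigRuleName]
        i = int(NextToken or 0)
        page = {"EvaluationResults": [
            {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ResourceType": rtype, "ResourceId": rid, "ConfigRuleName": ConfigRuleName}},
             "ComplianceType": "NON_COMPLIANT"} for rtype, rid in rows[i:i + 2]]}
        if i + 2 < len(rows):
            page["NextToken"] = str(i + 2)
        return page


if __name__ == "__main__":
    # Offline demo; for a live sweep call sweep_all_regions(boto3.session.Session()).
    for rule, resources in noncompliant_by_rule(FakeConfigClient()).items():
        print(f"{rule}: {resources or 'all compliant'}")
```

The output of noncompliant_by_rule is the input to the remediation planning in step 05: each (resource type, resource ID) pair names one resource to fix under the requirements of that rule.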

Remediation / Resolution

To reconfigure an AWS resource, referenced by a noncompliant evaluation result, in order to comply with the needed configuration settings, perform the following actions:

Note: As an example, this section provides step-by-step instructions on how to resolve a noncompliant evaluation result returned by the managed AWS Config rule "restricted-ssh", by updating the inbound configuration of a security group to restrict SSH access to a specific (trusted) IP address or IP range.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/.

03 In the left navigation panel, select Rules.

04 Click on the name (link) of the audited rule (see Audit section part I to identify the right Config rule) to access its noncompliant evaluation results.

05 On the rule details page, within Resources evaluated section, choose the security group highlighted as noncompliant evaluation result and click the external link button available in the Manage resource column to access the selected EC2 security group.

06 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

07 In the Edit inbound rules dialog box, change the traffic Source for the inbound rule that allows unrestricted access through TCP port 22 by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your machine (from your IP address).
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • A specific (trusted) IP address (IPv4) with the suffix set to /32, e.g. 192.168.75.10/32.
    • An IP address range (IPv4) in CIDR notation, for example 192.168.75.0/24.
    • The name or ID of another trusted security group available in the same AWS region.

08 Click Save to apply the changes. The SSH access is now restricted to the specific IP address/range or security group.

09 Repeat steps no. 5 – 8 to reconfigure other EC2 security groups highlighted as noncompliant evaluation results by the selected AWS Config rule (i.e. "restricted-ssh").

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with the ID of the EC2 security group that you want to reconfigure (see Audit section part II to identify the right resource) to retrieve the name of the security group highlighted as noncompliant evaluation result:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--group-ids sg-abcd1234 \
	--query 'SecurityGroups[*].GroupName'

02 The command output should return the name of the specified EC2 security group:

[
    "cc-production-env-sg"
]

03 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule that allows unrestricted access through TCP port 22 from the specified security group. Identify the group by its ID; the --group-name form is accepted only for security groups in the default VPC. The command prints no output on older CLI versions, while newer versions print a JSON document with "Return": true:

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-abcd1234 \
	--protocol tcp \
	--port 22 \
	--cidr 0.0.0.0/0

If the security group also allows SSH from ::/0 (any IPv6 address), revoke that inbound rule as well, because the "restricted-ssh" managed rule treats ::/0 as unrestricted too.

04 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add back the inbound rule removed at the previous step with a different set of parameters, so that SSH access is restricted to specific (trusted) entities. Use one of the following options, depending on your access requirements (as with the revoke command, older CLI versions print nothing and newer ones print a JSON document with "Return": true):

  1. Add an inbound rule that allows SSH access from a specific (trusted) IPv4 address via port 22:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-abcd1234 \
    	--protocol tcp \
    	--port 22 \
    	--cidr 192.168.75.10/32
    
  2. Add an inbound rule that allows SSH access from a specific (trusted) IPv4 address range via port 22:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-abcd1234 \
    	--protocol tcp \
    	--port 22 \
    	--cidr 192.168.75.0/24
    
  3. Add an inbound rule that allows SSH access via port 22 from instances associated with another (trusted) EC2 security group in the same VPC. For security groups in a non-default VPC, reference the source group by its ID (sg-...) rather than by its name:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-abcd1234 \
    	--protocol tcp \
    	--port 22 \
    	--source-group cc-prod-bastion-sg
    

    The SSH access is now restricted to the specified IP address, IP range or security group. Re-run the get-compliance-details-by-config-rule command from the Audit section (or re-evaluate the rule in the console) to confirm that the security group no longer appears among the noncompliant results.
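The remediation steps above are typed per security group, and a single inbound entry can carry several source ranges at once, so revoking by --cidr must target exactly the open range. As an added example that is not Conformity's or AWS's own code, the following Python module works on the IpPermissions structure that describe-security-groups (and boto3) returns: find_unrestricted_ssh mirrors what the managed "restricted-ssh" rule flags (port 22 reachable from 0.0.0.0/0 or ::/0, whether port 22 is named explicitly, covered by a port range, or exposed by the all-traffic protocol -1) and is the check a custom Config rule Lambda as mentioned in Note 1 could apply; remediate revokes only the offending CIDRs inside each entry, leaving trusted ranges that share the entry intact, and then authorizes the trusted source unless that rule already exists. FakeEc2Client and the sample security group are constructed; the group ID is the one from the audit output.

```python
"""Detect and fix unrestricted SSH ingress on an EC2 security group.

Added example, not Conformity's or AWS's own code. Operates on the EC2 API
IpPermissions shape; FakeEc2Client and SAMPLE_PERMISSIONS are constructed so
the module runs offline.
"""
OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"


def _covers_ssh(perm):
    """True if an ingress entry admits TCP port 22: named explicitly, inside a
    port range, or via the all-traffic protocol "-1"."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def find_unrestricted_ssh(ip_permissions):
    """Return [(entry, open_cidr), ...] for each world-open SSH path, i.e. what
    the managed "restricted-ssh" rule reports. Empty list == COMPLIANT."""
    hits = []
    for perm in ip_permissions:
        if not _covers_ssh(perm):
            continue
        hits += [(perm, OPEN_V4) for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
        hits += [(perm, OPEN_V6) for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
    return hits


def remediate(ec2, group_id, trusted_cidr):
    """Revoke every open SSH path, then allow TCP/22 from trusted_cidr (IPv4)
    unless that rule already exists. Returns the actions taken, in order.
    `ec2` is a boto3 EC2 client or the fake below. Caveat: revoking a
    port-range or all-traffic entry also removes the non-SSH access it granted
    from that CIDR, so review the hits before running against production."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    perms = group["IpPermissions"]
    actions = []
    for perm, cidr in find_unrestricted_ssh(perms):
        entry = {"IpProtocol": perm["IpProtocol"]}        # revoke only this CIDR
        if perm["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if cidr == OPEN_V4:
            entry["IpRanges"] = [{"CidrIp": cidr}]
        else:
            entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[entry])
        actions.append(("revoke", cidr))
    already = any(p.get("IpProtocol") == "tcp" and p.get("FromPort") == 22 == p.get("ToPort")
                  and any(r.get("CidrIp") == trusted_cidr for r in p.get("IpRanges", []))
                  for p in perms)
    if not already:   # otherwise EC2 rejects it with InvalidPermission.Duplicate
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[{
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": trusted_cidr}]}])
        actions.append(("authorize", trusted_cidr))
    return actions


class FakeEc2Client:
    """Constructed offline stand-in for the boto3 EC2 client; records calls."""
    def __init__(self, permissions):
        self.permissions, self.calls = permissions, []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.permissions}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("revoke", IpPermissions))

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("authorize", IpPermissions))


# Constructed sample: the noncompliant group from the audit, with SSH open to
# the world over IPv4 and IPv6 next to an already-trusted office range, plus
# an HTTPS rule that is open but is not SSH and must be left alone.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "192.168.75.0/24"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    ec2 = FakeEc2Client(SAMPLE_PERMISSIONS)
    print(remediate(ec2, "sg-abcd1234", "192.168.75.10/32"))
```

Against a real account, replace FakeEc2Client with boto3.client("ec2", region_name=...) and run the audit command again afterwards; the group should drop out of the "restricted-ssh" noncompliant results at the next evaluation.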


Publication date Feb 23, 2018