More Info:

AWS Config configuration changes should be monitored using CloudWatch alarms.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, AWSWAF, HITRUST, CISAWSF, PCI, GDPR, APRA, MAS, NISTCSF, CBP, NIST4

Triage and Remediation

Remediation

Using Console

AWS Config Changes Alarm is triggered when certain critical changes are made to the AWS Config settings. To ensure compliance, follow these steps to create a CloudWatch alarm to monitor AWS Config changes:
  1. Sign in to the AWS Management Console.
  2. Navigate to the CloudWatch dashboard at: https://console.aws.amazon.com/cloudwatch/.
  3. In the left navigation panel, select Logs.
  4. Select the log group created for your CloudTrail event logs and click Create Metric Filter.
  5. On the Define Logs Metric Filter page, enter the following pattern in the Filter Pattern box: 
{
    ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder))
}
  1. Review the metric filter configuration and click Assign Metric.
  2. On the Create Metric Filter and Assign a Metric page:
    • In the Filter Name box, enter a unique name like AWSConfigChanges.
    • In the Metric Namespace box, type CloudTrailMetrics.
    • In the Metric Name box, type ConfigEventCount.
    • Click Show advanced metric settings, then enter 1 in the Metric Value box.
  3. Review the details and click Create Filter to generate the metric filter.
  4. On the next page, click Create Alarm.
  5. In the Create Alarm dialog box:
    • Provide a unique name and short description for the alarm.
    • Under Whenever: Metric Name, select >= from the dropdown and enter 1 as the threshold value.
    • Under Actions, click the + Notification button and choose the SNS topic for alarm notifications.
    • Set the Period to 5 Minutes and Statistic to Sum.
  6. Review the configuration and click Create Alarm. Once created, the alarm will be listed on the Alarms page.

The AWS Config Changes Alarm checks for specific configuration changes within your AWS account and triggers alerts. You can use the following AWS CLI commands to create the necessary metric filter and alarm:
  1. Run the following command to create a CloudWatch metric filter and associate it with the appropriate CloudTrail log group:
aws logs put-metric-filter
    --region us-east-1
    --log-group-name CloudTrail/CloudWatchLogGroup
    --filter-name AWSConfigChanges
    --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }'
    --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Run the following command to create the CloudWatch alarm:
aws cloudwatch put-metric-alarm
    --region us-east-1
    --alarm-name AWSConfigChangesAlarm
    --alarm-description "Triggered by AWS Config changes."
    --metric-name ConfigEventCount
    --namespace CloudTrailMetrics
    --statistic Sum
    --comparison-operator GreaterThanOrEqualToThreshold
    --evaluation-periods 1
    --period 300
    --threshold 1
    --actions-enabled
    --alarm-actions arn:aws:sns:us-east-1:123456789012
  1. If the rule is non-compliant, create an alarm for AWS Config changes using the AWS CLI:
aws cloudwatch put-metric-alarm --alarm-name AWS-Config-Changes-Alarm --alarm-description "Alarm for AWS Config Changes" --metric-name ConfigurationChanges --namespace AWS/Config --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions <your-SNS-topic-ARN>
Note: Replace <your-SNS-topic-ARN> with the ARN of the SNS topic you want to receive the alarm notifications.
  1. Once completed, verify the alarm setup by listing the alarms:
aws cloudwatch describe-alarms --alarm-names AWSConfigChangesAlarm
  1. Finally, check whether the AWS Config Changes Alarm is triggered and working as expected:
aws configservice get-compliance-details-by-config-rule --config-rule-name AWS-Config-Changes-Alarm

You can also automate the monitoring of AWS Config changes by setting up a Python-based Lambda function that triggers based on a CloudWatch alarm. Here’s an example:
  1. Create an AWS Lambda function and use Python 3.x as the runtime.
  2. Assign the necessary AWS Config trigger permissions to the Lambda function.
  3. Use the following Python code to monitor and act on configuration changes: 
import boto3

def lambda_handler(event, context):
    cloudwatch = boto3.client('cloudwatch')

    # Logic to handle AWS Config changes
    if 'detail' in event and 'eventName' in event['detail']:
        event_name = event['detail']['eventName']

        if event_name in ['StopConfigurationRecorder', 'DeleteDeliveryChannel', 'PutDeliveryChannel', 'PutConfigurationRecorder']:
            response = cloudwatch.put_metric_alarm(
                AlarmName='AWSConfigChangesAlarm',
                ComparisonOperator='GreaterThanOrEqualToThreshold',
                EvaluationPeriods=1,
                MetricName='ConfigEventCount',
                Namespace='CloudTrailMetrics',
                Period=300,
                Statistic='Sum',
                Threshold=1,
                ActionsEnabled=True,
                AlarmActions=['arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic'],
                AlarmDescription='Triggered by AWS Config changes.'
            )
            return response
        else:
            print("Event is not related to AWS Config changes.")
    else:
        print("No event details found.")
  1. Test and deploy the Lambda function. Ensure that the necessary permissions and triggers are configured correctly.
By following these steps, you can automate the monitoring of AWS Config changes using Python and CloudWatch.

Additional Reading: