More Info:

Ensure that the log files (history files and snapshots) generated by AWS Config are delivered without any failures to designated S3 bucket in order to store logging data for auditing purposes.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “AWS Config Log File Delivery Should Be Configured” in AWS, you can follow the below steps:
  1. Open the AWS Management Console and navigate to the AWS Config service.
  2. Click on the “Settings” button in the left-hand menu.
  3. Scroll down to the “Resource Types to Record” section and click on the “Edit” button.
  4. Check the box next to “AWS::S3::Bucket” to enable logging for S3 buckets.
  5. Click on the “Save” button to save the changes.
This will enable AWS Config to log all changes made to S3 buckets in your AWS account. You can also configure logging for other resource types by checking the appropriate boxes in the “Resource Types to Record” section.

To remediate the misconfiguration of AWS Config Log File Delivery, please follow the below steps:Step 1: Open the AWS CLI and run the following command to create an S3 bucket that will store the AWS Config logs:
aws s3 mb s3://<bucket-name> --region <region>
Note: Replace <bucket-name> with a unique name for your S3 bucket and <region> with the region where you want to create the bucket.Step 2: Run the following command to create an IAM role that AWS Config will use to access the S3 bucket:
aws iam create-role --role-name AWSConfigServiceRole --assume-role-policy-document file://trust-policy.json
Note: Create a file named trust-policy.json with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 3: Run the following command to attach the required policy to the IAM role:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRole --role-name AWSConfigServiceRole
Step 4: Run the following command to enable AWS Config and specify the S3 bucket and IAM role:
aws configservice put-delivery-channel --delivery-channel '{"s3BucketName":"<bucket-name>","snsTopicARN":"","configSnapshotDeliveryProperties":{"deliveryFrequency":"Six_Hours"}}' --name default --s3-key-prefix logs/ --role-arn arn:aws:iam::<account-id>:role/AWSConfigServiceRole
Note: Replace <bucket-name> with the name of the S3 bucket you created in Step 1 and <account-id> with your AWS account ID.Step 5: Verify that AWS Config is enabled and the S3 bucket and IAM role are configured correctly by running the following command:
aws configservice describe-delivery-channels
This should return a JSON object that includes the details of the delivery channel you just created.By following the above steps, you can remediate the misconfiguration of AWS Config Log File Delivery.
To remediate the AWS Config Log File Delivery misconfiguration using Python, you can follow these steps:
  1. Import the necessary AWS SDK libraries in your Python script. For example, you can use the boto3 library to interact with AWS services.
import boto3
  1. Create a boto3 client for AWS Config service.
config_client = boto3.client('config')
  1. Check if the AWS Config Log File Delivery is enabled or not.
response = config_client.describe_delivery_channels()
if len(response['DeliveryChannels']) == 0:
    print("AWS Config Log File Delivery is not enabled.")
else:
    print("AWS Config Log File Delivery is enabled.")
  1. If AWS Config Log File Delivery is not enabled, create a new delivery channel.
response = config_client.put_delivery_channel(
    DeliveryChannel={
        'name': 'my-delivery-channel', # replace with your own delivery channel name
        's3BucketName': 'my-s3-bucket', # replace with your own S3 bucket name
        'configSnapshotDeliveryProperties': {
            'deliveryFrequency': 'One_Hour' # or 'Three_Hours', 'Six_Hours', 'Twelve_Hours', 'TwentyFour_Hours'
        }
    }
)
print("AWS Config Log File Delivery is enabled now.")
Note: Replace my-delivery-channel and my-s3-bucket with your own delivery channel name and S3 bucket name respectively.
  1. Verify that the AWS Config Log File Delivery is enabled.
response = config_client.describe_delivery_channels()
if len(response['DeliveryChannels']) == 0:
    print("AWS Config Log File Delivery is not enabled.")
else:
    print("AWS Config Log File Delivery is enabled.")
  1. Run the Python script to remediate the AWS Config Log File Delivery misconfiguration.
This should enable the AWS Config Log File Delivery and remediate the misconfiguration.

Additional Reading: