More Info:
Ensure that the log files (configuration history files and configuration snapshots) generated by AWS Config are delivered without failures to the designated S3 bucket, so that configuration data is retained for auditing purposes.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “AWS Config Log File Delivery Should Be Configured” in AWS, you can follow the steps below. Note that log file delivery is controlled by the delivery channel (the S3 bucket and IAM role in AWS Config settings), not by which resource types are recorded:
- Open the AWS Management Console and navigate to the AWS Config service.
- Click on “Settings” in the left-hand menu, then click on the “Edit” button.
- In the “Delivery method” section, under “Amazon S3 bucket”, create a new bucket or choose an existing bucket (in this account or another account) that will receive the configuration history files and snapshots. Optionally set a key prefix and the delivery frequency for configuration snapshots.
- Under the AWS Config role, choose the service-linked role or an existing IAM role that AWS Config will use; the role and the bucket policy must allow AWS Config to write to the bucket.
- Click on the “Save” button to save the changes, then confirm that recording is on and that the bucket shown under “Delivery method” is the one you selected.
Using CLI
To remediate the misconfiguration of AWS Config Log File Delivery, please follow the steps below:
Step 1: Using the AWS CLI, create an S3 bucket that will store the AWS Config logs.
Note: Replace <bucket-name> with a unique name for your S3 bucket and <region> with the region where you want to create the bucket.
Step 2: Create an IAM role that AWS Config will use to access the S3 bucket.
Note: Create a file named trust-policy.json containing a trust policy that allows the AWS Config service principal to assume the role, and pass it as the role's assume-role policy document.
Step 3: Attach the required policy to the IAM role so that AWS Config can read configuration data and write to the bucket.
Step 4: Enable AWS Config, specifying the IAM role for the configuration recorder and the S3 bucket for the delivery channel. The configuration recorder must exist before the delivery channel can be created.
Note: Replace <bucket-name> with the name of the S3 bucket you created in Step 1 and <account-id> with your AWS account ID.
Step 5: Verify that AWS Config is enabled and that the S3 bucket and IAM role are configured correctly by describing the delivery channel. This should return a JSON object that includes the details of the delivery channel you just created.
By following the above steps, you can remediate the misconfiguration of AWS Config Log File Delivery.
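The two policy documents that Steps 2 through 4 depend on, written out as an added Python example (this is example code added here, not the page's own CLI commands). The bucket name, account ID and key prefix are placeholders supplied by the caller. The bucket policy carries the three statements the AWS Config service principal needs (s3:GetBucketAcl, s3:ListBucket, and s3:PutObject with the bucket-owner-full-control ACL) and pins each of them with aws:SourceAccount so that AWS Config running in another account cannot use the same service principal to write into your bucket; missing_delivery_grants() checks an existing bucket policy for those grants, which is the usual cause of "Access Denied" delivery failures.

```python
"""Added example (not from the original page): the IAM trust policy and S3 bucket
policy that AWS Config delivery needs, plus a check of an existing bucket policy.
Bucket name, account ID and prefix are placeholders supplied by the caller."""
import json

CONFIG_SERVICE = "config.amazonaws.com"
DELIVERY_ACTIONS = ("s3:GetBucketAcl", "s3:ListBucket", "s3:PutObject")


def config_trust_policy() -> dict:
    """Trust policy for the role AWS Config assumes (the trust-policy.json of Step 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def config_bucket_policy(bucket: str, account_id: str, prefix: str = "", partition: str = "aws") -> dict:
    """Bucket policy for the delivery bucket. Config writes under AWSLogs/<account-id>/Config/.
    aws:SourceAccount pins each grant to this account's Config service, so another account's
    Config cannot use the shared service principal to write here (confused deputy); the
    bucket-owner-full-control ACL condition keeps delivered objects readable by the bucket owner."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix.strip("/") else ""
    source = {"AWS:SourceAccount": account_id}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn, "Condition": {"StringEquals": dict(source)}},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:ListBucket",
             "Resource": bucket_arn, "Condition": {"StringEquals": dict(source)}},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": {"Service": CONFIG_SERVICE}, "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/{key_prefix}AWSLogs/{account_id}/Config/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **source}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_to_config(stmt: dict, action: str, bucket_arn: str) -> bool:
    """True if stmt is an Allow of `action` to the Config principal on this bucket or keys in it.
    A bare "*" Resource is deliberately not treated as matching; tighten or loosen as needed."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    on_bucket = any(r == bucket_arn or r.startswith(bucket_arn + "/")
                    for r in _as_list(stmt.get("Resource", [])))
    return (stmt.get("Effect") == "Allow"
            and (principal == "*" or CONFIG_SERVICE in services)
            and action in _as_list(stmt.get("Action", []))
            and on_bucket)


def _pinned_to_account(stmt: dict, account_id: str) -> bool:
    """IAM condition keys are case-insensitive, so match aws:SourceAccount however it is spelled."""
    for operator_values in stmt.get("Condition", {}).values():
        for key, value in operator_values.items():
            if key.lower() == "aws:sourceaccount" and account_id in _as_list(value):
                return True
    return False


def missing_delivery_grants(policy: dict, bucket: str, account_id: str, partition: str = "aws") -> list:
    """Findings for a bucket policy that would make Config delivery fail or leave it unguarded."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    findings = []
    statements = _as_list(policy.get("Statement", []))
    for action in DELIVERY_ACTIONS:
        grants = [s for s in statements if _grants_to_config(s, action, bucket_arn)]
        if not grants:
            findings.append(f"{action}: no Allow for {CONFIG_SERVICE} on {bucket_arn}")
        elif not any(_pinned_to_account(s, account_id) for s in grants):
            findings.append(f"{action}: grant is not pinned with aws:SourceAccount={account_id}")
    return findings


if __name__ == "__main__":
    # Writes the two documents the CLI steps reference; the values are placeholders to replace.
    with open("trust-policy.json", "w") as fh:
        json.dump(config_trust_policy(), fh, indent=2)
    with open("bucket-policy.json", "w") as fh:
        json.dump(config_bucket_policy("<bucket-name>", "<account-id>"), fh, indent=2)
```

Running the script writes trust-policy.json and bucket-policy.json next to it; apply the first with the role's assume-role policy document and the second with the bucket's policy, after replacing the placeholders. If delivery later fails with an access error, feeding the live bucket policy to missing_delivery_grants() shows which of the three grants is missing or unpinned.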
Using Python
To remediate the AWS Config Log File Delivery misconfiguration using Python, you can follow these steps:
- Import the necessary AWS SDK libraries in your Python script. For example, you can use the boto3 library to interact with AWS services.
- Create a boto3 client for the AWS Config service.
- Check whether AWS Config Log File Delivery is enabled, i.e. whether a delivery channel pointing at an S3 bucket exists.
- If AWS Config Log File Delivery is not enabled, create a new delivery channel. A configuration recorder must already exist, or the call to create the delivery channel is rejected.
Note: Replace my-delivery-channel and my-s3-bucket with your own delivery channel name and S3 bucket name respectively.
- Verify that AWS Config Log File Delivery is enabled and that the last deliveries did not fail.
- Run the Python script to remediate the AWS Config Log File Delivery misconfiguration.
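The steps above, carried through as an added example (this is example code added here, not the page's own script). The bucket name, role ARN and the recorder and channel names are placeholders. The AWS Config client is injected so the logic runs offline against the in-memory stub included below; for a real account pass boto3.client("config") instead. The function is idempotent and respects two AWS Config constraints that a naive script trips over: the delivery channel cannot be created before a configuration recorder exists, and a region holds at most one delivery channel, so an existing channel is updated in place rather than a second one created. delivery_failures() then turns the delivery channel status into findings, which is the check that closes the loop on "delivered without any failures".

```python
"""Added example (not from the original page): make AWS Config log file delivery idempotent
with boto3 and flag failed deliveries. The client is injected so the logic runs offline against
the in-memory stub below; pass boto3.client("config") for a real account. Bucket, role ARN and
names are placeholders."""

SNAPSHOT_PROPS = {"deliveryFrequency": "TwentyFour_Hours"}
DELIVERY_KINDS = ("configSnapshotDeliveryInfo", "configHistoryDeliveryInfo", "configStreamDeliveryInfo")


def ensure_config_delivery(config, bucket, role_arn, name="default"):
    """Create or repair the recorder, the delivery channel and recording; returns the actions taken.
    Order matters: put_delivery_channel is rejected (NoAvailableConfigurationRecorderException)
    until a configuration recorder exists, and only one delivery channel is allowed per region."""
    actions = []
    recorders = config.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if recorders:
        recorder_name = recorders[0]["name"]
    else:
        recorder_name = name
        config.put_configuration_recorder(ConfigurationRecorder={
            "name": name, "roleARN": role_arn,
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}})
        actions.append("created recorder")

    channels = config.describe_delivery_channels().get("DeliveryChannels", [])
    channel_name = channels[0]["name"] if channels else name
    if not channels or channels[0].get("s3BucketName") != bucket:
        # Reusing the existing channel name updates it; a new name would exceed the channel limit.
        config.put_delivery_channel(DeliveryChannel={
            "name": channel_name, "s3BucketName": bucket,
            "configSnapshotDeliveryProperties": SNAPSHOT_PROPS})
        actions.append("updated delivery channel bucket" if channels else "created delivery channel")

    statuses = config.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
    if not any(s.get("recording") for s in statuses):
        config.start_configuration_recorder(ConfigurationRecorderName=recorder_name)
        actions.append("started recorder")
    return actions


def delivery_failures(status_response):
    """Findings from describe_delivery_channel_status(): each delivery kind whose last attempt failed."""
    findings = []
    for channel in status_response.get("DeliveryChannelsStatus", []):
        for kind in DELIVERY_KINDS:
            info = channel.get(kind) or {}
            if str(info.get("lastStatus", "")).lower() == "failure":
                findings.append(f"{channel.get('name')}: {kind} "
                                f"{info.get('lastErrorCode')}: {info.get('lastErrorMessage')}")
    return findings


class StubConfigClient:
    """In-memory stand-in for boto3's Config client, constructed for offline demonstration only.
    It mimics the one ordering rule that matters here: no delivery channel without a recorder."""
    def __init__(self):
        self.recorders, self.channels, self.recording = [], [], False

    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": list(self.recorders)}

    def put_configuration_recorder(self, ConfigurationRecorder):
        self.recorders = [ConfigurationRecorder]

    def describe_delivery_channels(self):
        return {"DeliveryChannels": list(self.channels)}

    def put_delivery_channel(self, DeliveryChannel):
        if not self.recorders:
            raise RuntimeError("NoAvailableConfigurationRecorderException")
        self.channels = [DeliveryChannel]

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": [{"name": r["name"], "recording": self.recording}
                                                 for r in self.recorders]}

    def start_configuration_recorder(self, ConfigurationRecorderName):
        self.recording = True

    def describe_delivery_channel_status(self):
        return {"DeliveryChannelsStatus": [{"name": c["name"], "configHistoryDeliveryInfo": {"lastStatus": "Success"}}
                                           for c in self.channels]}


if __name__ == "__main__":
    client = StubConfigClient()  # real account: import boto3; client = boto3.client("config")
    print(ensure_config_delivery(client, "my-s3-bucket", "arn:aws:iam::123456789012:role/AWSConfigRole"))
    print(delivery_failures(client.describe_delivery_channel_status()))
```

Against a real client, run the script once to remediate and again to confirm it reports no actions; a non-empty result from delivery_failures() after the first delivery window almost always points at the bucket policy or the role's permissions rather than at the delivery channel itself.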