Part 1 - Create Config Rules to Alert on Public S3 Buckets
In this step we will create a Config rule, using an AWS managed rule, that evaluates whether S3 buckets allow public read access.
1. Let's go to the AWS Config console; once there, click on Rules on the left side of the console.
2. Click on Add Rule.
3. In the Add Rule screen, type s3-bucket-public in the Filter section and click on the s3-bucket-public-read-prohibited rule.
4. Under the Trigger section, take notice of the Trigger Type: it is set to trigger on configuration changes and periodically. This means the rule evaluates whenever a change is made and also on a schedule. For this lab, change the frequency to 1 hour and leave the rest of the settings at their defaults.
5. Click Save.
Next, we will create a Config rule, using an AWS managed rule, that evaluates whether S3 buckets allow public write access.
6. Let's go to the AWS Config console; once there, click on Rules on the left side of the console.
7. Click on Add Rule.
8. In the Add Rule screen, type s3-bucket-public in the Filter section and click on the s3-bucket-public-write-prohibited rule.
9. Under the Trigger section, take notice of the Trigger Type; as mentioned previously, this rule triggers on changes and on a schedule. Change the frequency to 1 hour and leave the rest of the settings at their defaults.
10. Click Save.
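The two rules created in steps 1 to 10 can also be defined through the Config API, which is how you would reproduce them across accounts. The following is an added example, not part of the workshop's own material; it assumes the boto3 Config client call put_config_rule(ConfigRule=...) and the managed-rule identifiers S3_BUCKET_PUBLIC_READ_PROHIBITED and S3_BUCKET_PUBLIC_WRITE_PROHIBITED. The recording client is a constructed stand-in so the block runs offline.

```python
"""Define the two managed Config rules from steps 1-10 as API calls.

Added example, not part of the workshop's own material. It assumes the boto3
Config client API put_config_rule(ConfigRule=...) and the managed-rule
identifiers S3_BUCKET_PUBLIC_READ_PROHIBITED and
S3_BUCKET_PUBLIC_WRITE_PROHIBITED.
"""

# Managed rules are referenced by an uppercase identifier; the lowercase
# console name is reused as ConfigRuleName so the CloudWatch Events rule
# created later can match on it.
MANAGED_RULES = {
    "s3-bucket-public-read-prohibited": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "s3-bucket-public-write-prohibited": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
}

# Allowed values of MaximumExecutionFrequency; the lab picks One_Hour (step 4).
VALID_FREQUENCIES = {
    "One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours",
}


def build_config_rule(rule_name, frequency="One_Hour"):
    """Return the ConfigRule structure that put_config_rule expects.

    The configuration-change trigger is built into these managed rules; only
    the periodic frequency is something we choose.
    """
    if rule_name not in MANAGED_RULES:
        raise ValueError("not one of the lab's managed rules: %s" % rule_name)
    if frequency not in VALID_FREQUENCIES:
        raise ValueError("invalid MaximumExecutionFrequency: %s" % frequency)
    return {
        "ConfigRuleName": rule_name,
        "Description": "Lab rule backed by managed rule " + MANAGED_RULES[rule_name],
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULES[rule_name]},
        "MaximumExecutionFrequency": frequency,
    }


def create_lab_rules(config_client, frequency="One_Hour"):
    """Create both rules through the given client and return their names.

    config_client only needs put_config_rule(ConfigRule=...), the boto3
    signature, so a recording stand-in works offline.
    """
    created = []
    for name in MANAGED_RULES:
        config_client.put_config_rule(ConfigRule=build_config_rule(name, frequency))
        created.append(name)
    return created


class RecordingConfigClient:
    """Constructed stand-in for boto3.client('config'); records the requests."""

    def __init__(self):
        self.requests = []

    def put_config_rule(self, ConfigRule):
        self.requests.append(ConfigRule)


if __name__ == "__main__":
    # Swap in boto3.client("config") to create the rules in a real account.
    client = RecordingConfigClient()
    print(create_lab_rules(client))
    for request in client.requests:
        print(request)
```

Replacing RecordingConfigClient with boto3.client("config") performs the real calls; the rule names are kept identical to the console names because the CloudWatch Events rule in the next section matches on them.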
You can create Config rules to monitor a number of items within your infrastructure. Besides using AWS managed Config rules, you can also create custom rules using Lambda functions. Located here on GitHub are some sample Config rules you can create and implement in AWS Lambda.
Now that we have rules which will evaluate whether we have public access, let us create a CloudWatch Events rule so that we can trigger automated remediation.
Create CloudWatch Event Rules to trigger Lambda or AWS Systems Manager Automation
Now we will create the triggers for the Lambda function deployed by the CloudFormation template. The Lambda function will block public access on the S3 bucket once the bucket becomes non-compliant.
Note: This step needs to be done correctly for the Lambda to trigger.
11. Go to the CloudWatch console and, under Events on the left side, click on Rules
    - Click **Create rule**
    - Under Event Source
        - Select the radio button next to **Event Pattern**
        - Service Name: **Config**
        - Event Type: **Config Rules Compliance Change**
        - Select the radio button next to **Specific message type**
        - From the drop-down select **ComplianceChangeNotification**
        - Select the radio button next to **Specific rule name**
        - Type s3-bucket-public-read-prohibited
        - Click the plus to add another rule name
        - Type s3-bucket-public-write-prohibited
    - Under Targets
        - Select the StackName-EnforceS3NoPublicAccess* Lambda function, which is the function deployed by the CloudFormation template. Feel free to take a look at the function code in Lambda.
12. Click Configure details
    - Configure rule details
        - Name: S3BlockPublicAccess
        - State: check the Enabled box
    - Click Create Rule
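The console selections in steps 11 and 12 produce an event pattern, and it helps to see that pattern and check which Config events it forwards to the Lambda. The block below is an added example, not part of the workshop: it writes out the pattern the radio buttons correspond to, implements the exact-match semantics of event patterns, and tests constructed sample events against it. The account id and bucket name are constructed; the nested-field variant NONCOMPLIANT_ONLY_PATTERN is an assumption about how one would narrow the rule, not something the lab configures.

```python
"""The CloudWatch Events pattern that step 11 builds in the console, plus a
small matcher so the pattern can be checked offline against sample events.

Added example, not part of the workshop. The event layout follows the
Config compliance-change notification delivered to CloudWatch Events; the
account id, bucket name and rule names in the samples are constructed.
"""

# The console selections translate to this pattern: each key is ANDed, each
# list is "any of these values".
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [
            "s3-bucket-public-read-prohibited",
            "s3-bucket-public-write-prohibited",
        ],
    },
}

# ComplianceChangeNotification is also sent when a bucket goes back to
# COMPLIANT, so the target is invoked for both directions. A pattern can
# narrow that by matching nested fields (assumed variant, not in the lab).
NONCOMPLIANT_ONLY_PATTERN = {
    **EVENT_PATTERN,
    "detail": {
        **EVENT_PATTERN["detail"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Exact-match semantics of an event pattern: every key in the pattern
    must exist in the event; a list means "one of these values"; a nested
    dict recurses. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_event(rule_name, message_type="ComplianceChangeNotification",
                 compliance="NON_COMPLIANT"):
    """Constructed event of the shape the rule's Lambda target receives."""
    return {
        "version": "0",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "resourceId": "lab-public-bucket",
            "resourceType": "AWS::S3::Bucket",
            "configRuleName": rule_name,
            "messageType": message_type,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def would_trigger(event, pattern=EVENT_PATTERN):
    """True when the rule would forward this event to the Lambda target."""
    return matches(pattern, event)


if __name__ == "__main__":
    for rule in ("s3-bucket-public-read-prohibited", "required-tags"):
        print(rule, "->", would_trigger(sample_event(rule)))
```

The point worth noticing is that the lab's pattern matches every compliance change for the two rules, including the transition back to COMPLIANT, so the Lambda itself must check complianceType before acting; NONCOMPLIANT_ONLY_PATTERN shows the alternative of filtering at the rule.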
Testing our enforcement of No Public Access
13. Check what the S3 Public Access settings are set to for the bucket you previously created; they should be off.
14. Go to the S3 bucket that was created when deploying the lab and set it for public reads.
15. After setting the bucket to public, you can either wait or go to our Config rule for s3-bucket-public-read-prohibited and re-evaluate the rule. Refresh the screen and make sure the bucket comes up as Noncompliant.
16. Go back to the S3 bucket and review the Public Access settings. Did the setting change?
17. Update the PublicApp tag from no to yes, reset the Public Access settings back to off, and retry. What happens?
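To make the behaviour observed in steps 13 to 17 concrete, here is remediation logic of the kind the deployed Lambda performs. This is an added example, not the workshop's own function: it assumes the boto3 S3 calls get_bucket_tagging and put_public_access_block, and it treats a PublicApp=yes tag as an opt-out, which is an assumption drawn from step 17 rather than something the page states. The S3 client is injected, and FakeS3 is a constructed stand-in so the block runs offline.

```python
"""Remediation logic of the kind the CloudFormation-deployed Lambda performs:
on a NON_COMPLIANT compliance change for an S3 bucket, turn on all four
Block Public Access settings, unless the bucket is tagged PublicApp=yes.

Added example, not the workshop's own Lambda. The PublicApp=yes exception is
an assumption drawn from step 17; the S3 calls assumed are boto3's
get_bucket_tagging and put_public_access_block, reached through an injected
client so the logic can be exercised offline with the stand-in below.
"""

# The four settings behind the console's Block Public Access switch.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def bucket_tags(s3, bucket):
    """Return the bucket's tags as a dict, treating 'no tag set' as empty."""
    try:
        resp = s3.get_bucket_tagging(Bucket=bucket)
    except Exception as exc:
        # boto3 raises ClientError with Error.Code NoSuchTagSet for an untagged bucket
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchTagSet":
            return {}
        raise
    return {t["Key"]: t["Value"] for t in resp.get("TagSet", [])}


def handler(event, context=None, s3=None):
    """Lambda entry point; returns a small record of the decision taken."""
    if s3 is None:
        import boto3  # real client only when running inside Lambda
        s3 = boto3.client("s3")
    detail = event.get("detail", {})
    bucket = detail.get("resourceId")
    compliance = detail.get("newEvaluationResult", {}).get("complianceType")
    if detail.get("resourceType") != "AWS::S3::Bucket" or not bucket:
        return {"bucket": bucket, "action": "ignored", "reason": "not an S3 bucket"}
    # The event rule fires on every compliance change, so COMPLIANT transitions arrive too.
    if compliance != "NON_COMPLIANT":
        return {"bucket": bucket, "action": "ignored", "reason": "compliance is %s" % compliance}
    if bucket_tags(s3, bucket).get("PublicApp", "").lower() == "yes":
        return {"bucket": bucket, "action": "skipped", "reason": "tagged PublicApp=yes"}
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    return {"bucket": bucket, "action": "blocked", "reason": "Block Public Access applied"}


class FakeS3:
    """Constructed stand-in for boto3.client('s3'); tags=None models an untagged bucket."""

    def __init__(self, tags=None):
        self.tags = tags
        self.blocks = {}

    def get_bucket_tagging(self, Bucket):
        if self.tags is None:
            err = Exception("NoSuchTagSet")
            err.response = {"Error": {"Code": "NoSuchTagSet"}}
            raise err
        return {"TagSet": [{"Key": k, "Value": v} for k, v in self.tags.items()]}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.blocks[Bucket] = dict(PublicAccessBlockConfiguration)


def compliance_event(bucket, compliance="NON_COMPLIANT"):
    """Constructed Config compliance-change event, reduced to the fields used above."""
    return {"detail": {
        "resourceId": bucket,
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": compliance},
    }}


if __name__ == "__main__":
    for tags in (None, {"PublicApp": "no"}, {"PublicApp": "yes"}):
        client = FakeS3(tags)
        print(tags, "->", handler(compliance_event("lab-bucket"), s3=client))
```

Running the block walks through the three cases the test steps exercise: an untagged bucket and a PublicApp=no bucket get Block Public Access applied, while a PublicApp=yes bucket is left alone, and a COMPLIANT transition is ignored so the function does not act on the event the rule sends when the bucket returns to compliance.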