

4 Steps to Auto Remediate Account level S3 Access Settings

Welcome to the first blog for 2023!!

In this post, I want to walk through the steps involved in setting up AWS Config auto remediation for the AWS account-level S3 public access settings.

As we know, the right place to learn more about the services is the AWS documentation, so I am only giving a brief explanation of what is what and jumping straight into the use case (relieved? :-))

AWS Config
is a service which records and monitors configuration changes of AWS resources.

Purpose of AWS Config Rules & Remediation
If you are on AWS, hosting applications or utilizing resources on the AWS cloud, then the account and its resources have to be maintained and monitored, to avoid mishaps like deletion of resources or launching of unnecessary resources.

There are 2 kinds of rules ("Preventive" & "Detective") for keeping the AWS environment monitored for compliance. As the word says, "Preventive" rules are implemented or configured to stop certain configurations from being applied at all. On the other side, "Detective" rules monitor certain "config settings" that must not be modified, since modifying them would compromise the environment.

Well, with that background, let us implement one of these compliance detections with auto remediation here.

AWS S3
is a storage service in the AWS cloud where objects can be stored with encryption and lifecycle definitions.

A vital part of securing the data or objects stored in S3 is to restrict public access to buckets, both at the individual resource (bucket) level and at the AWS account level.

How-To: Account level public access restriction on S3 Objects

By default, account-level public access is restricted via the settings under S3. While this setting is a one-time activity, what if any user or application that has access modifies it to allow "public access to all at account level"? That compromises the environment's compliance and data security.

So here comes AWS Config, which tracks and monitors the change that is happening against specific categories, by way of rule definitions.

We can achieve the "Capture & Remediate" in 4 simple steps, and here they are.

Step 1:
Configure AWS Config Detective Rule - "S3-Account-Level-Public-Access-Blocks"

(i) Select the appropriate AWS Managed Config Rule


(ii) Configure the S3 bucket where the logs for this rule (execution logs & details) are stored, and click on "Confirm" to get the rule created


(iii) Now the rule is listed in the AWS Config Rules view


Step 2:
Set up auto remediation for rule "S3-Account-Level-Public-Access-Blocks"

(iv) In order to complete the Config rule creation, we need a role to take action against the services that are configured. So create a role in your AWS account as shown here. I have taken AWSS3FullAccess here


(v) The remediation action for restricting account-level S3 public access is "AWSConfigRemediation-ConfigureS3PublicAccessBlock"


Step 3:
Run the Config rule evaluation after modifying the AWS S3 account-level public access to "On" (i.e., Block Public Access turned off)

(vi) Manually change "Block Public Access" at account level to "No" (uncheck all the Block Public Access options)


(vii) Rule config & compliance status view from "AWS Config - Rules view"


Step 4:
Observe the status being reported as "Non-compliant" and then auto-remediated to the "Compliant" state

(viii) While the rule is evaluated, observe the status of the rule execution. (In case of any errors, check the logs in the S3 bucket configured while defining the rule.)


(ix) After the auto remediation, "Block All Public Access" is now set to "On"!! Success!!


(x) Next, the rule defined is now in the "Compliant" state after the successful remediation action


(xi) Also, the buckets are now "not public"

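The four console steps above, expressed as the API request bodies they produce and run offline, as an added example that is not part of the original post. It assumes a placeholder account id (111122223333) and role ARN, uses the managed rule's source identifier S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS and the remediation document named in Step 2, and re-implements the rule's compliance check (all four Block Public Access flags must be true) so the "Non-compliant" then "Compliant" transition of Steps 3 and 4 can be traced without an AWS account. The least-privilege policy at the end is an assumption about the two S3 actions the remediation document needs; it is offered as a tighter alternative to the full-access policy used in Step 2 (iv).

```python
"""Offline model of the AWS Config rule + auto remediation set up in the post.

Placeholders (not from the post): account id 111122223333 and the role ARN.
The evaluation logic mirrors the managed rule's documented check; it is not AWS code.
"""
import json

RULE_NAME = "S3-Account-Level-Public-Access-Blocks"            # rule name used in the post
MANAGED_RULE_ID = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"      # AWS managed rule source identifier
REMEDIATION_DOC = "AWSConfigRemediation-ConfigureS3PublicAccessBlock"
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def config_rule_request(rule_name=RULE_NAME):
    """Request body for config.put_config_rule(**...), i.e. Step 1 (i)-(iii).
    InputParameters asks the managed rule to require every block flag."""
    return {
        "ConfigRule": {
            "ConfigRuleName": rule_name,
            "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_ID},
            "InputParameters": json.dumps({s: "True" for s in BLOCK_SETTINGS}),
        }
    }


def remediation_request(account_id, role_arn, rule_name=RULE_NAME):
    """Request body for config.put_remediation_configurations(**...), i.e. Step 2 (iv)-(v).
    Static values are strings because Config passes them to the SSM document as text."""
    def static(value):
        return {"StaticValue": {"Values": [value]}}

    params = {s: static("true") for s in BLOCK_SETTINGS}
    params["AccountId"] = static(account_id)
    params["AutomationAssumeRole"] = static(role_arn)   # the role created in Step 2 (iv)
    return {
        "RemediationConfigurations": [{
            "ConfigRuleName": rule_name,
            "TargetType": "SSM_DOCUMENT",
            "TargetId": REMEDIATION_DOC,
            "Parameters": params,
            "Automatic": True,                # auto remediation, not manual approval
            "MaximumAutomaticAttempts": 5,
            "RetryAttemptSeconds": 60,
        }]
    }


def evaluate_account_block(public_access_block):
    """COMPLIANT only if all four account-level flags are true (the rule's check)."""
    ok = all(public_access_block.get(s, False) is True for s in BLOCK_SETTINGS)
    return "COMPLIANT" if ok else "NON_COMPLIANT"


def apply_remediation(public_access_block, remediation):
    """Simulate the remediation document: write the configured booleans back
    into the account's PublicAccessBlock configuration and return the new state."""
    params = remediation["RemediationConfigurations"][0]["Parameters"]
    fixed = dict(public_access_block)
    for s in BLOCK_SETTINGS:
        fixed[s] = params[s]["StaticValue"]["Values"][0].lower() == "true"
    return fixed


def least_privilege_policy():
    """IAM policy for the remediation role: only the account-level S3 actions
    (assumed to be what the remediation document calls) instead of full S3 access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetAccountPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
            "Resource": "*",      # these actions are account-scoped, not bucket-scoped
        }],
    }


if __name__ == "__main__":
    rem = remediation_request("111122223333",
                              "arn:aws:iam::111122223333:role/ConfigRemediationRole")
    # Step 3 (vi): someone unchecks all four Block Public Access boxes (constructed state)
    drifted = {s: False for s in BLOCK_SETTINGS}
    print("after drift:      ", evaluate_account_block(drifted))
    # Step 4 (ix)-(x): remediation runs and the rule is re-evaluated
    print("after remediation:", evaluate_account_block(apply_remediation(drifted, rem)))
    print(json.dumps(least_privilege_policy(), indent=2))
```

Wiring this to a real account means passing each request body to the matching boto3 `config` client call (`put_config_rule`, `put_remediation_configurations`); the role in `AutomationAssumeRole` must trust ssm.amazonaws.com, and the policy above is the minimum the remediation needs rather than the full-access policy the post uses.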

Note: Resetting a config change looks simple, and makes people think "I would have done it manually in minutes... why automation?", but in the case of hundreds or thousands of AWS accounts, AWS Config auto remediation is the true saviour.

Happy Config Tracking !!
