DEV Community

James Monek for AWS Community Builders

Posted on • Originally published at jamesmonek.com

Compliance Checking in AWS

Storing protected data such as HIPAA in the cloud requires extra attention to ensure the data is not compromised. Using the NIST 800-171 framework provides guidance for controls that can help facilitate the protection of HIPAA and other protected data sets. AWS Audit Manager is a good starting point for auditing your environment against NIST 800-171 but I wanted to learn more about NIST and building controls in AWS to protect data. To do this, I wanted to use AWS Config service to monitor for compliance for controls and to use AWS Simple Notification Service to send alerts to via email and Slack. To accomplish this, AWS provides operational best practices for using AWS Config service to continuous monitor many NIST 800-171 controls. From this, I pulled controls that are applicable for services being utilized to host and analyze data in AWS.

AWS Config Service

AWS Config provides services to assess and audit configurations for AWS resources. We all have read articles about S3 buckets being misconfigured and exposing data to the public. AWS Config can monitor for buckets that are configured for public access. If bucket should be misconfigured or changed to allow public access, AWS Config will report this compliance violation and you can set up remediation to automatically change the settings back.

Lets build out Cloudfomation template that checks for compliance for blocking public access and for EBS volumes that are not encrypted.

Check for the S3 bucket public access

# S3 Compliance checks

  ConfigRuleBucketReadProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-public-read-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  ConfigRuleBucketWriteProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-public-write-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
  ConfigRuleS3PublicAccess:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-account-level-public-access-blocks"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::AccountPublicAccessBlock"
      Description: "A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item."
      InputParameters:
        IgnorePublicAcls: "True"
        BlockPublicPolicy: "True"
        BlockPublicAcls: "True"
        RestrictPublicBuckets: "True"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
  ConfigRuleBucketPublicAccessProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-level-public-access-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. This rule is NON_COMPLIANT if an Amazon S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"
Enter fullscreen mode Exit fullscreen mode

Check that EBS Volumes are encrypted

#EC2 and EBS Compliance Checks
  ConfigRuleEncryptedVolumes:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "encrypted-volumes"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Volume"
      Description: "A Config rule that checks whether the EBS volumes that are in an attached state are encrypted."
      Source:
        Owner: "AWS"
        SourceIdentifier: "ENCRYPTED_VOLUMES"
Enter fullscreen mode Exit fullscreen mode

Notification for compliance changes

Now that we have some compliance checking rules, weโ€™ll want to notify us when resources are out of compliance. To do this, we will use a combination of AWS EventBridge and Simple Notification Service.

EventBridge is a serverless event bus that we will use to detect changes to AWS Config. To get started, we will create an event rule to detect when a compliance changes. Portion of the cloud formation template is below and the particular section to note is the EventPattern.

  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-config-changes"
      Description: "A CloudWatch Event Rule that detects changes to AWS Config and publishes change events to an SNS topic for notification."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "Config Rules Compliance Change"
        source:
          - "aws.config"
Enter fullscreen mode Exit fullscreen mode

Next, we will want to build out the SNS Topic to send us an email to alert us of compliance changes. The SNS Topic section creates the subscription, where as, the TopicPolicy section provides permissions to publish the notification.

  SnsTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "aws-notifications-list@example.com"
          Protocol: "email"
      TopicName: "sns-topic"
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: HDWTopicPolicy
        Statement:
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref SnsTopic
Enter fullscreen mode Exit fullscreen mode

Putting this all together

The final CloudFormation templates are below. The first stack creates the AWS Config rules and the other creates the EventBridge and SNS notifications.

AWS Config CloudFormation Template

AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS Config Checks"
Resources:
#EC2 and EBS Compliance Checks
  ConfigRuleEncryptedVolumes:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "encrypted-volumes"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Volume"
      Description: "A Config rule that checks whether the EBS volumes that are in an attached state are encrypted."
      Source:
        Owner: "AWS"
        SourceIdentifier: "ENCRYPTED_VOLUMES"
# S3 Compliance checks
  ConfigRuleBucketReadProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-public-read-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  ConfigRuleBucketWriteProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-public-write-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
  ConfigRuleS3PublicAccess:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-account-level-public-access-blocks"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::AccountPublicAccessBlock"
      Description: "A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item."
      InputParameters:
        IgnorePublicAcls: "True"
        BlockPublicPolicy: "True"
        BlockPublicAcls: "True"
        RestrictPublicBuckets: "True"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
  ConfigRuleBucketPublicAccessProhibited:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-level-public-access-prohibited"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. This rule is NON_COMPLIANT if an Amazon S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"
Parameters: {}
Metadata: {}
Conditions: {}
Enter fullscreen mode Exit fullscreen mode

EventBridge and SNS Notifications

AWSTemplateFormatVersion: "2010-09-09"
Description: "Create SNS topic to send alerts and notifications to aws-notifications-list@example.com"
# Create SNSTopic to send email to aws-notifications-list@example.com
Resources:
  SnsTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "aws-notifications-list@example.com"
          Protocol: "email"
      TopicName: "sns-topic"
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: HDWTopicPolicy
        Statement:
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref SnsTopic
      Topics:
        - !Ref SnsTopic
# Create CloudWatch Event Rule to notify of config changes
  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-config-changes"
      Description: "A CloudWatch Event Rule that detects changes to AWS Config and publishes change events to an SNS topic for notification."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "Config Rules Compliance Change"
        source:
          - "aws.config"
Parameters: {}
Metadata: {}
Conditions: {}
Enter fullscreen mode Exit fullscreen mode

Whatโ€™s next?

There are two additional items Iโ€™ll be looking to expand on. One is to add functionality for SNS to post the event in a Slack Channel when a resource comes out of compliance. Lastly, Iโ€™ll look to clean up JSON output to be more readable for the notifications.

Top comments (0)