AWS Config

Config Service Delivery Bucket Missing

This plugin ensures that AWS Config service is referencing an active S3 bucket.

Risk Level: High

Description

This plugin ensures that AWS Config service is referencing an active Amazon S3 bucket. The S3 bucket referenced by the AWS Config delivery channel stores all configuration history and snapshots for auditing and assessment purposes. This plugin verifies that the specified S3 bucket has not been deleted.

About the Service

AWS Config: AWS Config simplifies assessment, auditing and evaluation of the configurations of your AWS resources. It records how resources are configured and how they relate to one another, and keeps a history of those configurations over time. Apart from monitoring, AWS Config also evaluates recorded configurations against rules that encode your internal policies and reports overall compliance.

Impact

An AWS Config delivery channel has two destinations: an Amazon S3 bucket, which is required and receives configuration history files and snapshots, and an optional Amazon SNS topic for notifications. If the referenced S3 bucket no longer exists, delivery fails and configuration history and snapshots are no longer stored, even though the configuration recorder keeps running.

Without that stored history, critical configuration changes, such as a change that makes an AWS resource publicly accessible, leave no record to audit and cannot be traced back later during an investigation.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in. 
  3. Scroll down and select Settings from the left navigation pane.
  4. Under the Delivery method settings, copy the name of the S3 bucket the Config service is referencing.
  5. Now, on a separate tab, open the Amazon S3 console (https://s3.console.aws.amazon.com/s3). In the search bar, paste the S3 bucket name copied before. If there are no results found, the vulnerability exists.
  6. Repeat steps 3 to 5 for all the regions you want to investigate.
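The console steps above can be automated with the AWS API: the same information is exposed by DescribeDeliveryChannels (per region) and HeadBucket. The following script is an added example written for this page, not the plugin's own code. It assumes boto3 credentials with config:DescribeDeliveryChannels and s3:ListBucket permissions for a live run; the fake clients and bucket names at the bottom are constructed fixtures so the logic can be exercised offline.

```python
"""Flag AWS Config delivery channels whose S3 bucket no longer exists.

Added example; not part of the plugin. Live runs need boto3 and credentials
with config:DescribeDeliveryChannels and s3:ListBucket (HeadBucket).
"""
from typing import Dict, List

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore not installed: stand-in with the same shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name


def delivery_bucket_names(config_client) -> List[str]:
    """S3 bucket names referenced by the region's delivery channel(s)."""
    resp = config_client.describe_delivery_channels()
    return [ch["s3BucketName"] for ch in resp.get("DeliveryChannels", [])
            if ch.get("s3BucketName")]


def bucket_status(s3_client, bucket: str) -> str:
    """Classify a bucket with HeadBucket.

    404 -> 'missing' (the bucket was deleted: the plugin's failing condition).
    403 -> 'inaccessible' (exists, but owned by another account or denied);
           Config cannot deliver there either, so it still needs follow-up.
    """
    try:
        s3_client.head_bucket(Bucket=bucket)
        return "active"
    except ClientError as exc:
        code = str(exc.response.get("Error", {}).get("Code", ""))
        if code in ("404", "NoSuchBucket", "NotFound"):
            return "missing"
        if code in ("403", "AccessDenied", "Forbidden"):
            return "inaccessible"
        raise


def check_region(region: str, config_client, s3_client) -> List[Dict[str, str]]:
    """One finding per referenced bucket; a region without a delivery channel
    is reported separately because nothing is being delivered there at all."""
    buckets = delivery_bucket_names(config_client)
    if not buckets:
        return [{"region": region, "bucket": "", "status": "no-delivery-channel"}]
    return [{"region": region, "bucket": b, "status": bucket_status(s3_client, b)}
            for b in buckets]


def failing(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Everything that is not an active bucket is a finding to act on."""
    return [f for f in findings if f["status"] != "active"]


def scan_account() -> List[Dict[str, str]]:
    """Live run across every region where AWS Config is offered."""
    import boto3  # imported here so the offline demo below needs no boto3
    session = boto3.session.Session()
    s3 = session.client("s3")  # HeadBucket works from any region
    findings: List[Dict[str, str]] = []
    for region in session.get_available_regions("config"):
        try:
            findings += check_region(region, session.client("config", region_name=region), s3)
        except ClientError as exc:  # e.g. an opt-in region that is not enabled
            findings.append({"region": region, "bucket": "",
                             "status": "error:" + str(exc.response.get("Error", {}).get("Code"))})
    return findings


# --- constructed offline fixtures (hypothetical bucket names) -----------------
class _FakeConfig:
    def __init__(self, buckets):
        self.buckets = buckets

    def describe_delivery_channels(self):
        return {"DeliveryChannels": [{"name": "default", "s3BucketName": b} for b in self.buckets]}


class _FakeS3:
    def __init__(self, existing, foreign):
        self.existing, self.foreign = set(existing), set(foreign)

    def head_bucket(self, Bucket):
        if Bucket in self.existing:
            return {}
        code = "403" if Bucket in self.foreign else "404"
        raise ClientError({"Error": {"Code": code, "Message": ""}}, "HeadBucket")


def demo_findings() -> List[Dict[str, str]]:
    s3 = _FakeS3(existing={"config-logs-good"}, foreign={"config-logs-other-account"})
    findings = check_region("us-east-1", _FakeConfig(["config-logs-good"]), s3)
    findings += check_region("eu-west-1", _FakeConfig(["config-logs-deleted"]), s3)
    findings += check_region("ap-south-1", _FakeConfig(["config-logs-other-account"]), s3)
    findings += check_region("sa-east-1", _FakeConfig([]), s3)
    return findings


if __name__ == "__main__":
    for f in failing(demo_findings()):
        print(f"{f['region']:12} {f['status']:20} {f['bucket']}")
```

Run the file directly for the offline demo, or call scan_account() with credentials for a live check. Treating a 403 as a distinct "inaccessible" status matters: a bucket name that was deleted and re-created by another account still answers HeadBucket, but AWS Config can no longer write to it, so the history is just as lost.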

Steps for Remediation

Point the AWS Config delivery channel at an active S3 bucket.

  1. Log In to your AWS Console.
  2. Open the AWS Config console. You can use this link (https://console.aws.amazon.com/config) to navigate directly if already logged in. 
  3. Scroll down and select Settings from the left navigation pane.
  4. Click on the Edit button from the top right corner.
  5. From the Delivery Method, select Choose a bucket from your account and from the drop down menu, choose the bucket where you want to save the configuration changes recorded. Alternatively, you can also Create a new bucket for it.
  6. Click on Save after making all the changes.
  7. Repeat steps 3 to 6 for all the vulnerable regions.