Conformance packs

Deploy components for the lab

In this lab, we will be deploying the Amazon S3 Operational Best Practices with remediation actions conformance pack. This pack contains the following Config rules:

  • S3BucketPublicReadProhibited with remediation action
  • S3BucketPublicWriteProhibited with remediation action
  • S3BucketServerSideEncryptionEnabled with remediation action
  • S3BucketLoggingEnabled with remediation action
  • S3BucketReplicationEnabled
  • S3BucketSSLRequestsOnly

Prerequisites

We will create prerequisite resources required for the “Amazon S3 Operational Best Practices with Remediation Actions” conformance pack. This includes a service-linked role for conformance packs, a remediation action role, and an S3 logging bucket.

Deploying this Conformance Pack can disrupt access to data if installed in a production environment. Never deploy these conformance packs without proper testing in a safe test environment first!

Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab, and download the Conformance Pack template for use in the next step.

  • conforms-prerequisite-resources.yaml: creates the resources used in this lab (Download the lab CloudFormation template)
  • Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml: creates the Conformance Pack (Download the Conformance Pack template)

The stack will create these resources for you:

Lab Architecture Diagram

To create this stack, open the CloudFormation Console and then click on Create Stack, and then With new resources (standard).

When prompted for the template, click on Upload a template file, and then provide the path to the file you just downloaded.

On the next pages, give the stack a unique name (such as Conforms), and enter the same S3 bucket as the one you created in the Setup section.

Please wait several minutes before proceeding, as the resources created above take a short time to initialize.

Deploy conformance pack

Before we can deploy the conformance pack, we will need to edit it. The conformance packs that AWS provides represent collated best practices; however, they are not "one size fits all" and need some tailoring before being used.

  1. Edit the Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml file to make it usable in your lab environment. You will need to replace the <Account-Id> entries with the account number of your account (12 digits, without dashes). You will find this entry on these line numbers:
    • 43
    • 80
    • 139
    • 179
  2. Go to the Config Console, and then click on Conformance packs.
  3. Click on Deploy conformance pack at the top right of the page.
  4. Under Template details, select Upload template and then Upload a template. Click Choose file, upload your modified template, and finally click Next.
  5. Give the conformance pack a name that is meaningful to you.
  6. This conformance pack will require a parameter to function. Click Add parameter and then add a new key called S3TargetBucketNameForEnableLogging.
    • The value for this will be the name of the s3serversideloggingbucket created by the CloudFormation stack you deployed in the prerequisites. Copy the name of the bucket into the value field.
  7. Click Next, and finally click Deploy conformance pack.

View compliance remediation

We will check the compliance status of each rule in the conformance pack and of its associated resources. Conformance Packs can also be deployed to an AWS Organization; however, this is out of scope for this lab.

  1. Once the conformance pack is deployed, click on the conformance pack name to drill down into its details. You can view the list of rules and their compliance status.
  2. Click on a rule name to see its details.
  3. Expand the Resources in scope section to see the resources in scope and their compliance status. If there are any existing non-compliant resources, you can manually remediate them or wait for auto-remediation to complete.
  4. To see auto-remediation in action on a new resource, create a new S3 bucket using the S3 console. Config will discover the resource and mark it as non-compliant if it does not follow the S3 best practices.
  5. Go back to the conformance pack details and select a rule with a remediation action.
  6. Expand the Resources in scope section to see the newly created resource with its compliance status. If the resource is non-compliant, the auto-remediation action will be applied to the resource within a few minutes.
  7. Refresh the page to see updated resource compliance status.
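The same two procedures (editing and deploying the pack, then viewing rule compliance) can be done from the AWS CLI. The script below is an added example, not part of the lab; it assumes the CLI is configured for the lab account, that the pack template is in the current directory, and the pack name Conforms-S3 and file name pack.yaml are placeholders of our own.

```shell
#!/bin/sh
# Added example (not part of the lab): CLI equivalent of the console steps.
# Assumes the AWS CLI is configured for the lab account; pack and file names
# below are placeholders.
set -eu

# Step 1: fill every <Account-Id> placeholder in the template.
# Usage: fill_account_id <in.yaml> <out.yaml> <account-id>. Prints the number
# of filled lines; fails if the ID is malformed or a placeholder survives, so
# a half-edited template is never deployed.
fill_account_id() {
  in="$1"; out="$2"; acct="$3"
  case "$acct" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits without dashes: $acct" >&2; return 1 ;;
  esac
  sed "s/<Account-Id>/$acct/g" "$in" > "$out"
  if grep -q '<Account-Id>' "$out"; then
    echo "unreplaced <Account-Id> in $out" >&2; return 1
  fi
  n=$(grep -c "$acct" "$out" || true)
  [ "$n" -gt 0 ] || { echo "no <Account-Id> entries in $in" >&2; return 1; }
  echo "$n"   # the lab template has 4 such lines
}

# Steps 2-7: deploy the pack, passing the logging bucket created by the
# prerequisite stack as the S3TargetBucketNameForEnableLogging parameter.
# Usage: deploy_pack <pack-name> <template.yaml> <logging-bucket>
deploy_pack() {
  aws configservice put-conformance-pack \
    --conformance-pack-name "$1" \
    --template-body "file://$2" \
    --conformance-pack-input-parameters \
      "ParameterName=S3TargetBucketNameForEnableLogging,ParameterValue=$3"
}

# View compliance: one line per rule (COMPLIANT / NON_COMPLIANT / ...), the
# same view as the conformance pack details page. Usage: show_compliance <pack-name>
show_compliance() {
  aws configservice describe-conformance-pack-compliance \
    --conformance-pack-name "$1" \
    --query 'ConformancePackRuleComplianceList[].[ConfigRuleName,ComplianceType]' \
    --output text
}

# Run end to end with: sh deploy-pack.sh run <s3serversideloggingbucket-name>
if [ "${1:-}" = "run" ]; then
  acct=$(aws sts get-caller-identity --query Account --output text)
  fill_account_id Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml pack.yaml "$acct"
  deploy_pack Conforms-S3 pack.yaml "${2:?logging bucket name required}"
  show_compliance Conforms-S3
fi
```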