In this lab, we will be deploying the Amazon S3 Operational Best Practices with remediation actions conformance pack. This pack contains following Config Rules.
S3BucketPublicReadProhibitedwith remediation action
S3BucketPublicWriteProhibitedwith remediation action
S3BucketServerSideEncryptionEnabledwith remediation action
S3BucketLoggingEnabledwith remediation action
We will create prerequisite resources required for the “Amazon S3 Operational Best Practices with Remediation Actions” conformance pack. This includes a service-linked role for conformance packs, a remediation action role, and an S3 logging bucket.
Deploying this Conformance Pack can disrupt access to data if installed in a production environment. Never deploy these conformance packs without proper testing in a safe test environment first!
Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab, as well as download a Conformance Pack template for use in the next step.
|File name||Purpose||Template download|
||Creates the resources used in this lab||Download the lab CloudFormation template|
||Creates the Conformance Pack||Download the Conformance Pack template|
The stack will create these resources for you:
To create this stack, open the CloudFormation Console and then click on Create Stack, and then With new resources (standard).
When prompted for the template, click on Upload a template file, and then provide the path to the file you just downloaded.
On the next pages, give the stack a unique name (such as
Conforms), and enter the same S3 bucket as the one you created in the Setup section.
Please wait several minutes before proceeding as the resources created above take a short time to initialize.
Before we can deploy the conformance pack, we will need to edit it. Conformance packs that AWS provides represent collated best practices, however they are not “one size fits all” and need some tailoring before being leveraged.
Operational-Best-Practices-for-Amazon-S3-with-Remediation.yamlfile so we can make it usable with your lab environment. You will need to replace the
<Account-Id>entries with the proper account number for your account (without dashes). You will find this entry on these line numbers:
s3serversideloggingbucketcreated by the CloudFormation stack you deployed in the prerequisites. Copy the name of the bucket into the value field.
We will check compliance status for each rule in conformance pack and associated resources. Conformance Packs can also be deployed to an AWS Organization; however, this is out of scope for this lab.