Conformance packs
Deploy components for the lab
In this lab, we will be deploying the Amazon S3 Operational Best Practices with remediation actions conformance pack. This pack contains following Config Rules.
S3BucketPublicReadProhibitedwith remediation actionS3BucketPublicWriteProhibitedwith remediation actionS3BucketServerSideEncryptionEnabledwith remediation actionS3BucketLoggingEnabledwith remediation actionS3BucketReplicationEnabledS3BucketSSLRequestsOnly
Prerequisites
We will create prerequisite resources required for the “Amazon S3 Operational Best Practices with Remediation Actions” conformance pack. This includes a service-linked role for conformance packs, a remediation action role, and an S3 logging bucket.
Deploying this Conformance Pack can disrupt access to data if installed in a production environment. Never deploy these conformance packs without proper testing in a safe test environment first!
Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab, as well as download a Conformance Pack template for use in the next step.
| File name | Purpose | Template download |
|---|---|---|
conforms-prerequisite-resources.yaml |
Creates the resources used in this lab | Download the lab CloudFormation template |
Operational-Best-Practices-for-Amazon-S3-with-Remediation.yaml |
Creates the Conformance Pack | Download the Conformance Pack template |
The stack will create these resources for you:
To create this stack, open the CloudFormation Console and then click on Create Stack, and then With new resources (standard).
When prompted for the template, click on Upload a template file, and then provide the path to the file you just downloaded.
On the next pages, give the stack a unique name (such as Conforms), and enter the same S3 bucket as the one you created in the Setup section.
Please wait several minutes before proceeding as the resources created above take a short time to initialize.
Deploy conformance pack
Before we can deploy the conformance pack, we will need to edit it. Conformance packs that AWS provides represent collated best practices, however they are not “one size fits all” and need some tailoring before being leveraged.
- Edit the
Operational-Best-Practices-for-Amazon-S3-with-Remediation.yamlfile so we can make it usable with your lab environment. You will need to replace the<Account-Id>entries with the proper account number for your account (without dashes). You will find this entry on these line numbers:4380139179
- Go to the Config Console, and then click on Conformance packs.
- Click on Deploy conformance pack on the top right of the page.
- Under template details, select Upload template, and then select the Upload a template. Click Choose file, upload your modified template, and finallly click Next.
- Give the conformance pack a name that is meaningful to you.
- This conformance pack will require a parameter to function. Click Add parameter and then add a new key called
S3TargetBucketNameForEnableLogging.- The value for this will be the name of the
s3serversideloggingbucketcreated by the CloudFormation stack you deployed in the prerequisites. Copy the name of the bucket into the value field.
- The value for this will be the name of the
- Click Next, and finally click Deploy conformance pack.
View compliance remediation
We will check compliance status for each rule in conformance pack and associated resources. Conformance Packs can also be deployed to an AWS Organization; however, this is out of scope for this lab.
- Once the conformance pack is deployed, click on conformance pack name to drill down into details. You can view list of rules and their compliance status.
- Click on a rule name to see its details.
- Expand Resources in Scope section to see resources in scope and their compliance status. If there are any existing non-compliant resources, you can manually remediate them or wait for auto-remediation to complete.
- To see auto-remediation in action on a new resource, create a new S3 bucket using S3 Console. Config will discover the resource and mark it as non-compliant if it is not following S3 best practices.
- Go back to conformance pack details and select a rule with remediation action.
- Expand Resources in Scope section to see newly created resource with its compliance status. If the resource is non-compliant, the auto-remediation action will apply to resource within few minutes.
- Refresh the page to see updated resource compliance status.