Versions Compared

Old Version 8

changes.mady.by.user Paul Allen

Saved on

compared with

New Version Current

changes.mady.by.user Paul Allen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

er

Table of Contents

...

Introduction

...

  1. You should now be viewing "your" IAM user in the the IAM console.
  2. Click on the Tags tab.
    Image Added

  3. Click on Add tags.
  4. Add a tag with the following settings, and click Save changes:  
    1. Key: cit:config:251-MED-no-iam-users-except-whitelist
    2. Value: exception
      Image Added

      Image Added
Note

At this point in a typical Config workflow, you would find the 251-MED-no-iam-users-except-whitelist Config Rule and trigger re-evaluation of the rule to confirm that your whitelisting had the desired effect (i.e. making the IAM user compliant for that rule). However, the Config API has a very, very threshold for the number of times that you can invoke revaluations. Therefore, the exercise leading leader will trigger re-evaluation just a few times during this hands-on session.

...

  1. Click on Resources from the left-hand navigation panel in the Config console.
  2. In the Resource identifier search field, enter "your" S3 bucket name using this pattern my-bucketpublic-web-site-NETID, and hit "enter" on your keyboard.
    Image Added

  3. Config should show one search result, listing an S3 bucket user named like my-bucketpublic-web-site-NETID. That bucket will be labelled as non-compliant.
  4. Click on the bucket name to drill into the Config details for that resource.
  5. Review the Rules at the bottom of the page. They will show that the bucket is
    1. compliant with respect to the 003-CRIT-s3-bucket-public-write-prohibited rule, but
    2. non-compliant with respect to the 153-HIGH-s3-bucket-public-read-prohibited rule.
      Image Added

  6. In the top right of the details page, click on Manage Resource. This will take you to the S3 console for that bucket.

...

  1. In the S3 console, with "your" bucket selected, click on the Properties tab and scroll down to Tags.
    Image Added
  2. Click Edit in the tags section.
  3. Click on Add tag.
    Image Added

  4. Add a tag with the following details, and click on Save changes:
    1. Key: cit:config:153-HIGH-s3-bucket-public-read-prohibited
    2. Value: exception
      Image Added

  5. On resulting bucket Properties page confirm that your new tag is shown as one of the bucket tags.
    Image Added

Part 3 – Wait for Config Rule re-evaluation

...

  • In all likelihood one, if not both, of "your" resources remain flagged as non-compliant. (sad)
  • One reason for this is that Config evaluations operate on snapshots of resource configurations, not from an instantaneous reading of the resource details. 
  • Another factor that seems to come into play is that Config evaluation results themselves are cached and sometimes you may be looking at results from the previous evaluation.
  • The secret for maintaining your sanity with Config is to check back with Config for new results on the day after you make resource configuration changes. What you see after 24 hours is typically a meaningful set of results.


Info

If you wanted to force Config to evaluate a Rule within your own AWS account, you would use the Re-evaluate action, as shown below.
Image Added