Rule: AWS Config Should Be Enabled

This rule ensures AWS Config is enabled to maintain high security standards.

Rule: AWS Config should be enabled
Framework: General Data Protection Regulation (GDPR)
Severity: High

Rule Description

The rule ensures that AWS Config is enabled to comply with the General Data Protection Regulation (GDPR). AWS Config provides a detailed record of the configuration of AWS resources in your account, helping you ensure compliance and security.

Enabling AWS Config for GDPR ensures that you have visibility into any changes made to your resources, allowing you to detect and investigate unauthorized modifications, and track the history of your resource configurations.

Troubleshooting Steps

  1. Check AWS Config Configuration: Verify if AWS Config is already enabled in your account. You can do this by logging into the AWS Management Console and navigating to the AWS Config service. Ensure that the configuration is active and capturing the necessary resource types.

    • If AWS Config is not enabled, proceed to the next steps.
    • If AWS Config is already enabled, you can skip the remediation steps and consider the rule compliant.
  2. Ensure the AWS Config Service Role Exists: Confirm whether you have a service role created for AWS Config. The service role allows AWS Config to access the necessary resources and services to perform its functions.

    • If the service role for AWS Config does not exist, proceed to step 3.
    • If the service role already exists, skip to step 4.
  3. Create a Service Role for AWS Config:

    • Open the AWS Management Console and go to the IAM service.
    • Click on "Roles" from the left-hand menu.
    • Click on "Create role".
    • Choose "AWS service" as the trusted entity and select "Config" from the list.
    • Click on "Next: Permissions".
    • Select the necessary policies for AWS Config based on your requirements (e.g., AWSConfigRole, AmazonS3ReadOnlyAccess, etc.).
    • Follow the on-screen instructions to review and create the role.
  4. Enable AWS Config for GDPR compliance:

    • Open the AWS Management Console and go to the AWS Config service.
    • Click on "Get started", or open the "Settings" tab if AWS Config is already enabled.
    • Click on "Enable AWS Config".
    • Choose the desired resource types to be recorded (e.g., Amazon EC2 instances, Amazon S3 buckets, etc.).
    • Review the settings and click on "Save".
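The check in step 1 can also be made against the AWS CLI's JSON output rather than the console. The following is an added example, not part of the original page: it evaluates constructed sample responses shaped like the output of `aws configservice describe-configuration-recorders`, `describe-configuration-recorder-status` and `describe-delivery-channels`. The function name `evaluate_config`, the account ID, role name and bucket name are hypothetical, and only `allSupported` and explicit `resourceTypes` recording groups are handled.

```python
import json

# Constructed sample responses (not real account data), shaped like the JSON from:
#   aws configservice describe-configuration-recorders
#   aws configservice describe-configuration-recorder-status
#   aws configservice describe-delivery-channels
SAMPLE_RECORDERS = json.loads("""{"ConfigurationRecorders": [{"name": "default",
  "roleARN": "arn:aws:iam::111122223333:role/example-config-role",
  "recordingGroup": {"allSupported": false, "includeGlobalResourceTypes": false,
                     "resourceTypes": ["AWS::EC2::Instance"]}}]}""")
SAMPLE_STATUS = json.loads("""{"ConfigurationRecordersStatus": [
  {"name": "default", "recording": true, "lastStatus": "SUCCESS"}]}""")
SAMPLE_CHANNELS = json.loads("""{"DeliveryChannels": [
  {"name": "default", "s3BucketName": "example-config-bucket"}]}""")


def evaluate_config(recorders, status, channels, required_types):
    """Return a list of findings; an empty list means this region passes."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder exists: AWS Config is not enabled"]
    findings = []
    state = {s["name"]: s for s in status.get("ConfigurationRecordersStatus", [])}
    for rec in recs:
        name = rec["name"]
        st = state.get(name, {})
        # A recorder can exist yet be stopped; "enabled" means recording is true.
        if not st.get("recording"):
            findings.append(f"{name}: recorder exists but is stopped")
        elif str(st.get("lastStatus", "")).upper() == "FAILURE":
            findings.append(f"{name}: recorder is on but its last run failed")
        if not rec.get("roleARN"):
            findings.append(f"{name}: no service role attached")
        group = rec.get("recordingGroup", {})
        # Assumption: exclusion-based recording groups are not interpreted here.
        if not group.get("allSupported"):
            missing = sorted(set(required_types) - set(group.get("resourceTypes", [])))
            if missing:
                findings.append(f"{name}: not recording {', '.join(missing)}")
    # Without a delivery channel the recorded history is not delivered anywhere.
    if not channels.get("DeliveryChannels"):
        findings.append("no delivery channel: recorded history is not delivered")
    return findings


if __name__ == "__main__":
    wanted = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
    print(evaluate_config(SAMPLE_RECORDERS, SAMPLE_STATUS, SAMPLE_CHANNELS, wanted))
```

AWS Config is a regional service, so the three responses need to be collected and evaluated for each region in use.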

Remediation

Follow the steps below to enable AWS Config for GDPR compliance:

  1. Create a Service Role for AWS Config:

    • Open the AWS Management Console and navigate to the IAM service.
    • Click on "Roles" from the left-hand menu.
    • Click on "Create role".
    • Choose "AWS service" as the trusted entity and select "Config" from the list.
    • Click on "Next: Permissions".
    • Select the necessary policies for AWS Config based on your requirements (e.g., AWSConfigRole, AmazonS3ReadOnlyAccess, etc.).
    • Follow the on-screen instructions to review and create the role.
  2. Enable AWS Config for GDPR Compliance:

    • Open the AWS Management Console and go to the AWS Config service.
    • Click on "Get started", or open the "Settings" tab if AWS Config is already enabled.
    • Click on "Enable AWS Config".
    • Choose the desired resource types to be recorded (e.g., Amazon EC2 instances, Amazon S3 buckets, etc.).
    • Review the settings and click on "Save".

After completing these steps, AWS Config will be enabled for GDPR compliance. It will start recording the configuration changes for the selected resource types in your AWS account, allowing you to monitor and ensure compliance with GDPR regulations.
