Rule: AWS Config Should Be Enabled

This rule ensures that AWS Config is enabled to maintain compliance.

Rule: AWS Config should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

AWS Config Rule Description: Enable AWS Config for NIST Cybersecurity Framework (CSF) v1

This AWS Config rule ensures that AWS Config is enabled for compliance with the NIST Cybersecurity Framework (CSF) version 1. The NIST CSF provides a comprehensive framework for organizations to manage and improve their cybersecurity risk management processes. By enabling AWS Config with this rule, organizations can automate the assessment of their AWS resources against the security controls outlined in the NIST CSF v1.

Rule Details:

  • Rule Identifier: NIST-CSF-Enable-Config
  • Compliance Standard: NIST Cybersecurity Framework (CSF) v1
  • Description: Ensure that AWS Config is enabled to assess the compliance of AWS resources against the security controls defined in the NIST CSF v1.

Troubleshooting Steps (if necessary):

If the AWS Config rule evaluation fails:

  1. Verify that AWS Config is enabled in your AWS account.
  2. Ensure that the AWS Config service is active and running without any errors.
  3. Check the AWS Config rule settings to verify that the correct rule is selected and associated with NIST CSF v1 compliance.
  4. If AWS Config is not enabled, follow the remediation steps provided below.
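
Troubleshooting steps 1 and 2 can be checked programmatically. The following is an added example, not code from this page or from AWS: it evaluates the responses of the AWS Config DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus and DescribeDeliveryChannels calls and lists why Config is not effectively enabled. The function names are hypothetical and the sample responses are constructed.

```python
# Added example. Function names are hypothetical; sample responses are constructed.
# Field names follow the AWS Config Describe* API responses.

def config_findings(recorders, statuses, channels):
    """Return reasons AWS Config is not effectively enabled (empty list = enabled)."""
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder exists in this region"]
    by_name = {s["name"]: s for s in statuses.get("ConfigurationRecordersStatus", [])}
    findings = []
    for rec in recs:
        st = by_name.get(rec["name"], {})
        # A recorder can exist but be stopped, which leaves Config recording nothing.
        if not st.get("recording", False):
            findings.append(f"recorder '{rec['name']}' is stopped")
        # A running recorder can still be failing, e.g. because of a broken role.
        if st.get("lastStatus") == "Failure":
            code = st.get("lastErrorCode", "unknown")
            findings.append(f"recorder '{rec['name']}' last status is Failure ({code})")
    if not any(c.get("s3BucketName") for c in channels.get("DeliveryChannels", [])):
        findings.append("no delivery channel with an S3 bucket is configured")
    return findings


def fetch_live(region):
    """Collect the three responses from a real account (needs boto3 and config:Describe*)."""
    import boto3
    client = boto3.client("config", region_name=region)
    return (client.describe_configuration_recorders(),
            client.describe_configuration_recorder_status(),
            client.describe_delivery_channels())


# Constructed sample responses (not from a real account).
RECORDERS = {"ConfigurationRecorders": [
    {"name": "default", "roleARN": "arn:aws:iam::111122223333:role/example-config-role"}]}
HEALTHY = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": True, "lastStatus": "Success"}]}
BROKEN = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": False, "lastStatus": "Failure",
     "lastErrorCode": "AccessDenied"}]}
CHANNELS = {"DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket"}]}

if __name__ == "__main__":
    print(config_findings(RECORDERS, HEALTHY, CHANNELS))
    print(config_findings(RECORDERS, BROKEN, {"DeliveryChannels": []}))
    print(config_findings({}, {}, {}))
```

AWS Config is regional, so run the check once per region in use, for example with config_findings(*fetch_live(region)).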

Remediation Steps:

To enable AWS Config for compliance with the NIST CSF v1, follow these step-by-step instructions:

  1. Open the AWS Management Console and sign in to your AWS account with appropriate credentials.
  2. Navigate to the AWS Config service by searching for "Config" in the AWS Management Console search bar.
  3. On the AWS Config homepage, click on "Get started" if you haven't enabled AWS Config yet.
  4. Choose the region where you want to enable AWS Config and click on "Next".
  5. Review the AWS Config details and confirm the settings for recording, storing, and delivering configuration changes. Configuration Recorder should be enabled.
  6. Under "AWS Config rules," click on "Add or remove AWS Config rules."
  7. In the "Add rule" section, search for the rule "nist-csf-v1" and click on the checkbox next to it.
  8. Click on "Save" to associate the NIST CSF v1 rule with AWS Config.
  9. Review the rule settings and click on "Next."
  10. Configure the settings for Amazon S3 bucket and Amazon SNS topic, which will be used by AWS Config for recording and sending configuration changes notifications. Click on "Next."
  11. Review the details and click on "Confirm" to enable AWS Config with the NIST CSF v1 rule.
  12. AWS Config will now start recording and assessing your AWS resources against the security controls defined in the NIST CSF v1.

Relevant CLI Command (if applicable):

This remediation guide primarily focuses on using the AWS Management Console. However, if you prefer to use the AWS CLI, the following command can help enable AWS Config:

aws configservice put-config-rule --config-rule file://nist-csf-v1-rule.json

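Make sure to replace nist-csf-v1-rule.json with the JSON file containing the appropriate rule configuration. Note that put-config-rule creates or updates the rule defined in that file; it does not itself start the configuration recorder.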

It is important to note that the above command assumes the AWS CLI is properly configured with the required permissions to enable AWS Config and apply the NIST CSF v1 rule.

By following these steps, you can enable AWS Config to assess the compliance of your AWS resources against the security controls outlined in the NIST Cybersecurity Framework (CSF) version 1. Regularly monitoring and remediating any non-compliant resources will help strengthen the security posture of your AWS environment.
