Edit the AWS Configuration Auditing Rules

Prerequisite: The Configuration Auditing Feature Overview article.

Introduction

Configuration Auditing Policies is a special rule set associated with the Configuration Auditing feature.

NOTE: You cannot assign Configuration Auditing Policies to any other servers.

This rule set contains the policies that your AWS resources are checked against when you perform a Configuration Auditing assessment. You can edit certain aspects of policies, and add suppressions for specific resources, to make them more meaningful to your organization.

Threat Stack provides a guided interface for editing AWS Configuration Auditing rules.

This article shows you how to:

  • Edit an existing Configuration Auditing rule
  • Clone and modify an existing Configuration Auditing rule
  • Add a suppression to a Configuration Auditing rule

Configuration Auditing Rule Overview

Configuration Auditing rules are structured to match the syntax of the AWS API:

  1. The first row represents the AWS Service being evaluated.
  2. The second row represents the AWS Resource type being evaluated.
  3. Beneath that is a series of properties and operators that match the structure of the AWS API.

See the “Supported Resource Types” section at the end of this article for the list of resource types that can be evaluated and links to the corresponding Amazon documentation.
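To make the service / resource type / properties-and-operators layout concrete, here is an added, hypothetical evaluator (not Threat Stack's engine or rule format) that walks an AWS-API-shaped EC2 security group description, applies one rule, and then sets aside violations for which a per-resource suppression with a recorded reason exists. The group IDs, the rule, the suppression and the operator names are all constructed for this illustration.

```python
# Hypothetical evaluator for a rule laid out as service / resource type / property
# path / operator / value, with per-resource suppressions. Not Threat Stack's code.
# Constructed sample shaped like an EC2 DescribeSecurityGroups response.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "IpPermissions": [
        {"FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb222", "IpPermissions": [
        {"FromPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc333", "IpPermissions": [
        {"FromPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
# Hypothetical rule: no EC2 security group may allow ingress from anywhere.
RULE = {"service": "EC2", "resource_type": "SecurityGroup",
        "property": "IpPermissions[].IpRanges[].CidrIp",
        "operator": "not_contains", "value": "0.0.0.0/0"}
# Hypothetical suppression: one public HTTPS group is accepted, with a reason.
SUPPRESSIONS = [{"resource_id": "sg-0ccc333",
                 "reason": "Public HTTPS listener, reviewed by security"}]
OPERATORS = {"contains": lambda found, want: want in found,
             "not_contains": lambda found, want: want not in found}

def collect(resource, path):
    """Walk a dotted property path; '[]' fans out over list items like the API."""
    values = [resource]
    for part in path.split("."):
        fan_out = part.endswith("[]")
        key = part[:-2] if fan_out else part
        nxt = []
        for v in values:
            if not isinstance(v, dict):
                continue
            child = v.get(key, [] if fan_out else None)
            nxt.extend(child if fan_out else [child])
        values = nxt
    return values

def evaluate(rule, resources):
    """Return IDs of resources whose collected values fail the operator."""
    op = OPERATORS[rule["operator"]]
    return [r["GroupId"] for r in resources
            if not op(collect(r, rule["property"]), rule["value"])]

def audit(rule=RULE, resources=SECURITY_GROUPS, suppressions=SUPPRESSIONS):
    """Evaluate, then set aside violations that carry a suppression with a reason."""
    violations = evaluate(rule, resources)
    suppressed = {s["resource_id"] for s in suppressions if s.get("reason")}
    return {"violations": violations,
            "findings": [v for v in violations if v not in suppressed],
            "suppressed": [v for v in violations if v in suppressed]}
```

A suppression without a reason is deliberately ignored, so the violation stays an open finding until someone records why it is acceptable.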

Edit a Configuration Auditing Rule

To edit a configuration audit rule, navigate to the Rulesets page:

1. Expand the Configuration Auditing Policies section.

2. Select the rule to edit. The rule details display on the right side.

3. In the Details section, you can edit the following fields:

  • Rule Name
  • Rule Description

4. In the Policy Definition section, you can change the following criteria:

a. AWS Service

b. AWS Resource Type

c. Properties and operators

5. To save your modifications, click the Update button in the Details and Policy Definition sections, depending on what you edited.

NOTE: Suppressions are not edited on the Rulesets page; you add them from the Config Audit page. See the “Add a Suppression to a Configuration Auditing Rule” section below for instructions.

Clone & Modify a Configuration Auditing Rule

To clone an existing configuration auditing rule, navigate to the Rulesets page:

1. Scroll to the Configuration Auditing Policies section.

2. Click the + New Rule button; the + Add Rule section displays on the right.

3. Select the Clone Existing Rule option and click the Next: Details button.

4. In the Select existing rules to clone field, search and select the rule to clone.

5. Click the Clone 1 Rule button; the rule is cloned and added to the Configuration Auditing Policies section.

To modify the rule you cloned, scroll and select the cloned rule:

1. The rule details display on the right side.

2. In the Details section, you can edit the following fields:

  • Rule Name
  • Rule Description

3. In the Policy Definition section, you can change the following criteria:

a. AWS Service

b. AWS Resource Type

c. Properties and operators

4. To save your modifications, click the Update button in the Details and Policy Definition sections, depending on what you edited.

NOTE: Suppressions are not edited or added on the Rulesets page; you add them from the Config Audit page. See the “Add a Suppression to a Configuration Auditing Rule” section below for instructions.

Add a Suppression to a Configuration Auditing Rule

To add a suppression to an existing configuration auditing rule, navigate to the Config Audit page:

1. Click the AWS Service name to open the resource section.

2. Select a Rule by clicking its row; the Rule Overview section displays at the bottom of the page.

3. Click the Go to Resource Details button; the Resource Details page displays.

4. Click the Suppress button for the violation you want to suppress; the Add New Configuration Auditing Policy Suppression page displays.

5. Review the violation and select an option under Reason for suppressing.

6. Click the Add New Suppression button.

The page closes and a confirmation message displays in the bottom right of the screen.

Supported Resource Types

Service      Resource Type                  Documentation Link
EC2          Security Groups Summary        Threat Stack resource type (no AWS documentation). It returns a count of the Security Groups in an AWS account.
EC2          Default Security Group         Click here
EC2          Security Group                 Click here
EC2          Volume                         Click here
RDS          DB Instance                    Click here
RDS          DB Security Groups             Click here
RDS          DB EC2 Security Groups         Click here
CloudTrail   CloudTrail Bucket Policy       Click here
CloudTrail   CloudTrail Bucket ACL          Click here
CloudTrail   CloudTrail Bucket Logging      Click here
CloudTrail   Trail                          Click here
S3           Bucket Policy                  Click here
S3           Bucket ACL                     Click here
IAM          Password Policy                Click here
IAM          User                           Click here
IAM          User (Credential Report)       Click here
IAM          Account Summary                Click here