[For instructions on setting up for Configuration Audit in Threat Stack, use this document]
The Threat Stack Configuration Auditing feature lets AWS users check their AWS infrastructure configuration against industry best practices curated by Threat Stack security engineers.
How Does It Work?
Threat Stack comes pre-configured with a set of best practices for AWS cloud security. After you integrate Threat Stack with your AWS account (instructions here), you can initiate an audit of the configurations in your account on demand and then schedule regular daily audits.
The following are the major functions of the feature:
- Configuration Auditing for users with multiple AWS Profiles
- Audit the AWS configuration for violations
- View summary of violations
- View details of each violation
- Suppress specific resources from further configuration checks
- Enable/disable/edit configuration audit rules
Multiple AWS Profiles from the Dashboard page
You can now see the rules evaluated for all profiles on the Dashboard page in the Configuration Auditing section of the Overview area.
Example: evaluation for 2 AWS profiles.
AWS Profiles on the CONFIG AUDIT page
On the CONFIG AUDIT page, if you have multiple AWS profiles, you see a graphic at the top of the page that displays your top 5 AWS Profiles by number of violations. Hovering over a segment displays a short summary of results for that profile. Click the Show Results for Only This Profile button to filter all results by the specific profile.
The example below highlights the page filters and the circled Filter (expand/collapse) button. You can click the Filter button to open or close all filters.
Audit the AWS Configuration for Violations
View Summary Results of Violations
View Details of Violations
Step 1: Click the Information icon to view the description of the violation.
Step 2: Click on a violation to display a preview of that violation.
Step 3: Click Resource details to see detailed views of resources and suppressions.
Suppress Results of Violations on Details screen
Step 1: Click the Fire Extinguisher icon to display the suppression modal.
Step 2: Click the Fire Extinguisher icon to display the suppression modal. Now you can add a reason and a suppression.
Configuration Audit Rules
You can find the Configuration Auditing Rules, and any other rules, on the RULESETS page. You can also access them from the left-side Rule Details fly-in. You can change the rule severity, enable and disable rules, and edit rules, similar to how you can modify the host rules.