
AWS Config records the configuration of your AWS resources and evaluates it against rules, so it can tell you when a resource has drifted from the state you expect. For example, say none of your S3 buckets should be publicly accessible (see my article Get S3 Bucket Public Access using AWS CLI). In this simple Getting Started article, I'll show how I set up AWS Config to detect whether any of my S3 buckets allow public access.
In the AWS Config console, I selected Get started. Since this is meant to be a simple Getting Started article and I know I'm only checking S3 buckets, I went with Specific resource types and selected AWS S3 Bucket. For the recording frequency I chose Continuous rather than Daily, because this is a test / proof of concept: I'm going to change the public access setting on one of my S3 buckets and want AWS Config to pick up the change right away rather than at the next daily snapshot.
AWS Config needs a delivery channel: it writes configuration history and snapshots to an S3 bucket. So I created a new S3 bucket for that. This bucket holds the recorded configuration of your resources, so keep Block Public Access enabled on it too.
Then, for the rules, I went with s3-bucket-level-public-access-prohibited and selected Confirm to create the AWS Config setup. Note what this rule checks: the four bucket-level Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets). A bucket is noncompliant if any of them is off, whether or not the bucket's ACL or bucket policy actually grants public access right now.
Give it a moment, refresh the AWS Config console, and Compliance status should list how many of your S3 buckets are compliant (all four bucket-level Block Public Access settings enabled) and how many are noncompliant (at least one setting disabled, so the bucket can be made publicly accessible).
So far, so good. But we do not want to have to remember to check the AWS Config console for noncompliance. Let's add a remediation action to the rule that publishes a message to a Simple Notification Service (SNS) topic whenever AWS Config finds a noncompliant bucket. Check out these articles for the steps to create and subscribe to an SNS topic.
- FreeKB - Amazon Web Services (AWS) - Create Simple Notification Service (SNS) Topics using the AWS CLI
- FreeKB - Amazon Web Services (AWS) - Subscribe to a Simple Notification Service (SNS) Topic using the AWS CLI
Next, let's create a runbook (a Systems Manager Automation document) that the remediation action will run to publish a message to the SNS topic. Check out my article Publish message to Simple Notification Service (SNS) Topic when AWS Config Resource is noncompliant.
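Wiring the rule to the SNS topic from the CLI, as an added example that is not code from this article or from the linked runbook article. It assumes the AWS-managed Automation document AWS-PublishSNSNotification (parameters TopicArn, Message and AutomationAssumeRole) in place of the custom runbook; TOPIC_ARN and ROLE_ARN are placeholders, and the role has to be assumable by Systems Manager and allow sns:Publish on the topic.

```python
"""Attach a remediation to the Config rule that publishes to an SNS topic.

Added example, not code from the original article. Assumes the AWS-managed
Automation document AWS-PublishSNSNotification; TOPIC_ARN and ROLE_ARN are
placeholders.
"""
import json
import subprocess

RULE_NAME = "s3-bucket-level-public-access-prohibited"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:config-noncompliance"  # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"       # placeholder


def aws(*args):
    """Run one AWS CLI command and return its JSON output parsed (None when empty)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def static(value):
    """A remediation parameter with a fixed value."""
    return {"StaticValue": {"Values": [value]}}


def remediation_configuration(rule_name=RULE_NAME, topic_arn=TOPIC_ARN, role_arn=ROLE_ARN, automatic=True):
    """Body for put-remediation-configurations. With automatic=True, Config runs the
    runbook itself each time the rule records a NON_COMPLIANT result; with
    automatic=False it waits to be triggered from the console or start-remediation-execution."""
    cfg = {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-PublishSNSNotification",   # assumed managed runbook
        "Parameters": {
            "AutomationAssumeRole": static(role_arn),
            "TopicArn": static(topic_arn),
            "Message": static(f"AWS Config: rule {rule_name} found a NON_COMPLIANT S3 bucket"),
        },
        "Automatic": automatic,
    }
    if automatic:
        # Retry settings only matter for automatic remediation: up to 5 attempts, 60 s apart.
        cfg["MaximumAutomaticAttempts"] = 5
        cfg["RetryAttemptSeconds"] = 60
    return cfg


def resource_keys(bucket_names):
    """--resource-keys for start-remediation-execution, one entry per bucket."""
    return [{"resourceType": "AWS::S3::Bucket", "resourceId": name} for name in bucket_names]


def apply(cfg):
    """Create or replace the remediation, then read it back; returns the stored TargetId."""
    aws("configservice", "put-remediation-configurations",
        "--remediation-configurations", json.dumps([cfg]))
    stored = aws("configservice", "describe-remediation-configurations",
                 "--config-rule-names", cfg["ConfigRuleName"])
    return stored["RemediationConfigurations"][0]["TargetId"]


def trigger(bucket_names, rule_name=RULE_NAME):
    """Remediate specific buckets by hand, e.g. for a non-automatic remediation."""
    return aws("configservice", "start-remediation-execution",
               "--config-rule-name", rule_name,
               "--resource-keys", json.dumps(resource_keys(bucket_names)))


if __name__ == "__main__":
    print("remediation stored with target:", apply(remediation_configuration()))
```

With the managed document the notification text is fixed, so you learn that some bucket is noncompliant but not which one. To get the bucket name into the message you need your own runbook (the linked article) and pass it the resource ID as a parameter with `{"ResourceValue": {"Value": "RESOURCE_ID"}}` instead of a StaticValue.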