Hi all, let's monitor S3 buckets: whenever a bucket becomes publicly accessible for read or write, AWS SNS should send a notification.
What is AWS Config?
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
How are we going to use AWS Config to monitor S3 buckets?
Whenever an S3 bucket becomes public for read or write (for example through a bucket policy that allows public object access), AWS Config should flag the bucket and trigger a notification.
Pre-requisites:
- IAM role with SSM
- SNS topics and subscriptions
- AWS Config
- S3 buckets
IAM role with SSM:
We will create an IAM role and a policy that allows passing that role.
- Go to IAM → Roles → Create role → Systems Manager → Amazon SSM Automation role → add tags → enter the role name → Create role (name: amazon-ssm-role)
- Now we need to create a policy that allows passing the role:
IAM → Policies → Create policy → Service: IAM → Action: PassRole → Resource ARN (role: amazon-ssm-role) → Create policy (name: amazon-ssm-passrole-policy)
The policy JSON looks like this (the account ID is masked as ***):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::***:role/amazon-ssm-role"
    }
  ]
}
- Attach amazon-ssm-passrole-policy to the amazon-ssm-role
Create SNS topics and subscriptions:
Here we will create two topics: one for notifications when read access is enabled publicly, the other for notifications when write access is enabled publicly.
Go to AWS console → SNS
1. Topics → Create topic → Standard → Name: aws-config-s3bucket-read-public-monitoring-s3-buckets-notofications → Access policy (edit as shown below)
{
  "Version": "2008-10-17",
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com",
        "AWS": "arn:aws:iam::***:role/amazon-ssm-role"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:***:aws-config-s3bucket-read-public-monitoring-s3-buckets-notofications"
    }
  ]
}
→ Create topic
2. Now we will create another topic to get notifications whenever a bucket is enabled with public write access. We create it the same way as above, with only the Resource ARN changed; the policy will be:
{
  "Version": "2008-10-17",
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com",
        "AWS": "arn:aws:iam::***:role/amazon-ssm-role"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:***:aws-config-s3-bucket-write-access-enabled-notification"
    }
  ]
}
→ Create topic
Now we will create a subscription for each topic so that the mails reach the recipient:
Go to Subscriptions → Create subscription → Topic ARN → Protocol: Email → Endpoint: recipient mail ID → Create subscription
In this way we create two subscriptions: one to get notified whenever a bucket is publicly readable, the other to get notified whenever a bucket is publicly writable.
Once the subscriptions are created, SNS sends a verification mail to the recipient, and we need to confirm it.
Test the SNS topics:
We will trigger the mails manually to check whether they are delivered properly.
- Select the topic → Publish message → enter the required fields → Publish message
Create AWS Config:
1. Go to AWS console → AWS Config → Settings → select the resource type S3 buckets → Create new role → Delivery method: create a new S3 bucket → Next
2. In AWS managed rules, search for "s3-bucket-public-read-prohibited", select it → Confirm
3. Go to Rules in Config → select the rule → Actions → Manage remediation → select automatic remediation → Remediation action: the SNS publish action → Resource ID parameter: Message → under Parameters, enter the ARN of the read-notification SNS topic → under Role, enter the ARN of amazon-ssm-role → Save changes
4. Following the same steps, we create the other Config rule for the write notification (entering the write-notification SNS topic ARN under Parameters) and save the changes
Test scenarios:
1. Create a test bucket with public read/write access
2. Go to S3 → Create bucket → disable Block all public access → Create bucket
3. Now go to the bucket's Permissions and update the bucket policy as shown below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:*Object",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::testing-aws-config-scenarios/*"
    }
  ]
}
4. Go to the bucket's ACL → Edit → under Everyone (public access), select Read → Save changes
5. Go to AWS Config → Rules
Now we test the public-read notification:
a. Select the read-notification rule
b. Go to Actions → Re-evaluate → at the bottom, under Resources in scope, the bucket name should appear, and a mail containing the bucket name should be sent
The write-access Config rule can be checked in the same way.
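To see what the two managed rules (s3-bucket-public-read-prohibited and its write counterpart, s3-bucket-public-write-prohibited) are deciding before the SNS mail arrives, here is an added offline check that is not part of this post or of AWS Config: it classifies a bucket policy plus ACL grants as public read / public write the same way the test above expects. The action lists, the single Block Public Access flag, and the sample policy and ACL (copied from the test scenario) are my assumptions and constructed inputs.

```python
import fnmatch

READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")  # assumption: representative subset
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")
PUBLIC_ACL_GROUPS = ("/global/AllUsers", "/global/AuthenticatedUsers")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _public_principal(p):  # Principal "*" or {"AWS": "*"} means anyone on the internet
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _matches(patterns, actions):  # IAM Action wildcards such as "s3:*Object", case-insensitive
    return any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)

def policy_exposure(policy):
    """Return (read, write, conditional). Statements carrying a Condition are reported
    separately: whether they reach the public depends on request context we do not have."""
    read = write = conditional = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            conditional = True
            continue
        patterns = _as_list(stmt.get("Action", []))
        read |= _matches(patterns, READ_ACTIONS)
        write |= _matches(patterns, WRITE_ACTIONS)
    return read, write, conditional

def acl_exposure(grants):  # grants to AllUsers/AuthenticatedUsers are what the "Everyone" checkbox sets
    read = write = False
    for grant in grants:
        if grant.get("Grantee", {}).get("URI", "").endswith(PUBLIC_ACL_GROUPS):
            read |= grant.get("Permission") in ("READ", "FULL_CONTROL")
            write |= grant.get("Permission") in ("WRITE", "FULL_CONTROL")
    return read, write

def evaluate_bucket(policy, acl_grants, block_public_access=False):
    """Combine policy and ACL findings; Block Public Access (all four settings on) overrides both."""
    if block_public_access:
        return {"public_read": False, "public_write": False, "conditional_public": False}
    p_read, p_write, conditional = policy_exposure(policy)
    a_read, a_write = acl_exposure(acl_grants)
    return {"public_read": p_read or a_read, "public_write": p_write or a_write, "conditional_public": conditional}

# Constructed sample: the test bucket policy and the "Everyone: Read" ACL grant from the scenario above
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:*Object", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::testing-aws-config-scenarios/*"}]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
```

Run `evaluate_bucket(SAMPLE_POLICY, SAMPLE_ACL)` to see both flags raised, which is exactly the state in which both Config rules become non-compliant and both SNS topics fire.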