Paul Duvall edited this page Nov 18, 2019 · 28 revisions

8.1 Manually create encryption prevention, detection and remediation workflow in Console

Review and ensure that you have set up your development environment before going through the steps below.

Create an AWS Config Recorder

NOTE: If you have already enabled Config on your AWS account, you do not need to go through these instructions.

  1. Go to the Config console.
  2. If it is your first time using Config, click the Get Started button.
  3. Select the Include global resources (e.g., AWS IAM resources) checkbox.
  4. In the Amazon S3 bucket section, select the Create a bucket radio button.
  5. In the AWS Config role section, select the Use an existing AWS Config service-linked role radio button.
  6. Click the Next button.
  7. Click the Skip button on the AWS Config rules page.
  8. Click the Confirm button on the Review page.

NOTE: The above creates one Config Recorder and one Config Delivery Channel.

Create an S3 Bucket for CloudTrail Trail

  1. Go to the S3 console.
  2. Click the Create bucket button.
  3. Enter ceoa-8-cloudtrail-ACCOUNTID in the Bucket name field. Replace ACCOUNTID with the results of the following command: aws sts get-caller-identity --output text --query 'Account'.
  4. Click Next on the Configure Options screen.
  5. Click Next on the Set Permissions screen.
  6. Click Create bucket on the Review screen.

Create an Unencrypted CloudTrail Trail

  1. Go to the CloudTrail console.
  2. Click the Create trail button.
  3. Enter ceoa-8-cloudtrail in the Trail name field.
  4. Choose the checkbox next to Select all S3 buckets in your account in the Data events section.
  5. Choose the No radio button for the Create a new S3 bucket field in the Storage location section.
  6. Choose the S3 bucket you just created from the S3 bucket dropdown.
  7. Click the Create button.

Create an IAM Policy and Role for Lambda

  1. Go to the IAM console.
  2. Click on Policies.
  3. Click Create policy.
  4. Click the JSON tab.
  5. Copy the policy below and paste it into the JSON text area, replacing the existing contents.
  6. Click the Review policy button.
  7. Enter ceoa-8-cloudtrail-policy in the Name field.
  8. Click the Create policy button.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:*",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "s3:DeleteBucketPolicy"
            ],
            "Resource": "*"
        }
    ]
}

  1. Click on Roles.
  2. Click the Create role button.
  3. Click Lambda from the Choose the service that will use this role section.
  4. Click the Next: Permissions button.
  5. Type ceoa-8-cloudtrail-policy in the Filter policies search field.
  6. Select the checkbox next to ceoa-8-cloudtrail-policy and click on the Next: Tags button.
  7. Click the Next: Review button.
  8. Enter ceoa-8-cloudtrail-role in the Role name field.
  9. Click the Create role button.

Create a Lambda function

  1. Go to the Lambda console.
  2. Click the Create function button.
  3. Keep the Author from scratch radio button selected and enter ceoa-8-lambda-cloudtrail in the Function name field.
  4. Choose Node.js 10.x for the Runtime.
  5. Under Permissions, click Choose or create an execution role.
  6. Under Execution role, choose Use an existing role.
  7. In the Existing role dropdown, choose ceoa-8-cloudtrail-write-role.
  8. Click the Create function button.
  9. Scroll to the Function code section and replace the contents of the index.js pane with the code below.
var AWS = require('aws-sdk');

// Invoked by the CloudWatch Events rule that matches Config PutEvaluations
// calls recorded by CloudTrail. Every NON_COMPLIANT evaluation names an S3
// bucket; remediation removes that bucket's policy.
exports.handler = async function(event) {
  console.log("request:", JSON.stringify(event, undefined, 2));

  var s3 = new AWS.S3({apiVersion: '2006-03-01'});
  var evaluations = event['detail']['requestParameters']['evaluations'] || [];
  console.log("evaluations:", JSON.stringify(evaluations, null, 2));

  var results = [];
  for (var i = 0, len = evaluations.length; i < len; i++) {
    if (evaluations[i]["complianceType"] == "NON_COMPLIANT") {
      var bucket = evaluations[i]["complianceResourceId"];
      console.log("removing bucket policy from:", bucket);
      try {
        // Remediation: delete the bucket policy that allowed public write.
        var data = await s3.deleteBucketPolicy({ Bucket: bucket }).promise();
        console.log(data);                    // successful response
        results.push({ bucket: bucket, removed: true });
      } catch (err) {
        console.log(err, err.stack);          // an error occurred
        results.push({ bucket: bucket, removed: false, error: err.code });
      }
    }
  }
  return results;
};
  1. Click the Save button.

Create a Config Rule (managed rule whose NON_COMPLIANT evaluations trigger the Lambda function)

  1. Go to the Config console.
  2. Click Rules.
  3. Click the Add rule button.
  4. In the filter box, type s3-bucket-public-write-prohibited.
  5. Choose the s3-bucket-public-write-prohibited rule.
  6. Click the Save button.

Create a CloudWatch Events Rule

  1. Go to the CloudWatch console.
  2. Click on Rules.
  3. Click the Create rule button.
  4. Choose Event pattern in the Event Source section.
  5. In the Event Pattern Preview section, click Edit.
  6. Copy the event pattern below and paste it into the Event pattern text area, replacing the existing contents.
  7. Click the Save button.
  8. Click the Add target button.
  9. Choose Lambda function.
  10. Select the ceoa-8-lambda-s3 function you previously created.
  11. Click the Configure details button.
  12. Enter ceoa-8-s3-write-cwe in the Name field.
  13. Click the Create rule button.
{
  "source":[
    "aws.config"
  ],
  "detail":{
    "requestParameters":{
      "evaluations":{
        "complianceType":[
          "NON_COMPLIANT"
        ]
      }
    },
    "additionalEventData":{
      "managedRuleIdentifier":[
        "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
      ]
    }
  }
}
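The trigger path described in the Lambda and CloudWatch Events sections above, as an added example that is not part of the original lesson: a minimal re-implementation of the event-pattern matching the ceoa-8-s3-write-cwe rule performs, plus the NON_COMPLIANT filtering the Lambda performs, run against a constructed Config PutEvaluations event (the account ID 123456789012 and the bucket names are made up).

```javascript
// Added example (not the lesson's code): local check of the CloudWatch Events
// pattern and the Lambda's evaluation filtering; SAMPLE_EVENT is constructed.
const EVENT_PATTERN = {
  source: ["aws.config"],
  detail: {
    requestParameters: {
      evaluations: { complianceType: ["NON_COMPLIANT"] }
    },
    additionalEventData: {
      managedRuleIdentifier: ["S3_BUCKET_PUBLIC_WRITE_PROHIBITED"]
    }
  }
};

// Subset of CloudWatch Events matching: a pattern leaf is an array of allowed
// values ("any of"); an event field that is itself an array matches when any
// element matches; nested objects recurse; fields absent from the pattern are
// ignored.
function matchesPattern(pattern, value) {
  if (Array.isArray(pattern)) {
    const values = Array.isArray(value) ? value : [value];
    return values.some(v => pattern.includes(v));
  }
  if (Array.isArray(value)) return value.some(v => matchesPattern(pattern, v));
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(pattern).every(k => k in value && matchesPattern(pattern[k], value[k]));
}

// Buckets the Lambda would act on: only NON_COMPLIANT evaluations.
function bucketsToRemediate(event) {
  const rp = (event.detail && event.detail.requestParameters) || {};
  return (rp.evaluations || [])
    .filter(e => e.complianceType === "NON_COMPLIANT")
    .map(e => e.complianceResourceId);
}

// Constructed sample: one non-compliant and one compliant bucket evaluation.
const SAMPLE_EVENT = {
  source: "aws.config",
  detail: {
    requestParameters: { evaluations: [
      { complianceResourceId: "ceoa-8-s3-violation-123456789012", complianceType: "NON_COMPLIANT" },
      { complianceResourceId: "ceoa-8-cloudtrail-123456789012", complianceType: "COMPLIANT" }
    ] },
    additionalEventData: { managedRuleIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" }
  }
};

console.log(matchesPattern(EVENT_PATTERN, SAMPLE_EVENT), bucketsToRemediate(SAMPLE_EVENT));
```

A COMPLIANT-only evaluation or an event from another source fails the pattern, so the Lambda is never invoked for it; only the non-compliant bucket reaches deleteBucketPolicy.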

Verify Compliance

  1. Go to the Config console.
  2. Click on Rules.
  3. Select the s3-bucket-public-write-prohibited rule.
  4. Click the Re-evaluate button.
  5. Go back to Rules in the Config console.
  6. Go to the S3 console and choose the ceoa-8-s3-violation-ACCOUNTID bucket.
  7. Click on the Permissions tab.
  8. Click Bucket Policy and confirm that the bucket policy has been removed.
  9. Go back to Rules in the Config console and confirm that the s3-bucket-public-write-prohibited rule is Compliant.

Additional Resources

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.
