8.1

8.1 Manually create encryption prevention, detection and remediation workflow in Console

Review and ensure that you have setup your development environment before going through the steps below.

Create an AWS Config Recorder

NOTE: If you have already enabled Config on your AWS account, you do not need to go through these instructions.

1. Go to the Config console.
2. If it is your first time using Config, click the Get Started button.
3. Select the Include global resources (e.g., AWS IAM resources) checkbox.
4. In the Amazon S3 bucket section, select the Create a bucket radio button.
5. In the AWS Config role section, select the Use an existing AWS Config service-linked role radio button.
6. Click the Next button.
7. Click the Skip button on the AWS Config rules page.
8. Click the Confirm button on the Review page.

NOTE: The above creates one Config Recorder and one Config Delivery Channel.

Create an S3 Bucket for CloudTrail Trail

1. Go to the S3 console.
2. Click the Create bucket button.
3. Enter ceoa-8-cloudtrail-ACCOUNTID in the Bucket name field. Replace ACCOUNTID with the results of the following command: aws sts get-caller-identity --output text --query 'Account'.
4. Click Next on the Configure Options screen.
5. Click Next on the Set Permissions screen.
6. Click Create bucket on the Review screen.

Create an Unencrypted CloudTrail Trail

1. Go to the CloudTrail console
2. Click the Create trail button.
3. Enter ceoa-8-cloudtrail in the Trail name field.
4. Choose the checkbox next to Select all S3 buckets in your account in the Data events section.
5. Choose the No radio button for the Create a new S3 bucket field in the Storage location section.
6. Choose the S3 bucket you just created from the S3 bucket dropdown.
7. Click the Create button.

Create an IAM Policy and Role for Lambda

1. Go to the IAM console.
2. Click on Policies.
3. Click Create policy.
4. Click the JSON tab.
5. Copy and replace the contents below into the JSON text area.
6. Click the Review policy button.
7. Enter ceoa-8-cloudtrail-policy in the *Name field.
8. Click the Create policy button.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:*",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

9. Click on Roles.
10. Click the Create role button.
11. Click Lambda from the Choose the service that will use this role section.
12. Click the Next: Permissions button.
13. Click ceoa-8-cloudtrail-policy in the Filter policies search field.
14. Select the checkbox next to ceoa-8-cloudtrail-policy and click on the Next: Tags button.
15. Click the Next: Review button.
16. Enter ceoa-8-cloudtrail-role in the Role name field.
17. Click the Create role button.

Create a Lambda function

1. Go to the Lambda console.
2. Click the Create function button.
3. Keep the Author from scratch radio button selected and enter ceoa-8-lambda-cloudtrail in the Function name field.
4. Choose Node.js 10.x for the Runtime.
5. Under Permissions choose the Choose or create an execution role.
6. Under Execution role, choose Use an existing role.
7. In the Existing role dropdown, choose ceoa-8-cloudtrail-role.
8. Click the Create function button.
9. Scroll to the Function code section and within the index.js pane, copy and replace the code from below.

var AWS = require('aws-sdk');

exports.handler = function(event) {
  console.log("request:", JSON.stringify(event, undefined, 2));

    var cloudtrail = new AWS.CloudTrail({apiVersion: '2013-11-01'});
    var resource = event['detail']['requestParameters']['evaluations'];
    console.log("evaluations:", JSON.stringify(resource, null, 2));
    
  
for (var i = 0, len = resource.length; i < len; i++) {
  if (resource[i]["complianceType"] == "NON_COMPLIANT")
  {
      console.log(resource[i]["complianceResourceId"]);
      var params = {
        KmsKeyId: resource[i]["complianceResourceId"]
      };

      cloudtrail.updateTrail(params, function(err, data) {
        if (err) console.log(err, err.stack); // an error occurred
        else     console.log(data);           // successful response
      });
  }
}


};

10. Click the Save button.

Create a Config Rule (Managed Rule which runs Lambda function)

1. Go to the Config console.
2. Click Rules.
3. Click the Add rule button.
4. In the filter box, type cloud-trail-encryption-enabled.
5. Choose the cloud-trail-encryption-enabled rule.
6. Click the Save button.

Cloudwatch Event Rule

1. Go to the CloudWatch console.
2. Click on Rules.
3. Click the Create rule button.
4. Choose Event pattern in the Event Source section.
5. In the Event Pattern Preview section, click Edit.
6. Copy the contents from below and replace in the Event pattern text area.
7. Click the Save button.
8. Click the Add target button.
9. Choose Lambda function.
10. Select the ceoa-8-lambda-cloudtrail function you previously created.
11. Click the Configure details button.
12. Enter ceoa-8-cloudtrail-cwe in the Name field.
13. Click the Create rule button.

{
  "source":[
    "aws.config"
  ],
  "detail":{
    "requestParameters":{
      "evaluations":{
        "complianceType":[
          "NON_COMPLIANT"
        ]
      }
    },
    "additionalEventData":{
      "managedRuleIdentifier":[
        "CLOUD_TRAIL_ENCRYPTION_ENABLED"
      ]
    }
  }
}

Verify Compliance

1. Go to the Config console.
2. Click on Rules.
3. Select the cloud-trail-encryption-enabled rule.
4. Click the Re-evaluate button.
5. Go back to Rules in the Config console.
6. Go to the CloudTrail console and choose the ceoa-8-cloudtrail trail and ensure that trail is encrypted.
7. Go back to Rules in the Config console and confirm that the cloud-trail-encryption-enabled rule is Compliant.

Additional Resources

• AWS::Config::ConfigRule properties

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.