Enable AWS Config Rule

Ensure compliance by enabling AWS Config to monitor resources.

Rule: AWS Config should be enabled
Framework: PCI v3.2.1
Severity: Medium

Rule Description

The rule requires AWS Config to be enabled with the appropriate settings to meet the compliance requirements for Payment Card Industry Data Security Standard (PCI DSS) version 3.0.

Troubleshooting Steps

If AWS Config is not already enabled or the configuration settings do not comply with PCI v3 standards, the following troubleshooting steps can be followed:

  1. Verify AWS Config Status: Check the status of AWS Config to ensure it is enabled for the AWS account. If it is not enabled, follow the remediation steps provided below.

  2. Validate Compliance Rules: Review the specific compliance rules for PCI v3 and ensure they are properly configured within AWS Config. If any rules are missing or misconfigured, update them accordingly.

  3. Review AWS Config Recorder: Verify that the AWS Config recorder is configured properly and capturing all the required resource configurations. If not, adjust the recorder settings to include the necessary resources.

  4. Check Rule Evaluation Frequency: Review the rule evaluation frequency for AWS Config. Ensure that it is set to a frequency that meets the compliance requirements, such as evaluating the rules at least once every 24 hours.

  5. Verify Rule Non-Compliance Notifications: Ensure that the appropriate notifications are configured to alert stakeholders when any PCI v3 rule is violated.

  6. Validate Rule Remediation Options: Familiarize yourself with the available remediation options for AWS Config rules. Understand how to automatically remediate non-compliant resources or have a plan in place to manually fix any non-compliant configurations.
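The status, recorder and frequency checks in steps 1, 3 and 4 can be scripted against the same three API calls the AWS CLI uses (describe-configuration-recorders, describe-configuration-recorder-status and describe-delivery-channels). The following is an added example, not Cloud Defense's code: the evaluator accepts any object exposing those three boto3 ConfigService methods, so in practice you would pass boto3.client("config"); here a stub client with constructed responses (the role ARN, bucket name and account id are made-up sample values) stands in so the check runs without AWS access.

```python
"""Offline evaluator for the AWS Config checks in the troubleshooting steps."""

# Configuration snapshot delivery frequencies accepted by AWS Config, in hours.
FREQUENCY_HOURS = {
    "One_Hour": 1,
    "Three_Hours": 3,
    "Six_Hours": 6,
    "Twelve_Hours": 12,
    "TwentyFour_Hours": 24,
}
MAX_HOURS = 24  # the rule's requirement: at least once every 24 hours


def evaluate_aws_config(client):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
    if not recorders:
        # Nothing else is meaningful without a recorder.
        return ["no configuration recorder exists: AWS Config is not enabled"]

    statuses = client.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    status_by_name = {s["name"]: s for s in statuses}

    for rec in recorders:
        name = rec["name"]
        group = rec.get("recordingGroup", {})
        status = status_by_name.get(name, {})

        # Creating a recorder does not record anything; it must have been started.
        if not status.get("recording"):
            findings.append(f"recorder {name!r} exists but is not recording")
        if status.get("lastStatus", "").lower() == "failure":
            findings.append(f"recorder {name!r}: last delivery status is Failure")

        if group.get("allSupported"):
            if not group.get("includeGlobalResourceTypes"):
                findings.append(f"recorder {name!r} omits global resource types (e.g. IAM)")
        else:
            types = group.get("resourceTypes", [])
            findings.append(
                f"recorder {name!r} records only {len(types)} explicit resource type(s); "
                "confirm the list covers every in-scope resource"
            )

    channels = client.describe_delivery_channels()["DeliveryChannels"]
    if not channels:
        findings.append("no delivery channel configured: snapshots and history are not delivered")
    for ch in channels:
        props = ch.get("configSnapshotDeliveryProperties") or {}
        hours = FREQUENCY_HOURS.get(props.get("deliveryFrequency"))
        if hours is None:
            findings.append(f"delivery channel {ch['name']!r} has no snapshot delivery frequency set")
        elif hours > MAX_HOURS:
            findings.append(f"delivery channel {ch['name']!r} delivers every {hours}h, over {MAX_HOURS}h")

    return findings


class StubConfigClient:
    """Stand-in for boto3.client("config") that returns constructed responses."""

    def __init__(self, recorders, statuses, channels):
        self._recorders, self._statuses, self._channels = recorders, statuses, channels

    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": self._recorders}

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": self._statuses}

    def describe_delivery_channels(self):
        return {"DeliveryChannels": self._channels}


# Constructed sample: recorder started, all supported + global types, 24h snapshot delivery.
COMPLIANT_CLIENT = StubConfigClient(
    recorders=[{"name": "default",
                "roleARN": "arn:aws:iam::123456789012:role/example-config-role",
                "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                                   "resourceTypes": []}}],
    statuses=[{"name": "default", "recording": True, "lastStatus": "Success"}],
    channels=[{"name": "default", "s3BucketName": "example-config-bucket",
               "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}],
)

# Constructed sample: recorder created but never started, partial type list, no channel.
NONCOMPLIANT_CLIENT = StubConfigClient(
    recorders=[{"name": "default",
                "roleARN": "arn:aws:iam::123456789012:role/example-config-role",
                "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                   "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"]}}],
    statuses=[{"name": "default", "recording": False, "lastStatus": "Failure"}],
    channels=[],
)

if __name__ == "__main__":
    for label, client in (("compliant", COMPLIANT_CLIENT), ("non-compliant", NONCOMPLIANT_CLIENT)):
        findings = evaluate_aws_config(client)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

An account that has a recorder but never started it, or that records an explicit type list, is the case the troubleshooting steps are written for; the evaluator reports each such condition separately so the remediation command for it can be chosen.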

Necessary Codes

If you need to enable or configure AWS Config to meet PCI v3 compliance requirements, the following AWS CLI commands can be used:

  1. To enable AWS Config (create the recorder):
     aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/<config-role> --recording-group allSupported=true,includeGlobalResourceTypes=true

This command creates the AWS Config recorder named default, using the IAM role that AWS Config assumes to read resource configurations, and sets it to capture all supported resource types, including global types such as IAM. Replace <account-id> and <config-role> with your values. allSupported=true cannot be combined with an explicit resourceTypes list (see step 3). The recorder does not record until it is started, which requires the delivery channel from step 2 to exist first:
     aws configservice start-configuration-recorder --configuration-recorder-name default

  2. To set the snapshot delivery frequency:
     aws configservice put-delivery-channel --delivery-channel 'name=default,s3BucketName=<config-bucket>,configSnapshotDeliveryProperties={deliveryFrequency=TwentyFour_Hours}'

Replace <config-bucket> with the S3 bucket that receives configuration snapshots and history (the AWS Config service role must be allowed to write to it); name is the delivery channel name, and an account has one delivery channel per region. This command sets the delivery channel's configuration snapshot delivery frequency to once every 24 hours. Evaluation frequency for periodic rules is a separate per-rule setting (MaximumExecutionFrequency in put-config-rule), so check it alongside the delivery frequency.

  3. To record an explicit set of resource types instead of all supported types:
     aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/<config-role> --recording-group '{"allSupported":false,"includeGlobalResourceTypes":false,"resourceTypes":["AWS::EC2::Instance","AWS::S3::Bucket","AWS::RDS::DBInstance","AWS::IAM::Role","AWS::EC2::VPC","AWS::CloudTrail::Trail"]}'

This command replaces the recorder's recording group with the listed resource types, including "AWS::CloudTrail::Trail". allSupported must be false whenever resourceTypes is given; with allSupported=true, as in step 1, "AWS::CloudTrail::Trail" is already recorded and no extra command is needed.

Step-by-step Guide for Remediation

To enable and configure AWS Config for PCI v3 compliance, follow these step-by-step instructions:

  1. Sign in to the AWS Management Console.

  2. Open the AWS Config console.

  3. Check the status of AWS Config. If it is not enabled, proceed to step 7; otherwise, continue to step 4.

  4. Review the compliance rules for PCI v3 and verify their configuration. If any rules are missing or misconfigured, follow the AWS Config documentation to update them accordingly.

  5. Check the AWS Config recorder settings. Ensure that it includes all the necessary resources for PCI v3 compliance. If changes are required, follow the AWS Config documentation to adjust the recorder settings.

  6. Review the rule evaluation frequency. Make sure it is set to evaluate the rules at least once every 24 hours. If adjustments are necessary, follow the AWS Config documentation to modify the frequency.

  7. Enable AWS Config if it is not already enabled. You can use the provided AWS CLI command or follow the AWS Config documentation for enabling AWS Config through the console.

  8. Specify additional resources for recording, if needed. Utilize the provided AWS CLI command or refer to the AWS Config documentation for adding specific resource types.

  9. Verify that appropriate notifications are configured for rule non-compliance. Ensure that stakeholders are notified when any PCI v3 rule is violated.

  10. Familiarize yourself with AWS Config remediation options. Understand how to automatically remediate non-compliant resources or have a plan in place to manually fix them.

Following these steps will enable and configure AWS Config to meet the PCI v3 compliance requirements.
