Connect this data source on your own, using the Hunters platform.
Overview
Table name: aws_config
AWS Config is a service that helps organizations assess, audit, and evaluate the configuration of their AWS resources. It provides a detailed view of the configuration of AWS resources and how they are related, enabling organizations to identify potential security risks, compliance issues, and operational problems.
AWS Config continuously monitors and records changes to the configuration of AWS resources, such as EC2 instances, S3 buckets, and security groups, among others. It also tracks resource relationships and dependencies, allowing organizations to quickly identify the root cause of any issues that arise.
Send data to Hunters
AWS Config has several features; for Hunters the most relevant one is the recording of resource configurations.
To configure AWS Config in the optimal way for Hunters complete these steps:
1. Enable AWS Config
To enable AWS Config for the region:
Open the AWS Config service and click Get Started.
Under General settings, perform the following:
a. Leave the default Record all resources supported in this region selected (this is important for data comprehensiveness).
b. Select the Include global resources (e.g., AWS IAM resources) option.
c. For AWS Config role, pick your preferred role permissions (by default, AWS will generate a role for you).
Under Delivery method, for Amazon S3 bucket, pick the bucket you wish to send Config logs to (either an existing bucket or a new one). If you pick an existing bucket, you must make sure the bucket policy allows the Config role to write to it.
On the next step (Rules), click Next without selecting anything, and click Confirm.
After ~1 minute, Config should be enabled for the region.
After roughly 20-30 minutes, ConfigHistory files should start being written to the S3 destination you picked. This alone is not enough: configuration snapshot delivery must also be configured (step 2 below).
💡Tip
You can later enter the Settings tab in the Config service and modify the data retention period for which the Config files are stored.
The default retention period is 7 years, but this is less critical for Hunters, as we ingest data in close to real-time. This can be modified to whichever retention period you wish (but must be at least two days).
2. Enable periodic configuration snapshot delivery
This step is required for AWS Config to periodically write configuration snapshots of all resources to S3. This data is essential for adding context to automatic investigations of threat signals detected in the control plane or data plane. Snapshot delivery cannot be configured through the AWS web console, so you need to configure it manually using the AWS CLI.
The following command shows the existing delivery channel configuration:
aws --region <REGION> configservice describe-delivery-channels
You should see something like:
{
    "DeliveryChannels": [
        {
            "name": "default",
            "s3BucketName": "<CONFIG_BUCKET_NAME>"
        }
    ]
}
You then need to call put-delivery-channel with all the parameters that are already configured (as shown above), plus the configSnapshotDeliveryProperties parameter, which sets the frequency with which AWS Config takes resource configuration snapshots.
An example command looks like:
aws --region <REGION> configservice put-delivery-channel --delivery-channel name="default",s3BucketName="<CONFIG_BUCKET_NAME>",configSnapshotDeliveryProperties={deliveryFrequency="TwentyFour_Hours"}
If your existing delivery channel configuration also contained any of s3KeyPrefix, s3KmsKeyArn or snsTopicARN, you must pass them in the put-delivery-channel command as well, otherwise they are dropped from the channel. The possible values for deliveryFrequency are:
One_Hour
Three_Hours
Six_Hours
Twelve_Hours
TwentyFour_Hours
It is up to you which frequency to pick. This is a tradeoff between AWS costs and the accuracy (freshness) of the resource configurations that Hunters' auto-investigation fetches for resources that appear in AWS-related leads. Setting it to One_Hour incurs the highest AWS costs (pricing is per configuration item recorded), but lets the auto-investigation fetch the most recent configuration seen for a resource. Setting it to TwentyFour_Hours incurs the lowest AWS costs, but the auto-investigation may then fetch a configuration snapshot from up to a day back, which might be outdated.
To prevent undesired or unplanned costs, we recommend starting with TwentyFour_Hours and optionally increasing the frequency later on.
After the command runs successfully, ConfigSnapshot files will start being written to S3 periodically.
⚠️ Attention
The above process only enables Config (and sets up ConfigSnapshot file delivery) for a single region. Repeat it in every region you use for full coverage.
The written files must match the pattern %/ConfigSnapshot/% (that is, contain /ConfigSnapshot/ in their S3 key) to be processed correctly; ConfigHistory files are not ingested.
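The following Python script is an added example for this page (it is not Hunters' or AWS's own code) that automates step 2 across several regions and keeps the fields the shorthand command above is easy to lose: it reads the existing channel with describe-delivery-channels, copies name, s3BucketName and whichever of s3KeyPrefix, s3KmsKeyArn and snsTopicARN are present, adds configSnapshotDeliveryProperties, and passes the result to put-delivery-channel as a JSON structure (which the AWS CLI accepts for --delivery-channel as an alternative to the shorthand syntax). With dry_run=True (the default) it does not invoke the CLI and reads a constructed sample describe output instead; set dry_run=False on a host where the AWS CLI and credentials are configured. Bucket, key ARN and region names are placeholders, and step 1 (enabling the recorder in the console) is not covered.

```python
"""Enable periodic ConfigSnapshot delivery in several regions without dropping
the optional delivery-channel fields. Added example, not Hunters' own code."""
import json
import subprocess

VALID_FREQUENCIES = ("One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours")

# put-delivery-channel replaces the whole channel: any of these not passed again is dropped.
OPTIONAL_FIELDS = ("s3KeyPrefix", "s3KmsKeyArn", "snsTopicARN")

# Constructed sample of `aws configservice describe-delivery-channels` output (placeholder names).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DeliveryChannels": [
        {
            "name": "default",
            "s3BucketName": "example-config-bucket",
            "s3KeyPrefix": "config",
            "s3KmsKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/example-key-id",
        }
    ]
})


def build_delivery_channel(describe_output: str, frequency: str) -> dict:
    """Return the DeliveryChannel structure to pass to put-delivery-channel.

    Copies name, s3BucketName and every optional field present on the existing
    channel, then adds configSnapshotDeliveryProperties with the chosen frequency.
    """
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"deliveryFrequency must be one of {VALID_FREQUENCIES}, got {frequency!r}")
    channels = json.loads(describe_output)["DeliveryChannels"]
    if len(channels) != 1:
        raise ValueError(f"expected exactly one delivery channel, found {len(channels)}")
    existing = channels[0]
    channel = {"name": existing["name"], "s3BucketName": existing["s3BucketName"]}
    for field in OPTIONAL_FIELDS:
        if field in existing:
            channel[field] = existing[field]
    channel["configSnapshotDeliveryProperties"] = {"deliveryFrequency": frequency}
    return channel


def describe_delivery_channels_command(region: str) -> list:
    """argv for reading the current channel as JSON."""
    return ["aws", "--region", region, "configservice", "describe-delivery-channels",
            "--output", "json"]


def put_delivery_channel_command(region: str, channel: dict) -> list:
    """argv for writing the channel back; --delivery-channel takes the structure as JSON."""
    return ["aws", "--region", region, "configservice", "put-delivery-channel",
            "--delivery-channel", json.dumps(channel)]


def enable_snapshots(regions, frequency="TwentyFour_Hours", dry_run=True) -> list:
    """Build (and, unless dry_run, execute) the put-delivery-channel call per region.

    Returns the argv of every put-delivery-channel command so the caller can audit it.
    In dry_run mode the describe output comes from SAMPLE_DESCRIBE_OUTPUT above.
    """
    commands = []
    for region in regions:
        if dry_run:
            describe_output = SAMPLE_DESCRIBE_OUTPUT
        else:
            describe_output = subprocess.run(describe_delivery_channels_command(region),
                                             check=True, capture_output=True, text=True).stdout
        cmd = put_delivery_channel_command(region, build_delivery_channel(describe_output, frequency))
        if not dry_run:
            subprocess.run(cmd, check=True)
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Dry run: print what would be executed in each region.
    for cmd in enable_snapshots(["eu-west-1", "us-east-1"]):
        print(" ".join(cmd))
```

Run it once with dry_run=True, check that the printed JSON still carries your prefix, KMS key and SNS topic, and only then run with dry_run=False; starting at TwentyFour_Hours and raising the frequency later matches the cost advice above.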
3. Set up ingestion on Hunters
Once Config is enabled and ConfigSnapshot files are being delivered to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format, one ConfigSnapshot object per file, for example:
{
    "fileVersion": "1.0",
    "configSnapshotId": "11111-1111-11111",
    "configurationItems": [
        {
            "relatedEvents": [],
            "relationships": [],
            "configuration": {
                "complianceType": "NON_COMPLIANT",
                "targetResourceId": "228111117272",
                "targetResourceType": "AWS::::Account",
                "configRuleList": [
                    {
                        "configRuleArn": "arn:aws:config:eu-west-1:228222222272:config-rule/config-rule-aaaa",
                        "configRuleId": "config-rule-aaaa",
                        "configRuleName": "root-account-mfa-enabled",
                        "complianceType": "COMPLIANT"
                    }
                ]
            },
            "supplementaryConfiguration": {
                "unsupportedResources": [
                    {
                        "resourceId": "228111117272",
                        "resourceType": "AWS::::Account"
                    }
                ]
            },
            "tags": {},
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2013-07-01T08:41:02.213Z",
            "configurationStateId": 1511111970462213,
            "awsAccountId": "228181117272",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::Config::ResourceCompliance",
            "resourceId": "AWS::::Account/228181117272",
            "awsRegion": "eu-west-1",
            "configurationStateMd5Hash": ""
        }
    ]
}
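The following Python script is an added example (not Hunters' ingestion code) showing how a pipeline would consume a ConfigSnapshot object in the format above: filter S3 keys on the /ConfigSnapshot/ pattern, decompress the body (Config delivers snapshot files as gzipped JSON), validate that configurationItems is present, count configuration items by resourceType, and list NON_COMPLIANT resources together with the rules they fail. The snapshot is a constructed sample in the same layout as the example above, with a second item of type AWS::EC2::SecurityGroup to show an ordinary resource; account IDs, resource IDs and the S3 key are placeholders.

```python
"""Read a ConfigSnapshot file and summarise its configuration items.
Added example, not Hunters' own ingestion code."""
import gzip
import json
import re
from collections import Counter

# Only objects whose key contains /ConfigSnapshot/ are processed (the %/ConfigSnapshot/% pattern).
SNAPSHOT_KEY_RE = re.compile(r"/ConfigSnapshot/")

# Constructed sample snapshot (placeholder IDs), same layout as the page's expected-format example.
SAMPLE_SNAPSHOT = {
    "fileVersion": "1.0",
    "configSnapshotId": "00000000-0000-0000-0000-000000000000",
    "configurationItems": [
        {
            "relatedEvents": [],
            "relationships": [],
            "configuration": {
                "complianceType": "NON_COMPLIANT",
                "targetResourceId": "111122223333",
                "targetResourceType": "AWS::::Account",
                "configRuleList": [
                    {"configRuleName": "root-account-mfa-enabled", "complianceType": "NON_COMPLIANT"},
                    {"configRuleName": "iam-password-policy", "complianceType": "COMPLIANT"},
                ],
            },
            "supplementaryConfiguration": {},
            "tags": {},
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationStateId": 1,
            "awsAccountId": "111122223333",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::Config::ResourceCompliance",
            "resourceId": "AWS::::Account/111122223333",
            "awsRegion": "eu-west-1",
            "configurationStateMd5Hash": "",
        },
        {
            "relatedEvents": [],
            "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example",
                               "name": "Is contained in Vpc"}],
            "configuration": {"groupId": "sg-0example", "groupName": "web"},
            "supplementaryConfiguration": {},
            "tags": {"Name": "web"},
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationStateId": 2,
            "awsAccountId": "111122223333",
            "configurationItemStatus": "ResourceDiscovered",
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0example",
            "awsRegion": "eu-west-1",
            "configurationStateMd5Hash": "",
        },
    ],
}


def is_snapshot_key(key: str) -> bool:
    """True for S3 keys that will be ingested (ConfigHistory keys are rejected)."""
    return SNAPSHOT_KEY_RE.search(key) is not None


def sample_snapshot_bytes(compressed: bool = True) -> bytes:
    """Serialise the constructed sample the way Config delivers it: gzipped JSON."""
    raw = json.dumps(SAMPLE_SNAPSHOT).encode()
    return gzip.compress(raw) if compressed else raw


def load_snapshot(data: bytes) -> dict:
    """Decode a snapshot body; accepts plain or gzipped JSON (gzip magic bytes 1f 8b)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    snapshot = json.loads(data)
    if not isinstance(snapshot.get("configurationItems"), list):
        raise ValueError("not a ConfigSnapshot file: configurationItems missing")
    return snapshot


def count_by_type(snapshot: dict) -> Counter:
    """Number of configuration items per resourceType."""
    return Counter(item["resourceType"] for item in snapshot["configurationItems"])


def noncompliant_resources(snapshot: dict) -> dict:
    """Map each NON_COMPLIANT ResourceCompliance item to the names of the rules it fails."""
    failing = {}
    for item in snapshot["configurationItems"]:
        if item["resourceType"] != "AWS::Config::ResourceCompliance":
            continue
        conf = item["configuration"]
        if conf.get("complianceType") != "NON_COMPLIANT":
            continue
        failing[item["resourceId"]] = [r["configRuleName"] for r in conf.get("configRuleList", [])
                                       if r.get("complianceType") == "NON_COMPLIANT"]
    return failing


if __name__ == "__main__":
    key = "AWSLogs/111122223333/Config/eu-west-1/2024/1/1/ConfigSnapshot/example.json.gz"
    if is_snapshot_key(key):
        snap = load_snapshot(sample_snapshot_bytes())
        print(dict(count_by_type(snap)))
        print(noncompliant_resources(snap))
```

The key check runs before the download so ConfigHistory objects in the same prefix are skipped cheaply, and the gzip magic-byte test means the same loader works for objects fetched raw from S3 and for files already decompressed locally.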