- Why am I getting emails on non-compliant AWS Config rules?
- Misconfigured cloud resources are one of the ways malicious actors can access Stanford’s data in the cloud or break into our systems running in the cloud. Keep in mind that under the AWS “Shared Responsibility Model” (https://aws.amazon.com/compliance/shared-responsibility-model), cloud vendors are not responsible for resource misconfigurations.
To protect Stanford’s cloud resources, we have deployed some basic rules to check for potential misconfigurations. The Information Security Office (ISO) collects this data and sends reports to account administrators periodically.
- I received an email report on non-compliant rules. What should I do?
- You are strongly advised to fix these as soon as you can. To resolve a non-compliant Config rule, you need to change the resource that caused it. Depending on the situation and the rule, this can be easy or may take some work to understand the impact on the resource. For example, one of the rules checks whether a security group contains a firewall rule that is open to the world. If you have SSH access open to the world, fixing it might be as simple as replacing the open range with your home or work IP address(es). It is not that easy if many individuals access the resource over SSH from a wide variety of places. Start with the easiest one you can tackle and go from there as you are able. Some findings should be fixed immediately: for example, a database port open to the world needs to be fixed right away. Use your best judgement when prioritizing these.
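As an added example (not Stanford ISO’s tooling and not code from the original FAQ), the following Python evaluates security group rules in the shape boto3’s describe_security_groups() returns, flags the world-open SSH and database ports described in the answer above, and shows the remediation of replacing 0.0.0.0/0 (or ::/0) with specific addresses. The sample security group, the list of sensitive ports and the CIDR values are constructed for the example; run it on offline data, or feed it real API output.

```python
"""Flag world-open SSH/database rules in an AWS security group and show the fix.

Added example, not Stanford ISO's or AWS's own tooling. Input is a dict in the
shape of one entry from boto3's describe_security_groups()["SecurityGroups"],
so the check runs offline on the constructed sample below.
"""

# Ports this example treats as sensitive (SSH plus common database ports).
# The port list and labels are assumptions for the example, not an AWS Config list.
SENSITIVE_PORTS = {
    22: "SSH",
    3306: "MySQL",
    5432: "PostgreSQL",
    1433: "MSSQL",
    27017: "MongoDB",
}

# "Open to the world" means either of these ranges appears in the rule.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # -1 means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 range in the entry is 0.0.0.0/0 or ::/0."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def find_world_open_ports(security_group):
    """Return a sorted list of (port, service) pairs exposed to the world."""
    findings = set()
    for perm in security_group.get("IpPermissions", []):
        if not rule_is_world_open(perm):
            continue
        for port, name in SENSITIVE_PORTS.items():
            if rule_covers_port(perm, port):
                findings.add((port, name))
    return sorted(findings)


def restrict_rule(perm, allowed_cidrs):
    """Return a copy of a rule with the world ranges removed and the given
    CIDRs added, i.e. the remediation the FAQ describes: keep the port open
    only to your own addresses. Existing non-world ranges are preserved."""
    keep_v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") not in WORLD_CIDRS]
    keep_v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") not in WORLD_CIDRS]
    for cidr in allowed_cidrs:
        if ":" in cidr:
            keep_v6.append({"CidrIpv6": cidr})
        else:
            keep_v4.append({"CidrIp": cidr})
    fixed = dict(perm)
    fixed["IpRanges"] = keep_v4
    fixed["Ipv6Ranges"] = keep_v6
    return fixed


# Constructed sample resembling one describe_security_groups() entry:
# HTTPS open to the world (fine here), SSH open to the world (finding),
# PostgreSQL open to an internal range and to all of IPv6 (finding).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "GroupName": "web-and-db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


if __name__ == "__main__":
    for port, name in find_world_open_ports(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {name} (tcp/{port}) is open to the world")
    # Remediate the SSH rule with a constructed office address (documentation range).
    fixed_ssh = restrict_rule(SAMPLE_SG["IpPermissions"][1], ["203.0.113.10/32"])
    print("SSH rule after fix:", fixed_ssh["IpRanges"], fixed_ssh["Ipv6Ranges"])
```

The check treats protocol `-1` (all traffic) as covering every port, which is how AWS interprets it; the remediation keeps any range that was already specific and only swaps out the world ranges, so an internal 10.0.0.0/8 allowance survives while ::/0 is removed.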
- Once I fix a non-compliant configuration, will the resource show as compliant immediately?
- No, it is not immediate. The change to the resource should trigger a re-evaluation of the rule and the compliance status will be updated in a few hours.
- The configuration I have is for a legitimate business case. However, the deployed Config rule(s) is identifying it as non-compliant. How do I request an exception?
- For now, please send an email with your specific case to email@example.com (you can just reply to the non-compliance report you received). We haven’t established a formal process for exceptions at the moment. Depending on the need, we may set up a formal process in the future.
- I’m not understanding the technical information and need help to fix the configuration issues. What do I do?
- Documentation on fixing these issues is available at https://docs.aws.amazon.com. A few examples:
  - Updating security groups: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules
  - S3 bucket encryption: https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
  - MFA: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
If you still need help, UIT’s Technology Consulting Group (TCG) can help. Please note that TCG charges for its services. Details are available at https://uit.stanford.edu/tcg.
Frequently Asked Questions about AWS Configuration Rules and Compliance Reporting
Last modified April 27, 2021