Lab: Automated Remediation of Security Controls with AWS Config
Prescribe security controls
Lab: Automated Remediation of Security Controls with AWS Config
This lab focuses on prescribing and implementing security controls as defined in the AWS SAP-C02 Domain 1.2. You will learn how to automate the detection and remediation of insecure S3 bucket configurations using AWS Config and AWS Systems Manager (SSM).
[!WARNING] This lab involves creating AWS resources. To avoid ongoing charges, ensure you complete the Clean-Up / Teardown section at the end.
Prerequisites
- AWS Account: Active account with AdministratorAccess permissions.
- AWS CLI: Installed and configured with
aws configureusing a region likeus-east-1orus-west-2. - IAM Permissions: Ability to create IAM Roles and S3 buckets.
- Service Linked Role: Ensure the
AWSServiceRoleForConfigexists (standard if Config has been used before).
Learning Objectives
- Implement AWS Config Managed Rules to detect security drifts.
- Configure SSM Automation for real-time remediation of non-compliant resources.
- Apply the Principle of Least Privilege using IAM roles for automation.
- Verify the effectiveness of security controls through manual testing.
Architecture Overview
Step-by-Step Instructions
Step 1: Create a Non-Compliant S3 Bucket
We will start by creating a bucket that intentionally violates security best practices by allowing public read access.
# Generate a unique bucket name
BUCKET_NAME="brainybee-lab-insecure-$(date +%s)"
# Create the bucket
aws s3api create-bucket --bucket $BUCKET_NAME --region us-east-1
# Remove default Public Access Blocks (to simulate an insecure state)
aws s3api delete-public-access-block --bucket $BUCKET_NAME▶Console alternative
- Navigate to S3 > Create bucket.
- Enter a unique name and uncheck Block all public access.
- Acknowledge the warning and click Create bucket.
Step 2: Create an IAM Role for Remediation
AWS Config needs permission to execute the SSM Automation document on your behalf.
# Create the Trust Policy
cat <<EOF > trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "ssm.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}
EOF
# Create the role
aws iam create-role --role-name ConfigRemediationRole --assume-role-policy-document file://trust-policy.json
# Attach the required policy (AmazonSSMAutomationRole)
aws iam attach-role-policy --role-name ConfigRemediationRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRoleStep 3: Enable AWS Config and Managed Rule
We will deploy the s3-bucket-public-read-prohibited managed rule.
# Put the managed rule
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "s3-bucket-public-read-prohibited",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
}'[!TIP] If this is your first time using AWS Config, you may need to run the setup wizard in the console to create the configuration recorder and delivery channel first.
Step 4: Configure Automated Remediation
Now, we link the Config rule to the SSM Automation document AWS-ConfigureS3BucketPublicAccessBlock.
# Associate remediation
aws configservice put-remediation-configurations --remediation-configurations '[
{
"ConfigRuleName": "s3-bucket-public-read-prohibited",
"TargetType": "SSM_DOCUMENT",
"TargetId": "AWS-ConfigureS3BucketPublicAccessBlock",
"Parameters": {
"AutomationAssumeRole": { "StaticValue": { "Values": [ "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/ConfigRemediationRole" ] } },
"BucketName": { "ResourceValue": { "Value": "RESOURCE_ID" } }
},
"Automatic": true,
"MaximumAutomaticAttempts": 5,
"RetryAttemptSeconds": 60
}
]'Note: Replace <YOUR_ACCOUNT_ID> with your actual 12-digit AWS account ID.
Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| 1. Config Status | aws configservice describe-config-rule-evaluation-status --config-rule-names s3-bucket-public-read-prohibited | LastSuccessfulEvaluationTime is populated. |
| 2. Compliance | Check the Config Dashboard in the console. | The insecure bucket should show as Non-compliant then transition to Compliant. |
| 3. Remediation | aws s3api get-public-access-block --bucket <YOUR_BUCKET_NAME> | Output should show all four blocks as true. |
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| Remediation fails with "Access Denied" | IAM Role permissions | Ensure ConfigRemediationRole has the AmazonSSMAutomationRole policy and S3 permissions. |
| Rule stays "Pending" | Configuration Recorder | Check if the AWS Config recorder is in the RUNNING state. |
| Bucket still public | Evaluation Delay | AWS Config can take 2-5 minutes to detect and trigger the SSM document. |
Clean-Up / Teardown
Run these commands to remove all resources and avoid costs:
# 1. Delete the S3 bucket
aws s3 rb s3://$BUCKET_NAME --force
# 2. Delete the Config Rule
aws configservice delete-config-rule --config-rule-name s3-bucket-public-read-prohibited
# 3. Delete the IAM Role
aws iam detach-role-policy --role-name ConfigRemediationRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
aws iam delete-role --role-name ConfigRemediationRoleStretch Challenge
Goal: Implement a "Notification-First" remediation flow as mentioned in the source material.
Instead of blocking access immediately, modify the Config Rule to trigger an Amazon SNS notification to an administrator. Only if the bucket is still non-compliant after 1 hour, trigger the SSM Remediation.
▶Hint
Use
to capture the AWS Config compliance change event and route it to SNS.
Cost Estimate
- AWS Config: $0.003 per configuration item recorded and $1.00 per active rule/month.
- S3: Minimal ($0.00 for empty bucket).
- SSM Automation: Free for AWS-owned documents.
- Estimated Total: < $0.50 (well within Free Tier if applicable).
Concept Review
| Service | Role in this Lab | Alternative |
|---|---|---|
| AWS Config | Detection of drift and policy enforcement. | AWS Security Hub (aggregated checks) |
| SSM Automation | The "Prescribed Guidance" execution engine. | AWS Lambda (for custom logic) |
| S3 Public Access Block | The specific security control applied. | Bucket Policies (more granular but manual) |
Key Takeaway: As an SAP-C02 candidate, you must prescribe automation for scale. Manual intervention cannot keep up with thousands of resources; tools like AWS Config provide the "guardrails" necessary for organizational compliance.