Lab: Automated Remediation of Public S3 Buckets with AWS Config and SSM
Unit 6: Automated Remediation and Remedial Actions
Lab: Automated Remediation of Public S3 Buckets
This lab demonstrates how to implement automated remediation for security compliance. You will use AWS Config to detect non-compliant S3 buckets (those with public read access) and automatically trigger an AWS Systems Manager (SSM) Automation runbook to secure them.
[!WARNING] Remember to run the teardown commands at the end of the lab to avoid ongoing charges for AWS Config and S3 storage.
Prerequisites
- An active AWS Account.
- AWS CLI installed and configured with Administrator permissions.
- Basic knowledge of IAM roles and S3 bucket policies.
- A specific region selected for all resources (e.g., us-east-1).
Learning Objectives
- Enable and configure AWS Config to monitor resource states.
- Implement AWS Config Rules to identify security risks.
- Set up Automated Remediation using SSM Automation runbooks.
- Verify the end-to-end event-driven remediation flow.
Architecture Overview
[Figure: The Remediation Loop. Three stages drawn as a cycle: Detect (Config records a change) → Evaluate (the rule marks the bucket NON_COMPLIANT) → Remediate (the SSM runbook fixes it), with Remediate feeding back into Detect, since the fix is itself a configuration change that Config records and re-evaluates.]
Step-by-Step Instructions
Step 1: Enable AWS Config
AWS Config must be recording resources in your region before it can detect changes. With the CLI, three pieces have to exist in this order: a configuration recorder (which needs an IAM role; the service-linked role AWSServiceRoleForConfig is the simplest choice), a delivery channel pointing at an S3 bucket, and then the recorder has to be started. The delivery bucket also needs a bucket policy that lets the config.amazonaws.com service principal call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<YOUR_ACCOUNT_ID>/Config/; without it put-delivery-channel fails with InsufficientDeliveryPolicyException. The console adds that policy when it creates the bucket for you.

```bash
# Create an S3 bucket for Config delivery (attach the Config bucket policy described above)
aws s3 mb s3://config-bucket-remediation-<YOUR_ACCOUNT_ID>
# Create the service-linked role that Config records with (skip if it already exists)
aws iam create-service-linked-role --aws-service-name config.amazonaws.com
# The recorder must exist before the delivery channel can be created
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::<YOUR_ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true
# Put the delivery channel configuration
aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=config-bucket-remediation-<YOUR_ACCOUNT_ID>
# Start the configuration recorder
aws configservice start-configuration-recorder --configuration-recorder-name default
```

Console alternative
- Navigate to AWS Config > Settings.
- Click Turn on.
- Choose Record all resources supported in this region.
- Create a new S3 bucket for the configuration snapshots.
- Click Confirm.
Step 2: Create a Non-Compliant S3 Bucket
We will intentionally create a bucket that violates security best practices by allowing public read access. Disabling Block Public Access on its own does not make a bucket public; it only removes the guardrail. The rule we deploy in Step 3 checks the Block Public Access settings, the bucket policy and the bucket ACL, so the bucket must actually grant anonymous read before it is flagged. New buckets have ACLs disabled (Object Ownership is "bucket owner enforced"), so we grant the read through a bucket policy rather than a public-read ACL.

```bash
# Create the test bucket
aws s3 mb s3://lab-insecure-bucket-<YOUR_ACCOUNT_ID>
# Disable 'Block Public Access' (to allow the vulnerability)
aws s3api put-public-access-block \
  --bucket lab-insecure-bucket-<YOUR_ACCOUNT_ID> \
  --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"
# Grant anonymous read on every object; this is what makes the rule report NON_COMPLIANT
aws s3api put-bucket-policy \
  --bucket lab-insecure-bucket-<YOUR_ACCOUNT_ID> \
  --policy '{"Version":"2012-10-17","Statement":[{"Sid":"PublicRead","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::lab-insecure-bucket-<YOUR_ACCOUNT_ID>/*"}]}'
```

[!IMPORTANT] Do not upload sensitive data to this bucket, as we are intentionally weakening its security for the lab.
Step 3: Deploy the Config Rule
Now deploy the AWS managed rule S3_BUCKET_PUBLIC_READ_PROHIBITED. It marks a bucket NON_COMPLIANT when the bucket policy or ACL allows public read and Block Public Access is not blocking it; the rule is evaluated when a bucket's configuration changes (and periodically), so the bucket from Step 2 will be picked up without any further action.

```bash
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName": "s3-bucket-public-read-prohibited", "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}'
```

Console alternative
- Go to Config > Rules > Add rule.
- Search for s3-bucket-public-read-prohibited.
- Keep default parameters and click Next then Save.
Step 4: Configure Automated Remediation
We will link the rule to the SSM Automation runbook AWS-ConfigureS3BucketPublicAccessBlock, which sets the four Block Public Access flags on the offending bucket. The runbook runs under the IAM role you pass as AutomationAssumeRole: that role must trust ssm.amazonaws.com and be allowed s3:PutBucketPublicAccessBlock on the bucket, and it needs nothing more, so keep it that narrow. Without it the runbook runs with the permissions of the caller, here the AWS Config service, which cannot change bucket settings, and the remediation fails. The CLI operation is put-remediation-configurations and takes a list; Automatic set to true makes Config run the fix without human approval, while MaximumAutomaticAttempts and RetryAttemptSeconds bound the retry loop (the defaults are 5 and 60).

```bash
aws configservice put-remediation-configurations \
  --remediation-configurations '[{"ConfigRuleName": "s3-bucket-public-read-prohibited",
    "TargetType": "SSM_DOCUMENT", "TargetId": "AWS-ConfigureS3BucketPublicAccessBlock",
    "Parameters": {"AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<REMEDIATION_ROLE_NAME>"]}},
                   "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
                   "BlockPublicAcls": {"StaticValue": {"Values": ["true"]}}, "IgnorePublicAcls": {"StaticValue": {"Values": ["true"]}},
                   "BlockPublicPolicy": {"StaticValue": {"Values": ["true"]}}, "RestrictPublicBuckets": {"StaticValue": {"Values": ["true"]}}},
    "Automatic": true, "MaximumAutomaticAttempts": 5, "RetryAttemptSeconds": 60}]'
```

[!TIP] The parameter value RESOURCE_ID is a dynamic placeholder that AWS Config replaces with the actual name of the non-compliant bucket at execution time, so one remediation configuration serves every bucket the rule ever flags.
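The following script is an added example and not part of the lab's own material. It wires Steps 1 to 4 together and supplies the two pieces the step-by-step commands only describe in prose: the bucket policy AWS Config needs on its delivery bucket, and a least-privilege AutomationAssumeRole for the runbook. The role name LabS3RemediationAutomationRole, the inline policy name, the delivery bucket prefix and the check_bucket helper are this script's own assumptions; the AWS CLI subcommands and the runbook parameter names are the real ones.

```bash
#!/usr/bin/env bash
# Added example: end-to-end wiring of the lab's Steps 1-4 as one script.
# Role, policy and bucket names below are assumptions chosen for this example.
set -eu

RULE_NAME="s3-bucket-public-read-prohibited"
RUNBOOK="AWS-ConfigureS3BucketPublicAccessBlock"
ROLE_NAME="LabS3RemediationAutomationRole"   # assumed name, created by apply()
POLICY_NAME="S3PublicAccessBlockOnly"        # assumed inline policy name

# Bucket policy the Config delivery bucket needs: GetBucketAcl on the bucket and
# PutObject under AWSLogs/<account>/Config/, both restricted to this account so that
# Config in another account cannot write into (or probe) the bucket.
config_delivery_policy() { # $1 = bucket name, $2 = account id
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Sid":"AWSConfigBucketPermissionsCheck","Effect":"Allow",
  "Principal":{"Service":"config.amazonaws.com"},"Action":"s3:GetBucketAcl",
  "Resource":"arn:aws:s3:::$1","Condition":{"StringEquals":{"AWS:SourceAccount":"$2"}}},
 {"Sid":"AWSConfigBucketDelivery","Effect":"Allow",
  "Principal":{"Service":"config.amazonaws.com"},"Action":"s3:PutObject",
  "Resource":"arn:aws:s3:::$1/AWSLogs/$2/Config/*",
  "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control","AWS:SourceAccount":"$2"}}}]}
EOF
}

# Trust policy for the AutomationAssumeRole: only SSM Automation may assume it.
automation_trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Permissions policy: the runbook only writes Block Public Access settings, so that is
# all it gets (no AmazonSSMFullAccess, no s3:*).
automation_permissions_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:PutBucketPublicAccessBlock","s3:GetBucketPublicAccessBlock"],"Resource":"arn:aws:s3:::*"}]}
EOF
}

# Remediation configuration list for put-remediation-configurations. $1 = role ARN.
# RESOURCE_ID is the Config placeholder for the non-compliant bucket's name.
remediation_config() {
  cat <<EOF
[{"ConfigRuleName":"$RULE_NAME","TargetType":"SSM_DOCUMENT","TargetId":"$RUNBOOK",
  "Parameters":{"AutomationAssumeRole":{"StaticValue":{"Values":["$1"]}},
   "BucketName":{"ResourceValue":{"Value":"RESOURCE_ID"}},
   "BlockPublicAcls":{"StaticValue":{"Values":["true"]}},"IgnorePublicAcls":{"StaticValue":{"Values":["true"]}},
   "BlockPublicPolicy":{"StaticValue":{"Values":["true"]}},"RestrictPublicBuckets":{"StaticValue":{"Values":["true"]}}},
  "Automatic":true,"MaximumAutomaticAttempts":5,"RetryAttemptSeconds":60}]
EOF
}

# Checkpoint logic: returns 0 only if all four flags in a get-public-access-block
# response are true. Uses grep rather than jq so it runs anywhere the CLI does.
pab_all_true() { # $1 = JSON text of the response
  local k
  for k in BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets; do
    printf '%s' "$1" | grep -Eq "\"$k\"[[:space:]]*:[[:space:]]*true" || return 1
  done
  return 0
}

apply() {
  local acct bucket role_arn
  acct=$(aws sts get-caller-identity --query Account --output text)
  bucket="config-bucket-remediation-$acct"
  # Step 1 extra: the delivery bucket policy (the console adds this, the CLI does not)
  aws s3api put-bucket-policy --bucket "$bucket" --policy "$(config_delivery_policy "$bucket" "$acct")"
  # Step 4 extra: the role the runbook assumes (create-role fails if it already exists).
  # IAM changes take a few seconds to propagate; an early failed attempt is retried by Config.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(automation_trust_policy)" >/dev/null
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" \
    --policy-document "$(automation_permissions_policy)"
  role_arn="arn:aws:iam::$acct:role/$ROLE_NAME"
  # Step 4: attach the automatic remediation (check FailedBatches in the output, the
  # command exits 0 even when a batch is rejected), then force a re-evaluation now.
  aws configservice put-remediation-configurations --remediation-configurations "$(remediation_config "$role_arn")"
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE_NAME"
}

# Remediation check: exit 0 when the bucket's Block Public Access settings are all true.
check_bucket() { # $1 = bucket name
  pab_all_true "$(aws s3api get-public-access-block --bucket "$1" --output json)"
}

# Usage: ./wire_remediation.sh apply | check <bucket> | (no args: print the JSON, dry run)
case "${1:-}" in
  apply) apply ;;
  check) check_bucket "${2:?bucket name required}" ;;
  *) remediation_config "arn:aws:iam::123456789012:role/$ROLE_NAME" ;;
esac
```

Run it with `apply` once after Steps 1 to 3, then `check lab-insecure-bucket-<YOUR_ACCOUNT_ID>` a few minutes later; the exit status is what you would wire into a pipeline or a monitoring probe. Scoping the delivery-bucket policy with AWS:SourceAccount and giving the runbook role a single S3 action are the two least-privilege choices the quick CLI version skips.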
Checkpoints
- Evaluation Check: Run aws configservice get-compliance-details-by-config-rule --config-rule-name s3-bucket-public-read-prohibited --compliance-types NON_COMPLIANT. Does it list your lab bucket as NON_COMPLIANT? The first evaluation can take a few minutes after the rule is created.
- Remediation Check: Wait 2-3 minutes. Run aws s3api get-public-access-block --bucket lab-insecure-bucket-<YOUR_ACCOUNT_ID>. All four settings should now be true, and aws configservice describe-remediation-execution-status --config-rule-name s3-bucket-public-read-prohibited should show a SUCCEEDED execution. Note that the public bucket policy from Step 2 is still attached: BlockPublicPolicy and RestrictPublicBuckets make S3 stop honouring its public grant, which is enough for the rule to report COMPLIANT, but a thorough clean-up would delete the policy as well.
Troubleshooting
| Error | Likely Cause | Solution |
|---|---|---|
| InsufficientPermissionsException, or the remediation execution ends with an AccessDenied step | The role passed as AutomationAssumeRole cannot be assumed by SSM, or lacks s3:PutBucketPublicAccessBlock on the bucket. | Check that the role's trust policy allows ssm.amazonaws.com and that its permissions policy covers s3:PutBucketPublicAccessBlock. A broad policy such as AmazonSSMFullAccess is not needed; the runbook uses only that one S3 action. |
| Remediation status: FAILED | Parameter mismatch between the remediation configuration and the runbook. | Confirm that BucketName uses the RESOURCE_ID placeholder and that the other parameter names match the runbook exactly; describe-remediation-execution-status shows which step failed. |
| Rule stays COMPLIANT | The bucket is not actually publicly readable (disabling Block Public Access alone is not enough), or Config has not yet evaluated the change. | Make sure the Step 2 bucket policy that allows anonymous s3:GetObject is attached, then trigger a re-evaluation with start-config-rules-evaluation (or the Re-evaluate button in the console) or wait 5-10 minutes. |
Clean-Up / Teardown
To avoid costs, delete all resources created during this lab. Remove the remediation configuration before the rule so nothing is left referencing it, and stop the recorder before deleting the delivery channel (Config refuses to delete the last delivery channel while the recorder is running).

```bash
# 1. Remove the remediation configuration, then the Config Rule
aws configservice delete-remediation-configuration --config-rule-name s3-bucket-public-read-prohibited
aws configservice delete-config-rule --config-rule-name s3-bucket-public-read-prohibited
# 2. Delete the test bucket (its public policy goes with it)
aws s3 rb s3://lab-insecure-bucket-<YOUR_ACCOUNT_ID> --force
# 3. Stop Config recording (to stop monthly charges), then remove the channel and recorder
aws configservice stop-configuration-recorder --configuration-recorder-name default
aws configservice delete-delivery-channel --delivery-channel-name default
aws configservice delete-configuration-recorder --configuration-recorder-name default
# 4. Delete the Config storage bucket
aws s3 rb s3://config-bucket-remediation-<YOUR_ACCOUNT_ID> --force
# 5. Delete the remediation role if you created one for this lab
aws iam delete-role-policy --role-name <REMEDIATION_ROLE_NAME> --policy-name <INLINE_POLICY_NAME>
aws iam delete-role --role-name <REMEDIATION_ROLE_NAME>
```

Stretch Challenge
Configure an Amazon EventBridge rule that listens for the "Remediation Successful" event from AWS Config and sends an email via Amazon SNS to notify your security team that an automated fix was applied.