☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Evaluation Mode and Trigger Types for AWS Config Rules
  • Evaluation Modes:
  • Trigger Types:
  • Impact of Turning Off the Configuration Recorder:
  1. Logging Reference
  2. AWS Config
  3. Config Rules

Evaluation Modes

Evaluation Mode and Trigger Types for AWS Config Rules

AWS Config rules allow you to evaluate your resource configurations at different stages and frequencies. Below are the evaluation modes and trigger types available for AWS Config rules.

Evaluation Modes:

  1. Proactive Evaluation:

    • Evaluates resources before deployment.

    • Helps ensure resources meet compliance before they are provisioned.

    • Example: Use the S3_BUCKET_LOGGING_ENABLED rule to check if an S3 bucket has logging enabled before deploying it.

    • Use APIs like StartResourceEvaluation and GetResourceEvaluationSummary to test resource configurations.

  2. Detective Evaluation:

    • Evaluates resources after deployment.

    • Ensures existing resources are compliant with configuration rules.

    • Example: Use S3_BUCKET_LOGGING_ENABLED to check compliance when an S3 bucket is created or modified.

Trigger Types:

  1. Configuration Change Trigger:

    • Evaluates resources when a change occurs (e.g., resource creation, modification, or deletion).

    • Example: A rule evaluates every time an S3 bucket's settings are updated.

  2. Periodic Trigger:

    • Runs evaluations at regular intervals (e.g., every 24 hours).

    • Example: IAM_PASSWORD_POLICY checks if user password policies meet account standards every 24 hours.

  3. Hybrid Trigger:

    • Combines both configuration change and periodic triggers.

    • Example: A rule evaluates CloudTrail trails whenever a trail is updated or deleted and also every 12 hours.

Examples:

  • Change-Triggered Rule:

    • S3_BUCKET_LOGGING_ENABLED triggers evaluations whenever an S3 bucket is modified.

  • Periodic Rule:

    • IAM_PASSWORD_POLICY runs every 24 hours to ensure password policies meet requirements.

  • Hybrid Rule:

    • A custom rule monitors if CloudTrail trails are logging across all regions both when a trail is updated and at 12-hour intervals.

Impact of Turning Off the Configuration Recorder:

  • Periodic Rules: Continue to run on schedule.

  • Change-Triggered Rules: Stop evaluating when the configuration recorder is off.

  • Hybrid Rules: Only run evaluations at scheduled intervals, not on configuration changes.

PreviousConfig RulesNextAmazon CloudWatch

Last updated 8 months ago