Upon Deployment generating AWS config

0

Hello,

I am receiving False Positive notifications in my monitoring application, which monitors AWS Config and AWS resources using AWS Config to determine if the configuration is compliant or non-compliant.

The problem is that there was recently a deployment indicating AWS AppSync is not configured with a firewall. When going to the AWS account, it always indicates ACL setup for both APIs in AppSync...

Note, this is being deployed in CDK. We are receiving alerts upon deployment, and when I go in it seems to be in compliance. I've looked further in the CloudFormation stacks as well, and from what I remember the resources are being deployed with the appropriate configuration as well in the logs in the CF console.

My question is: is there any documentation on false positives with AWS Config working with CloudFormation from our external app alerts?

1 Answer
0

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

The 3rd party monitoring application seems to be monitoring resources via AWS Config to determine Compliance where logic for determining Compliance lies with the application.

If the app is indicating 'Non Compliant' for a resource then this can be confirmed by:

i) Checking Config (Since actual resources have already been checked from Console)

    a) Navigate to Config console in given region --> Resources (left pane)
    b) Filter using 'Resource type' to get the resource
    c) See the Configuration Item (JSON format) of the resource and check for Compliance
    

If Compliance can be confirmed via the Configuration Item from the Config console then it would appear that the monitoring application might be incorrectly flagging the resource as 'Non Compliant'.

If Config is showing incorrect details in the Configuration Item for the resource then please reach out to AWS Support as this indicates incorrect recording of resources from AWS Config.

AWS
Abdur_M
answered 23 days ago
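
The check described in the answer, done through the AWS Config API instead of the console, as an added example that is not part of the original answer or of any AWS tooling. The rule name, resource ID, timestamps and the alert dictionary shape are constructed for illustration, and the "superseded" case goes beyond the answer by assuming the alert fired on an evaluation that Config later replaced.

```python
from datetime import datetime, timezone

def fetch_from_config(resource_type, resource_id, region):
    """Live lookup; needs boto3 and read access to AWS Config. Not run on the sample."""
    import boto3
    cfg = boto3.client("config", region_name=region)
    evaluations = cfg.get_compliance_details_by_resource(
        ResourceType=resource_type, ResourceId=resource_id)["EvaluationResults"]
    items = cfg.get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id, limit=1)["configurationItems"]
    # items[0]["configuration"] is the latest Configuration Item, as shown in the console
    return evaluations, items

def triage(alert, evaluations):
    """Compare one external alert with Config's current evaluation for the same rule."""
    for ev in evaluations:
        qualifier = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        if qualifier["ConfigRuleName"] != alert["rule"]:
            continue
        if ev["ComplianceType"] == "NON_COMPLIANT":
            return "config-agrees"      # Config records it too: inspect the Configuration Item
        if ev["ComplianceType"] != "COMPLIANT":
            return "inconclusive"       # NOT_APPLICABLE or INSUFFICIENT_DATA
        if ev["ResultRecordedTime"] > alert["time"]:
            return "superseded"         # Config re-evaluated after the alert fired
        return "app-disagrees"          # Config was already compliant when the app alerted
    return "no-config-evaluation"       # no Config rule result backs the alert

def evaluation(rule, compliance, recorded):
    """Build a constructed record shaped like one EvaluationResults entry."""
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": rule, "ResourceType": "AWS::AppSync::GraphQLApi",
                "ResourceId": "EXAMPLE-API-ID"}},  # placeholder ID, not a real API
            "ComplianceType": compliance, "ResultRecordedTime": recorded}

# Constructed sample: the alert fired at 12:00 UTC, Config recorded COMPLIANT at 12:07.
ALERT = {"rule": "example-appsync-waf-rule",
         "time": datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)}
SAMPLE = [evaluation("example-appsync-waf-rule", "COMPLIANT",
                     datetime(2024, 1, 10, 12, 7, tzinfo=timezone.utc))]

if __name__ == "__main__":
    print(triage(ALERT, SAMPLE))
```

A result of "app-disagrees" or "no-config-evaluation" points at the monitoring application's own logic, while "config-agrees" means the recorded Configuration Item is the next thing to read.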
