Questions tagged with AWS Config


Hello, I'm trying to prevent AWS Config from recording resources with a specific tag in my organization. The end result I'm looking for is that I have EC2 instances, DynamoDB tables, etc. with a tag "awsconfig" and a value of "disable", and these are not recorded in AWS Config. I have found that you can configure the recorder to not record specific resource types; however, that wouldn't work, since I have resources that I do want to capture that are the same type as resources I don't want to capture. Additionally, I have found the [AWS RDK](https://github.com/awslabs/aws-config-rdk), which is cool, but it acts on rules and has no effect on the recording of resources. I also have found [this question](https://repost.aws/questions/QUBXSScAzLSH60lu4DcVaW5w/exclude-resources-from-aws-config-managed-rules), but it seems geared towards still recording the resources, just not having a rule run against them. Is what I'm looking to do possible, or am I out of luck? Thanks
0 answers | 0 votes | 5 views | asked a day ago

I am trying to use an Athena table for Config data that is supposed to be partitioned. The partition is not getting created because of 'non-partition columns'.

```
ALTER TABLE aws_config_configuration_snapshot
ADD PARTITION (accountid='444453583253', dt='latest', region='us-east-1')
LOCATION 's3://config-bucket-444453583253-us-east-1/AWSLogs/444453583253/Config/us-east-1/2023/1/24/ConfigSnapshot/'
```

The error shown in Athena is:

```
[ErrorCategory:USER_ERROR, ErrorCode:SYNTAX_ERROR], Detail:FAILED: SemanticException Partition spec {accountid=444453583253, dt=latest, region=us-east-1} contains non-partition columns
This query ran against the "cost" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: a9974a89-2ae7-4416-97de-02a6ee5ee5f2
```

The external table syntax is as follows:

```
CREATE EXTERNAL TABLE aws_config_configuration_snapshot (
  fileversion STRING,
  configsnapshotid STRING,
  configurationitems ARRAY < STRUCT <
    configurationItemVersion: STRING,
    configurationItemCaptureTime: STRING,
    configurationStateId: BIGINT,
    awsAccountId: STRING,
    configurationItemStatus: STRING,
    resourceType: STRING,
    resourceId: STRING,
    resourceName: STRING,
    ARN: STRING,
    awsRegion: STRING,
    availabilityZone: STRING,
    configurationStateMd5Hash: STRING,
    configuration: STRING,
    supplementaryConfiguration: MAP < STRING, STRING >,
    tags: MAP < STRING, STRING >,
    resourceCreationTime: STRING
  > >
)
PARTITIONED BY (dt STRING, region STRING)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES (
  'case.insensitive' = 'false',
  'mapping.fileversion' = 'fileVersion',
  'mapping.configsnapshotid' = 'configSnapshotId',
  'mapping.configurationitems' = 'configurationItems',
  'mapping.configurationitemversion' = 'configurationItemVersion',
  'mapping.configurationitemcapturetime' = 'configurationItemCaptureTime',
  'mapping.configurationstateid' = 'configurationStateId',
  'mapping.awsaccountid' = 'awsAccountId',
  'mapping.configurationitemstatus' = 'configurationItemStatus',
  'mapping.resourcetype' = 'resourceType',
  'mapping.resourceid' = 'resourceId',
  'mapping.resourcename' = 'resourceName',
  'mapping.arn' = 'ARN',
  'mapping.awsregion' = 'awsRegion',
  'mapping.availabilityzone' = 'availabilityZone',
  'mapping.configurationstatemd5hash' = 'configurationStateMd5Hash',
  'mapping.supplementaryconfiguration' = 'supplementaryConfiguration',
  'mapping.configurationstateid' = 'configurationStateId'
)
LOCATION 's3://config-bucket-444453583253-us-east-1/AWSLogs/';
```

A similar problem is noted here: https://repost.aws/questions/QU43lhf9JOSv6Ew6QT5y4fZg/not-able-to-get-the-data-in-query-result-in-the-athena-for-the-aws-config-from-s-3-bucket
1 answer | 0 votes | 20 views | AWS | asked 4 days ago

I have gone through this article to **generate architecture diagrams of AWS Cloud workloads**, but there is no clear guideline on where to start and how to build this to get architecture diagrams of a live workload of any size residing in an AWS account. Does anyone use this feature to create architecture diagrams of AWS Cloud workloads?
1 answer | 0 votes | 9 views | asked 5 days ago

In my Control Tower I have some small project accounts that have some EC2/ECS that are periodically (every 1-6 hours) started to do some task and then stopped. AWS Config costs me a lot more than EC2/ECS itself. For me it is not sustainable. I state that I have never used AWS Config outside of Control Tower. How can I disable it entirely (or at least for EC2/ECS start/stop events) for some (or all) accounts in my Control Tower?
1 answer | 0 votes | 35 views | asked 6 days ago

I can run my program as localhost, but when I try to run it through AWS it fails to connect. I am very much a rookie at AWS, but my developer took a look and couldn't figure it out. Not sure what to think about that, but regardless I am stuck and wondered if anyone else has seen this issue. He did say the issue was likely caused by me turning the server off, then restarting a few days later, which we didn't know updates your AWS IP addresses. We are running 2 EC2 instances and one RDS server. There are 6 Python APIs: a short string is returned fine; a long string is not returned. Any assistance is appreciated.
0 answers | 0 votes | 5 views | LQDHVN | asked 9 days ago

Does [AWS Config proactive compliance](https://aws.amazon.com/about-aws/whats-new/2022/11/aws-config-rules-support-proactive-compliance/) work with Terraform?
Accepted Answer | AWS Config
1 answer | 0 votes | 49 views | AWS | asked 25 days ago

I am trying to enable AWS Config as a trusted service from AWS Organizations, as mentioned in the official documentation. However, I see a note that AWS recommends enabling the trusted service from the AWS Config service and not from AWS Organizations. How do I enable the trusted service from AWS Config so that any rule or pack I enable in the management account gets automatically replicated to member accounts?
4 answers | 0 votes | 34 views | asked a month ago

Hi all, tricky one here, but it seems possible. I am attempting to create an AWS EC2 inventory CSV file across our AWS Organization. Requirements are to include the EC2 Instance Name and the ENI Network Interface IDs. Using the AWS Config Query editor appears to be the fastest method in a multi-account Organization. Here is my query so far:

```
SELECT
  resourceId,
  resourceName,
  resourceType,
  accountId,
  configuration.instanceType,
  configuration.state.name,
  tags,
  configuration.networkInterfaces,
  configuration.publicIp,
  configuration.privateIpAddress
WHERE
  resourceType = 'AWS::EC2::Instance'
  AND configuration.state.name = 'running'
```

**Questions:**

1. How can I get the tags.key "Name" property to display in the output?
2. How can I get the configuration.networkInterfaces "networkInterfaceId" property to display in the output?

Screenshot attached for reference illustrating the problem. Here is a link for reference: [https://www.virtualbonzo.com/2022/08/08/a-quick-and-easy-ec2-inventory-using-aws-config/](https://www.virtualbonzo.com/2022/08/08/a-quick-and-easy-ec2-inventory-using-aws-config/)
Accepted Answer | AWS Config | Amazon EC2
2 answers | 0 votes | 45 views | asked a month ago

Hi everyone, can anyone guide me on why my instance is going down so many times? I have been using AWS services for 2-3 months and am facing this problem again and again. **My instance is initiated with "WordPress by Bitnami"** and hosted on an EC2 Medium in the London region. When it happened to me the first time, I rebooted my instance and it just started again suddenly, and the same thing happened again, so initially it got through with the rebooting; then I started getting a 503 error and unreachability, so I have done many things to resolve this, like DNS updates, .html file updates, etc. Today, again, my website is down, and I am wondering what the actual reason behind this is and how to resolve it. Just to note, site status and monitoring seem fine in the AWS console. Looking forward to hearing from you guys soon.
1 answer | 0 votes | 19 views | asked a month ago

How do I recreate my Config Delivery Channel if the AWS region does not have AWS CloudShell support or the AWS CLI configured?
1 answer | 0 votes | 21 views | asked a month ago

I have an organization that's updating its accounts to Control Tower Landing Zone 3.0. As we do so, we're finding that the upgraded accounts fail the Security Hub AWS Foundational Security Best Practices rule Config.1, "AWS Config should be enabled". The failure appears to be caused by a change to Config where global resource recording only happens in the home Control Tower region. The Config.1 failures we see are in secondary regions, and we confirmed that the failing accounts don't have global resource recording active in the secondary regions. My question is: is there a plan to update the Security Hub rule to reflect the Control Tower change? Control Tower has it right; we only need to record global resources in one region. It's also very annoying to undo the change in Landing Zone 3.0, as we have to move accounts out of CT-managed OUs or log in as the CT role to change Config.
2 answers | 0 votes | 70 views | asked 2 months ago

Hello, I try to use an AWS Config Rule with Auto Remediation; the rule should detect security groups with open SSH and remove the ingress. I use the "INCOMING_SSH_DISABLED" (restricted-ssh) managed rule and the AWS-DisablePublicAccessForSecurityGroup SSM document. The remediation is configured with Terraform:

```
target_id      = "AWS-DisablePublicAccessForSecurityGroup"
target_type    = "SSM_DOCUMENT"
resource_type  = "AWS::EC2::SecurityGroup"
target_version = "1"

parameter {
  name         = "AutomationAssumeRole"
  static_value = aws_iam_role.ssh-remediation-role.arn
}

parameter {
  name           = "GroupId"
  resource_value = "RESOURCE_ID"
}
```

The role is:

```
data "aws_iam_policy_document" "ssm-automation-assume-role" {
  version = "2012-10-17"

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["ssm.amazonaws.com"]
      type        = "Service"
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account-id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ssm:*:${local.account-id}:automation-execution/*"]
    }
  }
}

resource "aws_iam_role" "ssh-remediation-role" {
  assume_role_policy  = data.aws_iam_policy_document.ssm-automation-assume-role.json
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}
```

When I create such a security group, AWS Config detects it and runs the remediation; the Automation finishes with result 'Success' (and the security group is properly updated, so the remediation works), but AWS Config shows "Failed". When I try to see some details with `aws configservice describe-remediation-execution-status`, I get:

```
"State": "FAILED",
"StepDetails": [
  {
    "Name": "GetAutomationExecution",
    "State": "FAILED",
    "ErrorMessage": "AccessDeniedException while calling STS for execution: SsmExecutionId(value=d69b27e5-da83-43de-b563-9d9040c2cf03)"
  }
],
```

I tried to google this error, but I have not found anything. How can I solve this issue?
Thank you for your help.
0 answers | 0 votes | 29 views | bielosx | asked 2 months ago