{ "_index": "security_solution-aws.misconfiguration_latest-v1", "_id": "ZEFzpuzEKSm8mEwiCPNQQYTdFQAAAAAA", "_version": 1, "_score": 0, "_source": { "agent": { "name": "docker-fleet-agent", "id": "314fe0a3-800c-458b-bf3b-af1aafd7f01b", "type": "filebeat", "ephemeral_id": "7e3ecd52-b741-4c78-9ad9-e6eb3716ebc8", "version": "8.16.0" }, "resource": { "name": "111111111111", "id": "AWS::::Account:111111111111", "type": "AwsAccount" }, "elastic_agent": { "id": "314fe0a3-800c-458b-bf3b-af1aafd7f01b", "version": "8.16.0", "snapshot": true }, "rule": { "reference": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v1.2.0/2.5" ], "name": "AWS Config should be enabled and use the service-linked role for resource recording", "description": "This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role.", "id": "security-control/Config.1" }, "tags": [ "preserve_original_event", "forwarded", "aws_securityhub_findings" ], "cloud": { "provider": "aws", "region": "us-east-2", "account": { "id": "111111111111" } }, "result": { "evaluation": "failed" }, "input": { "type": "httpjson" }, "observer": { "vendor": "AWS Security Hub" }, "@timestamp": "2024-10-09T07:41:17.809Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "aws.securityhub_findings" }, "organization": { "name": "AWS" }, "event": { "severity": 40, "agent_id_status": "verified", "ingested": "2024-10-31T16:30:41Z", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"ruleset/cis-aws-foundations-benchmark/v/1.2.0\"},{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v1.2.0/2.5\"],\"SecurityControlId\":\"Config.1\",\"SecurityControlParameters\":[{\"Name\":\"includeConfigServiceLinkedRoleCheck\",\"Value\":[\"true\"]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-10-07T07:12:38.627Z\",\"Description\":\"This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-10-07T07:12:38.627Z\",\"GeneratorId\":\"security-control/Config.1\",\"Id\":\"arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c\",\"LastObservedAt\":\"2024-10-09T07:41:17.809Z\",\"ProcessedAt\":\"2024-10-09T07:41:32.288Z\",\"ProductArn\":\"arn:aws:securityhub:us-east-2::product/aws/securityhub\",\"ProductFields\":{\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-2\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"us-east-2\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"AWS Config should be enabled and use the service-linked role for resource recording\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-10-09T07:41:17.809Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "created": "2024-10-09T07:41:32.288Z", "kind": "state", "id": "arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c", "type": [ "info" ], "category": [ "configuration" ], "dataset": "aws.securityhub_findings", "outcome": "failure" }, "aws": { "securityhub_findings": { "schema": { "version": "2018-10-08" }, "severity": { "original": "MEDIUM", "normalized": "40", "label": "MEDIUM" }, "product": { "name": "Security Hub", "arn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "fields": { "Resources:0/Id": "arn:aws:iam::111111111111:root", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c" } }, "types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "workflow": { "state": "NEW", "status": "NEW" }, "record_state": "ACTIVE", "description": "This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role.", "generator": { "id": "security-control/Config.1" }, "resources": [ { "Partition": "aws", "Type": "AwsAccount", "Region": "us-east-2", "Id": "AWS::::Account:111111111111" } ], "provider_fields": { "severity": { "original": "MEDIUM", "normalized": "40", "label": "MEDIUM" }, "types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "title": "AWS Config should be enabled and use the service-linked role for resource recording", "remediation": { "recommendation": { "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "url": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation" } }, "aws_account_id": "111111111111", "updated_at": "2024-10-09T07:41:17.809Z", "last_observed_at": "2024-10-09T07:41:17.809Z", "compliance": { "related_requirements": [ "CIS AWS Foundations Benchmark v1.2.0/2.5" ], "status": "FAILED", "security_control_id": "Config.1" }, "processed_at": "2024-10-09T07:41:32.288Z", "company": { "name": "AWS" }, "first_observed_at": "2024-10-07T07:12:38.627Z", "region": "us-east-2" } } }, "fields": { "agent.version.keyword": [ "8.16.0" ], "rule.id": [ "security-control/Config.1" ], "aws.securityhub_findings.aws_account_id": [ "111111111111" ], "aws.securityhub_findings.company.name": [ "AWS" ], "elastic_agent.version": [ "8.16.0" ], "event.category": [ "configuration" ], "result.evaluation": [ "failed" ], "aws.securityhub_findings.schema.version": [ "2018-10-08" ], "aws.securityhub_findings.workflow.state": [ "NEW" ], "aws.securityhub_findings.resources": [ { "Partition": "aws", "Type": "AwsAccount", "Region": "us-east-2", "Id": "AWS::::Account:111111111111" } ], "rule.reference": [ "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation" ], "elastic_agent.id.keyword": [ "314fe0a3-800c-458b-bf3b-af1aafd7f01b" ], "aws.securityhub_findings.compliance.security_control_id": [ "Config.1" ], "observer.vendor": [ "AWS Security Hub" ], "rule.ruleset": [ "CIS AWS Foundations Benchmark v1.2.0/2.5" ], "agent.name": [ "docker-fleet-agent" ], "event.agent_id_status": [ "verified" ], "event.kind": [ "state" ], "aws.securityhub_findings.description": [ "This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role." ], "aws.securityhub_findings.last_observed_at": [ "2024-10-09T07:41:17.809Z" ], "aws.securityhub_findings.provider_fields.severity.normalized": [ "40" ], "event.outcome": [ "failure" ], "event.severity": [ 40 ], "event.original": [ "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"ruleset/cis-aws-foundations-benchmark/v/1.2.0\"},{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v1.2.0/2.5\"],\"SecurityControlId\":\"Config.1\",\"SecurityControlParameters\":[{\"Name\":\"includeConfigServiceLinkedRoleCheck\",\"Value\":[\"true\"]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-10-07T07:12:38.627Z\",\"Description\":\"This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-10-07T07:12:38.627Z\",\"GeneratorId\":\"security-control/Config.1\",\"Id\":\"arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c\",\"LastObservedAt\":\"2024-10-09T07:41:17.809Z\",\"ProcessedAt\":\"2024-10-09T07:41:32.288Z\",\"ProductArn\":\"arn:aws:securityhub:us-east-2::product/aws/securityhub\",\"ProductFields\":{\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-2\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"us-east-2\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"AWS Config should be enabled and use the service-linked role for resource recording\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-10-09T07:41:17.809Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}" ], "cloud.region": [ "us-east-2" ], "rule.name": [ "AWS Config should be enabled and use the service-linked role for resource recording" ], "agent.id.keyword": [ "314fe0a3-800c-458b-bf3b-af1aafd7f01b" ], "input.type": [ "httpjson" ], "rule.description": [ "This control checks whether AWS Config is enabled in your account in the current AWS Region, records all resources that correspond to controls that are enabled in the current Region, and uses the service-linked AWS Config role." ], "resource.type": [ "AwsAccount" ], "data_stream.type": [ "logs" ], "tags": [ "preserve_original_event", "forwarded", "aws_securityhub_findings" ], "aws.securityhub_findings.provider_fields.severity.label": [ "MEDIUM" ], "cloud.provider": [ "aws" ], "agent.id": [ "314fe0a3-800c-458b-bf3b-af1aafd7f01b" ], "aws.securityhub_findings.provider_fields.types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "ecs.version": [ "8.11.0" ], "event.created": [ "2024-10-09T07:41:32.288Z" ], "aws.securityhub_findings.compliance.status": [ "FAILED" ], "agent.version": [ "8.16.0" ], "aws.securityhub_findings.remediation.recommendation.url": [ "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation" ], "aws.securityhub_findings.compliance.related_requirements": [ "CIS AWS Foundations Benchmark v1.2.0/2.5" ], "aws.securityhub_findings.generator.id": [ "security-control/Config.1" ], "aws.securityhub_findings.remediation.recommendation.text": [ "For information on how to correct this issue, consult the AWS Security Hub controls documentation." ], "aws.securityhub_findings.provider_fields.severity.original": [ "MEDIUM" ], "resource.name": [ "111111111111" ], "aws.securityhub_findings.types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "elastic_agent.version.keyword": [ "8.16.0" ], "aws.securityhub_findings.severity.normalized": [ "40" ], "aws.securityhub_findings.product.fields": [ { "Resources:0/Id": "arn:aws:iam::111111111111:root", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c" } ], "agent.type": [ "filebeat" ], "event.module": [ "aws" ], "aws.securityhub_findings.region": [ "us-east-2" ], "elastic_agent.snapshot": [ true ], "agent.type.keyword": [ "filebeat" ], "agent.ephemeral_id.keyword": [ "7e3ecd52-b741-4c78-9ad9-e6eb3716ebc8" ], "aws.securityhub_findings.severity.label": [ "MEDIUM" ], "agent.name.keyword": [ "docker-fleet-agent" ], "elastic_agent.id": [ "314fe0a3-800c-458b-bf3b-af1aafd7f01b" ], "data_stream.namespace": [ "default" ], "aws.securityhub_findings.product.arn": [ "arn:aws:securityhub:us-east-2::product/aws/securityhub" ], "organization.name": [ "AWS" ], "rule.remediation": [ "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation" ], "aws.securityhub_findings.product.name": [ "Security Hub" ], "aws.securityhub_findings.severity.original": [ "MEDIUM" ], "organization.name.text": [ "AWS" ], "resource.id": [ "AWS::::Account:111111111111" ], "aws.securityhub_findings.record_state": [ "ACTIVE" ], "aws.securityhub_findings.updated_at": [ "2024-10-09T07:41:17.809Z" ], "event.ingested": [ "2024-10-31T16:30:41.000Z" ], "@timestamp": [ "2024-10-09T07:41:17.809Z" ], "cloud.account.id": [ "111111111111" ], "data_stream.dataset": [ "aws.securityhub_findings" ], "event.type": [ "info" ], "agent.ephemeral_id": [ "7e3ecd52-b741-4c78-9ad9-e6eb3716ebc8" ], "aws.securityhub_findings.processed_at": [ "2024-10-09T07:41:32.288Z" ], "aws.securityhub_findings.title": [ "AWS Config should be enabled and use the service-linked role for resource recording" ], "aws.securityhub_findings.workflow.status": [ "NEW" ], "event.id": [ "arn:aws:securityhub:us-east-2:111111111111:security-control/Config.1/finding/c029266e-4881-4c67-8fe7-d5d87bd75b5c" ], "event.dataset": [ "aws.securityhub_findings" ], "aws.securityhub_findings.first_observed_at": [ "2024-10-07T07:12:38.627Z" ] } }