# AWS Config

## Overview

Panther supports ingesting Amazon Web Services (AWS) Config [configuration snapshot](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-snapshot) logs via AWS S3. Panther does not support AWS Config History logs.

## How to onboard AWS Config logs to Panther

After AWS Config is configured to generate configuration snapshot logs [via the AWS CLI](https://docs.aws.amazon.com/config/latest/developerguide/deliver-snapshot-cli.html), they will be sent to an S3 bucket.

{% hint style="info" %}
AWS Config sends configuration history files to your S3 bucket every six hours, but these files are not supported for ingestion. Instead, you'll need to manually trigger a configuration snapshot (which *is* supported in Panther) to be sent to your S3 bucket. You can do this using either the [deliver-config-snapshot](https://docs.aws.amazon.com/cli/latest/reference/configservice/deliver-config-snapshot.html) command via the AWS CLI or the [DeliverConfigSnapshot](https://docs.aws.amazon.com/config/latest/APIReference/API_DeliverConfigSnapshot.html) action in the AWS Config API. To generate snapshot files on a regular cadence, consider using EventBridge Scheduler, AWS Systems Manager Automation, or an external cron job.

For more details, refer to the [AWS Config documentation](https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html#delivery-channel).
{% endhint %}

To then pull these logs into Panther, you will need to set up an S3 bucket in the Panther Console.

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “AWS Config,” then click its tile.
   * On the next screen, the Transport Mechanism dropdown in the upper right corner will be populated with the **AWS S3 Bucket** option.
4. Click **Start Setup**.
5. Follow [Panther’s documentation for configuring S3 for data transport](https://docs.panther.com/data-onboarding/data-transports/aws/s3).
   * While configuring the S3 bucket source in Panther, configure the following exclusion filters:
     * `*_Config_*ConfigHistory*.json.gz`. This will ensure that Panther ignores S3 objects containing unsupported Config History logs.
     * `*/OversizedChangeNotification/*.json.gz`. This will ensure that Panther ignores S3 objects containing unsupported change SNS notifications.
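As an added illustration (not Panther's own code), the following Python snippet applies the two exclusion filters above to a handful of constructed S3 keys laid out the way AWS Config delivers them (`AWSLogs/<account>/Config/<region>/<y>/<m>/<d>/<kind>/…`). It assumes the filters are evaluated as shell-style globs in which `*` also spans `/`, which is what `fnmatchcase` implements; the account id and file names are placeholders.

```python
from fnmatch import fnmatchcase

# The two exclusion filters from the onboarding steps above.
EXCLUSION_FILTERS = (
    "*_Config_*ConfigHistory*.json.gz",
    "*/OversizedChangeNotification/*.json.gz",
)


def is_excluded(key: str, filters=EXCLUSION_FILTERS) -> bool:
    """Return True if an S3 object key matches any exclusion filter.

    Assumption: filters are globs where `*` matches across `/`, as in fnmatchcase.
    """
    return any(fnmatchcase(key, pattern) for pattern in filters)


def partition_keys(keys):
    """Split keys into (ingest, skip) lists according to the exclusion filters."""
    ingest, skip = [], []
    for key in keys:
        (skip if is_excluded(key) else ingest).append(key)
    return ingest, skip


# Constructed sample keys; 111111111111 is a placeholder account id.
PREFIX = "AWSLogs/111111111111/Config"
SAMPLE_KEYS = [
    # Configuration snapshots: supported, must reach Panther.
    f"{PREFIX}/us-east-1/2024/5/1/ConfigSnapshot/"
    "111111111111_Config_us-east-1_ConfigSnapshot_20240501T000000Z_a1b2c3.json.gz",
    f"{PREFIX}/eu-west-1/2024/5/1/ConfigSnapshot/"
    "111111111111_Config_eu-west-1_ConfigSnapshot_20240501T000000Z_b2c3d4.json.gz",
    # Configuration history: unsupported, first filter drops it.
    f"{PREFIX}/us-east-1/2024/5/1/ConfigHistory/"
    "111111111111_Config_us-east-1_ConfigHistory_i-0abc123_20240501T000000Z_d4e5f6.json.gz",
    # Oversized change notification: unsupported, second filter drops it.
    f"{PREFIX}/us-east-1/2024/5/1/OversizedChangeNotification/AWS::IAM::Role/example-role/"
    "111111111111_Config_us-east-1_OversizedChangeNotification_20240501T000000Z.json.gz",
]


if __name__ == "__main__":
    ingest, skip = partition_keys(SAMPLE_KEYS)
    print("ingest:", *ingest, sep="\n  ")
    print("skip:", *skip, sep="\n  ")
```

Running the script lists the two snapshot keys under `ingest` and the history and oversized-notification keys under `skip`; a key that reaches the wrong list here is a sign the filter pattern was mistyped in the Console.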

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for AWS in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules).

## Supported AWS Config logs

### AWS.Config

Record and evaluate snapshots of your AWS resources' configurations. For more information, see [AWS's documentation on how Config works](https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html).

{% hint style="warning" %}
The Panther-managed `AWS.Config` schema is specially designed to extract events out of a `configurationItems` envelope, which is how they arrive from AWS. This works based on the S3 key name. If you clone this schema and/or try to apply it on files that are not named in the same way that AWS names them, you may receive classification failures.
{% endhint %}

{% hint style="info" %}
The event time (`p_event_time`) is the time the snapshot was created.
{% endhint %}

```yaml
schema: AWS.Config
fields:
  - name: relatedEvents
    description: RelatedEvents field
    type: array
    element:
      type: json
  - name: relationships
    description: Relationships field
    type: array
    element:
      type: object
      fields:
        - name: resourceId
          description: ResourceId field
          type: string
        - name: resourceType
          description: ResourceType field
          type: string
        - name: name
          description: Name field
          type: string
  - name: configuration
    required: true
    description: Configuration field
    type: json
  - name: supplementaryConfiguration
    description: SupplementaryConfiguration field
    type: json
  - name: tags
    description: Tags field
    type: json
  - name: configurationItemVersion
    description: ConfigurationItemVersion field
    type: string
  - name: configurationItemCaptureTime
    required: true
    description: ConfigurationItemCaptureTime field
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: configurationStateId
    description: ConfigurationStateId field
    type: bigint
  - name: awsAccountId
    required: true
    description: AwsAccountId field
    type: string
    indicators:
      - aws_account_id
  - name: configurationItemStatus
    description: ConfigurationItemStatus field
    type: string
  - name: resourceType
    required: true
    description: ResourceType field
    type: string
  - name: resourceId
    description: ResourceId field
    type: string
  - name: resourceName
    description: ResourceName field
    type: string
  - name: ARN
    description: ARN field
    type: string
    indicators:
      - aws_arn
  - name: awsRegion
    description: AwsRegion field
    type: string
  - name: availabilityZone
    description: AvailabilityZone field
    type: string
  - name: configurationStateMd5Hash
    description: ConfigurationStateMd5Hash field
    type: string
    indicators:
      - md5
  - name: resourceCreationTime
    description: ResourceCreationTime field
    type: timestamp
    timeFormat: rfc3339
```
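To show what the `configurationItems` envelope and the schema's `required` fields mean in practice, here is an added Python example (not Panther's classifier) that unwraps a constructed, gzipped snapshot file into one event per resource, rejects items missing a required field, and derives the event time from `configurationItemCaptureTime` as rfc3339. The `p_event_time` key and the sample values (account id, bucket name, MD5 of the empty string) are constructed for the illustration.

```python
import gzip
import json
from datetime import datetime

# Fields the AWS.Config schema above marks as required.
REQUIRED = ("configuration", "configurationItemCaptureTime", "awsAccountId", "resourceType")


def parse_capture_time(value: str) -> datetime:
    """Parse an rfc3339 timestamp such as 2024-05-01T00:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unwrap_json(doc: dict):
    """Split a decoded snapshot document into per-resource events.

    Returns (events, errors). Items missing a required field are reported
    as errors rather than emitted, mirroring a classification failure.
    """
    items = doc.get("configurationItems")
    if not isinstance(items, list):
        return [], ["document has no configurationItems envelope"]
    events, errors = [], []
    for idx, item in enumerate(items):
        missing = [f for f in REQUIRED if f not in item]
        if missing:
            errors.append(f"item {idx}: missing required field(s) {missing}")
            continue
        event = dict(item)
        # Constructed name for the event-time column derived from the capture time.
        event["p_event_time"] = parse_capture_time(item["configurationItemCaptureTime"])
        events.append(event)
    return events, errors


def unwrap_snapshot(raw_gz: bytes):
    """Decompress a .json.gz snapshot file and unwrap its envelope."""
    return unwrap_json(json.loads(gzip.decompress(raw_gz)))


# Constructed snapshot file with one valid item and one malformed item.
SAMPLE_SNAPSHOT = {
    "fileVersion": "1.0",
    "configSnapshotId": "constructed-snapshot-id",
    "configurationItems": [
        {
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-05-01T00:00:00.000Z",
            "configurationStateId": 1714521600000,
            "awsAccountId": "111111111111",
            "configurationItemStatus": "ResourceDiscovered",
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-bucket",
            "resourceName": "example-bucket",
            "ARN": "arn:aws:s3:::example-bucket",
            "awsRegion": "us-east-1",
            "availabilityZone": "Regional",
            "configurationStateMd5Hash": "d41d8cd98f00b204e9800998ecf8427e",
            "relationships": [],
            "relatedEvents": [],
            "tags": {},
            "configuration": {"name": "example-bucket"},
            "supplementaryConfiguration": {},
        },
        {
            # No "configuration" key: fails the schema's required-field check.
            "configurationItemCaptureTime": "2024-05-01T00:00:01.000Z",
            "awsAccountId": "111111111111",
            "resourceType": "AWS::IAM::Role",
        },
    ],
}


def sample_file() -> bytes:
    """Gzip the constructed snapshot the way it would sit in S3."""
    return gzip.compress(json.dumps(SAMPLE_SNAPSHOT).encode())


if __name__ == "__main__":
    events, errors = unwrap_snapshot(sample_file())
    for event in events:
        print(event["p_event_time"].isoformat(), event["resourceType"], event.get("ARN"))
    for err in errors:
        print("error:", err)
```

A file that is not a snapshot (for example a history file that slipped past the exclusion filters) has no `configurationItems` list, and `unwrap_json` reports it as an envelope error instead of emitting events; that is the kind of failure the warning above refers to.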
