AWS Config Conformance Packs: When TRUE is not true

In this post I want to share a problem I encountered with an AWS Config Conformance Pack in hopes it can help someone else some time.

The Conformance Packs are sets of AWS Config rules to help you meet compliance with various regulations. They are available on GitHub. You can clone that repository and use the AWS CLI to deploy a conformance pack to your account. Once deployed, the conformance pack will evaluate its set of AWS Config rules and let you know which rules are compliant, which are not compliant, and which rules aren’t currently applicable due to AWS resources not being used.

A very useful exercise is to set up a system to automatically notify you when a Config rule is non-compliant, or even take it a step further to automatically remediate the issue!

The Conformance Packs provide powerful guard rails that help you maintain the security and status of your environments over time. You can change the rules in a Conformance Pack by editing its YAML file, either by modifying parameters or by adding or removing rules. One of the rules is the iam-password-policy rule, which validates the IAM password requirements to make sure the policy requires a certain number of characters, upper case, and so on. Here are the rule's parameters that define those password requirements:

    Default: 'TRUE'
    Type: String
    Default: 'TRUE'
    Type: String
    Default: 'TRUE'
    Type: String
    Default: 'TRUE'
    Type: String

In this configuration, we intend the Config rule to require that the IAM password policy enforce lowercase characters, numbers, symbols, and uppercase characters. Using the AWS CLI we can deploy the Conformance Pack to our AWS account:

    aws configservice put-conformance-pack --conformance-pack-name <value> --template-body file://./conformance-pack.yaml

After a minute or two, the Conformance Pack will be deployed and we can see the result of the rule evaluations. This is where things get fun! The iam-password-policy rule is shown as non-compliant. We take a look at the account's IAM password policy and see that it meets the requirements. So why is the Config rule not compliant?

It turns out the 'TRUE' in the Config rule parameters is case-sensitive:

The true and false values for the rule parameters are case-sensitive. If true is not provided in lowercase, it will be treated as false.

There's our answer. The 'TRUE' is being treated as false. The Conformance Pack in AWS' GitHub repository needs to be fixed: the 'TRUE' values for the iam-password-policy parameters need to be changed to 'true'. After making that change the Config rule shows as compliant after the next re-evaluation. I submitted a pull request to make the change in the repository.

What about true/false values for parameters to other rules? It's hard to say. The documentation for the iam-password-policy rule explicitly says the value has to be lowercase; the other rules I checked didn't state this. My advice is that if you see something weird, check the parameter casing first to rule out any inconsistencies.
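A pre-deployment check along those lines, added here as an example that is not part of the original post or the AWS repository: it scans a conformance pack template line by line (no PyYAML needed, and line numbers are preserved for the report) for any true/false value, quoted or bare, that is not written in lowercase, and can rewrite them. The embedded template is a constructed sample, not a copy of the repository file.

```python
"""Lint a conformance pack template for mis-cased true/false parameter values."""
import re

# Matches "Key: 'VALUE'" / "Key: VALUE" where VALUE is true/false in any case;
# the value group keeps its original text so the report shows what was written.
_BOOL_LINE = re.compile(
    r"""^\s*(?P<key>[\w.-]+):\s*(?P<q>['"]?)(?P<val>true|false)(?P=q)\s*$""",
    re.IGNORECASE,
)

# Constructed sample (not from the AWS repository): one mis-cased Default, one
# correct Default, a non-boolean Default, and a bare True under InputParameters.
SAMPLE_TEMPLATE = """\
Parameters:
  RequireLowercaseCharacters:
    Default: 'TRUE'
    Type: String
  RequireNumbers:
    Default: 'true'
    Type: String
  MinimumPasswordLength:
    Default: '14'
    Type: String
Resources:
  IamPasswordPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      InputParameters:
        RequireSymbols: True
"""

def find_miscased_booleans(text):
    """Return [(line_no, key, value)] for true/false values not in lowercase."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _BOOL_LINE.match(line)
        if m and m.group("val") not in ("true", "false"):
            findings.append((no, m.group("key"), m.group("val")))
    return findings

def normalize_booleans(text):
    """Return the template with every true/false value lowercased, quoting kept."""
    fixed = []
    for line in text.splitlines(keepends=True):
        m = _BOOL_LINE.match(line)
        if m:
            line = line[:m.start("val")] + m.group("val").lower() + line[m.end("val"):]
        fixed.append(line)
    return "".join(fixed)
```

Run `find_miscased_booleans` over the file contents before `put-conformance-pack`; on the sample it reports the `'TRUE'` default on line 3 and the bare `True` on line 16, and `normalize_booleans` returns a template on which it reports nothing.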
