New Test for AWS Config (#3278)

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2026-03-13 04:18:26 -07:00
parent d754ba322f
commit 7b3bc23307
1 changed files with 44 additions and 0 deletions
@@ -477,3 +477,47 @@ atomic_tests:
      gcloud config get-value account
    get_prereq_command: |
      gcloud auth login --no-launch-browser
+- name: AWS - Config Logs Disabled
+  description: |
+    Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    configuration_recorder_name:
+      description: Name of the configuration recorder
+      type: string
+      default: "redatomictestconfigurationrecorder"
+    delivery_channel_name:
+      description: Name of the delivery channel
+      type: string
+      default: "redatomictestdeliverychannel"
+    region:
+      description: Name of the region
+      type: string
+      default: "us-west-2"
+  dependencies:
+  - description: |
+      Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+      cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+      echo Please install the aws-cli and configure your AWS default profile using: aws configure
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+      echo Please install terraform and configure your AWS default profile
+  executor:
+    command: |
+      aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+      echo "*** Configuration recorder stopped ***"
+      aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
+      echo "*** Delivery channel deleted ***"
+      aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+      echo "*** Configuration recorder deleted ***"
+    cleanup_command: aws configservice list-configuration-recorders --region us-west-2
+    description: |
+        List recorders, to confirm there are none. Confirming previous configuration recorder was stopped and deleted.
+    name: sh
+    elevation_required: false