diff --git a/source/cloud-security/amazon/services/supported-services/config.rst b/source/cloud-security/amazon/services/supported-services/config.rst
index bd453383af..248a5f90f5 100644
--- a/source/cloud-security/amazon/services/supported-services/config.rst
+++ b/source/cloud-security/amazon/services/supported-services/config.rst
@@ -1,75 +1,230 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: AWS Config is a service that records the configuration of AWS resources easing auditing tasks. Learn how to configure and monitor it with Wazuh.
+ :description: The following sections cover how to configure different services required to integrate AWS config service with Wazuh.
-.. _amazon_config:
+AWS configuration
+=================
-AWS Config
-==========
-
-`AWS Config `_ is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
+`AWS Config `__ is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
Amazon configuration
--------------------
-#. On the `AWS Config page, `_ go to *Settings*.
+The following sections cover how to configure different services required to integrate AWS config service with Wazuh.
+
+.. thumbnail:: /images/cloud-security/aws/config/config.png
+ :align: center
+ :width: 80%
+
+Amazon Data Firehose configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Create an Amazon Data Firehose delivery stream to store the AWS Config events into the desired S3 bucket so Wazuh can process them.
-#. Here, choose the **Resource types to record** (specify the AWS resource types you want AWS Config to record):
+#. :doc:`Create a new S3 bucket <../prerequisites/S3-bucket>`. If you want to use an already existing one, skip this step.
- - All resources
- - Specific types
+#. On your AWS console, search for "*amazon data firehose*" in the search bar at the top of the page or go to **Services** > **Analytics** > **Amazon Data Firehose**.
- .. note::
- For more information about these options, see `Selecting Which Resources AWS Config Records. `_
+ .. thumbnail:: /images/cloud-security/aws/config/01-data-firehose.png
+ :align: center
+ :width: 80%
-#. Select an existing S3 Bucket or :doc:`create a new one `.
+#. Click **Create Firehose stream**.
- .. thumbnail:: /images/cloud-security/aws/aws-create-config-1.png
+ .. thumbnail:: /images/cloud-security/aws/config/02-create-firehose-stream.png
:align: center
- :width: 100%
+ :width: 80%
+
+#. Select **Direct PUT** and **Amazon S3** as the desired Source and Destination, respectively.
- After these steps, it is necessary to configure the rules.
+ .. thumbnail:: /images/cloud-security/aws/config/03-select-direct-put.png
+ :align: center
+ :width: 80%
-#. Go to Services > Management Tools > CloudWatch:
+#. Choose an appropriate **Firehose stream name**.
- .. thumbnail:: /images/cloud-security/aws/aws-create-firehose-12.png
+ .. thumbnail:: /images/cloud-security/aws/config/04-firehose-stream-name.png
:align: center
- :width: 100%
+ :width: 80%
-#. Select Rules on the left menu and click on the *Create* rule button:
+#. Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure ``YYYY/MM/DD/HH``, if a prefix is used the created file structure would be ``prefix-name/YYYY/MM/DD/HH``. If a prefix is used it must be specified under the Wazuh bucket configuration. Select your preferred compression, Wazuh supports any kind of compression but Snappy.
- .. thumbnail:: /images/cloud-security/aws/aws-create-firehose-13.png
+ .. thumbnail:: /images/cloud-security/aws/config/05-select-desired-bucket.png
:align: center
- :width: 100%
+ :width: 80%
-#. Select the services you want to get logs from using the Service name slider, then, click on the Add target button and add the previously created Firehose delivery stream there. Also, create a new role to access the delivery stream:
+#. Create or choose an existing IAM role to be used by Amazon Data Firehose in the **Advanced settings** section.
- .. thumbnail:: /images/cloud-security/aws/aws-create-firehose-14.png
+ .. thumbnail:: /images/cloud-security/aws/config/06-choose-iam-role.png
:align: center
- :width: 100%
+ :width: 80%
-#. Give the rule some name and click on the *Create* rule button:
+#. Click **Create Firehose stream** at the end of the page. The new delivery stream will be created and its details will be shown as follows.
- .. thumbnail:: /images/cloud-security/aws/aws-create-firehose-15.png
+ .. thumbnail:: /images/cloud-security/aws/config/07-create-firehose-stream.png
:align: center
- :width: 100%
+ :width: 80%
-#. Once the rule is created, data will start to be sent to the previously created S3 bucket. Remember to first enable the service you want to monitor, otherwise, you won't get any data.
+AWS Config configuration
+^^^^^^^^^^^^^^^^^^^^^^^^
-Policy configuration
-++++++++++++++++++++
+#. On the `AWS Config `__ page, go to **Set up AWS Config**.
+
+#. Under **Recording strategy**, specify the AWS resource types you want AWS Config to record:
+
+ - All resource types with customizable overrides
+ - Specific resource types
+
+ .. note::
+
+ For more information about these options, see `selecting which resources AWS Config records `__.
+
+ .. thumbnail:: /images/cloud-security/aws/config/01-recording-strategy.png
+ :align: center
+ :width: 80%
+
+#. Create or select an existing IAM role for AWS Config.
-.. include:: /_templates/cloud/amazon/create_policy.rst
-.. include:: /_templates/cloud/amazon/bucket_policies.rst
-.. include:: /_templates/cloud/amazon/attach_policy.rst
+ .. thumbnail:: /images/cloud-security/aws/config/.png
+ :align: center
+ :width: 80%
+
+#. Select an existing **S3** bucket and prefix or :doc:`create a new one <../prerequisites/S3-bucket>` then save your configuration.
+
+ .. thumbnail:: /images/cloud-security/aws/config/02-s3-and-prefix.png
+ :align: center
+ :width: 80%
-Wazuh configuration
--------------------
+After these steps, it is necessary to configure an Amazon EventBridge rule to send AWS config events to the Amazon Data Firehose delivery stream created in the previous step.
-#. Open the Wazuh configuration file (``/var/ossec/etc/ossec.conf``) and add the following block:
+Amazon EventBridge configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Configure an Amazon EventBridge rule to send Config events to the Amazon Data Firehose delivery stream created in the previous step.
+
+#. On your AWS console, search for "*eventbridge*" in the search bar at the top of the page or go to **Services** > **Application Integration** > **EventBridge**.
+
+ .. thumbnail:: /images/cloud-security/aws/config/01-search-for-eventbridge.png
+ :align: center
+ :width: 80%
- .. code-block:: xml
+#. Select **EventBridge Rule** and click **Create rule**.
+
+ .. thumbnail:: /images/cloud-security/aws/config/02-create-rule.png
+ :align: center
+ :width: 80%
+
+#. Assign a name to the EventBridge rule and select the **Rule with an event pattern** option.
+
+ .. thumbnail:: /images/cloud-security/aws/config/03-assign-name-to-eventbridge.png
+ :align: center
+ :width: 80%
+
+#. In the **Build event pattern** section, choose **AWS events or EventBridge partner events** as **Event source**.
+
+ .. thumbnail:: /images/cloud-security/aws/config/04-build-event-pattern.png
+ :align: center
+ :width: 80%
+
+#. In the **Event pattern** section choose **AWS services** as **Event source**, **Config** as **AWS service**, and **All Events** as **Event type**. Click **Next** to apply the configuration.
+
+ .. thumbnail:: /images/cloud-security/aws/config/05-config-as-aws-service.png
+ :align: center
+ :width: 80%
+
+#. Under **Select a target**, choose **Firehose delivery stream** and select the stream created previously. Also, create a new role to access the delivery stream. Click **Next** to apply the configuration.
+
+ .. thumbnail:: /images/cloud-security/aws/config/06-choose-firehose-delivery-stream.png
+ :align: center
+ :width: 80%
+
+#. Review the configuration and click **Create rule**.
+
+ .. thumbnail:: /images/cloud-security/aws/config/07-review-config-1.png
+ :align: center
+ :width: 80%
+
+ .. thumbnail:: /images/cloud-security/aws/config/07-review-config-2.png
+ :align: center
+ :width: 80%
+
+Once the rule is created, every time an AWS Config event is sent, it will be stored in the specified S3 bucket. Remember to first enable the AWS Config service, otherwise, you won't get any data.
+
+Policy configuration
+^^^^^^^^^^^^^^^^^^^^
+
+Follow the :ref:`creating an AWS policy ` guide to create a policy using the Amazon Web Services console.
+
+Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.
+
+To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:
+
+.. code-block:: json
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:aws:s3:::/*",
+ "arn:aws:s3:::"
+ ]
+ }
+ ]
+ }
+
+If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:
+
+.. code-block:: json
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::/*",
+ "arn:aws:s3:::"
+ ]
+ }
+ ]
+ }
+
+.. note::
+
+ ```` is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.
+
+After creating a policy, you can attach it directly to a user or to a group to which the user belongs. In :ref:`attaching a policy to an IAM user group `, you see how to attach a policy to a group. More information on how to use other methods is available in the `AWS documentation `__.
+
+Configure Wazuh to process Amazon Config logs
+---------------------------------------------
+
+#. Access the Wazuh configuration in **Server management** > **Settings** using the Wazuh dashboard or by manually editing the ``/var/ossec/etc/ossec.conf`` file in the Wazuh server or agent.
+
+ .. thumbnail:: /images/cloud-security/aws/config/01-wazuh-configuration.png
+ :align: center
+ :width: 80%
+
+ .. thumbnail:: /images/cloud-security/aws/config/02-wazuh-configuration.png
+ :align: center
+ :width: 80%
+
+#. Add the following :doc:`Wazuh module for AWS ` configuration to the file, replacing ```` with the name of the S3 bucket:
+
+ .. code-block:: xml
no
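Review bot: The IAM-role screenshot in the "AWS Config configuration" steps has an empty file name (`.. thumbnail:: /images/cloud-security/aws/config/.png`, directly after "Create or select an existing IAM role for AWS Config"), and no matching image is added in this diff, so the build will report a missing image; fill in the file name and add the image, or drop the directive. Three further points: the `.. _amazon_config:` label is removed, so any page still reaching this document through `:ref:` breaks (the index table row is switched to `:doc:` elsewhere in this patch, so grep for remaining references); the sentence "After these steps, it is necessary to configure an Amazon EventBridge rule to send AWS config events to the Amazon Data Firehose delivery stream created in the previous step." is repeated almost verbatim as the opening of the "Amazon EventBridge configuration" section, so one copy can go; and on the Firehose bucket step, "Wazuh supports any kind of compression but Snappy" reads better as "Wazuh supports every compression format except Snappy", with the two "if a prefix is used" clauses split into separate sentences. Since the text states the policies follow least privilege and a prefix may be set on both the Firehose stream and the AWS Config bucket, it is also worth saying that the object resource, and in particular `s3:DeleteObject`, can be narrowed to that prefix rather than granted on the whole bucket.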
@@ -77,22 +232,46 @@ Wazuh configuration
yes
yes
- wazuh-aws-wodle
+
config
default
- .. note::
- Check the :doc:`AWS S3 module ` reference manual to learn more about each setting.
+ .. note::
+
+ In this example, the ``aws_profile`` authentication parameter was used. Check the :doc:`credentials <../prerequisites/credentials>` section to learn more about the different authentication options and how to use them.
+
+#. Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
+
+ - Wazuh manager:
+
+ .. code-block:: console
+
+ # systemctl restart wazuh-manager
+
+ - Wazuh agent:
+
+ .. code-block:: console
+
+ # systemctl restart wazuh-agent
+
+Use cases
+---------
-#. Restart Wazuh in order to apply the changes:
+AWS Config allows you to review changes in configuration and relationships between AWS resources. Below is an example of a use case for AWS Config.
- * If you're configuring a Wazuh manager:
+Monitoring configuration changes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- .. include:: /_templates/common/restart_manager.rst
+Multiple alerts with rule ID *80454* will be seen on the Wazuh dashboard when there are changes in the configuration of the resources monitored by AWS config. Some examples are shown in the image below.
- * If you're configuring a Wazuh agent:
+.. thumbnail:: /images/cloud-security/aws/config/1-monitor-configuration-changes.png
+ :align: center
+ :width: 80%
- .. include:: /_templates/common/restart_agent.rst
+You can expand an alert to see more information such as the resource name, resource type, and configuration state.
+.. thumbnail:: /images/cloud-security/aws/config/2-monitor-configuration-changes.png
+ :align: center
+ :width: 80%
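Review bot: Blank lines are missing before the "Monitoring configuration changes" heading and before the two `.. thumbnail::` directives that follow "Multiple alerts with rule ID *80454* ..." and "You can expand an alert to see more information ...": as shown, each follows its paragraph directly, and reST folds such lines into the preceding paragraph unless a blank line separates them, so the heading underline and the directives would render as plain text. Add the separators. Also, the note "In this example, the ``aws_profile`` authentication parameter was used" refers to a setting that is not visible in the block; the line replacing `wazuh-aws-wodle` appears empty here, so confirm the profile element is actually present in the configuration. Replacing the shared `/_templates/common/restart_manager.rst` and `restart_agent.rst` includes with inline `systemctl restart` commands loses the single maintained source for restart instructions; keep the includes unless the templates are being retired. Minor wording: "Save the changes and restart Wazuh to apply the changes" repeats "changes", and "AWS config" should be "AWS Config" as elsewhere on the page.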
diff --git a/source/cloud-security/amazon/services/supported-services/index.rst b/source/cloud-security/amazon/services/supported-services/index.rst
index a2d6737a2a..e4d9d4bea4 100644
--- a/source/cloud-security/amazon/services/supported-services/index.rst
+++ b/source/cloud-security/amazon/services/supported-services/index.rst
@@ -23,7 +23,7 @@ The next table contains the most relevant information about configuring each ser
+--------------+----------------------------------------------------------+-----------------------+----------------+------------------------------------------------------------------------------------------------------------------+
| Amazon | :doc:`VPC ` | bucket | vpcflow | //AWSLogs///vpcflowlogs//// |
+--------------+----------------------------------------------------------+-----------------------+----------------+------------------------------------------------------------------------------------------------------------------+
-| Amazon | :ref:`Config ` | bucket | config | //AWSLogs///Config//// |
+| Amazon | :doc:`Config ` | bucket | config | //AWSLogs///Config//// |
+--------------+----------------------------------------------------------+-----------------------+----------------+------------------------------------------------------------------------------------------------------------------+
| Amazon | :ref:`ALB ` | bucket | alb | //AWSLogs//elasticloadbalancing//// |
+--------------+----------------------------------------------------------+-----------------------+----------------+------------------------------------------------------------------------------------------------------------------+
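Review bot: The Config row now uses `:doc:` while the ALB row still uses `:ref:`; that is consistent with removing the `.. _amazon_config:` label in config.rst, but make sure the `:doc:` target is the path relative to this index file and that no other page still uses `:ref:` to reach the Config document, otherwise the build fails on an undefined label.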
diff --git a/source/cloud-security/amazon/services/supported-services/vpc.rst b/source/cloud-security/amazon/services/supported-services/vpc.rst
index ca805c7b59..0d1fea9e0d 100644
--- a/source/cloud-security/amazon/services/supported-services/vpc.rst
+++ b/source/cloud-security/amazon/services/supported-services/vpc.rst
@@ -1,7 +1,7 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Amazon VPC lets users provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define.
+ :description: The following sections cover how to configure the Amazon VPC service to integrate with Wazuh.
Amazon Virtual Private Cloud (VPC)
==================================
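Review bot: The new `:description:` drops the only sentence describing what Amazon VPC is in favour of a generic "The following sections cover how to configure ..." line, which is weaker as page metadata (the same generic sentence replaces the AWS Config description in this patch); keep a one-sentence description of the service and append the Wazuh integration phrase to it. This vpc.rst change is also unrelated to the AWS Config rewrite and would be clearer in its own commit.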
diff --git a/source/images/cloud-security/aws/config/01-data-firehose.png b/source/images/cloud-security/aws/config/01-data-firehose.png
new file mode 100644
index 0000000000..6a96041015
Binary files /dev/null and b/source/images/cloud-security/aws/config/01-data-firehose.png differ
diff --git a/source/images/cloud-security/aws/config/01-recording-strategy.png b/source/images/cloud-security/aws/config/01-recording-strategy.png
new file mode 100644
index 0000000000..165dc45beb
Binary files /dev/null and b/source/images/cloud-security/aws/config/01-recording-strategy.png differ
diff --git a/source/images/cloud-security/aws/config/01-search-for-eventbridge.png b/source/images/cloud-security/aws/config/01-search-for-eventbridge.png
new file mode 100644
index 0000000000..50931b9bdc
Binary files /dev/null and b/source/images/cloud-security/aws/config/01-search-for-eventbridge.png differ
diff --git a/source/images/cloud-security/aws/config/01-wazuh-configuration.png b/source/images/cloud-security/aws/config/01-wazuh-configuration.png
new file mode 100644
index 0000000000..77d343cce2
Binary files /dev/null and b/source/images/cloud-security/aws/config/01-wazuh-configuration.png differ
diff --git a/source/images/cloud-security/aws/config/02-create-firehose-stream.png b/source/images/cloud-security/aws/config/02-create-firehose-stream.png
new file mode 100644
index 0000000000..7da734a4b8
Binary files /dev/null and b/source/images/cloud-security/aws/config/02-create-firehose-stream.png differ
diff --git a/source/images/cloud-security/aws/config/02-create-rule.png b/source/images/cloud-security/aws/config/02-create-rule.png
new file mode 100644
index 0000000000..1354f936f9
Binary files /dev/null and b/source/images/cloud-security/aws/config/02-create-rule.png differ
diff --git a/source/images/cloud-security/aws/config/02-s3-and-prefix.png b/source/images/cloud-security/aws/config/02-s3-and-prefix.png
new file mode 100644
index 0000000000..bd562c3037
Binary files /dev/null and b/source/images/cloud-security/aws/config/02-s3-and-prefix.png differ
diff --git a/source/images/cloud-security/aws/config/02-wazuh-configuration.png b/source/images/cloud-security/aws/config/02-wazuh-configuration.png
new file mode 100644
index 0000000000..711d459fea
Binary files /dev/null and b/source/images/cloud-security/aws/config/02-wazuh-configuration.png differ
diff --git a/source/images/cloud-security/aws/config/03-assign-name-to-eventbridge.png b/source/images/cloud-security/aws/config/03-assign-name-to-eventbridge.png
new file mode 100644
index 0000000000..8e579be3d6
Binary files /dev/null and b/source/images/cloud-security/aws/config/03-assign-name-to-eventbridge.png differ
diff --git a/source/images/cloud-security/aws/config/03-select-direct-put.png b/source/images/cloud-security/aws/config/03-select-direct-put.png
new file mode 100644
index 0000000000..a67b28e282
Binary files /dev/null and b/source/images/cloud-security/aws/config/03-select-direct-put.png differ
diff --git a/source/images/cloud-security/aws/config/04-build-event-pattern.png b/source/images/cloud-security/aws/config/04-build-event-pattern.png
new file mode 100644
index 0000000000..448ab5826f
Binary files /dev/null and b/source/images/cloud-security/aws/config/04-build-event-pattern.png differ
diff --git a/source/images/cloud-security/aws/config/04-firehose-stream-name.png b/source/images/cloud-security/aws/config/04-firehose-stream-name.png
new file mode 100644
index 0000000000..f824d6bea9
Binary files /dev/null and b/source/images/cloud-security/aws/config/04-firehose-stream-name.png differ
diff --git a/source/images/cloud-security/aws/config/05-config-as-aws-service.png b/source/images/cloud-security/aws/config/05-config-as-aws-service.png
new file mode 100644
index 0000000000..31e8402328
Binary files /dev/null and b/source/images/cloud-security/aws/config/05-config-as-aws-service.png differ
diff --git a/source/images/cloud-security/aws/config/05-select-desired-bucket.png b/source/images/cloud-security/aws/config/05-select-desired-bucket.png
new file mode 100644
index 0000000000..9d0a62cd98
Binary files /dev/null and b/source/images/cloud-security/aws/config/05-select-desired-bucket.png differ
diff --git a/source/images/cloud-security/aws/config/06-choose-firehose-delivery-stream.png b/source/images/cloud-security/aws/config/06-choose-firehose-delivery-stream.png
new file mode 100644
index 0000000000..fb1ccc0dd0
Binary files /dev/null and b/source/images/cloud-security/aws/config/06-choose-firehose-delivery-stream.png differ
diff --git a/source/images/cloud-security/aws/config/06-choose-iam-role.png b/source/images/cloud-security/aws/config/06-choose-iam-role.png
new file mode 100644
index 0000000000..edf6625f72
Binary files /dev/null and b/source/images/cloud-security/aws/config/06-choose-iam-role.png differ
diff --git a/source/images/cloud-security/aws/config/07-create-firehose-stream.png b/source/images/cloud-security/aws/config/07-create-firehose-stream.png
new file mode 100644
index 0000000000..19ebfcd1a5
Binary files /dev/null and b/source/images/cloud-security/aws/config/07-create-firehose-stream.png differ
diff --git a/source/images/cloud-security/aws/config/07-review-config-1.png b/source/images/cloud-security/aws/config/07-review-config-1.png
new file mode 100644
index 0000000000..42f6bb9aaf
Binary files /dev/null and b/source/images/cloud-security/aws/config/07-review-config-1.png differ
diff --git a/source/images/cloud-security/aws/config/07-review-config-2.png b/source/images/cloud-security/aws/config/07-review-config-2.png
new file mode 100644
index 0000000000..c67f028ce3
Binary files /dev/null and b/source/images/cloud-security/aws/config/07-review-config-2.png differ
diff --git a/source/images/cloud-security/aws/config/1-monitor-configuration-changes.png b/source/images/cloud-security/aws/config/1-monitor-configuration-changes.png
new file mode 100644
index 0000000000..d9d37d7349
Binary files /dev/null and b/source/images/cloud-security/aws/config/1-monitor-configuration-changes.png differ
diff --git a/source/images/cloud-security/aws/config/2-monitor-configuration-changes.png b/source/images/cloud-security/aws/config/2-monitor-configuration-changes.png
new file mode 100644
index 0000000000..e7b067b4e4
Binary files /dev/null and b/source/images/cloud-security/aws/config/2-monitor-configuration-changes.png differ
diff --git a/source/images/cloud-security/aws/config/config.png b/source/images/cloud-security/aws/config/config.png
new file mode 100644
index 0000000000..5faf98180d
Binary files /dev/null and b/source/images/cloud-security/aws/config/config.png differ