🔒 AWS Secure Configuration Guidance

FedRAMP Rev5 Recommended Secure Configuration (RSC) Requirements


FRR-RSC-06: Export Capability

Applies to: Low, Moderate, High
Last Updated: 2025-11-25
Version: 1.0.0

Overview

AWS provides comprehensive APIs and tools to export all security settings and configurations
in machine-readable formats (JSON, YAML, CSV). This enables backup, documentation, compliance
reporting, and migration of security configurations.

Export Methods

AWS Command Line Interface (CLI)

Description:

Export configurations using AWS CLI commands with JSON/YAML output

How It Works:

CLI commands query AWS APIs and return structured data that can be saved to files

Common Exports:

iam_users:

# Export all IAM users
aws iam list-users --output json > iam-users.json
# Export user details with policies
aws iam get-user --user-name john --output json > user-john.json
aws iam list-attached-user-policies --user-name john --output json > user-john-policies.json
# Export all users with MFA status
aws iam get-credential-report --output json > credential-report.json

iam_roles:

# Export all roles
aws iam list-roles --output json > iam-roles.json
# Export specific role with policies
aws iam get-role --role-name MyRole --output json > role-details.json
aws iam list-attached-role-policies --role-name MyRole --output json > role-policies.json
aws iam get-role-policy --role-name MyRole --policy-name InlinePolicy --output json > role-inline-policy.json

iam_policies:

# Export all customer managed policies
aws iam list-policies --scope Local --output json > custom-policies.json
# Export specific policy document
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --output json > policy-metadata.json
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id v1 --output json > policy-document.json

password_policy:

# Export account password policy
aws iam get-account-password-policy --output json > password-policy.json

account_summary:

# Export account summary
aws iam get-account-summary --output json > account-summary.json
# Export account authorization details (comprehensive)
aws iam get-account-authorization-details --output json > account-authorization.json

cloudtrail:

# Export CloudTrail configuration
aws cloudtrail describe-trails --output json > cloudtrail-trails.json
aws cloudtrail get-trail-status --name my-trail --output json > trail-status.json
aws cloudtrail get-event-selectors --trail-name my-trail --output json > trail-selectors.json

s3_security:

# Export S3 bucket configurations
aws s3api list-buckets --output json > s3-buckets.json
# Export bucket-specific settings
aws s3api get-bucket-encryption --bucket my-bucket --output json > bucket-encryption.json
aws s3api get-bucket-versioning --bucket my-bucket --output json > bucket-versioning.json
aws s3api get-public-access-block --bucket my-bucket --output json > bucket-public-access.json
aws s3api get-bucket-policy --bucket my-bucket --output json > bucket-policy.json

security_groups:

# Export all security groups
aws ec2 describe-security-groups --output json > security-groups.json
# Export specific security group
aws ec2 describe-security-groups --group-ids sg-xxxxx --output json > sg-details.json

kms_keys:

# Export KMS keys
aws kms list-keys --output json > kms-keys.json
# Export key details
aws kms describe-key --key-id xxxxx --output json > key-details.json
aws kms get-key-policy --key-id xxxxx --policy-name default --output json > key-policy.json
aws kms get-key-rotation-status --key-id xxxxx --output json > key-rotation.json
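Reading the credential report export, as an added example that is not part of the original guidance: `aws iam get-credential-report --output json` does not write the report as CSV, it wraps a base64-encoded CSV in the JSON field `Content` (and the report must have been generated first with `aws iam generate-credential-report`). The sample export below is constructed; the function names are assumptions.

```python
import base64
import csv
import io
import json

# Constructed sample of what `aws iam get-credential-report --output json`
# writes: the report is a base64-encoded CSV inside the "Content" field
_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,"
    "true,2024-06-01T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true\n"
    "bob,arn:aws:iam::123456789012:user/bob,2022-07-14T11:00:00+00:00,"
    "true,no_information,2022-07-14T11:00:00+00:00,N/A,false\n"
    "svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-02-20T12:00:00+00:00,"
    "false,N/A,N/A,N/A,false\n"
)
SAMPLE_EXPORT = json.dumps({
    "Content": base64.b64encode(_REPORT_CSV.encode()).decode(),
    "GeneratedTime": "2024-06-02T00:00:00+00:00",
})

def decode_credential_report(export_json):
    """Return the report rows as dicts from the CLI's JSON wrapper."""
    content = json.loads(export_json)["Content"]
    report_csv = base64.b64decode(content).decode("utf-8")
    return list(csv.DictReader(io.StringIO(report_csv)))

def console_users_without_mfa(rows):
    """Principals that can sign in with a password but have no MFA device.
    The root row reports password_enabled as 'not_supported'; root always
    has a password, so it is treated as console-capable."""
    flagged = []
    for row in rows:
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged

def report_to_csv(rows, fields=("user", "password_enabled", "mfa_active")):
    """Write selected columns back out as plain CSV for an evidence file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fields), extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```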

Batch Export Script:

#!/bin/bash
# Comprehensive AWS security configuration export
# Fail on unset variables and broken pipelines; a single failed export
# (for example an account with no password policy set) is reported on
# stderr but does not abort the run, so the archive is still complete.
set -uo pipefail

EXPORT_DIR="aws-security-export-$(date +%Y%m%d)"
mkdir -p "$EXPORT_DIR"

# Run one CLI call, forcing JSON output regardless of the profile's default
export_json() {
  local outfile="$1"; shift
  if ! aws "$@" --output json > "$EXPORT_DIR/$outfile"; then
    echo "WARN: export of $outfile failed" >&2
  fi
}

echo "Exporting IAM configurations..."
export_json iam-users.json iam list-users
export_json iam-roles.json iam list-roles
export_json iam-policies.json iam list-policies --scope Local
export_json password-policy.json iam get-account-password-policy
export_json account-authorization.json iam get-account-authorization-details

echo "Exporting CloudTrail..."
export_json cloudtrail.json cloudtrail describe-trails

echo "Exporting S3 configurations..."
export_json s3-buckets.json s3api list-buckets

echo "Exporting VPC security..."
export_json security-groups.json ec2 describe-security-groups
export_json network-acls.json ec2 describe-network-acls

echo "Exporting KMS keys..."
export_json kms-keys.json kms list-keys

echo "Export complete: $EXPORT_DIR"
tar czf "$EXPORT_DIR.tar.gz" "$EXPORT_DIR"

AWS Config Configuration Snapshots

Description:

Point-in-time snapshots of all resource configurations

How It Works:

Config continuously records configurations and can deliver snapshots to S3

Configuration:

# Enable Config snapshot delivery (shorthand value quoted so the shell leaves the braces alone)
aws configservice put-delivery-channel \
  --delivery-channel 'name=default,s3BucketName=my-config-bucket,configSnapshotDeliveryProperties={deliveryFrequency=TwentyFour_Hours}'

# Trigger on-demand snapshot
aws configservice deliver-config-snapshot \
  --delivery-channel-name default

Query Configurations:

# Query specific resource configuration
aws configservice get-resource-config-history \
  --resource-type AWS::IAM::User \
  --resource-id AIDAI23HXX2LMI5EXAMPLE \
  --output json > user-config-history.json

# List all resources of a type
aws configservice list-discovered-resources \
  --resource-type AWS::IAM::Role \
  --output json > all-roles.json

Advanced Queries:

# Use Config advanced queries (SQL-like)
aws configservice select-resource-config \
  --expression "SELECT resourceId, resourceType, configuration WHERE resourceType = 'AWS::IAM::User'" \
  --output json > iam-users-query.json

# Find non-compliant resources
aws configservice select-resource-config \
  --expression "SELECT resourceId WHERE resourceType = 'AWS::S3::Bucket' AND configuration.publicAccessBlockConfiguration.blockPublicAcls = false" \
  --output json > public-buckets.json

CloudFormation Template Export

Description:

Export existing resources as CloudFormation templates

How It Works:

Reverse-engineer deployed resources into IaC templates

Methods:

former2:

# Former2 - Web-based tool to generate CloudFormation/Terraform
# Visit: https://former2.com
# Select resources in AWS Console, generate templates

cloudformer:

# AWS CloudFormer (deprecated, but concept remains)
# Create templates from existing resources

manual_export:

# Export stack template
aws cloudformation get-template \
  --stack-name my-stack \
  --output json > stack-template.json

# Export stack with current parameter values
aws cloudformation describe-stacks \
  --stack-name my-stack \
  --output json > stack-details.json

Drift Detection:

# Detect and export drift
aws cloudformation detect-stack-drift --stack-name my-stack

# Get drift details
aws cloudformation describe-stack-resource-drifts \
  --stack-name my-stack \
  --output json > stack-drift.json

AWS Systems Manager Inventory

Description:

Collect metadata from EC2 instances and on-premises servers

How It Works:

SSM Agent collects OS, application, and configuration data

Export Commands:

# Get inventory for all instances
aws ssm get-inventory --output json > ssm-inventory.json

# Get specific instance inventory
aws ssm list-inventory-entries \
  --instance-id i-xxxxx \
  --type-name AWS:Application \
  --output json > instance-apps.json

# Export to S3
aws ssm create-resource-data-sync \
  --sync-name MyInventorySync \
  --s3-destination BucketName=my-inventory-bucket,Prefix=inventory/,SyncFormat=JsonSerDe,Region=us-east-1

AWS Security Hub Findings Export

Description:

Export security findings and compliance status

How It Works:

Query findings via API or export to S3/EventBridge

Export Methods:

api_export:

# Export all findings
aws securityhub get-findings --output json > security-findings.json

# Export failed compliance checks
aws securityhub get-findings \
  --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}' \
  --output json > failed-findings.json

# Export by severity
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}' \
  --output json > critical-findings.json

continuous_export:

# Set up EventBridge rule to export findings to S3
# Findings automatically sent to EventBridge, can route to S3, Lambda, etc.

# Create EventBridge rule
aws events put-rule \
  --name SecurityHubToS3 \
  --event-pattern '{"source":["aws.securityhub"]}'

# Add S3 target (via Lambda or Kinesis Firehose)

AWS Organizations Configuration Export

Description:

Export organization structure and policies

How It Works:

Query Organizations API for accounts, OUs, and policies

Export Commands:

# Export organization structure
aws organizations describe-organization --output json > organization.json

# Export all accounts
aws organizations list-accounts --output json > accounts.json

# Export organizational units
aws organizations list-organizational-units-for-parent \
  --parent-id r-xxxx \
  --output json > organizational-units.json

# Export SCPs
aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY \
  --output json > scps.json

# Export specific SCP content
aws organizations describe-policy \
  --policy-id p-xxxxx \
  --output json > scp-details.json

Export Formats

JSON

Description: JavaScript Object Notation - most common AWS API output

YAML

Description: YAML Ain't Markup Language - human-readable format

Conversion:

# Convert JSON to YAML
aws iam list-users --output yaml > users.yaml

CSV

Description: Comma-Separated Values - spreadsheet format

Example:

# Export IAM users to CSV
# --output text is tab-separated, so convert tabs to commas for a real CSV file;
# users without a console password show "None" in the PasswordLastUsed column
aws iam list-users --output text \
  --query 'Users[].[UserName,CreateDate,PasswordLastUsed]' | tr '\t' ',' > users.csv

Terraform

Description: HashiCorp Configuration Language - IaC format

Example:

# Use Terraformer to import existing resources
terraformer import aws --resources=iam,s3,vpc --regions=us-east-1

Automation Scripts

Python Boto3:

import boto3
import json
from datetime import datetime


def paginate(client, operation, key, **kwargs):
    """Collect every page of a list_* call; a single call returns at most 100 items."""
    items = []
    for page in client.get_paginator(operation).paginate(**kwargs):
        items.extend(page[key])
    return items


def export_iam_configuration():
    iam = boto3.client('iam')

    # An account with no custom password policy raises NoSuchEntity;
    # record that rather than crashing, since "no policy set" is itself a finding
    try:
        password_policy = iam.get_account_password_policy()['PasswordPolicy']
    except iam.exceptions.NoSuchEntityException:
        password_policy = None

    export_data = {
        'export_date': datetime.now().isoformat(),
        'users': paginate(iam, 'list_users', 'Users'),
        'roles': paginate(iam, 'list_roles', 'Roles'),
        'policies': paginate(iam, 'list_policies', 'Policies', Scope='Local'),
        'password_policy': password_policy
    }

    # default=str serialises the datetime objects boto3 returns
    with open('iam-export.json', 'w') as f:
        json.dump(export_data, f, indent=2, default=str)

    print("IAM configuration exported to iam-export.json")


if __name__ == '__main__':
    export_iam_configuration()

Comprehensive Export:

#!/usr/bin/env python3
import boto3
import json
from datetime import datetime
from pathlib import Path
from botocore.exceptions import ClientError


def dump(path, data):
    """Write one export file; default=str handles the datetimes boto3 returns."""
    with open(path, 'w') as f:
        json.dump(data, f, indent=2, default=str)


def bucket_setting(s3, name, operation):
    """Call one get_bucket_* / get_public_access_block API and keep the error
    code when the setting is absent. A bucket with no public access block or
    no encryption rule is exactly what a reviewer needs to see, so it must not
    be silently dropped from the export."""
    try:
        response = getattr(s3, operation)(Bucket=name)
        response.pop('ResponseMetadata', None)
        return response
    except ClientError as err:
        return {'error': err.response['Error']['Code']}


def export_all_security_configs():
    export_dir = Path(f"aws-export-{datetime.now().strftime('%Y%m%d-%H%M%S')}")
    export_dir.mkdir(exist_ok=True)

    # IAM (paginated: list_users returns at most 100 users per call)
    iam = boto3.client('iam')
    users = [u for page in iam.get_paginator('list_users').paginate() for u in page['Users']]
    dump(export_dir / 'iam-users.json', users)

    # CloudTrail
    cloudtrail = boto3.client('cloudtrail')
    dump(export_dir / 'cloudtrail.json', cloudtrail.describe_trails())

    # S3: one record per bucket, including settings that are missing
    s3 = boto3.client('s3')
    bucket_configs = []
    for bucket in s3.list_buckets()['Buckets']:
        name = bucket['Name']
        bucket_configs.append({
            'name': name,
            'encryption': bucket_setting(s3, name, 'get_bucket_encryption'),
            'versioning': bucket_setting(s3, name, 'get_bucket_versioning'),
            'public_access': bucket_setting(s3, name, 'get_public_access_block'),
        })
    dump(export_dir / 's3-buckets.json', bucket_configs)

    print(f"Export complete: {export_dir}")


if __name__ == '__main__':
    export_all_security_configs()

Use Cases

Compliance Reporting

Description: Generate evidence for audits

Frequency: Monthly or quarterly

Format: JSON + CSV for reports

Backup and Recovery

Description: Backup security configurations

Frequency: Daily or weekly

Format: JSON for restoration

Change Tracking

Description: Track configuration changes over time

Frequency: Continuous (via Config)

Format: JSON with timestamps
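Change tracking on the exported files themselves, as an added example that is not part of the original guidance: diff two `describe-security-groups` exports and report groups and inbound rules that were added or removed, flagging any newly added rule whose source is the whole internet. The two snapshots are constructed samples; the function names are assumptions.

```python
import json

# Constructed samples of two `aws ec2 describe-security-groups --output json`
# exports taken a day apart (only the fields the diff needs are included)
SNAPSHOT_DAY1 = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]})
SNAPSHOT_DAY2 = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "cache", "IpPermissions": []}]})
WORLD = ("0.0.0.0/0", "::/0")

def inbound_rules(group):
    """Flatten IpPermissions into hashable (protocol, from, to, source) tuples."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto, frm, to = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        for r in perm.get("IpRanges", []):
            rules.add((proto, frm, to, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, frm, to, r["CidrIpv6"]))
    return rules

def diff_security_groups(old_json, new_json):
    """Report groups and inbound rules added or removed between two exports,
    and list newly added rules whose source is the whole internet."""
    old = {g["GroupId"]: g for g in json.loads(old_json)["SecurityGroups"]}
    new = {g["GroupId"]: g for g in json.loads(new_json)["SecurityGroups"]}
    report = {"added_groups": sorted(set(new) - set(old)),
              "removed_groups": sorted(set(old) - set(new)),
              "rule_changes": {}, "world_open_added": []}
    for gid in sorted(set(old) & set(new)):
        added = inbound_rules(new[gid]) - inbound_rules(old[gid])
        removed = inbound_rules(old[gid]) - inbound_rules(new[gid])
        if added or removed:
            # key=str keeps sorting stable when FromPort/ToPort are None (protocol -1)
            report["rule_changes"][gid] = {"added": sorted(added, key=str),
                                           "removed": sorted(removed, key=str)}
        report["world_open_added"] += [(gid,) + r for r in sorted(added, key=str) if r[3] in WORLD]
    return report
```

Run it against two dated files from the batch export above to turn a pair of snapshots into a reviewable change record.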

Migration

Description: Move configurations between accounts/regions

Frequency: As needed

Format: CloudFormation or Terraform

Documentation

Description: Document current state for teams

Frequency: Monthly

Format: YAML or Markdown

Best Practices

References