AWS Config deep dive

AWS Config gives a detailed view of the configuration of the AWS resources in your account. It shows how resources relate to each other and records how their configurations have changed over time.

  • An AWS resource is an entity you work with in AWS; examples are EC2 instances, EBS volumes, security groups and VPCs.
  • AWS Config records and tracks changes to resource configurations, which lets you check compliance and gives visibility into resource relationships and configuration history.

AWS Config helps you oversee resource configurations in several scenarios:

  • Resource Administration:
    • Provides fine-grained visibility into existing resources and their configurations.
    • Notifies about resource creations, modifications, or deletions.
    • Uses AWS Config rules to evaluate resource configuration settings and detect noncompliance.
  • Auditing and Compliance:
    • Provides historical configurations for data audits and compliance demonstration.
  • Managing and Troubleshooting Configuration Changes:
    • Helps understand how resource changes impact related resources.
    • Offers historical configurations for troubleshooting and accessing the last known good configuration.
  • Security Analysis:
    • Offers detailed historical information for analysing potential security weaknesses.
    • Lets you view the IAM permissions assigned to a user, group or role at a specific point in time.
    • Provides the configuration of an EC2 security group, including its port rules, at a specific point in time.

How AWS Config works

When you turn on AWS Config, it discovers the supported AWS resources in your account and generates a configuration item for each one.
It creates a new configuration item whenever a resource changes and keeps the history from the moment the configuration recorder was started.

  • By default the recorder covers every supported resource type in the region; you can instead restrict it to specific resource types.
  • Check resource coverage by region (not every resource type is supported in every region) before specifying a resource type.
  • AWS Config uses the services' Describe and List API calls to capture configuration details, both for the changed resource and for the resources related to it.
  • It also examines resource configurations periodically, to pick up changes that were not made through the API.
  • If you use AWS Config rules, it evaluates resource configurations against the desired settings, either when a change is recorded or on a schedule. AWS managed rules carry their own logic; custom rules run an AWS Lambda function you write (or a Guard policy).
  • Noncompliant resources are flagged and notifications are sent to an Amazon SNS topic.

[Figure: overview of how AWS Config works]

AWS Config pricing

Use case 1: finding out when an S3 bucket became non-compliant

  • A team has configured AWS Config rules in an AWS account.
  • After a long holiday they find that an AWS Config rule for an S3 bucket has become non-compliant.
  • The rule checks that every S3 bucket has a bucket policy that denies insecure (non-TLS) requests; the managed rule s3-bucket-ssl-requests-only does exactly this.
  • The rule was compliant for all S3 buckets before the holiday.
  • The quickest way to find out when and how the bucket became non-compliant is the bucket's "Timeline" in the AWS Config console:
    • The timeline lists the resource's configuration changes and compliance changes in chronological order, so the team can see the moment the rule flipped to non-compliant and which configuration change was recorded at that moment.
    • Opening that configuration change shows what was modified (here, the bucket policy), and the timeline links the CloudTrail events recorded around it, which show who made the call.
  • Because all of this is already recorded by the configuration recorder, the timeline gives the answer without any extra tooling, which is why it is the easiest option.

Use case 2: custom remediation for S3 bucket policies

  • A DevOps engineer is asked to create a custom AWS Config rule that evaluates S3 buckets.
  • The rule checks that each S3 bucket has a suitable bucket policy.
  • When a bucket becomes non-compliant, a remediation action should run immediately to fix the bucket policy.
  • The AWS-managed remediation documents (the AWSConfigRemediation-* SSM Automation documents) do not fit this case, so the remediation must be custom.
  • AWS Config remediation actions are Systems Manager Automation documents, not Lambda functions directly, so a custom remediation is configured as follows:
    1. Write a Lambda function that implements the remediation logic: read the bucket's current policy, add or correct the required statements, and write the merged policy back.
    2. Give the function an execution role with only the permissions it needs (s3:GetBucketPolicy and s3:PutBucketPolicy on the buckets in scope).
    3. Wrap the function in a custom SSM Automation document with an aws:invokeLambdaFunction step, and let the document's assume role invoke the function.
    4. Attach the document to the rule as its remediation action (console: "Manage remediation", or the PutRemediationConfiguration API), pass the non-compliant bucket's ID as the RESOURCE_ID parameter, and enable automatic remediation.
    5. Test it: make a bucket non-compliant, confirm the rule flags it and the remediation restores the policy, and check the remediation execution status on the rule if the fix does not stick.
    6. Once verified, the rule evaluates S3 buckets automatically and the remediation fixes non-compliant bucket policies without manual action.
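The remediation logic from steps 1 to 5, written out as an added example (it is not code from the page or from AWS): a Lambda handler that reads a bucket's current policy, adds a Deny for non-TLS requests if a sufficient one is missing, and writes the merged policy back. It assumes that "suitable bucket policy" means the TLS-only policy of use case 1, that the SSM Automation step passes a payload of the form {"BucketName": ...}, and a statement id of DenyInsecureTransport; the FakeS3Client and the sample policy are constructed so the code runs offline.

```python
"""Remediation logic for a non-compliant S3 bucket policy.

Added example, not the page's code. Assumes "suitable policy" means the same
thing as in use case 1: a Deny on non-TLS requests (aws:SecureTransport=false)."""
import copy
import json
from typing import List, Optional

SID = "DenyInsecureTransport"            # assumed statement id


def bucket_arns(bucket: str) -> List[str]:
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def ssl_only_statement(bucket: str) -> dict:
    return {"Sid": SID, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": bucket_arns(bucket),
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: Optional[dict], bucket: str) -> bool:
    """True only if a Deny covers all principals, all actions, the bucket AND
    its objects when aws:SecureTransport is false. A deny on objects alone
    still lets ListBucket and other bucket-level calls go over plain HTTP."""
    for st in _as_list((policy or {}).get("Statement", [])):
        cond = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") != "Deny" or cond is None:
            continue
        if "false" not in {str(v).lower() for v in _as_list(cond)}:
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        if set(bucket_arns(bucket)) <= set(_as_list(st.get("Resource", []))):
            return True
    return False


def remediate_policy(policy: Optional[dict], bucket: str) -> dict:
    """Return a policy that denies non-TLS requests, keeping every existing
    statement. Only a stale statement carrying our own Sid is replaced."""
    if denies_insecure_transport(policy, bucket):
        return copy.deepcopy(policy)
    fixed = copy.deepcopy(policy) if policy else {}
    fixed.setdefault("Version", "2012-10-17")
    kept = [s for s in _as_list(fixed.get("Statement", [])) if s.get("Sid") != SID]
    fixed["Statement"] = kept + [ssl_only_statement(bucket)]
    return fixed


class FakeS3Client:
    """Stand-in for boto3.client('s3') so the example runs offline."""
    class exceptions:
        class NoSuchBucketPolicy(Exception):
            pass

    def __init__(self, policies: dict) -> None:
        self.policies = dict(policies)    # bucket name -> policy JSON string

    def get_bucket_policy(self, Bucket: str) -> dict:
        if Bucket not in self.policies:
            raise self.exceptions.NoSuchBucketPolicy()
        return {"Policy": self.policies[Bucket]}

    def put_bucket_policy(self, Bucket: str, Policy: str) -> None:
        self.policies[Bucket] = Policy


def lambda_handler(event: dict, context=None, s3_client=None) -> dict:
    """Entry point invoked by the SSM Automation step. The payload shape
    {"BucketName": ...} is assumed. Needs only s3:GetBucketPolicy and
    s3:PutBucketPolicy on the buckets in scope."""
    bucket = event["BucketName"]
    if s3_client is None:
        import boto3                      # only needed inside Lambda
        s3_client = boto3.client("s3")
    try:
        current = json.loads(s3_client.get_bucket_policy(Bucket=bucket)["Policy"])
    except s3_client.exceptions.NoSuchBucketPolicy:
        current = None                    # bucket has no policy yet
    desired = remediate_policy(current, bucket)
    if desired == current:
        return {"bucket": bucket, "changed": False}
    s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(desired))
    return {"bucket": bucket, "changed": True}


if __name__ == "__main__":
    # Constructed sample: a bucket whose policy only grants public reads.
    client = FakeS3Client({"example-bucket": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})})
    print(lambda_handler({"BucketName": "example-bucket"}, None, client))
    print(client.policies["example-bucket"])
```

Two points matter in practice: merge rather than replace (an automation that overwrites the policy silently drops every other statement), and treat a Deny that covers only the object ARN as insufficient, since bucket-level calls such as ListBucket would still be allowed over plain HTTP. The second call for the same bucket returns changed=False, so re-running the remediation is safe.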

Use case 3: ensuring EC2 security groups are compliant

  • A custom AWS Config rule must check that EC2 security groups comply with the company's security policies.
  • A colleague has already written the Lambda function that performs the security group checks.
  • To have the rule evaluate a security group whenever its configuration changes:
    1. Use the rule's Scope property (ComplianceResourceTypes) to restrict the rule to the resource type AWS::EC2::SecurityGroup; this covers every security group in the account and region, including ones created later, rather than a fixed list of IDs.
    2. Set the rule's trigger type to configuration changes (in CloudFormation, Source.SourceDetails with MessageType ConfigurationItemChangeNotification; in the console, "When configuration changes").
    3. Grant the config.amazonaws.com principal permission to invoke the colleague's function, and give the function's role config:PutEvaluations.
    4. Config then invokes the function with the changed security group's configuration item each time a security group is created, modified or deleted, and the function reports COMPLIANT or NON_COMPLIANT through PutEvaluations, so the rule continuously enforces the company's security policies.
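As an added example (not the colleague's function from the page), here is the shape of the Lambda function such a rule invokes: it parses the configuration item that Config passes in the invocation event, evaluates the security group's ingress rules and reports the result through PutEvaluations. The company policy is assumed, since the page does not state it: internet-wide ingress (0.0.0.0/0 or ::/0) is allowed only on ports 80 and 443. The FakeConfigClient and SAMPLE_EVENT are constructed so the code runs offline.

```python
"""Custom AWS Config rule: Lambda handler evaluating EC2 security groups.

Added example, not the colleague's function from the page. The company policy
is assumed: internet-wide ingress is allowed only on ALLOWED_PUBLIC_PORTS."""
import json
from typing import Any, List, Tuple

ALLOWED_PUBLIC_PORTS = {80, 443}                  # assumed policy
WORLD = {"0.0.0.0/0", "::/0"}


def _world_ranges(perm: dict) -> List[str]:
    """CIDRs in one ipPermissions entry that mean 'anyone on the internet'.
    Config records the legacy ipRanges list as well as ipv4Ranges/ipv6Ranges."""
    cidrs = set()
    for r in perm.get("ipRanges", []):
        cidrs.add(r if isinstance(r, str) else r.get("cidrIp", ""))
    for r in perm.get("ipv4Ranges", []):
        cidrs.add(r.get("cidrIp", ""))
    for r in perm.get("ipv6Ranges", []):
        cidrs.add(r.get("cidrIpv6", ""))
    return sorted(cidrs & WORLD)


def evaluate_security_group(configuration: dict) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one security group configuration."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        world = _world_ranges(perm)
        if not world:
            continue                                  # not internet-facing
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or lo is None or hi is None:
            violations.append(f"all traffic from {','.join(world)}")
        elif set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS:
            violations.append(f"{proto}/{lo}-{hi} from {','.join(world)}")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)[:256]   # Annotation limit
    return "COMPLIANT", "no internet ingress outside the allowed ports"


def build_evaluation(event: dict) -> dict:
    """Turn a Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized items and scheduled runs carry no configuration; they need
        # get_resource_config_history, which this example leaves out.
        raise ValueError(f"unsupported messageType {invoking.get('messageType')!r}")
    item = invoking["configurationItem"]
    result = {"ComplianceResourceType": item["resourceType"],
              "ComplianceResourceId": item["resourceId"],
              "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return {**result, "ComplianceType": "NOT_APPLICABLE", "Annotation": "resource deleted"}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {**result, "ComplianceType": "NOT_APPLICABLE", "Annotation": "not a security group"}
    compliance, note = evaluate_security_group(item.get("configuration") or {})
    return {**result, "ComplianceType": compliance, "Annotation": note}


class FakeConfigClient:
    """Stand-in for boto3.client('config') so the example runs offline."""
    def __init__(self) -> None:
        self.calls: List[dict] = []

    def put_evaluations(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event: dict, context: Any = None, config_client=None) -> dict:
    """Lambda entry point; the Config client is injectable for tests."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3                                  # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event, shaped like a real change-triggered invocation.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-02T03:04:05.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"]}]}}}),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, FakeConfigClient()), indent=2))
```

Two details are easy to get wrong in a real rule: a deleted security group must be reported as NOT_APPLICABLE (otherwise the rule keeps showing the stale group as non-compliant), and Annotation is capped at 256 characters, so long violation lists are truncated rather than rejected. The sample above is NON_COMPLIANT because of the SSH rule open to 0.0.0.0/0; the HTTPS rule alone would pass.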
