AWS Config Rules With Examples
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we enabled the AWS Config service and started recording configuration changes.
https://cloudaffaire.com/how-to-enable-aws-config-service-using-api/
Today we are going to discuss AWS Config rules with some examples. AWS Config can compare the recorded configuration of your resources against a set of rules to evaluate whether each resource is compliant. You can use AWS-provided (managed) rules or create custom rules for your own requirements. The idea behind a Config rule is to detect resources that use a non-standard configuration, so that you can notify the owners or take action and keep your AWS landscape consistent with your organization's standards.
AWS Config Rules With Examples:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an S3 bucket with a proper bucket policy to store Config recordings.
```bash
## Create the S3 bucket
aws s3api create-bucket \
--bucket s3-for-config-recording \
--region ap-south-1 \
--create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
cat <<'EOF' > config_bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-config-recording/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
--bucket s3-for-config-recording \
--policy file://config_bucket_policy.json
```
Step 2: Create an IAM role for the AWS Config service with the proper policy.
```bash
## Create assume role policy definition
cat <<'EOF' > config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
--role-name config_iam_role \
--assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<'EOF' > config_iam_policy.json
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource":[
        "arn:aws:s3:::s3-for-config-recording/*"
      ],
      "Condition":{
        "StringLike":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetBucketAcl"
      ],
      "Resource":"arn:aws:s3:::s3-for-config-recording"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy \
--policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```
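The bucket policy in Step 1 is the one place where a service principal is allowed to write into your account, so it is worth checking that it stays as narrow as Config needs. The following is an added example, not code from the page or from AWS: a small policy linter that takes the Step 1 bucket policy (reproduced inline as constructed input) and a constructed, deliberately weak variant, and reports statements whose principal is not `config.amazonaws.com`, whose actions go beyond `GetBucketAcl`/`ListBucket`/`PutObject`, whose resources point outside the delivery bucket, or whose `PutObject` lacks the `bucket-owner-full-control` ACL condition. It also warns when the `aws:SourceAccount` condition that AWS's Config bucket-policy documentation recommends against cross-account confused-deputy writes is absent; the page's own policy does not carry it, so that warning fires on it.

```python
import json

# Constructed sample: the bucket policy from Step 1 (bucket name as on the page).
BUCKET = "s3-for-config-recording"
PAGE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# Constructed weak variant: anonymous principal, extra action, no ACL condition on PutObject.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenDelivery", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

CONFIG_SERVICE = "config.amazonaws.com"
NEEDED_ACTIONS = {"s3:GetBucketAcl", "s3:ListBucket", "s3:PutObject"}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal.Service."""
    return value if isinstance(value, list) else [value]


def check_config_bucket_policy(policy, bucket):
    """Return (severity, message) findings for a Config delivery bucket policy.
    'error' = wider than Config needs; 'warn' = hardening recommended by the AWS docs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid") or "<no Sid>"
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != [CONFIG_SERVICE]:
            findings.append(("error", f"{sid}: principal is not restricted to {CONFIG_SERVICE}"))
        actions = set(_as_list(stmt.get("Action", [])))
        extra = actions - NEEDED_ACTIONS
        if extra:
            findings.append(("error", f"{sid}: grants actions Config does not need: {sorted(extra)}"))
        off_bucket = {r for r in _as_list(stmt.get("Resource", []))
                      if r not in (bucket_arn, bucket_arn + "/*")}
        if off_bucket:
            findings.append(("error", f"{sid}: resource outside the delivery bucket: {sorted(off_bucket)}"))
        if "s3:PutObject" in actions:
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            if equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(("error", f"{sid}: s3:PutObject lacks the bucket-owner-full-control ACL condition"))
            # Condition keys are case-insensitive in IAM, so compare lower-cased.
            if not any(k.lower() == "aws:sourceaccount" for k in equals):
                findings.append(("warn", f"{sid}: add an aws:SourceAccount condition so only your own account's Config can write"))
    return findings


def has_errors(findings):
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    for name, policy in (("page", PAGE_BUCKET_POLICY), ("weak", WEAK_BUCKET_POLICY)):
        print(name, json.dumps(check_config_bucket_policy(policy, BUCKET), indent=2))
```

Run it against the JSON you are about to apply with `put-bucket-policy`; any `error` finding means the policy grants more than the delivery channel requires.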
Step 3: Enable AWS Config service using AWS CLI
```bash
## Create recording group configuration
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": ["AWS::EC2::VPC"]
}
EOF

## Enable AWS Config using AWS CLI
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/config_iam_role &&
aws configservice put-configuration-recorder \
--configuration-recorder name=myconfig,roleARN=$IAM_ROLE_ARN \
--recording-group file://config_recording_group.json
```
Warning: There is an additional cost associated with AWS Config; please refer to the documentation below for the latest AWS Config pricing.
https://aws.amazon.com/config/pricing/
Step 4: Create AWS Config rules
```bash
## Create config rule definition file
cat <<'EOF' > config_rule.json
{
  "ConfigRuleName": "myconfigrule",
  "Description": "Checks if VPC has specific tags",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::VPC"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"owner\",\"tag1Value\":\"debjeet\"}"
}
EOF

## Create the config rule (AWS Provided)
aws configservice put-config-rule \
--config-rule file://config_rule.json
```
Observe that we have used the AWS-provided rule "REQUIRED_TAGS". The Config rule will evaluate a resource as non-compliant if it does not have a tag with key=owner and value=debjeet.
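For the custom-rule path mentioned in the introduction, the evaluation logic has to be written by you and run as a Lambda function. The following is an added example, not code from the page or from AWS: a Lambda-style handler that evaluates a single configuration item against `tagNKey`/`tagNValue` parameters in the same spirit as the managed REQUIRED_TAGS rule, generalized a little beyond the page's single-tag case (up to six keys, a value list given comma-separated, a missing value meaning "presence is enough", and deleted resources reported as NOT_APPLICABLE). The event shape, resource id and result token are constructed; in a real Lambda you would pass `put_evaluations=boto3.client("config").put_evaluations`, and the handler returns the evaluation it built so it can be inspected without AWS access.

```python
import json

# Constructed sample of a Config custom-rule invocation event. The "invokingEvent" and
# "ruleParameters" members are JSON strings, as Config delivers them to Lambda.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::VPC",
            "resourceId": "vpc-0123456789abcdef0",
            "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
            "configurationItemStatus": "OK",
            "tags": {"Name": "test-vpc"},
        },
    }),
    "ruleParameters": json.dumps({"tag1Key": "owner", "tag1Value": "debjeet"}),
    "resultToken": "constructed-result-token",
}

DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def parse_required_tags(rule_parameters):
    """Turn tag1Key/tag1Value ... tag6Key/tag6Value into {key: allowed_values}.
    An empty allowed set means only presence is required; values are comma separated."""
    required = {}
    for n in range(1, 7):
        key = rule_parameters.get(f"tag{n}Key")
        if not key:
            continue
        raw = rule_parameters.get(f"tag{n}Value", "") or ""
        required[key] = {v.strip() for v in raw.split(",") if v.strip()}
    return required


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource was deleted"
    tags = configuration_item.get("tags") or {}
    problems = []
    for key, allowed in parse_required_tags(rule_parameters).items():
        if key not in tags:
            problems.append(f"missing tag '{key}'")
        elif allowed and tags[key] not in allowed:
            problems.append(f"tag '{key}' is '{tags[key]}', expected one of {sorted(allowed)}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "All required tags present"


def lambda_handler(event, context=None, put_evaluations=None):
    """Lambda entry point. Parses the invocation, evaluates the item, and hands the result
    to put_evaluations (boto3's config.put_evaluations in a real deployment)."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if put_evaluations is not None:
        put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Keeping `evaluate_compliance` free of any AWS client is what makes the rule unit-testable; the sample VPC above carries only a `Name` tag, so it comes back NON_COMPLIANT exactly as the managed rule would report it.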
Step 5: Create a Config delivery channel (S3 in our case) to store all the Config recordings.
```bash
## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel.json
{
  "name": "myconfig",
  "s3BucketName": "s3-for-config-recording",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "One_Hour"
  }
}
EOF

## Create config delivery channel object as S3
aws configservice put-delivery-channel \
--delivery-channel file://config_delivery_channel.json
```
Step 6: Start Config recordings
```bash
## Starts recording configurations of recording group
aws configservice start-configuration-recorder \
--configuration-recorder-name myconfig
```
Note: AWS Config will take some time to discover all the resources, create the initial configuration items and deliver them to the S3 bucket. Wait for some time and then proceed to the next step.
Step 7: Get details of AWS Config and the Config rules.
```bash
## Get config recorder status
aws configservice describe-configuration-recorder-status

## Get details on config recorder
aws configservice describe-configuration-recorders

## Get counts of all the resources discovered (the flag is the plural --resource-types)
aws configservice get-discovered-resource-counts \
--resource-types AWS::EC2::VPC

## List all the resources discovered
aws configservice list-discovered-resources \
--resource-type "AWS::EC2::VPC"

## List config delivery channels
aws configservice describe-delivery-channels

## Get config delivery channel status
aws configservice describe-delivery-channel-status

## Get config rule details
aws configservice describe-config-rules \
--config-rule-names myconfigrule

## Get config rule status
aws configservice describe-config-rule-evaluation-status \
--config-rule-names myconfigrule

## Get config rule compliance summary
aws configservice get-compliance-summary-by-config-rule

## Get config rule compliance details
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types NON_COMPLIANT &&
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types COMPLIANT
```
Observe that we have some non-compliant resources.
Next, we are going to fix the Config rule non-compliance by creating the required tag on our VPC.
Step 8: Remediate the non-compliant resource in AWS Config.
```bash
## Create a new tag for the VPC (the jq filter is quoted so the shell does not glob the brackets)
VPC_ID=$(aws configservice list-discovered-resources \
--resource-type "AWS::EC2::VPC" | jq -r '.resourceIdentifiers[0].resourceId') &&
aws ec2 create-tags \
--resources $VPC_ID \
--tags Key=owner,Value=debjeet

## Start a new evaluation for the config rule
aws configservice start-config-rules-evaluation \
--config-rule-names myconfigrule

## Get config rule compliance summary
aws configservice get-compliance-summary-by-config-rule

## Wait for the evaluation to complete (it takes around 1 minute on average)

## Get config rule compliance details
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types NON_COMPLIANT &&
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types COMPLIANT
```
Observe that we now have a compliant resource under AWS Config.
Since we created a new tag on the VPC, and AWS Config records every configuration change to it, we can view what exactly changed in the VPC (in this case, a new tag was created).
Step 9: View the configuration history in AWS Config.
```bash
## Get configuration history change
aws configservice get-resource-config-history \
--resource-type AWS::EC2::VPC \
--resource-id $VPC_ID
## Warning: sometimes the above query times out;
## the same thing happens through the console as well

## Check if any Config recordings are delivered to the S3 bucket
aws s3api list-objects \
--bucket s3-for-config-recording \
--prefix "AWSLogs/$ACCOUNT_ID/Config"
## If you don't get the recordings,
## you may have to wait for 1 hour (the minimum delivery interval)
```
You can also view the same information from the AWS console.
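The history call returns one configuration item per recorded state, so "what exactly changed" is the difference between consecutive items. The following is an added example, not code from the page or from AWS: it takes a constructed two-item history in the shape of the `get-resource-config-history` output (two states of the VPC, the later one carrying the `owner` tag and a newly related subnet; only the fields used are reproduced), orders the items oldest-first since the CLI returns them newest-first by default, and reports added, removed and changed tags and configuration keys plus added or removed relationships. The `configuration` member is handled as the JSON string the API returns.

```python
import json

# Constructed sample in the shape of `aws configservice get-resource-config-history` output
# (only the fields used below are reproduced; real items carry more).
SAMPLE_HISTORY = {
    "configurationItems": [
        {
            "resourceType": "AWS::EC2::VPC",
            "resourceId": "vpc-0123456789abcdef0",
            "configurationItemCaptureTime": "2020-01-01T10:05:00.000Z",
            "configurationStateId": "2",
            "tags": {"Name": "test-vpc", "owner": "debjeet"},
            "configuration": json.dumps({"cidrBlock": "10.0.0.0/16", "isDefault": False}),
            "relationships": [
                {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0aaa",
                 "relationshipName": "Contains Subnet"}
            ],
        },
        {
            "resourceType": "AWS::EC2::VPC",
            "resourceId": "vpc-0123456789abcdef0",
            "configurationItemCaptureTime": "2020-01-01T10:00:00.000Z",
            "configurationStateId": "1",
            "tags": {"Name": "test-vpc"},
            "configuration": json.dumps({"cidrBlock": "10.0.0.0/16", "isDefault": False}),
            "relationships": [],
        },
    ]
}


def load_configuration(item):
    """`configuration` arrives as a JSON string from the API; accept a dict too."""
    cfg = item.get("configuration") or {}
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def diff_dicts(before, after):
    """Key-level diff of two flat dicts."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "changed": {k: (before[k], after[k])
                    for k in before.keys() & after.keys() if before[k] != after[k]},
    }


def relationship_keys(item):
    """Hashable identity of each relationship so the sets can be compared."""
    return {(r["resourceType"], r["resourceId"], r.get("relationshipName", ""))
            for r in item.get("relationships") or []}


def diff_configuration_items(older, newer):
    """Describe what changed between two consecutive configuration items of one resource."""
    return {
        "resourceId": newer["resourceId"],
        "from": older["configurationItemCaptureTime"],
        "to": newer["configurationItemCaptureTime"],
        "tags": diff_dicts(older.get("tags") or {}, newer.get("tags") or {}),
        "configuration": diff_dicts(load_configuration(older), load_configuration(newer)),
        "relationships": {
            "added": sorted(relationship_keys(newer) - relationship_keys(older)),
            "removed": sorted(relationship_keys(older) - relationship_keys(newer)),
        },
    }


def change_timeline(history):
    """Sort items oldest-first (the CLI returns newest-first) and diff each consecutive pair."""
    items = sorted(history["configurationItems"],
                   key=lambda i: i["configurationItemCaptureTime"])
    return [diff_configuration_items(a, b) for a, b in zip(items, items[1:])]


if __name__ == "__main__":
    for change in change_timeline(SAMPLE_HISTORY):
        print(json.dumps(change, indent=2))
```

Feed it the JSON from `get-resource-config-history` and every entry in the timeline is one recorded change; here the only tag change is the added `owner` tag, which is exactly the remediation performed in Step 8.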
Step 10: Delete the Config rule and disable the Config service
```bash
## Stop config recorder
aws configservice stop-configuration-recorder \
--configuration-recorder-name myconfig

## Delete config rule
aws configservice delete-config-rule \
--config-rule-name myconfigrule

## Delete config delivery channel
aws configservice delete-delivery-channel \
--delivery-channel-name myconfig

## Disable config service
aws configservice delete-configuration-recorder \
--configuration-recorder-name myconfig

## Delete the S3 bucket with objects (configuration items)
aws s3 rb \
s3://s3-for-config-recording --force

## Delete IAM Role & Policy
aws iam detach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy &&
aws iam delete-role \
--role-name config_iam_role
```
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.
https://docs.aws.amazon.com/config/index.html
Please refer to the documentation below for the full list of AWS-provided (managed) Config rules.
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html