How To Create A Custom AWS Config Rule Using RDK
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed AWS Config rules with examples.
https://cloudaffaire.com/aws-config-rules-with-examples/
In this blog post, we will discuss how to create a custom AWS Config rule using the Rule Development Kit (RDK). AWS provides many AWS managed Config rules that you can use directly with the AWS Config service. But sometimes you may need a custom Config rule for a specific requirement that no AWS managed rule covers. You can create a custom Config rule manually by writing the rule configuration yourself together with a Lambda function that evaluates your configuration items.
If you don't want to go through that hassle, there is an alternative: create the custom Config rule using the Rule Development Kit (RDK), which, combined with the community supported custom Config rules, lets you set up AWS Config and deploy a custom rule in less than five minutes.
RDK is a set of programs written mainly in Python (boto3) that create and configure AWS Config in your AWS landscape on your behalf. It uses CloudFormation to deploy the resources AWS Config needs. You can use custom Config rules provided by RDK or by the community. If your requirements are still not covered, you can use RDK to develop a new custom rule, and once you are satisfied with it, you can contribute it to the community by adding it to the ever growing list of community supported custom Config rules.
How To Create A Custom AWS Config Rule Using RDK:
Prerequisites:
- Python and PIP
- AWS CLI installed and configured with proper access. You can use the links below to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Install RDK in your local system.
## Install RDK in your local system using pip
pip install rdk
## Check if the rdk installation was successful
rdk
## Should return something similar to below
## usage: rdk [-h] [-p PROFILE] [-k ACCESS_KEY_ID] [-s SECRET_ACCESS_KEY] [-r REGION] [-v]
## rdk: error: the following arguments are required:
Step 2: Initialize Rule Development Kit (RDK)
## Create a directory
mkdir aws_config && cd aws_config
## Initialize AWS Config
rdk init
## Running init!
## Creating Config bucket config-bucket-
## Creating IAM role config-role
## Waiting for IAM role to propagate
## Creating delivery channel to bucket config-bucket-
## Config Service is ON
## Config setup complete.
## Creating Code bucket config-rule-code-bucket-
Warning: There are additional costs associated with AWS Config. Please refer to the latest AWS pricing documentation for details.
If you have already enabled and set up AWS Config, RDK will just validate your configuration. If you have not enabled and configured AWS Config, RDK will create the necessary IAM role, S3 bucket and Config recorder for you.
Next, we are going to deploy an AWS community provided custom Config rule in our AWS Config.
Step 3: Deploy a custom config rule using rdk.
## Clone the git repo for community supported Config rules
git clone https://github.com/awslabs/aws-config-rules
## Check the custom rules
ls aws-config-rules/python
## Deploy a custom Config rule
cd aws-config-rules/python && rdk deploy IAM_USER_MFA_ENABLED
This will set up the required permissions, IAM role, custom Config rule and a Lambda function for rule evaluation using a CloudFormation stack.
We have successfully deployed a new custom Config rule using rdk. Next, we are going to delete all the resources created in this blog.
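To make concrete what the Lambda function behind a rule like IAM_USER_MFA_ENABLED actually does, here is an added example of the evaluation logic in the shape in which AWS Config invokes a custom rule. This is not code from the CloudAffaire post, the aws-config-rules repository or RDK: the MFA device lookup is a constructed dictionary standing in for the boto3 IAM call, the "ExemptUsers" rule parameter is a hypothetical parameter invented for the example, and the put_evaluations call is left as a comment so the module runs offline. The event field names (invokingEvent, ruleParameters, resultToken, configurationItem) are the ones AWS Config passes to a custom rule Lambda.

```python
"""Added example of a custom AWS Config rule evaluator (not the page's or RDK's
own code). Runs offline: IAM and Config API calls are replaced by constructed
data and comments."""
import json

# Constructed stand-in for the IAM lookup a deployed rule would make with boto3
# (iam.list_mfa_devices(UserName=...)): user name -> list of MFA device serials.
SAMPLE_MFA_DEVICES = {
    "alice": ["arn:aws:iam::123456789012:mfa/alice"],
    "bob": [],
}


def evaluate_compliance(configuration_item, rule_parameters, mfa_devices_by_user):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::IAM::User":
        return "NOT_APPLICABLE"
    # A deleted resource carries nothing to judge; reporting NOT_APPLICABLE lets
    # Config drop any earlier finding instead of leaving a stale NON_COMPLIANT.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    user_name = configuration_item["resourceName"]
    # "ExemptUsers" is a hypothetical rule parameter (comma-separated user names).
    exempt = {u.strip() for u in rule_parameters.get("ExemptUsers", "").split(",") if u.strip()}
    if user_name in exempt:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if mfa_devices_by_user.get(user_name) else "NON_COMPLIANT"


def build_evaluations(event, mfa_devices_by_user):
    """Parse the Config invocation event into the evaluation records a deployed
    rule would pass to config.put_evaluations(Evaluations=..., ResultToken=...)."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, rule_parameters, mfa_devices_by_user),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Entry point in the shape AWS Config invokes the rule's Lambda function."""
    evaluations = build_evaluations(event, SAMPLE_MFA_DEVICES)
    # In a deployed rule the result is reported back to Config:
    #   boto3.client("config").put_evaluations(
    #       Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


def make_event(user_name, resource_id, status="OK", exempt_users=""):
    """Build a constructed invocation event for an IAM user change notification."""
    configuration_item = {
        "resourceType": "AWS::IAM::User",
        "resourceId": resource_id,
        "resourceName": user_name,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": configuration_item,
        }),
        "ruleParameters": json.dumps({"ExemptUsers": exempt_users}),
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    for name, rid in (("alice", "AIDAEXAMPLE0001"), ("bob", "AIDAEXAMPLE0002")):
        print(name, lambda_handler(make_event(name, rid), None)[0]["ComplianceType"])
```

The structure is what matters when you write your own rule with RDK: parse the invoking event, decide per configuration item, and hand the verdict back with the result token. Returning NOT_APPLICABLE for deleted resources and exempted users keeps the compliance dashboard from filling with stale or intentional findings, which is the difference between a rule people watch and one they mute.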
Step 4: Clean-up
## Clean up
rdk clean --force
Warning: This is for demo purposes only; do not execute the above command in a live environment. It deletes all the resources deployed by the CloudFormation stack and reverts the changes made by rdk init.
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.
https://docs.aws.amazon.com/config/index.html
Community supported custom config rules GitHub repo
https://github.com/awslabs/aws-config-rules/
Rule Development Kit (RDK) GitHub repo
https://github.com/awslabs/aws-config-rdk