How To Enable AWS Config Service Using API
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed the key concepts of AWS Config service.
https://cloudaffaire.com/key-concepts-of-aws-config-service/
In today's blog post, we will discuss how to enable AWS Config service using the API. You can enable AWS Config on your AWS account for a specific region, either for all supported resources or for a subset of them. AWS Config acts as a CMDB for the part of your AWS landscape where it is enabled, recording every configuration change.
When you enable AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder.
By default, AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
How To Enable AWS Config Service Using API:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an S3 bucket with a proper bucket policy to store Config recordings.

```bash
## Create a S3 bucket to store config recordings
## Create the S3 bucket
aws s3api create-bucket \
--bucket s3-for-config-recording \
--region ap-south-1 \
--create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
cat <<'EOF' > config_bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-config-recording/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
--bucket s3-for-config-recording \
--policy file://config_bucket_policy.json
```
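Before running put-bucket-policy it is worth checking that the policy file grants exactly what Config needs and nothing broader. The checker below is an added example (not part of the original post or of any AWS tooling); it assumes the policy is passed as a JSON string and that the bucket name and the sample policy are constructed placeholders.

```python
"""Added example (not from the original post): check a Config bucket policy
before put-bucket-policy. Verifies config.amazonaws.com gets the three actions
AWS Config needs on the right ARNs, that s3:PutObject carries the
bucket-owner-full-control condition, and that no Allow statement is open to "*"."""
import json

CONFIG_SERVICE = "config.amazonaws.com"
# action -> suffix appended to the bucket ARN that the action must target
NEEDED = {"s3:GetBucketAcl": "", "s3:ListBucket": "", "s3:PutObject": "/*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_config_bucket_policy(policy_json, bucket):
    """Return a list of problems; an empty list means the policy is usable."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems, found = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid") or "<no Sid>", stmt.get("Principal")
        p = principal if isinstance(principal, dict) else {"AWS": principal}
        if "*" in _as_list(p.get("AWS", [])):  # "*" or {"AWS": "*"}
            problems.append(f"{sid}: Allow statement is open to any principal")
            continue
        if CONFIG_SERVICE not in _as_list(p.get("Service", [])):
            continue  # statements for other principals are not checked here
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        for action, suffix in NEEDED.items():
            if action not in actions or bucket_arn + suffix not in resources:
                continue
            if action == "s3:PutObject":
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                    problems.append(f"{sid}: s3:PutObject lacks the bucket-owner-full-control condition")
                    continue
            found.add(action)
    problems += [f"no statement grants {a} to {CONFIG_SERVICE}" for a in NEEDED if a not in found]
    return problems


# Constructed sample: the delivery statement is missing the ACL condition.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Check", "Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": ["s3:GetBucketAcl", "s3:ListBucket"], "Resource": "arn:aws:s3:::demo-config"},
    {"Sid": "Deliver", "Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::demo-config/*"}]})

if __name__ == "__main__":
    print(check_config_bucket_policy(SAMPLE_POLICY, "demo-config"))
```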
Step 2: Create an IAM role for AWS Config service with a proper policy.

```bash
## Create an IAM role for Config
## Create assume role policy definition
cat <<'EOF'> config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
--role-name config_iam_role \
--assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<'EOF' > config_iam_policy.json
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource":[
        "arn:aws:s3:::s3-for-config-recording/*"
      ],
      "Condition":{
        "StringLike":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetBucketAcl"
      ],
      "Resource":"arn:aws:s3:::s3-for-config-recording"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy \
--policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```
Step 3: Enable AWS Config service using the AWS CLI.

```bash
## Create recording group configuration
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": ["AWS::EC2::RouteTable","AWS::EC2::SecurityGroup","AWS::EC2::Subnet","AWS::EC2::VPC"]
}
EOF

## Enable AWS Config using AWS CLI (jq is used to read the account id)
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/config_iam_role &&
aws configservice put-configuration-recorder \
--configuration-recorder name=myconfig,roleARN=$IAM_ROLE_ARN \
--recording-group file://config_recording_group.json
```
Note that we are enabling AWS Config for only a specific subset of the supported resources by defining a custom recording group.
Warning: There is additional cost associated with AWS Config; please refer to the documentation below for the latest AWS Config pricing.
https://aws.amazon.com/config/pricing/
Step 4: Create a Config delivery channel (S3 in our case) to store all the Config recordings.

```bash
## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel.json
{
  "name": "myconfig",
  "s3BucketName": "s3-for-config-recording",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "One_Hour"
  }
}
EOF

## Create config delivery channel object
aws configservice put-delivery-channel \
--delivery-channel file://config_delivery_channel.json
```
Step 5: Start Config recording.

```bash
## Starts recording configurations of recording group
aws configservice start-configuration-recorder \
--configuration-recorder-name myconfig

## Get config recorder status
aws configservice describe-configuration-recorder-status
```
Note: AWS Config will take some time to discover all the resources, create the initial configuration items and deliver them to the S3 bucket. Wait until the status of the Config recorder is "SUCCESS" before proceeding to the next step.
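Rather than waiting an arbitrary time, the readiness check can be automated by classifying the describe-configuration-recorder-status response. The following is an added example (not from the original post); it assumes the recorder is named myconfig as above, that the aws CLI is on PATH, and that SAMPLE_STATUS is a constructed response.

```python
"""Added example (not from the original post): decide whether the recorder from
Step 5 has reached lastStatus == "SUCCESS" and poll
describe-configuration-recorder-status until it does."""
import json
import subprocess
import time


def recorder_state(status_doc, name="myconfig"):
    """Classify one recorder from a describe-configuration-recorder-status
    response. Returns (state, detail) with state one of
    "ready", "pending", "stopped", "failed" or "missing"."""
    for rec in status_doc.get("ConfigurationRecordersStatus", []):
        if rec.get("name") != name:
            continue
        if not rec.get("recording", False):
            return "stopped", "recorder exists but start-configuration-recorder has not run"
        status = rec.get("lastStatus", "PENDING")
        if status == "SUCCESS":
            return "ready", rec.get("lastStatusChangeTime", "")
        if status == "FAILURE":
            return "failed", f"{rec.get('lastErrorCode', '?')}: {rec.get('lastErrorMessage', '')}"
        return "pending", "no delivery has completed yet"
    return "missing", f"no recorder named {name!r}; check put-configuration-recorder"


def wait_for_recorder(name="myconfig", timeout=900, interval=30):
    """Poll the AWS CLI until the recorder is ready; raise on failure or timeout."""
    deadline = time.monotonic() + timeout
    while True:
        out = subprocess.run(
            ["aws", "configservice", "describe-configuration-recorder-status"],
            check=True, capture_output=True, text=True).stdout
        state, detail = recorder_state(json.loads(out), name)
        if state == "ready":
            return detail
        if state in ("failed", "missing"):
            raise RuntimeError(f"recorder {name}: {state} ({detail})")
        if time.monotonic() > deadline:
            raise TimeoutError(f"recorder {name} still {state} after {timeout}s: {detail}")
        time.sleep(interval)


# Constructed sample response, as returned before the first delivery completes.
SAMPLE_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "myconfig", "recording": True, "lastStatus": "PENDING"}]}

if __name__ == "__main__":
    print(recorder_state(SAMPLE_STATUS))
```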
Step 6: Get details for AWS Config.

```bash
## Get details on config recorder
aws configservice describe-configuration-recorders

## Get counts of the resources discovered (the option is --resource-types and takes a list)
aws configservice get-discovered-resource-counts \
--resource-types AWS::EC2::VPC

## List all the resources discovered
aws configservice list-discovered-resources \
--resource-type "AWS::EC2::VPC"

## List config delivery channels
aws configservice describe-delivery-channels

## Get default config delivery channel status
aws configservice describe-delivery-channel-status

## Get configuration history change
VPC_ID=$(aws configservice list-discovered-resources \
--resource-type "AWS::EC2::VPC" | jq -r .resourceIdentifiers[0].resourceId) &&
aws configservice get-resource-config-history \
--resource-type AWS::EC2::VPC \
--resource-id $VPC_ID
## Warning: sometimes the above query times out;
## the same thing happens through the console as well

## Check if any Config recordings are delivered to the S3 bucket
## (ACCOUNT_ID was set in Step 3)
aws s3api list-objects \
--bucket s3-for-config-recording \
--prefix "AWSLogs/$ACCOUNT_ID/Config"
```
We have successfully enabled AWS config service.
Next, we will delete all the resources created in this demo, as there are costs associated with them.
Step 7: Disable AWS Config service and delete all the resources.

```bash
## Clean-up
## Stop config recorder
aws configservice stop-configuration-recorder \
--configuration-recorder-name myconfig

## Delete config delivery channel
aws configservice delete-delivery-channel \
--delivery-channel-name myconfig

## Disable config service
aws configservice delete-configuration-recorder \
--configuration-recorder-name myconfig

## Delete the S3 bucket with objects (configuration items)
aws s3 rb \
s3://s3-for-config-recording --force

## Delete IAM Role & Policy for Config
aws iam detach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole &&
aws iam delete-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy &&
aws iam delete-role \
--role-name config_iam_role
```
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.
https://docs.aws.amazon.com/config/index.html