AWS Config records the configuration of your AWS resources and keeps a history of how each configuration changes over time. The service is designed to simplify resource tracking and management: it organizes configurations by resource type and captures every change, so you do not have to set up your own resource monitoring or build a dedicated database for your configs.
AWS Config Custom Rules let you write your own compliance checks. Each custom rule is associated with an AWS Lambda function that contains the logic deciding whether a given AWS resource complies with the rule.
A resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
There are two types of Config Rules:
- AWS Managed Config Rules
- Custom Config rules
Config Rules extend AWS Config from recording configuration to evaluating it. A rule compares the recorded configuration of a resource against a condition you choose, and that condition can take other resources in the same account and region into account. The evaluation runs automatically whenever a resource changes (or on a schedule), so compliance and configuration risk are assessed continuously rather than in a manual review.
AWS Managed Config Rules are the rules AWS provides out of the box. There are managed rules for most services, including EC2, VPC and EBS volumes. When this article was written there were 120 managed rules; AWS adds new ones regularly, so check the current list in the console or documentation.
Config Rules vs. Conformance Packs
A Conformance Pack is a collection of Config Rules, packaged together with the remediation actions to take when a resource is found noncompliant, that is deployed and managed as a single unit. Packaging rules with their remediation makes it easier to operate large or complex cloud environments without a lot of manual work, and the pack reports compliance as a whole, which simplifies generating compliance reports and maintaining overall compliance.
Conformance Packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can deploy the template by using the AWS Config console or the AWS CLI.
Conformance packs are charged using a tiered pricing model based on the number of conformance pack evaluations you run each month.
While Conformance Packs are more capable in certain ways, they are not the best solution in every situation. Compared with AWS Security Hub, for instance, Conformance Packs give you more granular control over which rules run and how findings are remediated, but without the managed security standards and the aggregation of findings that Security Hub provides. AWS Security Hub is the better option when you want to automate compliance against a published standard with less configuration of your own.
The same trade-off applies against plain Config Rules. As mentioned, conformance pack evaluations are charged in addition to the underlying AWS Config usage, so decide deliberately when to use the feature if you want to keep the running costs of your cloud environment to a minimum. As a framework for building and deploying configuration compliance packages, however, the tool is invaluable.
How Do AWS Config Rules Work?
Example: Config Rule for VPC Flow Logs Creation
Suppose a Config Rule checks that every VPC has flow logs enabled. The rule is evaluated whenever the VPC's recorded configuration changes and first checks whether flow logs exist for it. If the flow logs that were created for the VPC are deleted, the next evaluation marks the VPC as noncompliant. The evaluation itself only reports; to recreate the flow logs you attach a remediation action to the rule, which triggers an automation (a Systems Manager Automation document or a Lambda function it invokes) that creates the flow logs again. In this manner, Config Rules can be used both to detect configuration drift and to correct it.
Getting Started with AWS Config Rules
Use Config Rules for security best practices and cost optimization. Follow these guidelines to begin. Below is the landing page of the AWS Config console. Click the 'Get started' button to enable Config in your AWS account.
As shown in the image below, select the option to record all resources, including global resources such as IAM. In the settings, choose the S3 bucket that will store configuration history and snapshots, an SNS topic for change notifications, and the service-linked role that Config will use.
Choose from the rules offered for 'all resources' (83 at the time of writing), or select only the specific rules you need.
After enabling the service, you will reach the dashboard shown below.
The dashboard lists which rules are compliant and which are noncompliant, along with the resources each one evaluated.
Custom Rules for AWS Config
There are several ways to deliver a Custom Config Rule, but the evaluation logic itself runs in an AWS Lambda function. Since Lambda is serverless and event-driven, you do not have to maintain a separate EC2 instance or keep a compute engine running just to handle configuration changes and compliance evaluations.
Developing a Custom Config Rule can be divided into two parts: creating the AWS Lambda function that evaluates the rule, and creating the Custom Rule itself from the AWS Config console. Setting up the Lambda function is fairly straightforward. The first prerequisite is a cloud environment running in a supported AWS region.
Go to the AWS Lambda console and create a Lambda function. You can start from a blueprint; in this case, choose config-rule-change-triggered. Configure the trigger from the Configure Triggers menu, then define the function code from the Configure Function page. Select whether the rule is triggered by configuration changes or on a periodic schedule. The scope of changes can also be selected. It can be either:
- all changes
- particular resources
As with other Lambda functions, you have to choose a runtime and create an execution role for the function. The Config blueprints are written in Node.js, but any supported runtime can be used for a Custom Config Rule. You can pick a policy template from Amazon so that the role is sufficient but not over-privileged: at a minimum it needs config:PutEvaluations to report results (and config:GetResourceConfigHistory if the rule handles oversized configuration items), and AWS Config must itself be granted lambda:InvokeFunction on the function, which the console adds as a resource-based policy when you create the rule.
Amazon lets you test the newly created function by running a test event. Set up a test event that mimics what AWS Config sends, to make sure the new Lambda function recognizes the trigger and reports the expected compliance result. Once this step is complete, continue by creating a Custom Rule (or several) that invokes the function.
Configuring a Custom Rule
From the AWS Config Console, access the Rules page and add a new rule.
Using the console, you can define the Custom Config Rule for your resources without difficulty. For example, you can require that all EC2 instances be of a certain type (e.g. P3 instances of a predefined size).
Set the trigger type to Configuration changes, then scope the rule to the resource type it evaluates, in this case EC2 instances. You then have the option to define rule parameters for this particular Config Rule, which are passed to the Lambda function on every evaluation. Add desiredInstanceType as the parameter key, set its value to p3.2xlarge, and you are all set.
Save the Config Rule and AWS Config will evaluate every in-scope resource in your account. You will see the results of the evaluation based on the parameters you defined. Any resource that does not satisfy the rule is flagged as noncompliant on the dashboard, and if you configured an SNS topic you are notified of the change in compliance status.
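The Lambda function behind the rule described above, as an added example written for this article (not Ibexlabs' or AWS's own code). It implements the AWS Config contract for change-triggered custom rules: parse the invoking event, evaluate the configuration item, and report the verdict with put_evaluations. The parameter name desiredInstanceType and the sample event are assumptions and constructed input; the example also handles the cases a first attempt usually misses, namely a deleted resource, a resource that left the rule's scope, a missing parameter (it fails closed), and an oversized change notification that carries only a summary.

```python
"""Custom AWS Config rule: every EC2 instance must be of the desired instance type.

Added example for this article, not code from Ibexlabs or AWS. The parameter name
`desiredInstanceType` and the sample event below are assumptions / constructed input.
"""
import json

PARAM_NAME = "desiredInstanceType"        # rule parameter set in the Config console
APPLICABLE_TYPES = ("AWS::EC2::Instance",)


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item["resourceType"] not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        # A deleted instance cannot be non-compliant; NOT_APPLICABLE clears stale results.
        return "NOT_APPLICABLE", "Resource was deleted"
    desired = rule_parameters.get(PARAM_NAME)
    if not desired:
        # Fail closed: a misconfigured rule must not silently mark everything compliant.
        return "NON_COMPLIANT", f"Rule parameter {PARAM_NAME} is not set"
    actual = (configuration_item.get("configuration") or {}).get("instanceType")
    if actual == desired:
        return "COMPLIANT", f"Instance type {actual} matches {desired}"
    return "NON_COMPLIANT", f"Instance type {actual} does not match {desired}"


def fetch_full_item(config_client, summary):
    """Oversized change notifications carry only a summary; fetch the full item."""
    history = config_client.get_resource_config_history(
        resourceType=summary["resourceType"],
        resourceId=summary["resourceId"],
        laterTime=summary["configurationItemCaptureTime"],
        limit=1,
    )
    item = history["configurationItems"][0]
    # In this API response `configuration` is a JSON string, not a dict.
    if isinstance(item.get("configuration"), str):
        item["configuration"] = json.loads(item["configuration"])
    return item


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config. Returns the evaluation it reported."""
    if config_client is None:
        import boto3  # real client only when running inside Lambda
        config_client = boto3.client("config")

    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    message_type = invoking_event.get("messageType")

    if message_type == "ConfigurationItemChangeNotification":
        item = invoking_event["configurationItem"]
    elif message_type == "OversizedConfigurationItemChangeNotification":
        item = fetch_full_item(config_client, invoking_event["configurationItemSummary"])
    else:
        raise ValueError(f"Unsupported messageType {message_type}; rule is change-triggered")

    if event.get("eventLeftScope"):
        compliance, note = "NOT_APPLICABLE", "Resource left the rule's scope"
    else:
        compliance, note = evaluate_compliance(item, rule_parameters)

    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # API limit on annotation length
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler can run offline."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def build_sample_event(instance_type, status="OK", desired="p3.2xlarge"):
    """Constructed sample of what AWS Config sends the Lambda (not a captured event)."""
    configuration_item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",          # hypothetical instance id
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"instanceType": instance_type},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": configuration_item}),
        "ruleParameters": json.dumps({PARAM_NAME: desired}),
        "resultToken": "constructed-token",
        "eventLeftScope": False,
    }


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(build_sample_event("t3.micro"), None, config_client=client))
```

Deploy lambda_handler as the function's handler and leave config_client unset; the recording client is only for local tests and the console test event. Returning the evaluation from the handler is what makes the function testable without calling AWS, and the fail-closed branch matters in practice: a rule that returns COMPLIANT when its parameter is missing looks healthy on the dashboard while checking nothing.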
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.