“AWS Config” assesses, audits, and evaluates the compliance of your AWS resources.
Features
- “AWS Config” continuously monitors and records AWS resource configurations.
- Check compliance of a resource over time
- Check configuration of a resource over time
- Check CloudTrail API calls of a resource over time (if enabled)
- It is a per-region service.
- Can be aggregated across regions and accounts.
- It can check things such as:
  - Security Groups: Is there unrestricted SSH access?
  - S3: Is there any bucket that has any public access?
  - EBS: Is the volume encrypted?
- It evaluates recorded configurations against desired configurations.
Config Rules
Rules
- Rules are criteria to validate whether your resources are compliant or not.
- Rules are your desired configuration settings.
- Predefined (AWS-managed) rules and custom rules
- Rules do NOT prevent actions from happening. (NO DENY)
- When a violation is found, you can remediate automatically and/or be notified.
- Examples (S3)
  - s3-bucket-server-side-encryption-enabled
  - s3-bucket-public-read-prohibited
  - s3-bucket-public-write-prohibited
Automatic Remediation
- Automate remediation of non-compliant resources using SSM Automation Documents
  - using AWS-managed or custom Automation Documents
- You can set Remediation Retries if the resource is still non-compliant after the automatic remediation.
Notification
- Set up the EventBridge rule to trigger notifications (to SNS, SQS, or Lambda) when your resources are NON-COMPLIANT.
  {
    "version": "0",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    ...
    "detail": {
      "messageType": "ComplianceChangeNotification",
      ...
      "newEvaluationResult": {
        ...
        "complianceType": "NON_COMPLIANT"
      }
    }
  }
Use Cases
cloudformation-stack-drift-detection-check
- Checks if the actual configuration of an AWS CloudFormation stack has drifted from the expected configuration.
Configuration Recorder
- A configuration item represents a point-in-time view of the various attributes of a supported AWS resource.
- A recorder stores the configurations of the supported resources in your account as configuration items.
- You can use CloudFormation StackSets and AWS Organizations to enable the Recorder in multiple accounts.
- Apply an SCP to prevent users from disabling AWS Config, for example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "config:DeleteConfigRule",
          "config:DeleteConfigurationRecorder",
          "config:StopConfigurationRecorder",
          "config:DeleteDeliveryChannel"
        ],
        "Resource": "*"
      }
    ]
  }
Multi-Account Config
- You can manage AWS Config rules across all AWS accounts within an Organization.
- You can deploy a common set of AWS Config rules across all accounts and specify accounts where the rules should not be created.
- From the master account in AWS Organizations, you can enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.
  - Create an organization-level rule
  - Set up an SCP that prevents any modifications that would stop the rule from running.
Aggregators
- In a central aggregator (management) account, you can combine rules and resources across multiple accounts and regions.
- The rules must be deployed across all accounts.
- You can deploy rules to multiple accounts using CloudFormation StackSets.
Conformance Pack
- A collection of AWS Config rules and remediation actions in YAML
- Can be deployed as a single entity in an account and a Region, or across an organization in AWS Organizations.
- You can use SSM Documents to store your conformance packs.
- Customization
  - You can include custom Config rules, which are backed by Lambda functions that check whether the resources are compliant with the rules.
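As an added example (not code from these notes), a Python Lambda handler for a custom Config rule that implements the EBS check listed under Features: it reads the configuration item out of the invocation event, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports the result back with PutEvaluations. The RecordingConfigClient, the placeholder volume id and result token, and sample_event are constructed here so the code runs offline; inside Lambda the real boto3 client is used.

```python
import json

# Added example: a Lambda-backed custom Config rule (not code from the notes).
# Rule: every AWS::EC2::Volume must be encrypted. Config invokes the function with
# "invokingEvent", a JSON string carrying the configuration item to evaluate.

def evaluate_compliance(item, event_left_scope=False):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if event_left_scope or item["configurationItemStatus"].startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource deleted or out of rule scope"
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if item["configuration"].get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted"
    return "NON_COMPLIANT", "Volume is not encrypted"

def lambda_handler(event, context=None, config_client=None):
    """Evaluate the item in the event and report the result to AWS Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item, event.get("eventLeftScope", False))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # real client inside Lambda; offline callers inject a stub
        config_client = boto3.client("config")
    # ResultToken ties this evaluation back to the invocation that requested it.
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class RecordingConfigClient:
    """Offline stand-in for the boto3 Config client: records PutEvaluations calls."""
    def __init__(self):
        self.calls = []
    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

def sample_event(encrypted, status="OK"):
    """Constructed invocation event for one EBS volume (placeholder ids, not a capture)."""
    item = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": status, "configuration": {"encrypted": encrypted},
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "eventLeftScope": False, "resultToken": "example-result-token"}
```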
