Amazon AWS Config Rules and Management

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.

AWS Config Rules is a new set of cloud governance capabilities that allow IT Administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of pre-built rules based on common AWS best practices or custom rules that you define.

AWS Config Key Essentials

1. Settings

AWS Config is initially set up with basic settings to start monitoring changes to the resources. The Settings section asks for the following parameters to switch on AWS Config.

Resource types to record – Select the types of AWS resources for which you want AWS Config to record configuration changes. By default, AWS Config records configuration changes for all supported resources. You can also choose to record configuration changes for supported global resources (like IAM) in this region.

At the time of writing, AWS Config supports the following AWS services:

  • EC2

  • VPC

  • IAM

  • CloudTrail

You can choose to monitor all resources of a service, or only specific resource types such as Security Groups, Instances, Subnets and Route Tables.

Ideally, we recommend monitoring the important resources via AWS Config rather than every resource of a service.

Amazon S3 Bucket – Provide the S3 bucket information to receive configuration history and configuration snapshot files, which contain details for the resources that AWS Config records.

Amazon SNS Topic – Choose or create an SNS topic to deliver configuration change notifications to the operations teams via e-mail.

IAM Role & Policy – AWS Config needs read-only access to record the configuration of our resources, and to deliver these configurations to Amazon S3 and Amazon SNS. AWS Config will create an IAM role that grants the following permissions:

  1. Read access to your resource configurations using the Describe or List interface for AWS services.

  2. Deliver configuration data to our Amazon SNS Topic and Amazon S3 Bucket.

We can also choose to use an existing role and update the role policy to give AWS Config appropriate permissions.

This role is automatically customized based on the resources and services we select when we choose the resource types to record.

2. Rules

Rules represent our desired configuration settings. AWS Config evaluates whether our resource configurations comply with the relevant rules and summarizes the results in a table in the Rules section of the console.

Amazon AWS allows rules in two forms: AWS Managed Rules and Customer Managed Rules.

AWS Managed Rules – These are customizable, predefined rules, which AWS Config provides to help you start ongoing evaluations for common needs. You can use the AWS Config console to select one of these rules, customize it for your needs, and activate it.

At the time of writing, Amazon AWS provides a predefined set of Managed Rules, and AWS will add more Managed Rules in future.

Customizing an existing Managed Rule

The rule can be triggered based on “Configuration Changes” or “Periodic” (every 1, 3, 6, 12 or 24 hours).

Depending on our resources and their criticality, we can choose the trigger type.

As soon as we save the rule, it evaluates the current configuration for the first time.


Once the evaluation is done, it generates a report listing the resources which are non-compliant.

Customer Managed Rules – These are custom rules that we develop and add to AWS Config. Before we can add a customer managed rule, we must first create an AWS Lambda function that contains the evaluation logic for our rule.

Amazon AWS encourages developers with a Git repository of custom AWS Config rules implemented as AWS Lambda functions: https://github.com/awslabs/aws-config-rules/blob/master/RULES.md

When any rule finds resources non-compliant with their configured settings, AWS Config uses its SNS topic to deliver information about these non-compliant resources to the e-mail addresses subscribed to that topic.

AWS Config Use Cases

AWS Config has various use cases. Here are a few that we have outlined.

  • Using AWS Config we can keep track of the changes occurring to AWS resources, and of the impact of each change on the related resources.

  • Set up AWS compliance rules such as: MFA enabled for all IAM users, IAM password policies, untagged resources, and unused EBS volumes.

  • Set up AWS security rules such as: Security Group changes involving blocked ports, Security Groups with publicly opened ports, and AWS console login users that also hold AWS access keys.
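As an added example (not code from the article or from the awslabs repository), here is the shape of the Lambda function behind a customer managed rule for the "Security Groups with publicly opened ports" check above: the evaluation logic is a pure function over the configuration item AWS Config hands the rule, and the handler reports the verdict with PutEvaluations. The blockedPorts rule parameter, its default port set and the sample item are assumptions constructed for the example.

```python
import json

DEFAULT_BLOCKED_PORTS = {22, 3389, 3306, 5432}  # assumed default; overridable via rule parameter
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _covers_blocked_port(perm, blocked_ports):
    # ipProtocol "-1" (all traffic) or a missing fromPort/toPort means every port is covered
    if perm.get("ipProtocol", "-1") == "-1" or perm.get("fromPort") is None:
        return True
    return any(perm["fromPort"] <= p <= perm.get("toPort", perm["fromPort"]) for p in blocked_ports)

def _open_to_world(perm):
    # AWS Config records security group rules in lowerCamelCase: ipRanges[].cidrIp, ipv6Ranges[].cidrIpv6
    cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)

def evaluate_security_group(item, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Pure evaluation of one configuration item -> (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup" or item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "not a live security group"
    bad = ["%s %s-%s" % (p.get("ipProtocol"), p.get("fromPort"), p.get("toPort"))
           for p in item.get("configuration", {}).get("ipPermissions", [])
           if _open_to_world(p) and _covers_blocked_port(p, blocked_ports)]
    if bad:
        return "NON_COMPLIANT", "ingress open to the world: " + "; ".join(bad)
    return "COMPLIANT", "no blocked port is open to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    """Entry point AWS Config invokes on a configuration change; reports the verdict with PutEvaluations."""
    import boto3  # imported here so evaluate_security_group() stays testable without boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in params.get("blockedPorts", "").split(",") if p.strip()}
    compliance, note = evaluate_security_group(item, ports or DEFAULT_BLOCKED_PORTS)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])

# Constructed sample item (not real account data): SSH open to the world is flagged, HTTPS open is fine,
# MySQL restricted to an internal range is fine.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example", "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-01-01T00:00:00.000Z", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}}
```

Deployed as the rule's Lambda with a "Configuration Changes" trigger on AWS::EC2::SecurityGroup, each change to a security group is evaluated and non-compliant groups show up in the Rules table and the SNS notifications described above.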

Pricing

While using the AWS Config & Rules, there are multiple cost components that you should be aware of.

  • $0.003 per Configuration Item recorded (a one-time cost per item)

  • Configuration Item – A Configuration Item is a record of the configuration of a resource in our AWS account. Read more about Configuration Items: http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#config-item-table

  • $2 for every active rule per month

  • Customer managed rules are authored using AWS Lambda. Standard rates for AWS Lambda apply.

  • Configuration snapshots and configuration history files are delivered to us in the Amazon S3 bucket that we choose, and configuration change notifications are delivered via Amazon Simple Notification Service (SNS). Standard rates for Amazon S3 and Amazon SNS apply.

Partner Support

Since its launch, AWS Config has become a vital service for tracking configuration changes, audit history, compliance and security.

Members of the AWS Partner Network (APN) have been working with AWS Config in order to address a variety of customer use cases.

Launch partners for AWS Config include:

  1. 2nd Watch

  2. CloudCheckr

  3. CloudNexa

  4. Evident.IO

  5. Red Hat Cloud Forms

  6. RedSeal Networks

  7. Splunk

Recommendation

We would highly recommend using AWS Config for key resources like Security Groups, Route Tables, Subnets and IAM, and Config Rules for compliance and security checks.

1 Comment

  1. Nice article. How does it help developers in terms of balancing day-to-day life?
