AWS Certified Security Specialty - SCS-C02 Study notes - Part 3
AWS Config
- AWS Config will show you what has changed after an incident.
  - What did the attacker do?
AWS Config is a configuration recorder: it records the configuration of supported resources over time.
Can evaluate resources instantly or on a schedule.
It can be used with Lambda and Systems Manager to bring resources back into compliance.
- Remediation actions can delete or reconfigure out-of-compliance resources.
- Some issues can be remediated automatically.
AWS Config supports continuous compliance monitoring.
- Any time a change is made to a supported resource, the change is captured as a configuration item.
AWS Config lets you run an audit report at any time to check compliance.
AWS Config is available in all regions and can continually monitor resources. It is a regional service, so the recorder must be enabled in each region you use.
- 💰It is a paid service.
What can AWS Config do?
- Check that AWS resources align with the desired settings for the account.
- Take a snapshot of the current configuration
- Useful when making changes
- Can retrieve historical configurations.
- Can view relationships between resources
- Detect and catalog resources.
- Reduce diagnostic time by viewing configuration changes.
How AWS Config Works
When started it:
- Scans your account for resources.
- Creates a configuration item for each resource found.
As changes take place:
- A new configuration item is generated.
The process:
AWS Config > Configuration Recorder > [CloudTrail / IAM / other supported resource types] > Configuration items > Configuration snapshots and history files delivered to S3
AWS Config VS CloudTrail
Know the difference for the exam.
- AWS Config:
  - Captures what a resource's configuration looked like at a point in time and what changed.
  - Details of the change, NOT who made it (a configuration item does list the related CloudTrail event IDs, which is how you pivot from "what" to "who").
- AWS CloudTrail:
  - Who changed which resource? From where? What was the API request and response?
  - Provides a detailed view of what happened.
  - Like an aircraft's black box: a record of every API call.
- Config: Configuration.
- Trail: Trails left by actions.
Configuration items
A configuration item (CI) is a point-in-time snapshot of one resource's configuration.
- Stored in JSON format
- A new CI is generated every time a change is made to a resource.
- This includes creating, deleting, and updating.
The CI contains:
- Metadata: information about the CI itself (version, capture time, status).
- Attributes of the resource (resource ID, type, ARN, tags).
- Relationships: data about any connected resources (for example the VPC a security group belongs to).
- Current configuration.
- Related events: the CloudTrail event IDs associated with the change.
Configuration recorder
This discovers changes.
- Captures the changes as configuration items.
- A configuration recorder must be created (one per region).
- If set up through the AWS Management Console, the recorder records all supported resource types by default.
An IAM role (a service-linked role by default) allows the recorder read-only access to your resources.
- The delivery channel also needs permission to write to a designated S3 bucket; this is granted in the bucket policy to the Config service principal.
- The bucket is used to publish configuration snapshots and history files.
- If the bucket is encrypted with a customer managed KMS key, the key policy must allow Config to use that key.
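As an added example (not part of the original notes), the following Python builds the delivery channel bucket policy using the three statements the AWS Config documentation describes (bucket ACL check, bucket existence check, object delivery), pinned to the source account with aws:SourceAccount and with PutObject scoped to the AWSLogs/<account>/Config/ path. A second function reviews an existing policy for the two mistakes that most often turn a log bucket into a dumping ground for another account's Config service. Bucket name and account ID in the usage are constructed placeholders.

```python
import json

CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}


def delivery_bucket_policy(bucket, account_id, prefix=""):
    """Bucket policy for an AWS Config delivery channel.
    Every statement is pinned to the source account (aws:SourceAccount) so another
    account's Config service cannot write into this bucket (confused deputy), and
    PutObject is limited to the key path Config actually writes under."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    delivery_path = f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/Config/*"
    source = {"StringEquals": {"AWS:SourceAccount": account_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}", "Condition": source},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}", "Condition": source},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:PutObject",
             "Resource": delivery_path,
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "AWS:SourceAccount": account_id}}},
        ],
    }


def policy_findings(policy, account_id):
    """Review a delivery bucket policy; return a list of findings (empty means OK).
    Checks every Allow granted to the Config service principal for a missing
    aws:SourceAccount condition, an over-broad PutObject resource, and a missing
    bucket-owner-full-control ACL condition."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal") != CONFIG_PRINCIPAL:
            continue
        sid = st.get("Sid", "<no sid>")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("AWS:SourceAccount") != account_id:
            findings.append(f"{sid}: not restricted to account {account_id}")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "s3:PutObject" in actions:
            if any(not r.endswith(f"/AWSLogs/{account_id}/Config/*") for r in resources):
                findings.append(f"{sid}: PutObject not limited to AWSLogs/{account_id}/Config/")
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: missing bucket-owner-full-control ACL condition")
    return findings


if __name__ == "__main__":
    # Constructed bucket name and account ID, not real resources.
    policy = delivery_bucket_policy("config-bucket-constructed", "111111111111")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, "111111111111"))
```

Running policy_findings against a policy whose PutObject resource is the whole bucket (`arn:aws:s3:::bucket/*`) or that lacks the aws:SourceAccount condition reports both problems; the same checks apply to an organization's central log bucket, where one account's mistake would let any account's Config deliver into it.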
Configuration Streams
When a CI is created, it is added to a configuration stream.
- The stream is an SNS topic.
- The SNS topic is specified on the delivery channel.
AWS Config Rules
Config rules evaluate the current configuration of resources against the settings you want.
To run, a rule must be triggered.
Two trigger options:
- Change-triggered: runs when a matching resource is created, changed, or deleted.
- Periodic: runs on a schedule (for example every 24 hours).
This helps to enforce a consistent deployment approach.
It does not matter how or when something was deployed, or by whom.
To scope a change-triggered rule, provide:
- The type of trigger.
- A single resource ID or a set of resource IDs.
- The resource types.
- Optionally, a tag key with a value.
If a changed resource does not match the rule's scope, the rule will not trigger.
If a resource is not compliant, you can be notified by:
- SNS notification (compliance change notifications on the delivery channel topic)
- Configuration stream
Lambda functions carry the evaluation logic for custom rules.
AWS Config Managed Rules
AWS provides managed rules.
- These are predefined.
- Their parameters are customizable.
- Well over 150 exist, and the list keeps growing.
With a managed rule you don't need to write the Lambda function that a custom rule needs.
A remediation action can be attached to the rule (managed or custom).
Rules can be filtered by:
- Evaluation mode
- Trigger Type
- Region
- Linked Service
Creating Custom Rules
First, try to find a managed rule; it is easier.
You can create a custom rule in the AWS config service.
Two methods:
- Write an AWS Lambda function that evaluates the resource and reports the result back to Config.
- Use AWS CloudFormation Guard and write the rule in the Guard policy language (no Lambda needed).
Otherwise custom rules behave like managed rules; the difference is that you write the evaluation logic from scratch.
This is not tested in the exam - just know you can do it.
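To make the trigger and evaluation flow from the two sections above concrete, here is an added example (not code from the notes or from AWS) of a change-triggered custom rule written as a Lambda handler. It marks an EC2 security group NON_COMPLIANT when it allows ingress to a port (default 22) from 0.0.0.0/0 or ::/0. The event shape (invokingEvent, ruleParameters, resultToken), the three messageType values and the evaluation fields are the ones AWS Config uses for custom Lambda rules; the handler also covers the two cases that trip people up, a deleted resource (NOT_APPLICABLE) and an oversized CI that must be fetched from history. The security group ID, the sample event and FakeConfigClient are constructed so the code runs offline without boto3.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    # A CI carries the legacy "ipRanges" (strings) plus ipv4Ranges / ipv6Ranges
    # (dicts); read all three so nothing slips through.
    found = set(perm.get("ipRanges", []))
    found |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    found |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return found - {None}


def _covers_port(perm, port):
    proto = perm.get("ipProtocol")
    if proto == "-1":                 # "all traffic" rules have no port fields
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def evaluate_security_group(ci, rule_params):
    """Return (ComplianceType, annotation) for one configuration item."""
    port = int(rule_params.get("port", 22))
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    for perm in ci.get("configuration", {}).get("ipPermissions", []):
        if _covers_port(perm, port) and _cidrs(perm) & WORLD:
            return "NON_COMPLIANT", f"ingress to port {port} open to the world"
    return "COMPLIANT", f"no world-open ingress to port {port}"


def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes. config_client is injectable for offline tests."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    kind = invoking.get("messageType")
    if kind == "ConfigurationItemChangeNotification":
        ci = invoking["configurationItem"]
    elif kind == "OversizedConfigurationItemChangeNotification":
        # The CI was too large for the event: fetch the latest one from history.
        summary = invoking["configurationItemSummary"]
        ci = (config_client or _boto3_config()).get_resource_config_history(
            resourceType=summary["resourceType"], resourceId=summary["resourceId"], limit=1
        )["configurationItems"][0]
        if isinstance(ci.get("configuration"), str):   # the API returns JSON text here
            ci["configuration"] = json.loads(ci["configuration"])
    else:
        return None                   # ScheduledNotification: not a change, nothing to do
    compliance, note = evaluate_security_group(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    (config_client or _boto3_config()).put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _boto3_config():
    import boto3                      # imported lazily so the logic runs without boto3
    return boto3.client("config")


# ---- Constructed sample (not real AWS data) so the handler runs offline ----
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": ["0.0.0.0/0"],
                                         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CI}),
    "ruleParameters": json.dumps({"port": "22"}),
    "resultToken": "constructed-result-token",
}


class FakeConfigClient:
    """Stand-in for boto3's Config client: serves a canned history, records evaluations."""
    def __init__(self, history=None):
        self.calls, self.history = [], list(history or [])

    def get_resource_config_history(self, **kwargs):
        return {"configurationItems": self.history}

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}
```

Deployed for real, the function's execution role needs config:PutEvaluations and config:GetResourceConfigHistory, and the rule's scope should be set to AWS::EC2::SecurityGroup so the Lambda is not invoked for every other resource change in the account.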
Evaluating Rules
Rules are evaluated in two modes:
- Proactive mode: evaluates a resource's intended configuration before it is provisioned (for example from a CloudFormation template), so non-compliant resources can be stopped before deployment.
- Detective mode: evaluates resources that are already deployed and flags the non-compliant ones.
AWS Config Conformance Packs
These are collections of AWS Config rules and remediation actions, defined in a YAML template.
They ensure systems conform to a standard.
They apply to a region (and can be deployed across an organization).
An aggregator can be used to combine results from multiple regions and accounts.
Sample packs are available to support a range of compliance frameworks, such as HIPAA.
Configuration History
This is useful for audits and compliance purposes.
By collecting and comparing configuration items, a configuration history is generated.
- If a security incident occurs, the history is useful for determining what changes took place.
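The following Python is an added example (not from the notes) of what "collecting and comparing configuration items" looks like in practice, and of the Config-to-CloudTrail pivot described in the Config vs CloudTrail section above. diff_configuration() flattens two CIs for the same resource and reports every attribute that changed, and incident_timeline() pairs each diff with the CloudTrail event IDs Config stored in the CI's relatedEvents field, which is where "who did it" is answered. fetch_history() pages through the real boto3 get_resource_config_history call; the two S3 bucket CIs, their bucket name and the event ID are constructed so the rest runs offline.

```python
import json


def _as_dict(value):
    # get_resource_config_history returns "configuration" as JSON text, and each
    # supplementaryConfiguration entry (public access block, encryption, policy)
    # is itself JSON text; normalise both into plain dicts before diffing.
    if value is None:
        return {}
    if isinstance(value, str):
        return json.loads(value)
    if isinstance(value, dict):
        return {k: (json.loads(v) if isinstance(v, str) and v[:1] in ("{", "[") else v)
                for k, v in value.items()}
    return value


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} so two CIs diff cleanly."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
        return out
    return {prefix: obj}


def diff_configuration(old_ci, new_ci):
    """Return {path: (before, after)} for every attribute that differs."""
    changes = {}
    for section in ("configuration", "supplementaryConfiguration"):
        before = flatten(_as_dict(old_ci.get(section)))
        after = flatten(_as_dict(new_ci.get(section)))
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                changes[f"{section}.{key}"] = (before.get(key), after.get(key))
    return changes


def incident_timeline(cis):
    """cis: configuration items for one resource, oldest first. Each step pairs the
    diff with the CloudTrail event IDs Config recorded for that change: the pivot
    from 'what changed' (Config) to 'who did it' (CloudTrail LookupEvents)."""
    steps = []
    for prev, cur in zip(cis, cis[1:]):
        steps.append({"captureTime": cur["configurationItemCaptureTime"],
                      "changes": diff_configuration(prev, cur),
                      "relatedEvents": cur.get("relatedEvents", [])})
    return steps


def fetch_history(config_client, resource_type, resource_id):
    """Page through get_resource_config_history on a boto3 Config client, oldest first."""
    items, token = [], None
    while True:
        kwargs = {"resourceType": resource_type, "resourceId": resource_id,
                  "chronologicalOrder": "Forward"}
        if token:
            kwargs["nextToken"] = token
        page = config_client.get_resource_config_history(**kwargs)
        items.extend(page["configurationItems"])
        token = page.get("nextToken")
        if not token:
            return items


# ---- Constructed sample CIs (not real AWS data): a bucket whose public access
# block was loosened and whose default encryption was downgraded from KMS. ----
_PAB_BEFORE = {"blockPublicAcls": True, "ignorePublicAcls": True,
               "blockPublicPolicy": True, "restrictPublicBuckets": True}
_PAB_AFTER = dict(_PAB_BEFORE, blockPublicPolicy=False, restrictPublicBuckets=False)
_SSE = {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}
_SSE_WEAK = {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}
OLD_CI = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "constructed-logs-bucket",
    "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
    "configuration": json.dumps({"name": "constructed-logs-bucket"}),
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": json.dumps(_PAB_BEFORE),
        "ServerSideEncryptionConfiguration": json.dumps(_SSE),
    },
    "relatedEvents": [],
}
NEW_CI = dict(OLD_CI,
              configurationItemCaptureTime="2024-01-01T10:05:00.000Z",
              supplementaryConfiguration={
                  "PublicAccessBlockConfiguration": json.dumps(_PAB_AFTER),
                  "ServerSideEncryptionConfiguration": json.dumps(_SSE_WEAK),
              },
              relatedEvents=["constructed-cloudtrail-event-id"])

if __name__ == "__main__":
    for step in incident_timeline([OLD_CI, NEW_CI]):
        print(step["captureTime"], step["relatedEvents"])
        for path, (before, after) in step["changes"].items():
            print(f"  {path}: {before!r} -> {after!r}")
```

The diff keys are full paths into the CI (for example supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy), so the output can be filtered for the handful of attributes that matter in an investigation. Against a live account, feed fetch_history() into incident_timeline() and pass each relatedEvents ID to CloudTrail's LookupEvents to recover the caller identity and source IP.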
Remediation with AWS Config
Systems Manager Automation runbooks perform the remediation.
- Config only triggers the runbook; the actual change is NOT done by Config!!!
Several predefined runbooks exist (for example one that removes public ingress from a security group); custom runbooks can be created.
Data Aggregation
Many organizations use multiple AWS accounts.
- An aggregator can collect configuration and compliance data across multiple accounts and regions.
This gives a unified view of compliance and configuration data in the following situations:
- A single account with multiple regions.
- Multiple accounts in multiple regions.
- Findings need to be presented in a unified view.
- Information is collected and viewed from a single (aggregator) account.
- Running multiple accounts and wanting to assemble all the data in one place.
If you are using multiple regions/accounts and want to assemble configuration data in one place... think Aggregator.
Once the data has been collected, a dashboard on the aggregator's page displays everything collected.
This dashboard also provides a combined count of:
- All resources
- All source accounts