Study Guides/AWS Cybersecurity Notes/AWS Config: Difference between revisions

From Cramsession
Verified Author: Mflavell
Latest revision as of 16:06, 21 May 2026

What is AWS Config

AWS Config records resource configurations and configuration changes.

This is separate from CloudTrail, which records API activity (who called what, and when).

How to visualize this
People leave trails 🚶... (CloudTrail)
Computers have configuration (AWS Config)
CloudTrail = Who did it?
AWS Config = What did they do, i.e. what did the resource look like before and after?


AWS Config has a configuration recorder that keeps an inventory of your resources in near real time.

It can be used across multiple regions and accounts.
Resources can be evaluated continuously (on every change) or on a fixed schedule.
Lambda or Systems Manager Automation can be used to automatically remediate compliance problems.


AWS Config allows a system to be continuously compliant by maintaining records of the systems sin

Any time a change is made to a recorded resource, the change is captured, and Config links it to the CloudTrail event that caused it, so you can see who or what made the change.
This enables auditing and compliance checks at any time, on demand.


Why use AWS config

It is hard to know what resources you are actually running in AWS.

Think of the problems of running a massive system:
How can you ever keep up with what is running and where?
How do you know what is no longer required?
How do you know developers and engineers are following security policy?


This can be used for risk reduction:

Checking which servers are exposed to the internet.
Finding volumes that are not encrypted.
Finding servers that lack hardening.
Keeping an accurate record of every change.


What can AWS config do

  • Checks configurations
  • Can save a snapshot of the current configuration
  • Lets you pull historical configurations
  • Allows the viewing of relationships between resources
  • Can find the resources being used easily and quickly
  • Can help reduce troubleshooting time through comparison with the last known good configuration


Does AWS config have associated charges

  • Yes - recording has two different prices, for continuous and for periodic (once a day) recording.
  • Rule evaluations are also charged, per evaluation.
  • How to control the cost:
  • Exclude resource types you don't care about.
  • Don't enable the recorder in regions you don't use.
  • Monitor your bill!


How AWS Config works

When the recorder is started, AWS Config scans the account for supported resources.

A configuration item is created for each resource.
Each time a change takes place a new configuration item is created.
Comparing configuration items shows exactly what changed in the configuration.


Configuration Items

These are snapshots of a resource, stored in JSON format.

They represent the configuration of that resource at a point in time.
Most resource types are supported by AWS Config - but not all.
A new CI is recorded every time something changes on a monitored resource.


Inside a configuration item:

  • Metadata - Information about the configuration item itself (version, capture time, status).
  • Attributes - Resource data of the configuration item (resource type, ID, ARN, tags).
  • Relationships - Related resources:
For example the subnet or VPC an instance belongs to.
  • Current configuration - The resource's configuration as returned by its service's describe API.


Confguration recorder

The configuration recorder discovers changes in resources, new or existing.

These changes are then written into configuration items.
A configuration recorder is a must to monitor configurations.
The configuration recorder is the eyes of the Config system.


The recorder can be set up several ways:

  • The AWS console
  • Command line interface
  • IaC - Infrastructure as code such as:
  • CloudFormation
  • Terraform


By default the recorder records all supported resource types; narrow this with a recording group if you only want specific types.


Configuration role

This is an IAM role that gives Config read access to the resources it records.

This role also needs write permission to the S3 bucket where snapshots and history are stored, and publish permission on the SNS topic used for notifications.


Configuration streams

When a new configuration item is created it is added to a configuration stream.

The configuration stream is delivered through an SNS topic, so anything that can subscribe to the topic (Lambda, SQS, email) can react to changes as they happen.


Basic Setup

This provides an overview; for the exact CLI commands consult the AWS guides.


  • Create an S3 bucket to store the configuration items
  • Create an SNS topic for the config service
  • Create the IAM role for the config service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "your account number"
        }
      }
    }
  ]
}


Saving this will give you a role ARN - this will be needed to start the configuration recorder.

Let's break the JSON down for better understanding:

  • The Config service (config.amazonaws.com)
  • Is allowed to assume this role
  • But only when the request comes from your account (the AWS:SourceAccount condition stops another account's Config service from using your role - the confused-deputy case)


A policy now needs to be created for the role to use; let's use this:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigS3PutPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "ConfigS3GetPolicy",
      "Effect": "Allow",
      "Action": [ "s3:GetBucketAcl" ],
      "Resource": "arn:aws:s3:::your-bucket"
    },
    {
      "Sid": "ConfigSNSPolicy",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:your-sns"
    },
    {
      "Sid": "DescribeResources",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Let's break the JSON down for understanding:

  • It allows writing objects to the bucket (only with the bucket-owner-full-control ACL) and reading the bucket's ACL
  • It allows publishing to the SNS topic
  • It allows describing EC2 resources; if you record more than EC2 types, also attach the AWS managed policy AWS_ConfigRole (arn:aws:iam::aws:policy/service-role/AWS_ConfigRole) for the remaining read permissions

The entire process is captured:

Describe > Transmit (SNS) > Save (s3)

With this done we can attach the policy to the role.

If you saved the JSON above as a customer-managed policy (aws iam create-policy), attach it in the AWS CLI with:

aws iam attach-role-policy --role-name <role-name> --policy-arn <policy-arn>

To add it as an inline policy instead, use aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json


Next and very importantly we need to determine what resources to capture.

  • Keep in mind you will pay a nominal fee for each of these - but this is AWS, and resources add up $$$
  • If you monitor too little you won't get the data you need to make decisions or protect the system.
  • Decide what is right for your system.


Here is an example of the JSON file:


{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": [
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::Volume"
  ]
}


This will monitor:

  • EC2 security groups.
  • EC2 volumes.


Next create a delivery file:

{
  "name": "default",
  "s3BucketName": "your-bucket",
  "snsTopicARN": "arn:aws:sns:your-sns",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

Breaking it down:

  • Connects the S3 bucket
  • Connects the SNS topic
  • Defines the snapshot delivery frequency (One_Hour, Three_Hours, Six_Hours, Twelve_Hours or TwentyFour_Hours)


Finally, register the recorder (aws configservice put-configuration-recorder, passing the role ARN and the recording-group file) and the delivery channel (aws configservice put-delivery-channel with the delivery file), then start the recorder:

aws configservice start-configuration-recorder --configuration-recorder-name <name>


  • It will take a few minutes for the first data to be delivered.
  • Check progress with aws configservice describe-configuration-recorder-status.
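The whole Basic Setup sequence above, as an added example written for this page (not code from the original article or from AWS): it builds the trust policy, delivery policy, recording group and delivery channel in the shape shown above, lints the policy for the kind of mistakes that creep in when JSON is pasted by hand (duplicate Sids, S3 ARNs missing their arn:aws:s3::: prefix), and applies everything with boto3 in the order Config requires. ACCOUNT_ID, BUCKET, TOPIC_ARN, ROLE_NAME and the policy name are placeholders.

```python
"""Added example (not from the original page): build the documents from the
Basic Setup section, check them for common hand-editing mistakes, and apply
them with boto3. ACCOUNT_ID, BUCKET, TOPIC_ARN and the role/recorder names
are placeholders; replace them with your own values before running apply()."""
import json

ACCOUNT_ID = "123456789012"                                        # placeholder
BUCKET = "example-config-bucket"                                   # placeholder
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:config-stream"     # placeholder
ROLE_NAME = "ConfigRecorderRole"                                   # placeholder
RECORDER_NAME = "default"
VALID_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                     "Twelve_Hours", "TwentyFour_Hours"}


def trust_policy(account_id):
    """Only config.amazonaws.com may assume the role, and only for this account
    (the SourceAccount condition closes the confused-deputy hole)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeRole", "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"AWS:SourceAccount": account_id}}}]}


def delivery_policy(bucket, topic_arn):
    """Delivery-side permissions: write objects, read the bucket ACL, publish to SNS,
    plus read access for the EC2 types the recording group below captures."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ConfigS3Put", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"StringLike": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "ConfigS3GetBucketAcl", "Effect": "Allow",
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ConfigSNSPublish", "Effect": "Allow",
         "Action": "sns:Publish", "Resource": topic_arn},
        {"Sid": "DescribeResources", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"}]}


def lint_policy(policy):
    """Flag mistakes that are easy to make when pasting policies by hand:
    duplicated Sids and S3 ARNs missing the arn:aws:s3::: prefix."""
    problems, seen = [], set()
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid")
        if sid in seen:
            problems.append(f"duplicate Sid {sid}")
        seen.add(sid)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a.startswith("s3:") for a in actions):
            for res in resources:
                if not res.startswith("arn:aws:s3:::"):
                    problems.append(f"malformed S3 ARN {res!r} in {sid}")
    return problems


def recording_group(resource_types):
    """Record only the listed types; global types (IAM etc.) would need
    allSupported plus includeGlobalResourceTypes."""
    return {"allSupported": False, "includeGlobalResourceTypes": False,
            "resourceTypes": list(resource_types)}


def delivery_channel(bucket, topic_arn, frequency="Twelve_Hours"):
    """Delivery channel; the snapshot frequency must be one of Config's fixed values."""
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"deliveryFrequency must be one of {sorted(VALID_FREQUENCIES)}")
    return {"name": "default", "s3BucketName": bucket, "snsTopicARN": topic_arn,
            "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency}}


def apply(account_id=ACCOUNT_ID, bucket=BUCKET, topic_arn=TOPIC_ARN):
    """Create the role, register recorder and delivery channel, then start recording.
    Order matters: the delivery channel cannot be created before the recorder."""
    import boto3  # imported here so the builders above stay usable offline
    policy = delivery_policy(bucket, topic_arn)
    problems = lint_policy(policy)
    if problems:
        raise ValueError(problems)
    iam, cfg = boto3.client("iam"), boto3.client("config")
    role = iam.create_role(RoleName=ROLE_NAME,
                           AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)))
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="ConfigDelivery",
                        PolicyDocument=json.dumps(policy))
    # AWS-managed read permissions for every recordable type, not just EC2
    iam.attach_role_policy(RoleName=ROLE_NAME,
                           PolicyArn="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole")
    cfg.put_configuration_recorder(ConfigurationRecorder={
        "name": RECORDER_NAME, "roleARN": role["Role"]["Arn"],
        "recordingGroup": recording_group(["AWS::EC2::SecurityGroup", "AWS::EC2::Volume"])})
    cfg.put_delivery_channel(DeliveryChannel=delivery_channel(bucket, topic_arn))
    cfg.start_configuration_recorder(ConfigurationRecorderName=RECORDER_NAME)
    return cfg.describe_configuration_recorder_status(
        ConfigurationRecorderNames=[RECORDER_NAME])["ConfigurationRecordersStatus"]
```

apply() is the only function that touches AWS; the builders and lint_policy run offline, which is where a duplicated Sid or an S3 ARN missing a colon would be caught before it reaches IAM and silently fails at delivery time.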


AWS Config Rules

Rules enable you to automatically evaluate the configuration of monitored resources.

A rule can be triggered in two ways:

  • When a resource changes
  • On a schedule


These rules allow you to enforce a consistent approach to AWS resources.

This is independent of who deployed them or when they were deployed.


Rules can apply to

  • A single resource ID or a set of resource IDs
  • Types of resources
  • Resources with a specified tag


Rules help enforce compliance.

Lambda functions can also be used to add custom logic to rules.


AWS Config Managed Rules

These are preconfigured by AWS to check your resources against industry best practices.

For managed rules there is no need to write any evaluation logic - AWS provides it; you only pick the rule and set its parameters.

Over 150 managed rules exist today.


Custom Rules

Custom rules can be created using two methods:

  • AWS Lambda - a function that receives the configuration item and reports COMPLIANT or NON_COMPLIANT back to Config
  • A Guard policy - a rule written in AWS CloudFormation Guard syntax, evaluated by Config without any Lambda code
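Added example of a Lambda-backed custom rule (written for this page, not taken from the original article): it flags unencrypted EBS volumes, which matches the AWS::EC2::Volume type recorded in the setup above. The event shape follows what Config passes to a custom Lambda rule; the two SAMPLE_* events are constructed, and the resultToken and volume ID values are made up.

```python
"""Added example (not from the original page): a Lambda-backed custom rule that
reports AWS::EC2::Volume resources as NON_COMPLIANT when they are unencrypted.
The two sample events are constructed here to mirror the shape Config sends;
they are not real recorded data."""
import json


def evaluate_volume(ci):
    """Decide compliance for one configuration item. Deleted resources and
    other resource types get NOT_APPLICABLE rather than a false NON_COMPLIANT."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EC2 volumes"
    if (ci.get("configuration") or {}).get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


def build_evaluation(event):
    """Turn the rule invocation into a PutEvaluations entry. Returns None for
    scheduled or oversized notifications, which carry no inline configuration
    item (those need a GetResourceConfigHistory call, not shown here)."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    ci = invoking["configurationItem"]
    compliance, note = evaluate_volume(ci)
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report back with the result token."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"skipped": True}
    import boto3  # imported lazily so the logic above is testable offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed sample events (shape follows a Config rule invocation, values are made up)
SAMPLE_CHANGE_EVENT = {
    "resultToken": "example-token",
    "ruleParameters": "{}",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0abc123def4567890",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-03-01T10:00:00.000Z",
            "configuration": {"volumeId": "vol-0abc123def4567890",
                              "encrypted": False, "size": 8}}})}
SAMPLE_SCHEDULED_EVENT = {
    "resultToken": "example-token",
    "ruleParameters": "{}",
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification"})}
```

The NOT_APPLICABLE branches matter: reporting a deleted volume as NON_COMPLIANT leaves a stale finding in the dashboard, and a rule attached to the wrong resource type would otherwise flag everything it sees.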


Rule Evaluation

  • Proactive mode - Evaluates a resource's intended configuration before it is deployed, so a non-compliant deployment can be stopped up front.
  • Detective mode - Evaluates resources that are already deployed.


Conformance packs

  • A conformance pack is a collection of rules and remediation actions deployed as a single unit.
  • These make it easy to implement best practices.
  • Can be deployed in a region or across an organization; results from multiple regions can be viewed through an aggregator.
  • Enables a one click setup.


Configuration History

As you may expect, this lists all the changes made to a resource.

This is done by comparing the successive configuration items saved in the S3 bucket.
Use case: Determine the sequence of changes that led to an incident.
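Added example (not from the original page) of how the Configuration History comparison works, applied to the configuration items described earlier: it diffs two items of a security group field by field and walks the history to find when a port was opened to the internet and when it was closed again. SAMPLE_HISTORY is constructed in the shape of AWS::EC2::SecurityGroup items (the ipRanges/ipv4Ranges fields as assumed here, not recorded data); fetch_history() shows the real GetResourceConfigHistory call.

```python
"""Added example (not from the original page): reconstruct what changed in a
security group from its configuration items, the way the Configuration History
view does. The three CIs in SAMPLE_HISTORY are constructed to follow the
AWS::EC2::SecurityGroup item shape; fetch_history() shows the real API call."""
import json


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"dotted.path": value} so two CIs can be diffed."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix.rstrip("."): obj}
    out = {}
    for key, val in items:
        out.update(flatten(val, f"{prefix}{key}."))
    return out


def diff_items(old_ci, new_ci):
    """(path, old_value, new_value) for every configuration field that differs."""
    old, new = flatten(old_ci["configuration"]), flatten(new_ci["configuration"])
    return sorted(((k, old.get(k), new.get(k)) for k in set(old) | set(new)
                   if old.get(k) != new.get(k)), key=lambda t: t[0])


def world_open_ports(ci):
    """(protocol, fromPort, toPort) tuples the group allows from 0.0.0.0/0 or ::/0.
    Handles both the string list (ipRanges) and object list (ipv4Ranges/ipv6Ranges) forms."""
    exposed = set()
    for perm in ci["configuration"].get("ipPermissions", []):
        cidrs = []
        for field in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
            for entry in perm.get(field, []):
                cidrs.append(entry if isinstance(entry, str)
                             else entry.get("cidrIp") or entry.get("cidrIpv6"))
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            exposed.add((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return exposed


def exposure_timeline(history):
    """Walk CIs in capture order and report when internet exposure was opened or closed."""
    events, previous = [], set()
    for ci in sorted(history, key=lambda c: c["configurationItemCaptureTime"]):
        current = world_open_ports(ci)
        if current != previous:
            events.append((ci["configurationItemCaptureTime"],
                           current - previous, previous - current))
        previous = current
    return events


def fetch_history(resource_type, resource_id, limit=10):
    """Pull real CIs; the API returns 'configuration' as a JSON string, so decode it."""
    import boto3  # lazy import keeps the offline functions above usable without it
    resp = boto3.client("config").get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id, limit=limit)
    items = resp["configurationItems"]
    for ci in items:
        if isinstance(ci.get("configuration"), str):
            ci["configuration"] = json.loads(ci["configuration"])
    return items


def _sg_item(capture_time, cidrs):
    """Constructed sample CI for one security-group state (not recorded data)."""
    return {"resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": capture_time,
            "configuration": {"groupId": "sg-0123456789abcdef0", "groupName": "web",
                              "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                                 "ipRanges": list(cidrs),
                                                 "ipv4Ranges": [{"cidrIp": c} for c in cidrs],
                                                 "ipv6Ranges": []}]}}


SAMPLE_HISTORY = [
    _sg_item("2024-03-01T09:00:00.000Z", ["10.0.0.0/8"]),
    _sg_item("2024-03-01T10:00:00.000Z", ["10.0.0.0/8", "0.0.0.0/0"]),  # SSH opened to the world
    _sg_item("2024-03-01T11:30:00.000Z", ["10.0.0.0/8"]),               # reverted
]
```

exposure_timeline() gives the incident-response answer directly (port 22 was world-reachable between 10:00 and 11:30); diff_items() gives the raw field changes for the report, and the capture time of the offending item is what you take to CloudTrail to find who made the call.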


Fixing non-compliant resources

This is possible out of the box through the use of Systems Manager Automation runbooks:

They contain predefined automated remediations.
Custom remediations can also be created.
Remediation can be triggered manually from the console or automatically whenever a resource is found non-compliant.
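Added example (not from the original page) that ties a managed rule to an automatic remediation, covering both the rule scoping options listed earlier and the runbook-based fix described here: INCOMING_SSH_DISABLED scoped to security groups, remediated with the AWS-provided runbook AWS-DisablePublicAccessForSecurityGroup. RULE_NAME and REMEDIATION_ROLE_ARN are placeholders; the role is assumed to be assumable by ssm.amazonaws.com and allowed to revoke security group rules.

```python
"""Added example (not from the original page): enable the managed rule
INCOMING_SSH_DISABLED on security groups and attach automatic remediation
through the Systems Manager runbook AWS-DisablePublicAccessForSecurityGroup.
RULE_NAME and REMEDIATION_ROLE_ARN are placeholders."""
import json

RULE_NAME = "sg-no-public-ssh"                                             # placeholder
REMEDIATION_ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediation"  # placeholder


def config_rule(name, identifier, resource_types=None, tag=None, resource_id=None, params=None):
    """Managed-rule definition with an optional Scope: by resource type, by tag
    (key, value), or by a single resource ID. Config only accepts a resource ID
    together with exactly one resource type, so that is enforced here."""
    scope = {}
    if resource_types:
        scope["ComplianceResourceTypes"] = list(resource_types)
    if tag:
        scope["TagKey"], scope["TagValue"] = tag
    if resource_id:
        if not resource_types or len(resource_types) != 1:
            raise ValueError("ComplianceResourceId requires exactly one ComplianceResourceType")
        scope["ComplianceResourceId"] = resource_id
    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
    if scope:
        rule["Scope"] = scope
    if params:
        rule["InputParameters"] = json.dumps(params)  # Config wants a JSON string here
    return rule


def remediation(rule_name, role_arn, cidr="0.0.0.0/0", automatic=True):
    """Remediation configuration: GroupId comes from the non-compliant resource,
    the role and CIDR are static. Automatic mode requires the retry settings."""
    rem = {"ConfigRuleName": rule_name,
           "TargetType": "SSM_DOCUMENT",
           "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
           "Parameters": {
               "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
               "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
               "IpAddressToBlock": {"StaticValue": {"Values": [cidr]}}},
           "Automatic": automatic}
    if automatic:
        rem["MaximumAutomaticAttempts"] = 3
        rem["RetryAttemptSeconds"] = 60
    return rem


def apply(tag=None):
    """Create the rule and its remediation. Start with a tag scope (or automatic=False)
    before letting it rewrite every security group in the account."""
    import boto3  # imported lazily so the builders above run offline
    cfg = boto3.client("config")
    cfg.put_config_rule(ConfigRule=config_rule(
        RULE_NAME, "INCOMING_SSH_DISABLED", ["AWS::EC2::SecurityGroup"], tag=tag))
    cfg.put_remediation_configurations(
        RemediationConfigurations=[remediation(RULE_NAME, REMEDIATION_ROLE_ARN)])
    return cfg.describe_config_rules(ConfigRuleNames=[RULE_NAME])["ConfigRules"]
```

Automatic remediation on a rule scoped to every security group will revoke rules the moment they drift, including rules someone opened on purpose for a short window; a safer rollout is the tag scope first, or automatic=False so the fix is triggered by hand from the console until you trust it.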


Using Multiple accounts

This is done with an aggregator; the use cases are:

  • Single account / Multi region
  • Multi account / Multi region

The aggregator makes finding trends across multiple regions or accounts easier by consolidating the data into one view.