From the course: AWS Essential Training for Administrators
Tracking compliance with AWS Config - Amazon Web Services (AWS) Tutorial
Tracking compliance with AWS Config
- [Instructor] In growing AWS environments, configuration changes happen all the time. A user may add a public S3 bucket, tweak a security group, or update an EC2 instance type without a trace. Without tracking, these can slip under the radar, leading to security risks, failed audits, and unexpected costs. AWS Config addresses this by capturing every resource's configuration state, creating a timeline of changes, and running checks to identify any discrepancies. With AWS Config, you can discover existing AWS resources, get notified when resources are created, modified, or deleted, continuously monitor and record configuration changes of your resources, define rules for provisioning and configuring resources, view relationships between your resources, and export a complete inventory with all configuration details.

To use AWS Config, you will need to start the recorder from the Settings section. So go over to the Settings section, and under the Recorder section, turn on recording for your resources. When you turn it on, it first discovers the supported AWS resources in your account. This process can take from a few minutes to a few hours, depending on the number of resources in your account. Here are the discovered resources in my account. Clicking on a resource will show you the JSON document, which is also known as a Configuration Item. At the top, you have the Resource Timeline. It shows you how the resource configuration has changed over time.

Config also allows you to define rules that describe the desired state of your resources. AWS has managed rules to get you started, and you can also create custom ones. Let's say our corporate policy requires all EBS volumes to be encrypted. Let's add a rule to detect unencrypted EBS volumes. I'll search for EBS, and here we have a rule that checks if EBS volumes have encryption enabled. I'll select the rule and go to the Next step. Here, you can change the evaluation frequency, which is 24 hours by default, and save the rule. I've already created a rule, as you can see over here, and it has identified a non-compliant resource. So when I click on the rule and scroll down, I can see the non-compliant resources. You can configure an EventBridge rule to notify you when the compliance state of a rule changes.

Now let's create one more rule, but this time, with remediation. I'll use a rule to identify elastic IPs that are not associated with instances. Config has a managed rule for this purpose, so I'll select that. It's called eip-attached. I'll click Apply. Then I'll select it and go to the Next step. No changes are needed to the configuration, so I'll go to the last step and Save it. So that's the detection part. This rule will identify elastic IPs that are not attached to any instance.

Let's take it a step further and set up automatic remediation. To do so, I'll click Actions, and go to Manage Remediation. Manual remediation is where you'll trigger the remediation action yourself. Automatic remediation is triggered when a non-compliant resource is found. That's the option we'll use. Automated remediation relies on Systems Manager documents. Systems Manager is a service in AWS that helps you automate your workflows. We'll talk more about that in an upcoming video. AWS Config has a pre-configured remediation action to remove unassociated elastic IPs. It's called AWS-ReleaseElasticIP. So I'll use this remediation action. Scroll down to enter the Resource ID Parameter. I'll set this to AllocationId, as AWS Config needs that information to release the elastic IP. Next, you'll need to provide the ARN of an IAM role that Config can use to take the required action. I've already created an IAM role, so I'll provide the ARN of that role over here. Then, I'll click Save Changes. Alright, so now we have the rule and the remediation action in place. Config will automatically execute the action when a non-compliant resource is found.

Alright, so that's about AWS Config. It performs important administrative functions like discovering resources, evaluating them for compliance, and remediating them. Next up, how do you manage and automate operations across your resources? In the following video, we'll look at AWS Systems Manager for centralized control.
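The eip-attached rule and its automatic remediation from the video, expressed as a CloudFormation template so the same setup can be reviewed and deployed as code. This is an added example, not part of the course or its exercise files; the IAM role and its ec2:ReleaseAddress permission are assumptions about what the AWS-ReleaseElasticIP document needs, and the managed rule identifier EIP_ATTACHED is the API name behind the console's eip-attached rule.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: eip-attached rule with automatic release of unattached Elastic IPs (added example)

Resources:
  # Detect Elastic IPs that are not associated with an instance or network interface
  EipAttachedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: eip-attached
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED

  # Role that Systems Manager Automation assumes to run AWS-ReleaseElasticIP.
  # Assumption: the document only needs ec2:ReleaseAddress; keep it to that.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: release-eip-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ec2:ReleaseAddress
                Resource: "*"

  # Automatic remediation: Config passes the non-compliant resource's ID as AllocationId
  EipRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EipAttachedRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-ReleaseElasticIP
      Automatic: true
      MaximumAutomaticAttempts: 3   # required together with RetryAttemptSeconds when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
```

Releasing an address is irreversible, so a sensible rollout is to deploy with `Automatic: false` first, confirm the rule flags only the addresses you expect, and then switch it to `true`. The Config recorder must already be on, as described above, or the rule never evaluates anything.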