Proactively Monitor and Enforce Compliance for your AWS Resources with AWS Config

Overview

Have you ever wondered if we can check whether our resources are compliant even before their provision. This new feature of proactive compliance, which AWS recently launched in their reinvent, allows us to ensure our resources are always compliant and follow the security best practices per industry standards.

Introduction

This blog post will use AWS Config to enforce proactive compliance for the “RDS-storage-encrypted” rule.

The RDS-storage-encrypted rule is a security best practice that requires that all RDS database instances have encryption enabled for their storage volumes. This ensures that sensitive data stored in your databases is protected against unauthorized access and meets compliance requirements for data protection.

A Guide to enforce proactive compliance with the Rule

To enforce proactive compliance with this rule, follow these steps:

1. Enable AWS Config

The first step is to enable AWS Config in your AWS account. AWS Config can be enabled through the AWS Management Console, the AWS CLI, or the AWS SDKs. Once AWS Config is enabled, it will start recording the configuration of your AWS resources.

2. Create an AWS Config rule

create an AWS Config rule that checks whether RDS database instances enable encryption for their storage volumes. You can create this rule through the AWS Management Console or AWS CloudFormation. Here we are doing it with AWS Management Console.

3. Evaluate Mode

By default, only detective compliance is switched on. We need to turn on the proactive evaluation so that they can be run before provisioning and save time spent to implement custom pre-deployment validations.

4. Turning On Proactive evaluation switch and click on next. Review the current settings and click on Create Rule.

5. Review your rule here.

6. With the help of the AWS CLI, we will try to fetch the current status of our RDS database. For that, we need a resource evaluation id. We will generate that by passing this command. Change your Resource ID with that of the RDS database id.

7. Copy the Resource evaluation id. We will need it in the next step.

8. Run this command by placing your resource evaluation id in place of

As expected, the Amazon RDS configuration is compliant with the rds-storage-encrypted rule. If I repeat the previous steps with StorageEncrypted set to false, I get a non-compliant result.

9. Now run this command to get individual rule-level compliance for the resource. We can call the GetComplianceDetailsByResource by placing the resource evaluation id in place of

Applications of Using AWS Config with proactive compliance

1. Continuous Compliance Monitoring: AWS Config allows you to monitor your resources continuously and provide a comprehensive view of their compliance status, including historical changes. You can set up rules to identify and flag compliance violations, such as security group changes allowing unrestricted access to sensitive resources.
2. Resource Configuration Auditing: AWS Config can help you audit your resource configurations to ensure they meet regulatory compliance requirements. You can define custom rules to check for specific configurations, such as encryption on S3 buckets or instance types that comply with security standards.
3. Security Analysis: AWS Config can help you identify security vulnerabilities in your infrastructure by checking for common misconfigurations and best practices. It can alert you to issues such as overly permissive IAM policies or unsecured network configurations.
4. Compliance Reporting: AWS Config provides detailed compliance reports that can be used for auditing and reporting purposes. You can create custom reports to meet specific compliance requirements and automate generating and distributing of reports.
5. Policy Enforcement: AWS Config can automatically remediate non-compliant resources by triggering AWS Lambda functions or AWS Systems Manager Automation documents. This feature can be used to enforce policies such as requiring multi-factor authentication for privileged accounts or automatically encrypting sensitive data.

Conclusion

AWS Config can proactively monitor and enforce compliance across your resources. By leveraging its capabilities, you can identify and address compliance issues before they become costly or cause regulatory violations.

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding AWS Config and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.