Login
April 24, 2023|
Voiced by Amazon Polly |
Overview
Have you ever wondered if we can check whether our resources are compliant even before their provision. This new feature of proactive compliance, which AWS recently launched in their reinvent, allows us to ensure our resources are always compliant and follow the security best practices per industry standards.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Introduction
This blog post will use AWS Config to enforce proactive compliance for the “RDS-storage-encrypted” rule.
The RDS-storage-encrypted rule is a security best practice that requires that all RDS database instances have encryption enabled for their storage volumes. This ensures that sensitive data stored in your databases is protected against unauthorized access and meets compliance requirements for data protection.
A Guide to enforce proactive compliance with the Rule
To enforce proactive compliance with this rule, follow these steps:
- Enable AWS Config
The first step is to enable AWS Config in your AWS account. AWS Config can be enabled through the AWS Management Console, the AWS CLI, or the AWS SDKs. Once AWS Config is enabled, it will start recording the configuration of your AWS resources.
- Create an AWS Config rule
create an AWS Config rule that checks whether RDS database instances enable encryption for their storage volumes. You can create this rule through the AWS Management Console or AWS CloudFormation. Here we are doing it with AWS Management Console.
3. Evaluate Mode
By default, only detective compliance is switched on. We need to turn on the proactive evaluation so that they can be run before provisioning and save time spent to implement custom pre-deployment validations.
4. Turning On Proactive evaluation switch and click on next. Review the current settings and click on Create Rule.
5. Review your rule here.
6. With the help of the AWS CLI, we will try to fetch the current status of our RDS database. For that, we need a resource evaluation id. We will generate that by passing this command. Change your Resource ID with that of the RDS database id.
|
1 2 3 4 5 6 7 |
aws configservice start-resource-evaluation --evaluation-mode PROACTIVE Let me know if there is anything else I can help you with. --resource-details '{"ResourceId":"myDB ", "ResourceType":"AWS::RDS::DBInstance", "ResourceConfiguration":"{\"StorageEncrypted\":true}", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}' \ --evaluation-timeout 60 |
7. Copy the Resource evaluation id. We will need it in the next step.
8. Run this command by placing your resource evaluation id in place of
|
1 2 3 |
<your-resource-evaluation-id>. aws configservice get-resource-evaluation-summary \ --resource-evaluation-id <your-resource-evaluation-id> |
As expected, the Amazon RDS configuration is compliant with the rds-storage-encrypted rule. If I repeat the previous steps with StorageEncrypted set to false, I get a non-compliant result.
9. Now run this command to get individual rule-level compliance for the resource. We can call the GetComplianceDetailsByResource by placing the resource evaluation id in place of
|
1 2 3 |
<your-resource-evaluation-id>. aws configservice get-compliance-details-by-resource \ --resource-evaluation-id <your-resource-evaluation-id> |
Applications of Using AWS Config with proactive compliance
- Continuous Compliance Monitoring: AWS Config allows you to monitor your resources continuously and provide a comprehensive view of their compliance status, including historical changes. You can set up rules to identify and flag compliance violations, such as security group changes allowing unrestricted access to sensitive resources.
- Resource Configuration Auditing: AWS Config can help you audit your resource configurations to ensure they meet regulatory compliance requirements. You can define custom rules to check for specific configurations, such as encryption on S3 buckets or instance types that comply with security standards.
- Security Analysis: AWS Config can help you identify security vulnerabilities in your infrastructure by checking for common misconfigurations and best practices. It can alert you to issues such as overly permissive IAM policies or unsecured network configurations.
- Compliance Reporting: AWS Config provides detailed compliance reports that can be used for auditing and reporting purposes. You can create custom reports to meet specific compliance requirements and automate generating and distributing of reports.
- Policy Enforcement: AWS Config can automatically remediate non-compliant resources by triggering AWS Lambda functions or AWS Systems Manager Automation documents. This feature can be used to enforce policies such as requiring multi-factor authentication for privileged accounts or automatically encrypting sensitive data.
Conclusion
AWS Config can proactively monitor and enforce compliance across your resources. By leveraging its capabilities, you can identify and address compliance issues before they become costly or cause regulatory violations.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.
FAQs
1. How does AWS Config work?
ANS: – AWS Config continuously monitors your AWS resources and records their configuration details in a configuration history. It also provides rules that you can use to evaluate the configuration of your resources against best practices, security standards, and compliance requirements.
2. What are some benefits of using AWS Config?
ANS: – AWS Config enables you to gain visibility into the configuration of your AWS resources, track changes to their configuration, and assess their compliance with your policies. It can also help you troubleshoot issues and identify security vulnerabilities in your infrastructure.
3. What types of resources can AWS Config monitor?
ANS: – AWS Config can monitor various AWS resources, including EC2 instances, VPCs, IAM roles, S3 buckets, RDS instances, Lambda functions, and many more.
4. How much does AWS Config cost?
ANS: – AWS Config pricing is based on the number of configuration items recorded and the number of active AWS Config rules evaluated monthly. You can find more information about AWS Config pricing on the AWS website.
5. Can AWS Config be integrated with other AWS services?
ANS: – Yes, AWS Config can be integrated with other AWS services, such as AWS CloudTrail, AWS Lambda, and Amazon SNS. This enables you to automate evaluating your resources’ configuration and take action when issues are detected.
WRITTEN BY Jeet Patel
PREV
Comments