Overview
Have you ever wondered whether you can check that your resources are compliant even before they are provisioned? Proactive compliance, a feature AWS recently launched at re:Invent, lets us ensure our resources are always compliant and follow the security best practices set by industry standards.
Introduction
This blog post will use AWS Config to enforce proactive compliance for the rds-storage-encrypted rule.
The rds-storage-encrypted rule is a security best practice that requires all RDS database instances to have encryption enabled for their storage volumes. This ensures that sensitive data stored in your databases is protected against unauthorized access and meets compliance requirements for data protection.
A Guide to Enforcing Proactive Compliance with the Rule
To enforce proactive compliance with this rule, follow these steps:
1. Enable AWS Config
The first step is to enable AWS Config in your AWS account. AWS Config can be enabled through the AWS Management Console, the AWS CLI, or the AWS SDKs. Once AWS Config is enabled, it starts recording the configuration of your AWS resources.
2. Create an AWS Config rule
Create an AWS Config rule that checks whether RDS database instances have encryption enabled for their storage volumes. You can create this rule through the AWS Management Console or AWS CloudFormation. Here we are doing it with the AWS Management Console.
3. Evaluation Mode
By default, only detective compliance is switched on. We need to turn on proactive evaluation so that rules can be run before provisioning, saving the time otherwise spent implementing custom pre-deployment validations.
4. Turn on the Proactive evaluation switch and click Next. Review the current settings and click Create Rule.
5. Review your rule here.
6. With the help of the AWS CLI, we will check the compliance of our RDS database configuration. For that, we need a resource evaluation id, which we generate with the command below. Replace the ResourceId with the id of your RDS database. The ResourceConfiguration value is the proposed configuration passed as a JSON string inside the JSON document, which is why its inner quotes are escaped.

```bash
aws configservice start-resource-evaluation \
  --evaluation-mode PROACTIVE \
  --resource-details '{"ResourceId":"myDB", "ResourceType":"AWS::RDS::DBInstance", "ResourceConfiguration":"{\"StorageEncrypted\":true}", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}' \
  --evaluation-timeout 60
```
7. Copy the Resource evaluation id. We will need it in the next step.
8. Run this command, placing your resource evaluation id in place of <your-resource-evaluation-id>.

```bash
aws configservice get-resource-evaluation-summary \
  --resource-evaluation-id <your-resource-evaluation-id>
```
As expected, the Amazon RDS configuration is compliant with the rds-storage-encrypted rule. If I repeat the previous steps with StorageEncrypted set to false, I get a non-compliant result.
9. Now run this command to get individual rule-level compliance for the resource. We can call GetComplianceDetailsByResource, placing the resource evaluation id in place of <your-resource-evaluation-id>.

```bash
aws configservice get-compliance-details-by-resource \
  --resource-evaluation-id <your-resource-evaluation-id>
```
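As an added example that is not part of the original post, here is a Python script that wraps the three calls above (StartResourceEvaluation, GetResourceEvaluationSummary, GetComplianceDetailsByResource) through boto3 into a pre-deployment gate that fails closed unless the rds-storage-encrypted rule reports COMPLIANT. The function names, the database identifier and the polling interval are my assumptions; the live call needs boto3 and AWS credentials, while the payload builder and the gate logic run offline.

```python
# Added example, not from the original post: pre-deployment gate around the
# proactive evaluation APIs shown above (function names are assumptions).
import json
import time

RULE_NAME = "rds-storage-encrypted"

def build_resource_details(db_identifier, properties):
    """ResourceDetails for StartResourceEvaluation. ResourceConfiguration is a
    JSON *string* inside the outer document, hence the escaped quotes in the CLI."""
    return {
        "ResourceId": db_identifier,
        "ResourceType": "AWS::RDS::DBInstance",
        "ResourceConfiguration": json.dumps(properties),
        "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
    }

def rule_verdicts(details):
    """Map ConfigRuleName -> ComplianceType from GetComplianceDetailsByResource."""
    q = "EvaluationResultQualifier"
    return {r["EvaluationResultIdentifier"][q]["ConfigRuleName"]: r["ComplianceType"]
            for r in details.get("EvaluationResults", [])}

def gate(summary, details, required=(RULE_NAME,)):
    """Return (allowed, reason); fail closed unless every required rule is COMPLIANT."""
    status = summary.get("EvaluationStatus", {}).get("Status")
    if status != "SUCCEEDED":
        return False, f"evaluation status {status}"
    if summary.get("Compliance") != "COMPLIANT":
        return False, f"resource is {summary.get('Compliance')}"
    verdicts = rule_verdicts(details)
    bad = [r for r in required if verdicts.get(r) != "COMPLIANT"]
    return (False, f"rules not COMPLIANT: {bad}") if bad else (True, "ok")

def evaluate_proposed_db(db_identifier, properties, timeout=60):
    """Live check (needs boto3 and AWS credentials): StartResourceEvaluation in
    PROACTIVE mode, poll the summary until it leaves IN_PROGRESS, fetch details."""
    import boto3  # imported here so the pure functions above run offline
    cfg = boto3.client("config")
    rid = cfg.start_resource_evaluation(
        ResourceDetails=build_resource_details(db_identifier, properties),
        EvaluationMode="PROACTIVE", EvaluationTimeout=timeout,
    )["ResourceEvaluationId"]
    while True:
        summary = cfg.get_resource_evaluation_summary(ResourceEvaluationId=rid)
        if summary["EvaluationStatus"]["Status"] != "IN_PROGRESS":
            break
        time.sleep(2)
    details = cfg.get_compliance_details_by_resource(ResourceEvaluationId=rid)
    return gate(summary, details)
```

Calling `evaluate_proposed_db("myDB", {"StorageEncrypted": False})` from a CI job blocks the deployment with a NON_COMPLIANT reason before any instance exists.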
Applications of AWS Config with Proactive Compliance
- Continuous Compliance Monitoring: AWS Config allows you to monitor your resources continuously and provide a comprehensive view of their compliance status, including historical changes. You can set up rules to identify and flag compliance violations, such as security group changes allowing unrestricted access to sensitive resources.
- Resource Configuration Auditing: AWS Config can help you audit your resource configurations to ensure they meet regulatory compliance requirements. You can define custom rules to check for specific configurations, such as encryption on S3 buckets or instance types that comply with security standards.
- Security Analysis: AWS Config can help you identify security vulnerabilities in your infrastructure by checking for common misconfigurations and best practices. It can alert you to issues such as overly permissive IAM policies or unsecured network configurations.
- Compliance Reporting: AWS Config provides detailed compliance reports that can be used for auditing and reporting purposes. You can create custom reports to meet specific compliance requirements and automate the generation and distribution of reports.
- Policy Enforcement: AWS Config can automatically remediate non-compliant resources by triggering AWS Lambda functions or AWS Systems Manager Automation documents. This feature can be used to enforce policies such as requiring multi-factor authentication for privileged accounts or automatically encrypting sensitive data.
Conclusion
AWS Config can proactively monitor and enforce compliance across your resources. By leveraging its capabilities, you can identify and address compliance issues before they become costly or cause regulatory violations.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. How does AWS Config work?
ANS: – AWS Config continuously monitors your AWS resources and records their configuration details in a configuration history. It also provides rules that you can use to evaluate the configuration of your resources against best practices, security standards, and compliance requirements.
2. What are some benefits of using AWS Config?
ANS: – AWS Config enables you to gain visibility into the configuration of your AWS resources, track changes to their configuration, and assess their compliance with your policies. It can also help you troubleshoot issues and identify security vulnerabilities in your infrastructure.
3. What types of resources can AWS Config monitor?
ANS: – AWS Config can monitor various AWS resources, including EC2 instances, VPCs, IAM roles, S3 buckets, RDS instances, Lambda functions, and many more.
4. How much does AWS Config cost?
ANS: – AWS Config pricing is based on the number of configuration items recorded and the number of active AWS Config rules evaluated monthly. You can find more information about AWS Config pricing on the AWS website.
5. Can AWS Config be integrated with other AWS services?
ANS: – Yes, AWS Config can be integrated with other AWS services, such as AWS CloudTrail, AWS Lambda, and Amazon SNS. This enables you to automate the evaluation of your resources’ configuration and take action when issues are detected.
WRITTEN BY Jeet Patel