Proactively Monitor and Enforce Compliance for your AWS Resources with AWS Config

Overview

Have you ever wondered if we can check whether our resources are compliant even before their provision. This new feature of proactive compliance, which AWS recently launched in their reinvent, allows us to ensure our resources are always compliant and follow the security best practices per industry standards.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Introduction

AWS Config is a powerful tool that allows you to assess, audit, and evaluate the configuration of your AWS resources. With AWS Config, you can ensure that your resources comply with industry standards and regulations.

This blog post will use AWS Config to enforce proactive compliance for the “RDS-storage-encrypted” rule.

The RDS-storage-encrypted rule is a security best practice that requires that all RDS database instances have encryption enabled for their storage volumes. This ensures that sensitive data stored in your databases is protected against unauthorized access and meets compliance requirements for data protection.

A Guide to enforce proactive compliance with the Rule

To enforce proactive compliance with this rule, follow these steps:

Enable AWS Config

The first step is to enable AWS Config in your AWS account. AWS Config can be enabled through the AWS Management Console, the AWS CLI, or the AWS SDKs. Once AWS Config is enabled, it will start recording the configuration of your AWS resources.

Create an AWS Config rule

create an AWS Config rule that checks whether RDS database instances enable encryption for their storage volumes. You can create this rule through the AWS Management Console or AWS CloudFormation. Here we are doing it with AWS Management Console.

step2

3. Evaluate Mode

By default, only detective compliance is switched on. We need to turn on the proactive evaluation so that they can be run before provisioning and save time spent to implement custom pre-deployment validations.

step3

4. Turning On Proactive evaluation switch and click on next. Review the current settings and click on Create Rule.

step4

5. Review your rule here.

step5

6. With the help of the AWS CLI, we will try to fetch the current status of our RDS database. For that, we need a resource evaluation id. We will generate that by passing this command. Change your Resource ID with that of the RDS database id.

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE Let me know if there is anything else I can help you with.

--resource-details '{"ResourceId":"myDB

", "ResourceType":"AWS::RDS::DBInstance", "ResourceConfiguration":"{\"StorageEncrypted\":true}", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}' \

--evaluation-timeout 60

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE Let me know if there is anything else I can help you with.

--resource-details '{"ResourceId":"myDB

", "ResourceType":"AWS::RDS::DBInstance", "ResourceConfiguration":"{\"StorageEncrypted\":true}", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}' \

--evaluation-timeout 60

7. Copy the Resource evaluation id. We will need it in the next step.

step7

8. Run this command by placing your resource evaluation id in place of

<your-resource-evaluation-id>.

aws configservice get-resource-evaluation-summary \ --resource-evaluation-id <your-resource-evaluation-id>

<your-resource-evaluation-id>.

aws configservice get-resource-evaluation-summary \ --resource-evaluation-id <your-resource-evaluation-id>

step8

As expected, the Amazon RDS configuration is compliant with the rds-storage-encrypted rule. If I repeat the previous steps with StorageEncrypted set to false, I get a non-compliant result.

9. Now run this command to get individual rule-level compliance for the resource. We can call the GetComplianceDetailsByResource by placing the resource evaluation id in place of

<your-resource-evaluation-id>.

aws configservice get-compliance-details-by-resource \ --resource-evaluation-id <your-resource-evaluation-id>

<your-resource-evaluation-id>.

aws configservice get-compliance-details-by-resource \ --resource-evaluation-id <your-resource-evaluation-id>

step9

Applications of Using AWS Config with proactive compliance

Continuous Compliance Monitoring: AWS Config allows you to monitor your resources continuously and provide a comprehensive view of their compliance status, including historical changes. You can set up rules to identify and flag compliance violations, such as security group changes allowing unrestricted access to sensitive resources.
Resource Configuration Auditing: AWS Config can help you audit your resource configurations to ensure they meet regulatory compliance requirements. You can define custom rules to check for specific configurations, such as encryption on S3 buckets or instance types that comply with security standards.
Security Analysis: AWS Config can help you identify security vulnerabilities in your infrastructure by checking for common misconfigurations and best practices. It can alert you to issues such as overly permissive IAM policies or unsecured network configurations.
Compliance Reporting: AWS Config provides detailed compliance reports that can be used for auditing and reporting purposes. You can create custom reports to meet specific compliance requirements and automate generating and distributing of reports.
Policy Enforcement: AWS Config can automatically remediate non-compliant resources by triggering AWS Lambda functions or AWS Systems Manager Automation documents. This feature can be used to enforce policies such as requiring multi-factor authentication for privileged accounts or automatically encrypting sensitive data.

Conclusion

AWS Config can proactively monitor and enforce compliance across your resources. By leveraging its capabilities, you can identify and address compliance issues before they become costly or cause regulatory violations.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. How does AWS Config work?

ANS: – AWS Config continuously monitors your AWS resources and records their configuration details in a configuration history. It also provides rules that you can use to evaluate the configuration of your resources against best practices, security standards, and compliance requirements.

2. What are some benefits of using AWS Config?

ANS: – AWS Config enables you to gain visibility into the configuration of your AWS resources, track changes to their configuration, and assess their compliance with your policies. It can also help you troubleshoot issues and identify security vulnerabilities in your infrastructure.

3. What types of resources can AWS Config monitor?

ANS: – AWS Config can monitor various AWS resources, including EC2 instances, VPCs, IAM roles, S3 buckets, RDS instances, Lambda functions, and many more.

4. How much does AWS Config cost?

ANS: – AWS Config pricing is based on the number of configuration items recorded and the number of active AWS Config rules evaluated monthly. You can find more information about AWS Config pricing on the AWS website.

5. Can AWS Config be integrated with other AWS services?

ANS: – Yes, AWS Config can be integrated with other AWS services, such as AWS CloudTrail, AWS Lambda, and Amazon SNS. This enables you to automate evaluating your resources’ configuration and take action when issues are detected.