AWS Config All About

AWS Config is a service that allows you to assess, audit, and evaluate the configurations of your AWS resources. It helps you monitor resource configurations over time, enabling compliance, security checks, and overall governance of your AWS environment.

Suppose we have two EC2 instances. One of them follows the standards and compliance rules of your organization, and the other does not. Who takes responsibility for that?

Think of a large AWS account. It can hold thousands of EC2 instances, and the same question applies to every other resource type, not just EC2.
For example, your organization may have a rule that all of these resources must have lifecycle management enabled or public access disabled. Who is responsible for checking all of this, and how do you make sure your AWS account adheres to your organization's compliance rules and regulations?

As a DevOps engineer, it's your responsibility. Now you might be wondering how you can possibly do all of this.
For exactly that reason, AWS provides a service called AWS Config. Simply search for "Config" in the console and you will find it listed with the description "track resource inventory and changes".

This is AWS Config, and with it you can see how many of your resources are compliant and how many are non-compliant.

Projects:

To get a better understanding, we'll dig deeper into AWS Config with a hands-on project.

Before creating an AWS Config rule, we must create a Lambda function.

Great, our Lambda function has been created. Now we'll create an AWS Config rule.

When creating the rule, we'll choose the option 'Create custom Lambda rule' under the rule type.

We'll give our rule a valid name and paste the Lambda function's ARN into the ARN field of the AWS Config rule. To get the ARN, navigate to the Lambda function and copy it from the function overview.

For the Config rule trigger type, we'll select 'When configuration changes', because we want any change to an EC2 instance to trigger the rule, whatever the change is. Under 'Scope of changes' we'll choose 'Resources' to specify which resource type should trigger the rule. Here we'll select 'AWS resources' and then the EC2 instance type, because we want this rule to evaluate EC2 instances.

When an EC2 instance is created or modified, the Config rule fires and the Lambda function executes, retrieving the details of that instance. The Lambda function checks whether detailed monitoring is enabled on the instance and reports the result back to AWS Config as the rule's compliance status for that instance.

Now, let's discuss how to write code for the Lambda function.

import boto3
import json

def lambda_handler(event, context):

    # EC2 client used to look up the instance that triggered the rule.
    ec2_client = boto3.client('ec2')

    # Assume compliant by default
    compliance_status = "COMPLIANT"  

    # Extract the configuration item from the invokingEvent
    config = json.loads(event['invokingEvent'])

    configuration_item = config["configurationItem"]

    # Extract the instanceId
    instance_id = configuration_item['configuration']['instanceId']

    # Get complete Instance details
    instance = ec2_client.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]

    # Check whether the instance has detailed monitoring enabled.
    if not instance['Monitoring']['State'] == "enabled":
        compliance_status = "NON_COMPLIANT"
        annotation = 'Detailed monitoring is not enabled.'
    else:
        annotation = 'Detailed monitoring is enabled.'

    # Evaluation result reported back to AWS Config for this instance.
    evaluation = {
        'ComplianceResourceType': 'AWS::EC2::Instance',
        'ComplianceResourceId': instance_id,
        'ComplianceType': compliance_status,
        'Annotation': annotation,
        'OrderingTimestamp': config['notificationCreationTime']
    }

    config_client = boto3.client('config')

    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken']
    )  

    return response
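As an added example, not part of the original post: the same evaluation logic split away from the boto3 calls so it can be exercised offline against a constructed invoking event. The event fields and values below are made up for illustration, and the NOT_APPLICABLE branch for deleted instances (where describe_instances would fail) is something the handler above does not cover.

```python
import json

# Constructed sample of the event AWS Config passes to a custom Lambda rule on a
# configuration change (only the fields used here; the values are made up).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configuration": {"instanceId": "i-0123456789abcdef0"},
        },
        "notificationCreationTime": "2024-01-01T00:00:01.000Z",
    }),
    "resultToken": "constructed-result-token",
}

# Statuses meaning the instance is gone: describe_instances would fail, and the
# rule should report NOT_APPLICABLE rather than raising inside the Lambda.
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_detailed_monitoring(invoking_event, instance):
    """Build one put_evaluations entry. invoking_event is the parsed JSON from
    event['invokingEvent']; instance is the describe_instances dict or None."""
    item = invoking_event["configurationItem"]
    if item["configurationItemStatus"] in DELETED_STATUSES or instance is None:
        compliance, note = "NOT_APPLICABLE", "Instance no longer exists."
    elif instance.get("Monitoring", {}).get("State") == "enabled":
        compliance, note = "COMPLIANT", "Detailed monitoring is enabled."
    else:
        compliance, note = "NON_COMPLIANT", "Detailed monitoring is not enabled."
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,  # matches the status instead of a fixed string
        "OrderingTimestamp": invoking_event["notificationCreationTime"],
    }


def evaluate_event(event, describe_instance):
    """Parse the raw Lambda event and evaluate it. describe_instance is a callable
    taking an instance id and returning its dict (boto3 in production, a stub in
    tests), so the rule logic runs without AWS credentials."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    instance = None
    if item["configurationItemStatus"] not in DELETED_STATUSES:
        instance = describe_instance(item["resourceId"])
    return evaluate_detailed_monitoring(invoking_event, instance)
```

In the real handler, pass `lambda iid: ec2.describe_instances(InstanceIds=[iid])['Reservations'][0]['Instances'][0]` as `describe_instance` and send the returned dict to `put_evaluations` with the event's `resultToken`.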

To let the Lambda function read EC2 instance details and report results to AWS Config, we need to grant permissions to the function's IAM role. Open the 'Permissions' section of the Lambda function's Configuration tab to see the role name; clicking the role name opens the IAM console for that role in a new tab.

To add permissions to the IAM role, click 'Attach policies' and add the policies the function needs. The least-privilege choice is a policy that allows only the actions the code calls, ec2:DescribeInstances and config:PutEvaluations, rather than a broad managed policy.

After deploying the updated code with the 'Deploy' button, clicking 'Test' should show a success message in the Lambda function console.

Lastly, we'll enable the monitoring option for our EC2 instance, starting with the first instance.

After that, we'll check AWS Config, which tells us which of the EC2 instances follows the rule and which does not.

By using AWS Config to identify compliant and non-compliant resources, we maintain a clear picture of the state of our AWS environment and can verify that it adheres to our organization's policies. This lets us act on risks caused by resource misconfiguration or non-compliance, and in doing so improve the overall security and reliability of our AWS infrastructure.