Tutorial / Cram Notes

AWS Config rules allow you to automatically assess the configuration of AWS resources against desired configurations. Each rule represents your desired configuration settings for a specific AWS resource type. AWS Config regularly evaluates your resources against these rules to provide compliance information.

Types of AWS Config Rules

AWS Config rules come in two varieties:

  • AWS Managed Config Rules – Predefined, customizable rules created by AWS that address common compliance scenarios.
  • Custom Config Rules – Custom rules you define. These use AWS Lambda functions to evaluate specific configuration settings against what you’ve defined as compliant.

How AWS Config Rules Work

AWS Config continuously records and evaluates your AWS resource configurations and then triggers the rules at regular intervals or in response to configuration changes. The results of the rule evaluations determine if your resources are compliant or non-compliant with the rule definitions.

Implementing AWS Config Rules

To implement an AWS Config rule, follow these general steps:

  1. Select/Create Rule:
    • For AWS Managed Config Rules, select a predefined rule and configure its parameters.
    • For Custom Config Rules, write a Lambda function that contains the logic for compliance evaluation.
  2. Define Trigger Types:
    • Configuration changes: Rules respond to changes in resources.
    • Periodic: Rules evaluate resource configurations at a fixed frequency, such as every 24 hours.
  3. Deploy the Rule:
    • Use the AWS Management Console, AWS CLI, or AWS SDKs to deploy your rule.

Examples

Enforcing Encrypted AMIs (AWS Managed Rule)

Enforce that all Amazon Machine Images (AMIs) are encrypted by enabling the encrypted-volumes AWS Managed Config rule. This rule checks whether EBS volumes that are in an attached state are encrypted.

aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "encrypted-volumes",
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "ENCRYPTED_VOLUMES"
    }
  }'

Limiting Open Security Groups (Custom Rule)

Create a custom rule that triggers when security groups are modified or created. The Lambda function for the rule checks if the security group allows unrestricted ingress access to a particular port (e.g., port 22 for SSH), and marks the security group as non-compliant if it does.
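A change-triggered Lambda function implementing this check in Python, added here as an example and not part of the original post: the configuration item field names (ipPermissions, ipRanges/ipv4Ranges/ipv6Ranges, configurationItemStatus) are assumed to match what AWS Config delivers for AWS::EC2::SecurityGroup, and SAMPLE_SG and the blockedPort rule parameter are constructed. It also covers two cases the paragraph leaves implicit: an "all traffic" (protocol -1) rule that reaches the port without naming it, and a deleted group, which must be reported as NOT_APPLICABLE so the old finding is cleared.

```python
import json

# Added example, not from the original post: evaluation logic for the open-security-group
# custom rule above. Field names follow the AWS::EC2::SecurityGroup configuration item as
# delivered to a change-triggered rule (assumed); SAMPLE_SG and "blockedPort" are constructed.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: SSH open to the whole internet, HTTPS limited to RFC 1918 space.
SAMPLE_SG = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
]}

def rule_covers_port(perm, port):
    """True if one ipPermissions entry reaches `port`; protocol -1 means all traffic."""
    if perm.get("ipProtocol") == "-1":
        return True
    if perm.get("ipProtocol") not in ("tcp", "6"):  # SSH is TCP; ignore UDP/ICMP entries
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)

def cidrs_of(perm):
    """Flatten CIDR sources; Config emits both plain strings and {cidrIp}/{cidrIpv6} dicts."""
    return [r if isinstance(r, str) else r.get("cidrIp") or r.get("cidrIpv6")
            for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges") for r in perm.get(key, [])]

def evaluate_security_group(configuration, port=22):
    """Return (ComplianceType, Annotation) for one security-group configuration."""
    for perm in configuration.get("ipPermissions", []):
        exposed = sorted(c for c in cidrs_of(perm) if c in OPEN_CIDRS)
        if exposed and rule_covers_port(perm, port):
            return "NON_COMPLIANT", f"port {port} open to {', '.join(exposed)}"
    return "COMPLIANT", f"no unrestricted ingress on port {port}"

def lambda_handler(event, context):
    """Lambda entry point: evaluate the changed item and report the result to Config."""
    import boto3  # imported here so the evaluation logic above runs without AWS access
    item = json.loads(event["invokingEvent"])["configurationItem"]
    port = int(json.loads(event.get("ruleParameters") or "{}").get("blockedPort", 22))
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"  # clear stale findings
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])
    return compliance
```

The Lambda's execution role needs only config:PutEvaluations plus basic logging; the rule itself should be scoped to AWS::EC2::SecurityGroup so it is not invoked for unrelated resource changes.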

AWS Config Rules Best Practices

For the AWS Certified DevOps Engineer – Professional exam, you should also be familiar with the best practices related to AWS Config rules, such as:

  • Minimal Permissions: Apply the principle of least privilege when setting permissions for AWS Config rules and associated Lambda functions.
  • Regular Audits: Regularly audit your AWS Config rules to ensure they are effective and cover all necessary resources.
  • Automation: Use automation to make real-time remediation when a resource is marked as non-compliant.
  • Notification: Integrate AWS Config with Amazon SNS to receive notifications when compliance statuses change.

Conclusion

AWS Config rules are a key component in maintaining governance, compliance, and security of AWS resources. For the AWS Certified DevOps Engineer – Professional exam, mastery of AWS Config rules, including how to create, manage, and use them, is vital: it demonstrates the advanced technical skill and understanding required to use AWS services effectively in a DevOps role.

Practice Test with Explanation

True/False: AWS Config rules can automatically remediate non-compliant resources without any human intervention.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Config rules can be set up with remediation actions to automatically correct non-compliant resources.

Which AWS service allows you to evaluate your AWS resource configurations for compliance with desired settings?

  • A) AWS CloudTrail
  • B) AWS Config
  • C) AWS Inspector
  • D) AWS Trust Advisor

Answer: B) AWS Config

Explanation: AWS Config is the service that evaluates AWS resource configurations for compliance.

True/False: AWS Config requires you to install an agent on your AWS resources to track configuration changes.

  • A) True
  • B) False

Answer: B) False

Explanation: AWS Config does not require the installation of an agent; it automatically records configuration changes of supported AWS resources.

How often can AWS Config rules evaluate your resources?

  • A) Only when a resource is created or changed
  • B) On a scheduled basis (e.g., every 6 hours)
  • C) Both A and B
  • D) Only manually when initiated by a user

Answer: C) Both A and B

Explanation: AWS Config rules can evaluate resources both when they are created or changed and on a periodic scheduled basis.

True/False: AWS Config rules can be applied to all regions within an AWS account automatically.

  • A) True
  • B) False

Answer: B) False

Explanation: AWS Config rules need to be set up in each region where you want them to be active; they are not automatically applied to all regions.

Which of the following resource types can AWS Config monitor and record?

  • A) EC2 Instances
  • B) S3 Buckets
  • C) IAM Users
  • D) All of the above

Answer: D) All of the above

Explanation: AWS Config can monitor and record a wide range of resource types including EC2 instances, S3 buckets, and IAM users.

True/False: AWS Config supports custom rules that you can define using AWS Lambda functions.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Config allows you to create custom rules using AWS Lambda to evaluate specific compliance requirements.

True/False: AWS Config can aggregate compliance data from multiple accounts and regions.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Config supports the aggregation of compliance data across multiple accounts and regions.

In AWS Config terminology, what is a “Conformance Pack”?

  • A) A collection of AWS Config rules and remediation actions
  • B) A package of software to install on your instances to comply with rules
  • C) A bundled set of AWS security standards and best practices
  • D) A deployment option for managing AWS Config in a large organization

Answer: A) A collection of AWS Config rules and remediation actions

Explanation: A Conformance Pack in AWS Config is a collection of AWS Config rules and remediation actions that can be deployed as a single entity.

True/False: It is possible to test AWS Config custom rules in a development environment before deploying them to production.

  • A) True
  • B) False

Answer: A) True

Explanation: Custom rules written for AWS Config can be tested in a development or testing environment similar to any other code before being used in production.

What IAM permissions must a user have to assign an AWS Config rule to resources?

  • A) config:PutConfigRule
  • B) config:DescribeConfigRule
  • C) config:StartConfigRulesEvaluation
  • D) All of the above

Answer: D) All of the above

Explanation: The user needs config:PutConfigRule to add or update a Config rule, config:DescribeConfigRule to view details of the Config rule, and config:StartConfigRulesEvaluation to manually start the evaluation of Config rules.

True/False: AWS Config rules only evaluate changes to the resource’s configuration.

  • A) True
  • B) False

Answer: B) False

Explanation: AWS Config rules evaluate resources against the desired configurations upon changes, but they can also be scheduled to do periodic evaluations.

Interview Questions

What is AWS Config, and how do AWS Config rules contribute to compliance and resource management?

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config rules allow you to create desired configuration guidelines for your AWS resources and then automatically check whether those resources comply with the defined configurations. This helps in maintaining compliance with company policies or regulatory standards and aids in resource management by identifying misconfigured resources.

Can you explain the difference between AWS Config managed rules and custom rules?

AWS Config managed rules are predefined, customizable rules provided by AWS that can help you evaluate whether your AWS resource configurations comply with common best practices. Custom rules, on the other hand, are user-defined rules created using AWS Lambda that allow for more flexibility and can address specific compliance needs that aren’t covered by the managed rules.

How can you remediate non-compliant resources identified by AWS Config rules?

Remediation can be performed manually by adjusting the resource configuration as per the required guidelines or it can be automated by setting up AWS Config to execute a Lambda function or an SSM automation document when a non-compliant resource is detected. The automated action will rectify the configuration to bring the resource back into compliance.

What types of AWS resources can be monitored with AWS Config?

AWS Config can monitor a wide variety of AWS resource types, including but not limited to EC2 instances, EBS volumes, VPCs, RDS databases, IAM resources, and many others. AWS continues to add support for additional resource types as the service evolves.

What is the difference between AWS Config and AWS CloudTrail, and when would you use each service?

AWS Config is primarily used for assessing, auditing, and evaluating the configurations of your AWS resources, providing a detailed view of the configuration history and changes. AWS CloudTrail, on the other hand, focuses on logging and tracking API calls made within your AWS account, including actions taken through the AWS Management Console, AWS CLI, or AWS SDKs. Therefore, AWS Config is used for configuration compliance and resource management, while CloudTrail is used for auditing and tracking user activity and API usage.

Is it possible to aggregate AWS Config data from multiple accounts/regions, and if so, how?

Yes, it is possible. AWS Config supports multi-account, multi-region data aggregation, which allows you to collect, view, and evaluate your resource configurations across different AWS accounts and regions. This can be done by setting up an aggregator in the AWS Config console, which will act as a centralized location to view the compliance and configuration data.

How does AWS Config handle change management, and what benefits does it offer in terms of change tracking?

AWS Config continuously monitors and records configuration changes across your AWS resources, which aids in change management by providing a history of configuration changes. This helps in troubleshooting, auditing, and understanding the evolution of your resource configurations over time, which can benefit security analysis, compliance auditing, and operational troubleshooting.

What format does AWS Config use for the configuration snapshots, and how often can these snapshots be delivered?

AWS Config uses JSON as the format for configuration snapshots. These snapshots can be set up for delivery to an Amazon S3 bucket on a frequency that you choose, with a minimum frequency being once every 6 hours and a maximum frequency of once every 24 hours.

Can AWS Config rules trigger notifications for resource configuration changes, and how would you set this up?

Yes, AWS Config can trigger SNS notifications whenever there is a configuration change or when a resource is found to be non-compliant with a rule. You set this up by configuring an Amazon SNS topic and then specifying this topic as the recipient of notifications sent by AWS Config.

What permissions are required for AWS Config to record and evaluate AWS resource configurations?

AWS Config requires permissions to make Describe or List calls to AWS resources in order to record their configurations. These permissions are usually set via an IAM role that AWS Config assumes. This role needs to have sufficient read-level permissions to access the configurations of the resources being monitored.

Rostichara Stoyanovskiy

This blog post was an excellent read!

Albert López
5 months ago

Can AWS Config work alongside third-party compliance tools?

Abhinav Nair
5 months ago

This blog post on AWS Config rules is very informative. Thanks for sharing!

Jade French
6 months ago

Can someone explain how AWS Config rules help in compliance management?

Erich Wendland
5 months ago

Do AWS Config rules apply to all AWS regions?

Magnus Pedersen
6 months ago

I found this blog very helpful, particularly the sections on remediation actions.

Angelina Blümel
6 months ago

Does anyone have experience using AWS Config rules in an enterprise setting?

Laurie Harcourt
6 months ago

Informative post, but I think it missed out on how to price AWS Config.
