Using AWS Config to Monitor CloudFormation Stack Resources

Hands-On Lab

 


Craig Arcuri

AWS Training Architect II in Content

Length

01:15:00

Difficulty

Advanced

In this hands-on lab, we will use AWS Config to monitor resources within an AWS environment. We will use a CloudFormation template to create an AWS Config rule that monitors the EC2 instances in the environment. The rule flags any instance whose instance type is not in the list of accepted types passed to the rule as a parameter, and we will then bring the noncompliant instances into compliance by updating their stack.

Solution

Log in to the AWS environment using the credentials provided. Make sure you are using us-east-1 (N. Virginia) as the selected region.

There are three templates for this lab, which you can download from the lab's GitHub repository.

Create a Stack that Contains Three EC2 Instances

Create Stack

  1. Navigate to CloudFormation.
  2. Click Create stack.
  3. In the Prerequisite - Prepare template section, select Create template in Designer.
  4. Click Create template in designer.
  5. Click the Template tab at the bottom.
  6. Copy everything in the badSG.json file (from the lab GitHub), and paste it into the Template window.
  7. In a new browser tab, navigate to EC2 > Key Pairs.
  8. Click Create Key Pair.
  9. Give it a key pair name of "configLab", and click Create.
  10. Click Security Groups in the left-hand menu.
  11. Copy the security group ID (of the non-default security group) and paste it into a text file, since we'll need it in a minute.
  12. Navigate to VPC > Your VPCs.
  13. Copy the VPC ID, and paste it into the same text file.
  14. Click Subnets in the left-hand menu.
  15. Select one of the listed subnets, and copy its subnet ID. Paste it into the same text file.
  16. Back in the CloudFormation template window, click the checkbox at the top to validate the template, and then click the cloud icon with the up arrow to create the stack.
  17. Click Next.
  18. On the stack details page, set the following values:
    • Stack name: configLab
    • Instance1: t2.small
    • Instance2: t2.small
    • Instance3: t2.micro
    • KeyName: configLab
    • MySG: Paste in the security group ID you copied earlier
    • MySubnet: Paste in the subnet ID you copied earlier
    • MyVPC: Paste in the VPC ID you copied earlier
  19. Click Next.
  20. Leave the defaults on the stack options page, and click Next.
  21. Click Create stack. After a minute or so, we should see the stack creation fail. Open the stack's Events tab and read the Status reason on the failed resource before moving on. A failed creation leaves the stack in ROLLBACK_COMPLETE, which can only be deleted, not updated; that is why this stack is deleted later rather than fixed in place.

Create a Second Stack with the Corrected Template

  1. Click the Template tab.
  2. Click View in Designer.
  3. Copy everything in the goodSG.json file (from the lab GitHub), and paste it into the Template window.
  4. Click the checkbox at the top to validate the template, and then click the cloud icon with the up arrow to create the stack.
  5. On the stack details page, set the following values:
    • Stack name: configLab2
    • Instance1: t2.small
    • Instance2: t2.small
    • Instance3: t2.micro
    • KeyName: configLab
    • MySG: Paste in the security group ID you copied earlier
    • MySubnet: Paste in the subnet ID you copied earlier
    • MyVPC: Paste in the VPC ID you copied earlier
  6. Click Next.
  7. Leave the defaults on the stack options page, and click Next.
  8. Click Create stack. This time, stack creation should succeed. configLab2 is the stack that holds the running instances for the rest of the lab; the failed configLab stack is deleted later.

Create Stack That Deploys an AWS Config Rule to Evaluate EC2 Instances

Create Stack

  1. Click Create stack.
  2. In the Prerequisite - Prepare template section, select Create template in Designer.
  3. Click Create template in designer.
  4. Click the Template tab at the bottom.
  5. Copy everything in the awsconfigrule.json file (from the lab GitHub), and paste it into the Template window.
  6. Click the checkbox at the top to validate the template, and then click the cloud icon with the up arrow to create the stack.
  7. Click Next.
  8. On the stack details page, set the following values:
    • Stack name: configrule
    • instanceType: t2.micro
  9. Click Next.
  10. Leave the defaults on the stack options page, and click Next.
  11. Click Create stack. After a minute or so, we should see the stack creation fail: an AWS::Config::ConfigRule cannot be created until a configuration recorder exists in the region, and AWS Config has not been set up yet. The Status reason in the stack's Events tab shows this.
  12. With the configrule stack selected, click Delete.
  13. In the confirmation dialog that pops up, click Delete stack.
  14. Select the configLab stack, and click Delete.
  15. In the confirmation dialog that pops up, click Delete stack.

Set Up AWS Config

  1. In a new browser tab, navigate to AWS Config.
  2. Click Get started.
  3. For All resources, check the box to Record all resources supported in this region.
  4. For Amazon S3 bucket, select Create a bucket.
  5. For AWS Config role, select Use an existing AWS Config service-linked role.
  6. Click Next.
  7. On the AWS Config rules page, click Next.
  8. On the Review page, click Confirm.
  9. On the Config dashboard, click Settings in the left-hand menu.
  10. Verify that recording is on.

Create Another Stack

  1. Back in the CloudFormation browser tab, click Create stack.
  2. In the Prerequisite - Prepare template section, select Template is ready.
  3. In the Specify template section, select Upload a template file.
  4. Click Choose file, and upload the awsconfigrule.json file.
  5. Click Next.
  6. On the stack details page, set the following values:
    • Stack name: configrule
    • instanceType: t2.micro
  7. Click Next.
  8. Leave the defaults on the stack options page, and click Next.
  9. Click Create stack. After a few moments, the stack creation should succeed.
  10. Back in AWS Config, if it still says Taking inventory..., you may need to turn recording off and then immediately back on in order for that message to go away.
  11. Click Rules in the left-hand menu. The desired-instance-type rule should report two noncompliant resources.
  12. Click the desired-instance-type rule name to view the noncompliant resources: they are our two instances that are t2.small instead of the t2.micro the rule accepts.
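The lab's awsconfigrule.json is not reproduced on this page, so the following Python is an added example rather than the lab's own template or AWS code. It builds a CloudFormation template that does what the rule stack above does (one AWS::Config::ConfigRule using the managed DESIRED_INSTANCE_TYPE rule with an instanceType parameter), and then evaluates the three instances from the configLab2 stack offline, shaped like a custom Config rule's Lambda handler, so you can see why two of them come back NON_COMPLIANT. The rule name desired-instance-type is the one shown on the Rules page in the lab; the logical resource ID, the instance IDs, the capture timestamp and the result token are constructed.

```python
"""Offline model of the lab's desired-instance-type Config rule (added example)."""
import json

# Assumed: the lab's template isn't reproduced on the page; this rule name is the one shown in the lab.
RULE_NAME = "desired-instance-type"


def build_rule_template(default_type="t2.micro"):
    """CloudFormation template (as a dict) doing what awsconfigrule.json does: one
    AWS::Config::ConfigRule using the managed DESIRED_INSTANCE_TYPE rule."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "instanceType": {"Type": "String", "Default": default_type,
                             "Description": "Comma-separated list of allowed instance types"}
        },
        "Resources": {
            "DesiredInstanceTypeRule": {  # logical ID is an assumption
                "Type": "AWS::Config::ConfigRule",
                "Properties": {
                    "ConfigRuleName": RULE_NAME,
                    "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
                    "Source": {"Owner": "AWS", "SourceIdentifier": "DESIRED_INSTANCE_TYPE"},
                    "InputParameters": {"instanceType": {"Ref": "instanceType"}},
                },
            }
        },
    }


def parse_allowed_types(rule_parameters):
    """The managed rule's instanceType parameter is a comma-separated list of types."""
    types = {t.strip() for t in rule_parameters.get("instanceType", "").split(",") if t.strip()}
    if not types:
        raise ValueError("instanceType must list at least one instance type")
    return types


def evaluate_instance(item, allowed_types):
    """Deleted or non-EC2 resources are NOT_APPLICABLE; otherwise the recorded
    instanceType must be in the allowed set."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    actual = item.get("configuration", {}).get("instanceType")
    return "COMPLIANT" if actual in allowed_types else "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Shaped like a custom Config rule handler: Config delivers invokingEvent and
    ruleParameters as JSON strings. Returns the evaluations instead of sending them
    with boto3 config.put_evaluations(), so it runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    allowed = parse_allowed_types(json.loads(event.get("ruleParameters", "{}")))
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_instance(item, allowed),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


# Constructed sample: configLab2's three instances as first created. IDs are made up.
LAB_INSTANCES = {
    "i-0aaa000000000001": "t2.small",
    "i-0aaa000000000002": "t2.small",
    "i-0aaa000000000003": "t2.micro",
}


def make_event(instance_id, instance_type, rule_parameters):
    """Build the (constructed) event Config would deliver for one instance."""
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": instance_id,
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
            "configuration": {"instanceType": instance_type}}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps(rule_parameters),
            "resultToken": "constructed-token"}


def evaluate_lab(instances=LAB_INSTANCES, desired="t2.micro"):
    """Evaluate every instance against the rule; returns {instance_id: ComplianceType}."""
    results = {}
    for iid, itype in instances.items():
        (evaluation,) = lambda_handler(make_event(iid, itype, {"instanceType": desired}))
        results[iid] = evaluation["ComplianceType"]
    return results


def noncompliant(results):
    return sorted(iid for iid, c in results.items() if c == "NON_COMPLIANT")


if __name__ == "__main__":
    print(json.dumps(build_rule_template(), indent=2))
    print("noncompliant:", noncompliant(evaluate_lab()))  # the two t2.small instances
```

Running evaluate_lab() with the default parameter reports the two t2.small instances as NON_COMPLIANT and the t2.micro one as COMPLIANT, which is what the Rules page shows at this point in the lab; passing "t2.micro, t2.small" as the parameter, or changing both instances to t2.micro as the next section does, clears the findings. The deleted-resource branch matters in practice: without it, a terminated instance would keep showing as noncompliant until Config drops its last configuration item.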

Make EC2 Instances Compliant with Config Rule

  1. Back in CloudFormation, select our configLab2 stack (the one whose creation succeeded) and click Update.
  2. Select Use current template, and click Next.
  3. Change Instance1 and Instance2 to t2.micro.
  4. Click Next.
  5. Leave the defaults on the stack options page, and click Next.
  6. Click Update stack.
  7. In a new browser tab, navigate to EC2 > Instances. We should see the two modified instances being stopped and started again: changing an instance's type requires a stop/start, and CloudFormation performs it as part of the update.
  8. Back in CloudFormation, check the stack status to make sure it updates alright.
  9. Check the instances in EC2 to make sure they finished updating alright.
  10. Back in AWS Config, click Re-evaluate. After 5–10 minutes, we should see all of our resources are now compliant.

Conclusion

Congratulations on successfully completing this hands-on lab!