
Auditing Resource Configurations with AWS Config

Hands-On Lab


Length: 00:30:00

Difficulty: Intermediate

Welcome to this hands-on AWS Learning Activity for Working with AWS Config. This activity provides you with the opportunity to get hands-on experience implementing Config rules and using Config for configuration management. We will be configuring rules for:

  1. EC2 Instance Type
  2. S3 Versioning is enabled
  3. EC2 Instances in a VPC
  4. CloudTrail is enabled

These rules will give you experience with how the AWS Config service works. The configuration management aspect of Config will then be explored.

ATTENTION: Your UI may look slightly different than the video. Be sure the following options are set:

  1. Once you are in the lab and have selected CONFIG > Get Started, you will come to the Settings page. Under AMAZON S3 Bucket, select "CREATE A BUCKET".
  2. Under AWS Config Role, select one of the following options (options listed earlier are preferred): "Create a role", "Create AWS Config service-linked role", "Use an existing AWS Config service-linked role".
  3. Uncheck "Stream configuration changes and notifications to an Amazon SNS topic."
  4. Skip the AWS Config Rules page.
  5. Once you are on the next page, click CONFIRM.

Good luck and enjoy the hands-on lab!

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Auditing Resource Configurations with AWS Config

Introduction

Welcome to this hands-on AWS lab for working with AWS Config.

This activity provides you with the opportunity to get hands-on experience implementing Config rules and using Config for configuration management. We will be configuring rules for:

  1. EC2 Instance Type
  2. S3 Versioning is enabled
  3. EC2 Instances in a VPC
  4. CloudTrail is enabled

These rules will give you experience with how the AWS Config service works. The configuration management aspect of Config will then be explored.

Log in to the AWS Portal using the credentials provided on the hands-on lab page.

Creating and Testing AWS Config Rules

Enable Config in the account

  1. Navigate to Config in the Services list, found under the Management Tools section.
  2. Click Get Started
  3. Check Record all resources supported in this region
  4. Choose Create a bucket and use the default name
  5. Do not check to create an SNS topic at this time
  6. Check Create a role and use the default name
  7. Click Next
  8. Click Skip
  9. Click Confirm

Configure Rules for resources

  1. Click Rules in the left-hand column under Dashboard
    • Click Add Rule
    • Click cloudtrail-enabled
    • Click Save
    • Click Add Rule and arrow over twice to the third page
    • Click ec2-instances-in-vpc
    • Open the VPC console in another tab to copy the VPC ID
    • Click Your VPCs
    • Check the checkbox for the SysOpsVPC VPC
    • Copy the VPC ID that is listed in the Summary tab
    • Note: Do not include " | SysOpsVPC", only copy the VPC ID value
    • Back to the Config tab, enter the VPC ID as the value for Rule parameters
    • Click Save
    • Click Add Rule and arrow over five times to the last page
    • Click s3-bucket-versioning-enabled
    • Click Save
    • Click Add Rule and arrow over to the second page
    • Click desired-instance-type
    • Enter "t2.micro" as the value for Rule parameters
    • Click Save

Configure the non-compliant resources so they comply (CloudTrail)

  1. Open CloudTrail in another tab, found under Management Tools
    • Click Create trail
    • Name the trail (e.g., "cloudtrail")
    • Under Storage location, choose new S3 bucket and give it a name (e.g., "cloudtrail98236592")
    • Note: Be sure to give your S3 bucket a globally unique name
    • Click Create

Configure the non-compliant resources so they comply (S3 Versioning)

  1. Navigate to S3
    • Click on a bucket and choose the Properties tab
    • Click on Versioning
    • Click Enable versioning
    • Click Save
    • Repeat for the second bucket

Re-evaluate the non-compliant rules in Config

  1. Navigate back to the Config tab
    • Under Rules, click the S3 bucket rule
    • Choose Re-Evaluate
    • Go back to the Rules page and wait for the S3 rule to become compliant
    • Under Rules, click the CloudTrail rule
    • Choose Re-Evaluate
    • Go back to the Rules page and wait for the CloudTrail rule to become compliant
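The rule creation in "Configure Rules for resources" and the re-evaluation steps above can also be scripted. The following is an added example written for this page, not part of the lab or of AWS's own tooling; it builds the same four managed rules (the parameter names `vpcId` and `instanceType` are those of the AWS managed rules), and the VPC ID and the compliance response are constructed sample values.

```python
"""Build, apply and check the four AWS Config managed rules used in this lab."""
import json

# (rule name as created in the lab, AWS managed rule identifier, parameter key, scoped resource type)
MANAGED_RULES = [
    ("cloudtrail-enabled", "CLOUDTRAIL_ENABLED", None, None),
    ("ec2-instances-in-vpc", "INSTANCES_IN_VPC", "vpcId", "AWS::EC2::Instance"),
    ("s3-bucket-versioning-enabled", "S3_BUCKET_VERSIONING_ENABLED", None, "AWS::S3::Bucket"),
    ("desired-instance-type", "DESIRED_INSTANCE_TYPE", "instanceType", "AWS::EC2::Instance"),
]

def build_config_rules(vpc_id, instance_type):
    """Return ConfigRule dicts in the shape that put_config_rule expects."""
    values = {"vpcId": vpc_id, "instanceType": instance_type}
    rules = []
    for name, identifier, param, resource_type in MANAGED_RULES:
        rule = {"ConfigRuleName": name,
                "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
        if param:
            # InputParameters is a JSON-encoded string, not a nested object.
            rule["InputParameters"] = json.dumps({param: values[param]})
        if resource_type:
            rule["Scope"] = {"ComplianceResourceTypes": [resource_type]}
        rules.append(rule)
    return rules

def summarize_compliance(response):
    """Map rule name -> ComplianceType from a describe_compliance_by_config_rule response."""
    return {item["ConfigRuleName"]: item["Compliance"]["ComplianceType"]
            for item in response.get("ComplianceByConfigRules", [])}

def noncompliant_rules(response):
    """Names of the rules that still need remediation, sorted for stable output."""
    return sorted(n for n, c in summarize_compliance(response).items() if c == "NON_COMPLIANT")

def apply_and_reevaluate(rules, region="us-east-1"):
    """Create the rules, then trigger the same re-evaluation as the console's Re-Evaluate button."""
    import boto3  # imported here so the pure functions above run without the SDK or credentials
    client = boto3.client("config", region_name=region)
    for rule in rules:
        client.put_config_rule(ConfigRule=rule)
    names = [r["ConfigRuleName"] for r in rules]
    client.start_config_rules_evaluation(ConfigRuleNames=names)
    return summarize_compliance(client.describe_compliance_by_config_rule(ConfigRuleNames=names))

# Constructed sample, shaped like a describe_compliance_by_config_rule response.
SAMPLE_COMPLIANCE_RESPONSE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-versioning-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
]}

if __name__ == "__main__":
    print(json.dumps(build_config_rules("vpc-0123456789abcdef0", "t2.micro"), indent=2))
    print("Still non-compliant:", noncompliant_rules(SAMPLE_COMPLIANCE_RESPONSE))
```

Immediately after `put_config_rule` the compliance type is usually `INSUFFICIENT_DATA` until the first evaluation finishes, so poll `describe_compliance_by_config_rule` rather than reading it once.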

Conclusion

Congratulations, you've completed this hands-on lab!