Automatic Resource Remediation with AWS Config

Hands-On Lab


Mark Richman

AWS Training Architect II in Content

Length: 01:30:00

Difficulty: Intermediate

Note: If AWS Config has trouble detecting changes after a reasonable amount of time, go to AWS Config Settings and toggle it off and on again.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Introduction

Welcome to this AWS hands-on lab for Automatic Resource Remediation with AWS Config.

This activity provides you with the opportunity to get hands-on experience creating rules in AWS Config and implementing remediations using Lambda functions. This approach helps maintain a highly secure networking architecture inside of AWS.

Good luck and enjoy the hands-on lab!

Resources for this activity are on the GitHub Repository.

Solution

Log in to the AWS Console using the credentials provided on the hands-on lab page.

Remediate Security Group Using Config and Lambda

  1. Create AWS Config Rule
    1. Navigate to the Config service in the AWS Console
      • Click Get started
      • In the AWS Config role section, select Choose a role from your account
      • Click in the Role name field and select the first option
      • Click Next
      • Search for ssh and click on the restricted-ssh box to select it
      • Click Next
      • Click Confirm
      • Once the Config rule has been created, the Dashboard will be populated with data.
      • Click the restricted-ssh rule in the Noncompliant rules section
      • Click the Manage resource icon for the Noncompliant resource type
      • In the Inbound section, we can see the Source is set to 0.0.0.0/0
  2. Create SNS Topic
    1. Navigate to the SNS service in the AWS Console
      • Click Create topic
      • Topic name: mytopic
      • Click Create topic
      • Click Create subscription
      • Protocol: Email
      • Endpoint: Provide your email address
      • Click Create subscription
      • Confirm the subscription by clicking the link in the confirmation email you receive
  3. Create Lambda Function
    1. Navigate to the Lambda service in the AWS Console

  4. Create CloudWatch Events Rule
    1. Navigate to the CloudWatch service in the AWS Console
    2. Click Rules in the menu on the left under Events
    3. Click Create rule
    4. Under Event Source, check the box for Schedule
      • Fixed rate of: 1 Minutes
    5. Under Targets, click Add target
      • Function: remediate-sg
    6. Click Configure details
      • Name: remediate-sg
    7. Click Create rule

After a moment, you will receive an email notification from the Lambda function.

After about 20 minutes, the Config dashboard will show that all rules are now compliant.
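The Lambda function itself comes from the lab's GitHub repository and is not reproduced on this page. As an added example (not the lab's or the repository's code), here is one way a scheduled remediation function for the restricted-ssh rule could look in Python: it asks Config for the non-compliant security groups, revokes only the 0.0.0.0/0 and ::/0 source ranges on ingress rules that cover TCP/22, and publishes a message to the SNS topic. Querying Config (rather than scanning every group) and the SNS_TOPIC_ARN environment variable are assumptions.

```python
"""Hypothetical remediation Lambda for the restricted-ssh rule (added example, not the lab's code)."""
import os

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # the source ranges the restricted-ssh rule flags


def covers_ssh(perm):
    """True if an ingress permission includes TCP/22 (IpProtocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("IpProtocol") == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]


def find_open_ssh_permissions(ip_permissions):
    """Build the minimal IpPermissions list to revoke: only the world-open ranges of each
    SSH-covering rule, so legitimate CIDRs sharing that rule are left untouched."""
    to_revoke = []
    for perm in ip_permissions:
        bad_v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
        bad_v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
        if not covers_ssh(perm) or not (bad_v4 or bad_v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":  # an all-traffic rule has no ports; its open range goes whole
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if bad_v4:
            entry["IpRanges"] = bad_v4
        if bad_v6:
            entry["Ipv6Ranges"] = bad_v6
        to_revoke.append(entry)
    return to_revoke


def lambda_handler(event, context):
    """Scheduled entry point: pull non-compliant groups from Config, revoke, notify via SNS."""
    import boto3  # imported here so the pure logic above stays importable offline
    config, ec2, sns = boto3.client("config"), boto3.client("ec2"), boto3.client("sns")
    resp = config.get_compliance_details_by_config_rule(
        ConfigRuleName="restricted-ssh", ComplianceTypes=["NON_COMPLIANT"])
    fixed = []
    for res in resp.get("EvaluationResults", []):
        sg_id = res["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
        group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
        revoke = find_open_ssh_permissions(group["IpPermissions"])
        if revoke:
            ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=revoke)
            fixed.append(sg_id)
    if fixed:  # SNS_TOPIC_ARN is an assumed environment variable holding mytopic's ARN
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Subject="SSH ingress remediated",
                    Message="Revoked world-open SSH on: " + ", ".join(fixed))
    return {"remediated": fixed}
```

Only the handler needs AWS credentials; find_open_ssh_permissions works on the plain IpPermissions structure returned by describe_security_groups, so the revoke decision can be reviewed against sample data before the function ever runs in an account.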

Remediate S3 Bucket ACL Using Config and Lambda

  1. Create an S3 Bucket
    1. Navigate to the S3 service
    2. Click Create bucket
      • Name: remediate-s3-public-bucket

      > Remember that S3 bucket names need to be globally unique.

      • Uncheck all boxes in both sections that state:
        • Manage public access control lists (ACLs) for this bucket
        • Manage public bucket policies for this bucket
      • Click Create bucket
  2. Create AWS Config Rule
    1. Navigate to the Config service in the AWS Console
    2. Click Rules
    3. Click Add rule
    4. Search for s3 and select the box for s3-bucket-public-read-prohibited
    5. Click Save
    6. After a few moments, the new rule should state there is 1 noncompliant resource
  3. Create SNS Topic
    • This topic should already exist from the previous section.
  4. Create Lambda Function
    1. Navigate to the Lambda service in the AWS Console
    2. Click Create function

  5. Create CloudWatch Events Rule
    1. Navigate to the CloudWatch service in the AWS Console
    2. Click Rules in the menu on the left under Events
    3. Click Create rule
    4. Under Event Source, check the box for Schedule
      • Fixed rate of: 1 Minutes
    5. Under Targets, click Add target
      • Function: remediate-s3-acl
    6. Click Configure details
      • Name: remediate-s3-acl
    7. Click Create rule

After a moment, you will receive an email notification from the Lambda function.

When we check our S3 bucket, it will now show as Not public. Our Config rule should also show that all rules are now compliant.
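For the bucket, again as an added example rather than the lab's code: a Python remediation function for the s3-bucket-public-read-prohibited rule that inspects the bucket ACL for read grants to the AllUsers or AuthenticatedUsers groups and resets the ACL to the canned private ACL only when such a grant exists. FakeS3 is a constructed stand-in for the boto3 S3 client so the logic can be exercised offline, and SNS_TOPIC_ARN is an assumed environment variable; the function handles only the ACL, which is what this section remediates, not bucket policies.

```python
"""Hypothetical S3 ACL remediation Lambda for s3-bucket-public-read-prohibited (added example)."""
import os

# Predefined S3 grantee groups whose presence in a bucket ACL makes it public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}


def public_read_grants(acl):
    """Return the grants in a get_bucket_acl() response that let everyone (or any
    AWS account) read the bucket; this is the ACL condition the rule objects to."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES
            and g.get("Permission") in READ_PERMISSIONS]


def remediate_bucket(s3, bucket):
    """Reset the ACL to the canned 'private' ACL when a public read grant exists.
    Returns True if a change was made, so the caller notifies only on real fixes."""
    if not public_read_grants(s3.get_bucket_acl(Bucket=bucket)):
        return False  # already private: leave the bucket alone
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    return True


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the logic above runs offline."""
    def __init__(self, grants):
        self.grants, self.calls = grants, []
    def get_bucket_acl(self, Bucket):
        return {"Grants": self.grants}
    def put_bucket_acl(self, Bucket, ACL):
        self.calls.append((Bucket, ACL))


def lambda_handler(event, context):
    """Scheduled entry point: fix every bucket Config lists as non-compliant, then notify."""
    import boto3  # lazy import keeps the helpers above importable without boto3
    config, s3, sns = boto3.client("config"), boto3.client("s3"), boto3.client("sns")
    resp = config.get_compliance_details_by_config_rule(
        ConfigRuleName="s3-bucket-public-read-prohibited", ComplianceTypes=["NON_COMPLIANT"])
    names = [res["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
             for res in resp.get("EvaluationResults", [])]  # ResourceId is the bucket name
    fixed = [b for b in names if remediate_bucket(s3, b)]
    if fixed:  # SNS_TOPIC_ARN is an assumed environment variable holding mytopic's ARN
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Subject="S3 bucket ACL remediated",
                    Message="Set private ACL on: " + ", ".join(fixed))
    return {"remediated": fixed}
```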

Conclusion

Congratulations, you've completed this hands-on lab!