AWS Security Essentials – Using Config to Audit Resources
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
In this lab, the student will gain experience with how to configure rules in AWS Config and how to see the results of the resulting audit in the console.
Using Config to Audit Resources
In this lab, we use AWS Config to set up rules that allow us to audit resources.
Before getting started, make sure you're logged in to the AWS web console and have selected the N. Virginia region (us-east-1).
In the first part of this lab, we'll set up some resources so that we have something to audit.
Create an EC2 Instance
Navigate to EC2 from the services menu and click Launch Instance. Select the Amazon Linux AMI and set the size to t2.micro. On the Configure Instance Details screen, set its subnet to DMZ1public and enable the auto-assign public IP option. We'll continue through the setup until reaching the Configure Security Group screen. Here, we'll choose the option to select an existing security group and choose the default group from the list below.
Click Review and Launch, then Launch. From the first dropdown menu, select Create a new keypair and name it configlab. Download the key pair and click Launch Instances.
Create an S3 Bucket
To begin, navigate to S3 from the services menu and click Create bucket. Provide a name like test followed by a long string of random numbers to ensure it is globally unique and click Next. Click Next again and set the public permissions to Grant public read access to this bucket. Click Next and then click Create bucket.
Using AWS Config
Now that we have some resources in our account, we can audit them.
Navigate to Config from the services menu (it can be found under the Management Tools section). On the main Config service page, click Get started. On the Settings screen, we can leave the default settings as they are. Click Next. We can also leave the default rules; click Next again. Finally, click Confirm.
Next, we can start to customize our Config setup. From the dashboard, click Add rule. From the list, look for a rule called "desired-instance-type" and select it. In the Rule Parameters section, enter t2.small as the value for the InstanceType key. Click Save.
We can set an additional rule to check our S3 bucket's versioning setting. From the dashboard, click Add rule again. From the list, find a rule called "s3-bucket-versioning-enabled" and select it. No configuration is required for this rule; click Save.
Finally, we'll set a third rule to check the permissions on our S3 bucket. From the dashboard, click Add rule again. From the list, find a rule called "s3-bucket-public-read-prohibited" and select it. No configuration is required for this rule; click Save.
On the Config dashboard, we'll see a list of the rules we created along with a compliance status for each.
To examine what these rules can tell us, click the s3-bucket-versioning-enabled rule. We should see two S3 buckets that are not in compliance with this rule. The first will be the bucket created by Config, and the second will be the bucket we created above. The noncompliance status of these buckets mean that neither one has versioning enabled.
Go back to the dashboard and select the s3-bucket-public-read-prohibited rule. In this rule, we should have one bucket that complies and one that does not. The test bucket we created should be listed as noncompliant, while the Config bucket should be listed as compliant. This tells us that only the bucket created by Config is inaccessible to the public.
Finally, return to the dashboard and select the final rule, desired-instance-type. We'll see the EC2 instance we created is listed as noncompliant. This happens because we created it with the type t2.micro while this rule checks for t2.small.
AWS Config is a tool that we can use to ensure all of our resources adhere to a set of specified rules. When set up properly, Config can be used to create a full audit that can be used to check whether the users of an AWS account are creating any unintended resources.
Congratulations! You've completed the lab on using Config to audit resources.