
Continuous Compliance and Automated Incident Response with AWS CodePipeline and AWS Config

Hands-On Lab


Length

00:30:00

Difficulty

Intermediate

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. In this hands-on lab, we will leverage AWS Config to monitor resources deployed from our AWS CodePipeline to ensure they meet our company's compliance standards. If AWS Config finds any violations, it will notify us by email through Amazon Simple Notification Service.



Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Create an AWS Config Rule

  1. Navigate to Config.
  2. Click Get started.
  3. On the Settings page, set the following values:
    • Resource types to record
      • All resources: Check Record all resources supported in this region
    • Amazon S3 bucket
      • Select Create a bucket
      • Bucket name: Leave as-is
    • Amazon SNS topic
      • Check Stream configuration changes and notifications to an Amazon SNS topic.
      • Select Create a topic
      • Topic name: Leave as-is
    • AWS Config role
      • Select Use an existing AWS Config service-linked role
  4. Click Next.
  5. On the Rules page, search for "s3-".
  6. Select the s3-bucket-server-side-encryption-enabled card.
  7. Click Next.
  8. On the Review page, click Confirm.

Create an AWS Simple Notification Service Subscription

  1. Navigate to SNS.
  2. Select the config-topic we just created.
  3. Click Create subscription.
  4. In the dialog, set the following values:
    • Protocol: Email
    • Endpoint: Enter your email address
  5. Click Create subscription.
  6. Check your email.
  7. In the subscription confirmation email, click Confirm subscription.

Create an AWS IAM Role

  1. Navigate to IAM.
  2. Click Roles from the left-hand menu.
  3. Click Create role.
  4. Select CloudFormation as the service that will use the role.
  5. Click Next: Permissions.
  6. On the permissions policies page, select the AdministratorAccess policy.
  7. Click Next: Tags.
  8. Click Next: Review.
  9. Enter a Role name of "pipelinerole".
  10. Click Create role.

Create an AWS CodeCommit Repository

  1. Open a terminal session, and run the following command to clone the repo to your local workstation or laptop:

    git clone https://github.com/linuxacademy/content-aws-continous-compliance

  2. In the AWS Management Console, navigate to CodeCommit.
  3. Click Create repository.
  4. Give it a repository name of "cloudformationtemplate".
  5. Click Create.
  6. Click Add file and select Upload file.
  7. Click Choose file.
  8. Select s3.json from the cloned repo and click Open.
  9. Enter your name as the Author name and your email address as the Email address.
  10. Click Commit changes.

Create an AWS CodePipeline

  1. In the left-hand menu, click Pipeline and select Pipelines.
  2. Click Create pipeline.
  3. Give it a name of "s3unencrypted".
  4. Leave the other settings as-is, and click Next.
  5. On the Add source stage page, set the following values:
    • Source provider: AWS CodeCommit
    • Repository name: Select our repository
    • Branch: master
  6. Click Next.
  7. Click Skip build stage and then Skip in the dialog box.
  8. On the Add deploy stage page, set the following values:
    • Deploy provider: AWS CloudFormation
    • Region: US East - (N. Virginia)
    • Action mode: Create or update a stack
    • Stack name: s3unencrypted
    • Artifact name: SourceArtifact
    • File name: s3.json
    • Role name: pipelinerole
  9. Click Next.
  10. Click Create pipeline.

Monitor Compliance

  1. Navigate to AWS Config. After a few minutes, we should see two non-compliant resources under the s3-bucket-server-side-encryption-enabled rule. If it seems to be taking a while, select the rule and then click Re-evaluate.
  2. Click one of the non-compliant resources to view its details.
  3. Check your email to see the AWS Config notifications you've received.
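The lab catches the unencrypted buckets only after CodePipeline has deployed them. As an added example (not part of the lab or the linuxacademy repo), the following script applies the same check the s3-bucket-server-side-encryption-enabled rule performs, but to a CloudFormation template before it is committed, so a non-compliant s3.json would be flagged ahead of deployment. The two embedded templates are constructed samples; the lab's real s3.json is not shown on this page.

```python
import json

# Constructed sample templates (assumptions, not the lab's actual s3.json).
UNENCRYPTED_TEMPLATE = """
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
   "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
   "LogBucket":  {"Type": "AWS::S3::Bucket"}}}
"""

ENCRYPTED_TEMPLATE = """
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
   "DataBucket": {"Type": "AWS::S3::Bucket",
     "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
   "PipelineRole": {"Type": "AWS::IAM::Role",
     "Properties": {"AssumeRolePolicyDocument": {}}}}}
"""

# SSE algorithms CloudFormation accepts for a default-encryption rule.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def bucket_has_default_encryption(props):
    """True when the bucket declares at least one default SSE rule."""
    rules = props.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", [])
    for rule in rules:
        algo = rule.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ALLOWED_ALGORITHMS:
            return True
    return False


def evaluate_template(template_text):
    """Map each AWS::S3::Bucket logical id to COMPLIANT / NON_COMPLIANT."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # the Config rule is scoped to S3 buckets only
        props = resource.get("Properties") or {}  # missing Properties == no encryption
        ok = bucket_has_default_encryption(props)
        results[logical_id] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return results


def noncompliant_buckets(template_text):
    """Sorted logical ids that would fail the rule once deployed."""
    return sorted(k for k, v in evaluate_template(template_text).items()
                  if v == "NON_COMPLIANT")


if __name__ == "__main__":
    for name, tpl in (("unencrypted", UNENCRYPTED_TEMPLATE),
                      ("encrypted", ENCRYPTED_TEMPLATE)):
        print(name, evaluate_template(tpl))
```

Running it reports both buckets in the first template as NON_COMPLIANT and the single bucket in the second as COMPLIANT; the IAM role is ignored, matching the rule's resource scope.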

Conclusion

Congratulations on successfully completing this hands-on lab!