Amazon AWS DevOps Engineer Professional – Policies and Standards Automation (Domain 4) Part 4
August 23, 2023

11. Config – Overview

So let’s start learning AWS Config. It is such an important service and it comes up a lot at the exam. The reason is that it provides you with an audit trail and compliance of your resources, and it also gives you a way to look at the configuration of these resources over time. It’s a very simple setup: we don’t have to install anything, it does all the API calls for us. Then we can customize rules to check what we want for compliance, and we get a compliance dashboard that we can react against, and so on. So let’s get started with Config. This is, by the way, a paid service. As soon as you have one Config rule, you’re going to pay one dollar.

So just so you know, if you start using the service, you will pay some money. But if you’re preparing for the DevOps exam, I’m pretty sure you have some money to spend. So let’s get started. First, for the setup, there are some settings, and you need to make sure to record all the resources supported in this region. You can also include global resources if you want to track how IAM resources are being configured. Then, for the configuration history and configuration snapshot files, you can create a bucket or choose a bucket in this account. We’ll do this right now: I’ll use my DevOps course bucket and I’ll use the prefix AWS Config in here.

That means that all the configuration history and configuration snapshot files will go into this bucket. Then we can have an SNS topic to stream the configuration changes and notifications for all the resources in your account, and we’ll see how that differs from CloudWatch Events. Finally, we need to create a Config role to provide read-only access to resources and to send this information to S3 and SNS. So we’ll say, okay, create a Config role for us. Next, we’re good here. We have to choose rules, but I’m going to skip this step for now and click on Confirm. What this is going to do is record all the resources in my account and their configuration and send this to an S3 bucket.

Let’s confirm this. The setup is starting. It seems that I’m getting an error, and the error is that AWS Config does not have sufficient permissions to send information to the S3 bucket. So what we’ll do is go into the S3 bucket and edit the bucket policy to add the necessary permissions. I’m going to my bucket, then to Permissions, then to the Bucket policy. There is a documentation page called Permissions for the Amazon S3 Bucket for AWS Config that gives us the correct bucket policy. I’m going to copy all these statements and we’ll edit them as we go. So I’ll add a comma, press Enter and add these statements.

So we are allowing the Config service to do a GetBucketAcl on this bucket. I’ll paste in my bucket name. Okay, this looks good. Then we allow Config to do a ListBucket on this bucket, which makes sense. Then we allow Config to do the bucket delivery. So we’ll have the target bucket name again here, then the optional prefix, which was AWS Config if I remember correctly. Yes, that’s the case. And then the source account ID without hyphens. Maybe we can get it from here. No, let’s get it from Support then. So we’re going to the Support Center and we are going to look at my account number, here we go, paste it here, and then Config/* at the end. So everything looks good.

And this is the whole policy. We’ll save this, and this has been saved. Now if we go back into Config and click on Confirm, hopefully the setup should go through. The Config role itself is now an existing one, and everything else looks good. So Next, skip this, and Confirm, and hopefully now this whole setup should work. Let’s wait a little bit. Now Config is discovering and configuring, which means that Config will go across all the resources in my account and look at their configuration. This setup can take a little bit of time, but when it’s done we will see all the resources in here. Excellent, all the resources in my account have been discovered by AWS Config, and that is 171 resources.
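The bucket policy being pasted in above, as an added example that is not the course’s own code: it builds the three statements Config needs on the delivery bucket (ACL check, existence check, object delivery under the optional prefix) and appends them to a bucket’s existing policy without duplicating statements. The bucket name, prefix and account ID below are constructed sample values.

```python
"""Build the S3 bucket policy AWS Config needs on its delivery bucket."""
import json

CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}


def config_delivery_key_prefix(prefix, account_id):
    """Key prefix Config writes under: [prefix/]AWSLogs/<account>/Config/."""
    prefix = prefix.strip("/")
    key = f"AWSLogs/{account_id}/Config/"
    return f"{prefix}/{key}" if prefix else key


def build_config_bucket_policy(bucket, account_id, prefix=""):
    """Return the policy document as a dict (account ID: 12 digits, no hyphens)."""
    if len(account_id) != 12 or not account_id.isdigit():
        raise ValueError("account ID must be 12 digits without hyphens")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{config_delivery_key_prefix(prefix, account_id)}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:ListBucket",
             "Resource": bucket_arn},
            # Delivery is scoped to Config's own key prefix, and objects must be
            # written with bucket-owner-full-control so the account owns them.
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:PutObject",
             "Resource": objects_arn,
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def merge_into_existing(existing_policy_json, new_policy):
    """Append the Config statements to an existing bucket policy (skips Sids already present)."""
    existing = json.loads(existing_policy_json) if existing_policy_json else \
        {"Version": "2012-10-17", "Statement": []}
    statements = existing.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
        existing["Statement"] = statements
    present = {s.get("Sid") for s in statements}
    statements.extend(s for s in new_policy["Statement"] if s["Sid"] not in present)
    return json.dumps(existing, indent=2)


if __name__ == "__main__":  # constructed sample values, not a real account
    policy = build_config_bucket_policy("devops-course-bucket", "123456789012", "AWSConfig")
    print(merge_into_existing("", policy))
```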

That took a little bit of time, to be honest. But we have IAM roles, EC2 network interfaces, EC2 security groups, volumes, instances, S3 buckets and so on. So a lot of things are being tracked by Config. I can click here and view all my resources in the inventory, and I can list them by resource, by tag or by compliance status. The idea is that we can take one of these resources. For example, let’s say the resource type is going to be an EC2 instance and look it up. Let’s take this instance: as we can see in here, we can click and view the configuration timeline, which gives me a timeline of everything that happened to the configuration of this instance.

Right now this is the initial snapshot. As we can see, this is a t2.micro and the instance state is stopped. We can also view the relationships of all these things: it has relationships to an ENI, a security group, a subnet, a volume and a VPC. And we can look at CloudTrail events to see what happened within CloudTrail for that instance: there was a RunInstances call and then it was stopped, and so on. So we have tight integration between Config and CloudTrail, and we also get relationships. Anytime I make a change to this instance, the change will be recorded under the Changes section.

So let’s go into the resource itself. I click on Manage Resource and, for example, I’m going to change the instance type to t2.small. I’m not going to start the instance, I’m just changing its type. Then back into Config. At some point I will see an event and the fact that the configuration has changed. Let me wait a little bit. This took a little bit of time, but the configuration change has been recorded, and as you can see there is a second event in my configuration timeline. I can see that the change was that the instance type went from t2.micro to t2.small.

This is really helpful because now we have the power to track all the resources within our account. If we go back to the dashboard, we have all the resources and we can track their configuration over time. Additionally, all that data is available within the S3 bucket, and we could use something like Athena to query all the configurations stored in the S3 bucket. So back in here, we have our configuration resources, all the resources are being tracked, and we can take a look at any of them, see the configuration, see who made the changes, look at the configuration timeline and so on.

So you need to remember this from a Config perspective: there is the notion of a configuration timeline, the notion of relationships, and the integration with CloudTrail events if we want to know who changed what. You can also export the configuration as a JSON document, so it is definitely possible to back up the configuration of all the resources within your account using this JSON document or the S3 bucket we specified. There’s one thing we haven’t seen yet, which is the compliance timeline. So what is compliance? This is the second biggest way to use AWS Config, and we’ll see it in the next lecture.

12. Config – Rules

So we’re back in Config. For now we’ve seen the dashboard and the settings, but what we’d like to see now is the rules. Rules are the most important, and I think one of the coolest, features of AWS Config, because they allow us to define rules and maintain compliance for all the resources according to these rules. What we get out of it is an audit trail, a compliance status and a dashboard, and it has strong integration with CloudWatch Events as well. So let’s get started with our first rule. Each time you add a rule in Config, it will cost you one dollar per month.

So this is something that will cost you money. As you can see, AWS has 102 managed rules and they keep on adding them over time. These rules can be whatever you want. It could be, for example, to check whether HTTP to HTTPS redirection is configured on all listeners of your load balancers, which ensures that all traffic to your ALB is encrypted. That is quite a complex one, but if I look for SSH, restricted SSH is a very simple one. The rule I just clicked on checks whether security groups that are in use disallow unrestricted incoming SSH traffic. We’ll trigger this rule on configuration changes.

That means that anytime a security group changes its configuration, this rule will be triggered. The scope of changes is going to be resources, and only my security groups, which makes sense because we’re looking for restricted SSH security group rules. Okay, excellent. Do we want a remediation action? No, for now we won’t do this. I’ll just scroll down and click on Save. This is our first rule, it’s called restricted SSH, and it will scan all my EC2 security groups and ensure that they don’t have incoming SSH traffic allowed from anywhere. Let’s wait a little bit and then we’ll see the results.

Now I’m going to refresh this page, and as I refresh it we see that six of my security groups are non-compliant and about six of them are compliant. This is really helpful because this rule lets us see that six of the security groups do have the SSH port open. What I can do is click on a resource. For example, it will take me straight into the resource detail and I can see that it’s not compliant, and I have a compliance timeline in here. So what I can do is manage the resource. I’ll go to EC2 and find launch-wizard-5. Let’s go to Security Groups and find my launch-wizard-5. Here we go.

So in the inbound rules, I’m going to remove the SSH rule, for example, and save it. Now when Config checks the configuration timeline and sees that there has been a configuration change for the security group, hopefully the compliance timeline will tell me as well that my security group is now compliant. Let’s wait a little bit and see. Now, as we can see, the configuration change has been recorded, and this port 22 from anywhere rule has been removed. But if we go to the compliance timeline, we still see it as non-compliant. So we need to wait for the rule to run.

Something I could do is also force the rule to run by doing a re-evaluation, but I will wait a little bit for the rule to run. Now we can see that this resource is compliant and the rule just turned green. If we go back, we can now see that five resources are non-compliant for this rule. So rules are really helpful to see the resources in our account that don’t comply, and we’ll see how we can do custom rules as well. So now let’s talk about custom rules. If we click on Add rule, we can choose one of all of AWS’s managed rules, but we can also add a custom rule, and this gives us complete ownership of how we want this rule to work.

I’ll call it my custom rule, and I need to provide a Lambda function ARN. So let’s go into the Lambda console and create one. For this I will use a blueprint, and in the blueprints you can just type Config. This one is a Config rule triggered on change; we’ll take it and click on Configure, and we’ll call it Lambda aws config. We’ll create a new role from policy templates, and the role name is going to be Lambda role for Config. We already have a permission that is going to allow us access to Config. The function code looks like this, and you can have a look at the code itself.

The idea is that you need to have an evaluation function that checks whether or not a resource is compliant, and the result should be either compliant or not compliant. This is good, so we’ll create this function, and as we can see the function has been created. Back in the Config console I’m able to provide the ARN of this function, so I’ll copy it, paste it here, and we are good to go. Now let’s talk about the trigger, that is, how often this function will be evaluated. There are two types of triggers in Config, and this applies not only to custom rules but also to managed rules.

It could be a configuration change, meaning that whenever a resource has a change in configuration, this Lambda function will be triggered and it will declare whether the resource is compliant or non-compliant. You can also have a periodic trigger, for example checking every 24 hours whether all the resources are compliant. You can have both trigger types. For this one I’ll just use configuration change, and then you need to specify the scope of changes, that is, what you want to check. You could specify any of these resource types in here, or you can specify by tags, or all changes.

With all changes you would look at all the resources. That could be very helpful, for example, if you’re checking tags on any resource that gets created. Resources is very helpful if you just want to apply a rule to, for example, RDS DB instances, and tags can be helpful if you want to restrict the scope of changes, and so on. Here, for example, we’ll say resources and we’ll say we want to check EC2 instances. So we’ll select EC2 instance and we’re good to go. You can also pass some parameters to the rule, for example a required tag. Here we’re not passing anything, but these would get passed on to the Lambda function.

Finally, we’ll skip the remediation action for now and I’ll click on Save. Again, this will cost you one dollar if you do this with me. Now my custom rule will be evaluated on all the EC2 instances. I don’t know if this is going to be conclusive, because I didn’t really look at what this function does, but I just wanted to go through the process of creating a custom rule that evaluates the resources the way you want. You can have any kind of rule you can think of and program, and then create a custom rule in Config, and this will make sure your resources are marked compliant or non-compliant.
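The custom rule walked through above, as an added example that is not the course’s own Lambda or the AWS blueprint: a change-triggered Python Lambda that evaluates EC2 instances for a required tag and reports the result back to Config. The rule parameter name `requiredTagKey` and the sample configuration item in the test are constructed for this example; deleted resources and other resource types are reported as not applicable, and the evaluation logic is kept separate from the boto3 call so it can be exercised offline.

```python
"""Custom AWS Config rule (Python Lambda) triggered on configuration change."""
import json

# Hypothetical rule parameter: the tag key every EC2 instance must carry.
REQUIRED_TAG_PARAM = "requiredTagKey"


def evaluate_compliance(configuration_item, rule_parameters):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one resource."""
    status = configuration_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE"  # nothing left to evaluate
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"  # the rule's scope is EC2 instances only
    required_key = rule_parameters.get(REQUIRED_TAG_PARAM)
    if not required_key:
        raise ValueError(f"rule parameter {REQUIRED_TAG_PARAM} is required")
    tags = configuration_item.get("tags") or {}  # Config records tags as key -> value
    return "COMPLIANT" if tags.get(required_key) else "NON_COMPLIANT"


def build_evaluation(event):
    """Parse the Config invocation and build the evaluation Config expects back."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    if "configurationItem" not in invoking_event:
        raise ValueError("oversized items are not handled by this example")
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, rule_parameters),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate and report with the token Config handed us."""
    import boto3  # imported here so the evaluation logic stays testable offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]
```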

So that’s it for rules. Just remember from this lecture that from the dashboard we get all the resources, an idea of how many rules we have, and how many resources are compliant or non-compliant. For now it’s up to us to change the resource configuration and make sure they come into compliance. This can be really helpful over time to audit, track and get a dashboard of all the compliance, and we’ll see how we can build automations on top of Config to address these compliance issues automatically. So I hope that was helpful for you and I will see you in the next lecture.
