Understanding AWS Config | Day 25

Introduction

AWS Config is a service provided by Amazon Web Services (AWS) that helps us assess, audit, and monitor the configuration of our AWS resources. It enables us to track changes to our resources and their compliance with our desired designs, and it also provides insights into resource relationships and dependencies.

About

Within an organization, there are usually configuration rules that define how resources must be set up. For example, a policy may require that detailed monitoring be enabled on every EC2 instance. AWS Config lets us encode such a requirement as a rule that evaluates each resource as Compliant or Non-Compliant and keeps track of the results over time. We can also send notifications to alert developers about resources that do not comply with the organization's policy.

Demo

In this short demo, we create two EC2 instances: one with detailed monitoring enabled and one without.

Step 1:

We create the EC2 instances.

Of the two instances, we enabled detailed monitoring on demo-instance-1 and left the other one with monitoring disabled.

Step 2:

Now we will create the AWS Config rule. The rule watches EC2 instances and invokes a Lambda function, which inspects each instance's configuration and reports back to AWS Config whether the instance is Compliant or Non-Compliant.

For the AWS Config rule, we first create the Lambda function.

import boto3
import json

def lambda_handler(event, context):

    # Client used to look up the EC2 instance under evaluation.
    ec2_client = boto3.client('ec2')

    # Assume compliant by default
    compliance_status = "COMPLIANT"
    annotation = "Detailed monitoring is enabled."

    # Extract the configuration item from the invokingEvent (it is a JSON string)
    config = json.loads(event['invokingEvent'])

    configuration_item = config["configurationItem"]

    # Extract the instanceId
    instance_id = configuration_item['configuration']['instanceId']

    # Get complete instance details
    instance = ec2_client.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]

    # Check whether the EC2 instance has detailed monitoring enabled.
    if instance['Monitoring']['State'] != "enabled":
        compliance_status = "NON_COMPLIANT"
        annotation = "Detailed monitoring is not enabled."

    evaluation = {
        'ComplianceResourceType': 'AWS::EC2::Instance',
        'ComplianceResourceId': instance_id,
        'ComplianceType': compliance_status,
        'Annotation': annotation,
        'OrderingTimestamp': config['notificationCreationTime']
    }

    # Report the result back to AWS Config using the token from the invocation.
    config_client = boto3.client('config')

    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken']
    )

    return response
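
The evaluation logic above can be separated from the boto3 calls so it can be exercised offline. The following is an added example, not code from the original post; it assumes that the EC2 configuration item delivered in the invokingEvent carries the instance's monitoring state under configuration.monitoring.state (lowerCamelCase, as in the describe-instances output), and it also handles the case where the instance has been deleted by the time the rule runs, which the Lambda above does not cover.

```python
import json

def make_event(instance_id, monitoring_state, status="OK"):
    """Build a constructed invokingEvent string shaped like the one AWS Config
    passes to a custom Lambda rule (sample data, not a real AWS payload)."""
    configuration = None
    if status == "OK":
        configuration = {
            "instanceId": instance_id,
            "monitoring": {"state": monitoring_state},
        }
    return json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": instance_id,
            "configurationItemStatus": status,
            "configuration": configuration,
        },
        "notificationCreationTime": "2024-01-01T00:00:00.000Z",
    })

def evaluate_compliance(invoking_event):
    """Pure evaluation: takes the invokingEvent JSON string and returns one
    entry for put_evaluations. No AWS calls, so it is unit-testable."""
    event = json.loads(invoking_event)
    item = event["configurationItem"]
    evaluation = {
        "ComplianceResourceType": "AWS::EC2::Instance",
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": event["notificationCreationTime"],
    }
    # A deleted instance is neither compliant nor non-compliant; reporting
    # NOT_APPLICABLE keeps stale findings out of the Config dashboard.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        evaluation["ComplianceType"] = "NOT_APPLICABLE"
        evaluation["Annotation"] = "Instance no longer exists."
        return evaluation
    # Read the monitoring state from the configuration item itself
    # (assumed field layout, see lead-in) instead of calling describe_instances.
    state = (item.get("configuration") or {}).get("monitoring", {}).get("state")
    if state == "enabled":
        evaluation["ComplianceType"] = "COMPLIANT"
        evaluation["Annotation"] = "Detailed monitoring is enabled."
    else:
        evaluation["ComplianceType"] = "NON_COMPLIANT"
        evaluation["Annotation"] = "Detailed monitoring is %s; expected enabled." % (state or "unknown")
    return evaluation
```

Inside the real handler, the returned dictionary would be passed unchanged to config_client.put_evaluations together with event['resultToken'].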

Step 3:

Now we create the AWS Config rule that watches EC2 instances and invokes the Lambda function, so that AWS Config can tell us which instances are compliant and which are not.

Step 4:

After that we look at AWS Config, which shows which of the EC2 instances follow the rule and which do not.

Conclusion

By using AWS Config to identify compliant and non-compliant resources, we can maintain a better understanding of the state of our AWS environment and ensure that it adheres to our organization's policies. This helps us take action to mitigate risks or issues caused by resource misconfigurations or non-compliance. In doing so, we can improve the overall security and reliability of our AWS infrastructure.