Keeping track of all of your settings and configuration changes on AWS can be difficult if you try to do it by hand. Fortunately, AWS offers a service to automate the process called AWS Config. This article explains what AWS Config is, and show you how to get started using AWS Config rules.
What is AWS Config?
The official description of AWS Config reads as follows:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Reading a description like that will really start the wheels turning in any SysOps professional’s head. In the datacenter, many attempts were made, sometimes successfully, to manage inventory and changes. With an AWS account, there is a defined boundary in which to monitor. There is tagging on almost every resource type that can be provisioned, and everything that can be deployed fits neatly into a resource type definition. AWS Config ends up being an ideal tool to provide infrastructure visibility within an AWS account.
Getting Started
To begin setting up AWS Config, a tutorial is provided in the AWS Management Console. This tutorial walks the user through configuration items and establishes all components needed to begin using AWS Config. The setup allows the user to select resources in the region and configure global resources. An item worth noting is that AWS Config is set up on a region by region basis. The setup will also ask for an S3 bucket in which to store the AWS Config record. At the same time, an Amazon SNS topic can be set to send notifications and an IAM role can be applied to grant permission to interact with Amazon SNS and Amazon S3.
- The setup provides a number of suggested AWS Config template rules to select, including:
- Root-account-mfa-enabled – Ensures the root AWS account has multi-factor authentication enabled
- Cloudtrail-enabled – Checks if AWS CloudTrail (auditing of API calls) is enabled
- Eip-attached – Looks for unused Elastic IP addresses
- Encrypted-volumes – Checks to ensure that any EBS volumes that are in use are encrypted
All four, at the present time, are very useful in their own way. It is recommended that all be added to the AWS account before confirming changes.
Creating Rules
Once confirmed, AWS Config will provide two primary navigation items along the left side of the screen—Rules and Resources. The Rules screen is used to configure—as one might expect, rules—to monitor configuration changes to Resources in the AWS account. AWS provides a healthy number of template rules, covering a number of primary use cases for using AWS Config. Three common template rules that should be enabled immediately include:
- Require-tags – Require specific tags on a resource. This is especially useful in preventing orphaned EC2 instances with unknown purposes.
- Restrict-SSH – Ensures SSH has not been enabled for a Security Group that should have permit inbound SSH requests
- Restricted-common-ports – Another rule to ensure common ports are not open to instances that should not be accessible.
AWS Config can also leverage custom rules that can be configured in the same menu. Custom rules can be triggered either by a configuration change on the AWS account or on a periodic basis. A resource type or key value pair can be selected as a target of the rule. For even more complex rules logic, an AWS Lambda function can be invoked as well.
Reviewing Configuration
AWS Config provides two primary ways of consuming the configuration state of the AWS account—the Resources tab in the AWS Config console, and SNS notification. For periodic review, the Resources tab contains a couple of selectors that allow for searching either records associated with resources, or tags. This is also the screen where announcements are made about new resource types being supported in config. The other method is to configure AWS Simple Notification Service (SNS) to send an email or text message when a rule becomes non-compliant. One downside to either method is that it does not take steps to remediate the issue. That falls to the administrator who received the notification.
Sumo Logic App for AWS Config
AWS Config provides a great way to monitor how an AWS account is configured. For any account that has a lot of individuals, generating a large number of changes, AWS Config is an invaluable tool to provide continuous visibility into the infrastructure.
The Sumo Logic App for AWS Config adds to this by presenting notifications containing snapshots of resource configurations and information about the modifications made to a resource. The app also provides predefined Live and Interactive Dashboards and filters that give you a greater level of visibility into your environment for real-time analysis of overall usage. If you don’t already have a Sumo Logic account, sign up for a Free Trial and take the app for a test drive.
About the Author
Over the last 10 years, Sara Jeanes has held numerous program management, engineering, and operations roles. She has led multiple team transformations and knows first-hand the pain of traditional waterfall development. She is a vocal advocate for DevOps, microservices, and the cloud as tools to create better products and services. Sara is currently a Contributor at Fixate.io and can be found on Twitter @sarajeanes.
Getting Started with AWS Config Rules is published by the Sumo Logic DevOps Community. If you’d like to learn more or contribute, visit devops.sumologic.com. Also, be sure to check out Sumo Logic Developers for free tools and code that will enable you to monitor and troubleshoot applications from code to production.