AWS Config Rules

Yogendra H J
4 min read · Apr 23, 2022

AWS Config rules are used to evaluate whether your AWS resources comply with common best practices. AWS provides managed Config rules that can be used directly in your environment; the other kind is a custom Config rule that you define as per your requirements.

Config rules also let you audit the configuration history of a resource and notify you when its configuration changes.

AWS managed rules - Predefined by AWS, require no configuration and are fully managed by AWS.

Customer managed rules - Custom rules that you define using a Lambda function and that are executed in your account as per your requirements.

Trigger types

When you add a rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs.

Configuration changes - This trigger runs evaluations for the rule when certain types of resources are created, changed, or deleted.

You define a rule’s scope so that AWS Config knows which changes should trigger the evaluation. The scope can include the following:

  • One or more resource types.
  • A combination of a resource type and a resource ID.
  • A combination of a tag key and value.
  • When any recorded resource is created, updated, or deleted.

Periodic - AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

If you choose configuration changes and periodic, AWS Config invokes your Lambda function when it detects a configuration change and also at the frequency that you specify.
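The two trigger types above, and the customer managed rule described earlier, can be seen together in one Lambda handler. The following is an added example written for this post, not code from the article or from AWS: it evaluates a single AWS::EC2::Volume when invoked by a configuration change, and evaluates the account-level EBS encryption-by-default setting when invoked periodically (the same setting the managed rule in the hands-on section checks). The AWS clients are injected as parameters so the logic runs offline; in Lambda they default to boto3. The volume ID, account ID, timestamps and result token in the sample events are constructed, not captured from a real account.

```python
import json

# Configuration item statuses for which there is nothing left to evaluate.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_volume(configuration_item):
    """Return (ComplianceType, Annotation) for one AWS::EC2::Volume configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule evaluates AWS::EC2::Volume only"
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Volume no longer exists"
    configuration = configuration_item.get("configuration") or {}
    if configuration.get("encrypted") is True:
        return "COMPLIANT", "EBS volume is encrypted at rest"
    return "NON_COMPLIANT", "EBS volume is not encrypted at rest"


def evaluate_account_default(ec2_client):
    """Periodic check: is EBS encryption by default enabled in this Region?"""
    response = ec2_client.get_ebs_encryption_by_default()
    if response.get("EbsEncryptionByDefault", False):
        return "COMPLIANT", "EBS encryption by default is enabled"
    return "NON_COMPLIANT", "EBS encryption by default is disabled in this Region"


def build_evaluations(event, ec2_client=None):
    """Turn one AWS Config invocation into the list passed to PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    message_type = invoking_event.get("messageType")
    if message_type == "ConfigurationItemChangeNotification":
        # Configuration-change trigger: the changed resource is inside the event.
        item = invoking_event["configurationItem"]
        compliance, annotation = evaluate_volume(item)
        return [{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }]
    if message_type == "ScheduledNotification":
        # Periodic trigger: no resource attached, so evaluate the account setting.
        if ec2_client is None:
            import boto3  # only needed when running inside Lambda
            ec2_client = boto3.client("ec2")
        compliance, annotation = evaluate_account_default(ec2_client)
        return [{
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": invoking_event["notificationCreationTime"],
        }]
    raise ValueError(f"unsupported messageType: {message_type}")


def lambda_handler(event, context, config_client=None, ec2_client=None):
    """Entry point AWS Config invokes; reports results back with PutEvaluations."""
    evaluations = build_evaluations(event, ec2_client)
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    # The result token ties these evaluations to this invocation.
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample invocations (hypothetical IDs, not from a real account).
SAMPLE_CHANGE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2022-04-23T10:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
    "accountId": "123456789012",
}
SAMPLE_SCHEDULED_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ScheduledNotification",
        "notificationCreationTime": "2022-04-23T10:00:00.000Z",
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
    "accountId": "123456789012",
}
```

The handler deliberately returns NOT_APPLICABLE for deleted volumes and for resource types outside its scope, so stale resources do not linger as NON_COMPLIANT in the rule's results.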

Time for hands-on.

AWS managed Config rule - “ec2-ebs-encryption-by-default”.

Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

Let's see how to set this up in our console.

step1: Log in to the console > Config > Rules > Add rule.

step2: Select “Add AWS managed rule”, search for “ebs” as seen in the snip below and click Next.

step3: Fill in the name of the rule, select the trigger as Resources, under Resources find AWS EC2 Volume and click Next.

step4: Review and create, then click Add rule.

The same task can also be achieved with CloudFormation; refer to the link below to learn more.
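The console steps above can also be scripted. The following is an added example for this post, not code from the article, AWS or any project: it creates the same managed rule through the AWS Config API with boto3, optionally scoped to AWS::EC2::Volume as in step 3, and then does the check a practitioner wants right after deploying a rule: page through the rule's compliance details and list every resource it currently marks NON_COMPLIANT. The rule name and the 24-hour frequency are assumptions; the client is injected so the helpers run offline.

```python
# Source identifier of the AWS managed rule "ec2-ebs-encryption-by-default".
MANAGED_RULE_IDENTIFIER = "EC2_EBS_ENCRYPTION_BY_DEFAULT"


def build_managed_rule(rule_name, resource_types=None, frequency="TwentyFour_Hours"):
    """Build the ConfigRule structure for PutConfigRule.

    resource_types optionally restricts the rule's scope (the article's console
    walkthrough scopes it to AWS::EC2::Volume); frequency is an assumed default.
    """
    rule = {
        "ConfigRuleName": rule_name,
        "Description": "Checks that EBS encryption by default is enabled.",
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_IDENTIFIER},
        "MaximumExecutionFrequency": frequency,
    }
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    return rule


def deploy_managed_rule(config_client, rule_name, resource_types=None):
    """Create or update the managed rule and return its name."""
    config_client.put_config_rule(ConfigRule=build_managed_rule(rule_name, resource_types))
    return rule_name


def noncompliant_resources(config_client, rule_name, page_size=100):
    """Return (resource_type, resource_id) pairs the rule marks NON_COMPLIANT.

    GetComplianceDetailsByConfigRule is paginated with NextToken, so a single
    call can silently miss resources; this loop follows every page.
    """
    found = []
    kwargs = {"ConfigRuleName": rule_name, "ComplianceTypes": ["NON_COMPLIANT"], "Limit": page_size}
    while True:
        page = config_client.get_compliance_details_by_config_rule(**kwargs)
        for result in page.get("EvaluationResults", []):
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            found.append((qualifier["ResourceType"], qualifier["ResourceId"]))
        token = page.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


if __name__ == "__main__":
    import boto3  # only needed for a real account
    client = boto3.client("config")
    name = deploy_managed_rule(client, "ebs-encryption-by-default-check", ["AWS::EC2::Volume"])
    for resource_type, resource_id in noncompliant_resources(client, name):
        print(f"NON_COMPLIANT {resource_type} {resource_id}")
```

Right after PutConfigRule the compliance list is usually empty because the first evaluation has not run yet; call StartConfigRulesEvaluation or wait for the scheduled run before trusting an empty result.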

Pricing

With AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations and the number of conformance pack evaluations in your account.

You pay $0.003 per configuration item recorded in your AWS account per AWS Region. A configuration item is recorded whenever a resource undergoes a configuration change or a relationship change. The resource could be an AWS, third-party or custom resource.

Conclusion

Be it a small environment or a large enterprise, AWS Config rules play a vital role in keeping your environment compliant with organization standards. “Just for your information, I would like to mention that big enterprises are paying 10000+ USD per month just for Config rules by running them for each and every resource.” Custom Config rules allow you to secure your environment to the finest level possible; this service is fully managed and highly available. Any team MUST include this service as a primary service so that it can keep the environment safe and compliant.

Knowledge credit - AWS official documentation and the KnowledeIndia YouTube channel.

— — — — — — — — — — — — — — — — — — — — — — — — —

I would be happy to hear your feedback, appreciation and any suggestions for upcoming topics in my blog.

Enjoy failure and learn from it. You can never learn from Success.

Keep following me for more on AWS services.

Cheers,

Yogendra.
