5. Improving AWS Account Visibility
• AWS CloudTrail (re:Invent 2013): Identify individuals performing
actions within the account
• AWS Config (re:Invent 2014): Identify which configuration changes
have been made
• AWS Config Rules (re:Invent 2015): Set up rules to check configuration
changes
7. AWS Config - Background
• Capturing the state of your AWS resources and
the relationships between them
– AWS Resource: Entity that can be independently created,
updated and deleted directly by a user
– Configuration Item: Captures the state of the resource at a
specific time. Contains common attributes, relationships,
related events, metadata
• Discover resources that exist in your account
• Discover resources that no longer exist in your
account
8. Configuration Change
• User opens a port within a security group
attached to an Amazon EC2 instance
• It could affect all other instances also attached
to this security group
9. Config Rules
• Rules look for a desirable or undesirable
condition
• Users can use the existing rules from AWS or
define custom rules
• Each custom rule is an AWS Lambda function
– The Lambda function contains the logic that evaluates whether
your AWS resources comply with the rule
I highly recommend checking Jeff’s blog
10. Triggering Config Rules
• Rules can be targeted at specific resources (by
id), at specific types of resources, or at tagged
resources
• Rules run when relevant resources change; they
can also run on a periodic basis at a specified
frequency
11. Evaluation
• AWS Config evaluates the resources within the
rule’s scope
• AWS Config runs evaluations when a change is
detected (event-based) or when a configuration
snapshot is delivered (periodic)
• The result of evaluating a Config rule against a
resource is either compliant or non-compliant
16. Config Rules - Use Cases
• Checks whether AWS CloudTrail is enabled
• Checks whether Elastic IP addresses are
attached to EC2 instances
• Checks whether your security groups block
incoming SSH traffic
• Checks whether your instances belong to a
VPC
• Checks whether your security groups block
incoming TCP traffic to specified ports
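As an added example (not from the deck and not AWS’s own code), here is what a custom rule of the kind described on slides 9 to 11 looks like in Python: the Lambda handler receives the configuration item from the invoking event, a pure evaluation function decides COMPLIANT or NON_COMPLIANT for the "security groups block incoming SSH" use case above, and the annotation uses the configuration item’s relationships to name the attached instances, which is exactly the blast radius slide 8 warns about. The `blockedPort` rule parameter name, the sample configuration items and all resource ids are constructed for this example.

```python
"""Custom AWS Config rule (Lambda handler) that flags security groups
allowing inbound TCP/22 from the whole internet. Added example, not
from the original deck; only the evaluation logic runs offline."""
import json

# Assumed rule parameter name (not from the deck): lets the same rule
# check another port, e.g. ruleParameters = {"blockedPort": "3389"}.
DEFAULT_BLOCKED_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    """Collect IPv4/IPv6 CIDRs from one ipPermissions entry. Handles both
    the dict form ({"cidrIp": ...}) and the older plain-string form."""
    out = []
    for r in permission.get("ipRanges", []):
        out.append(r["cidrIp"] if isinstance(r, dict) else r)
    for r in permission.get("ipv6Ranges", []):
        out.append(r["cidrIpv6"] if isinstance(r, dict) else r)
    return out


def _covers_port(permission, port):
    """True if this permission admits TCP traffic to `port`."""
    proto = permission.get("ipProtocol")
    if proto == "-1":          # "all traffic" rule covers every port
        return True
    if proto != "tcp":
        return False
    # Missing bounds are treated as the full range so nothing slips through.
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def evaluate_security_group(configuration_item, blocked_port=DEFAULT_BLOCKED_PORT):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    perms = configuration_item.get("configuration", {}).get("ipPermissions", [])
    offending = sorted({c for p in perms if _covers_port(p, blocked_port)
                        for c in _cidrs(p) if c in WORLD_CIDRS})
    if not offending:
        return "COMPLIANT", f"no world-open inbound rule for TCP/{blocked_port}"
    # Slide 8: the open port affects every instance attached to the group;
    # the configuration item's relationships tell us which ones.
    instances = sorted(r["resourceId"] for r in configuration_item.get("relationships", [])
                       if r.get("resourceType") == "AWS::EC2::Instance")
    return "NON_COMPLIANT", (f"TCP/{blocked_port} open from {','.join(offending)}; "
                             f"attached instances: {','.join(instances) or 'none'}")


def lambda_handler(event, context):
    """Entry point Config invokes; reports the result via PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("blockedPort", DEFAULT_BLOCKED_PORT))
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate_security_group(ci, port)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # API limit on annotation length
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    import boto3  # imported lazily so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration items (not real account data).
SAMPLE_OPEN_SSH = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example1",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2015-10-07T12:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
    "relationships": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example1", "name": "Is associated with Instance"},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example2", "name": "Is associated with Instance"},
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example", "name": "Is contained in Vpc"},
    ],
}
# Same group, but SSH restricted to one office range (TEST-NET-3).
SAMPLE_OFFICE_ONLY = dict(SAMPLE_OPEN_SSH, configuration={"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "203.0.113.0/24"}]}]})
# Older schema: port range 20-25 as plain CIDR strings still covers 22.
SAMPLE_RANGE_OLD_SCHEMA = dict(SAMPLE_OPEN_SSH, configuration={"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25, "ipRanges": ["0.0.0.0/0"]}]})

if __name__ == "__main__":
    for name, ci in [("open", SAMPLE_OPEN_SSH), ("office", SAMPLE_OFFICE_ONLY)]:
        print(name, *evaluate_security_group(ci))
```

Keeping the decision in `evaluate_security_group`, separate from the `boto3` call, means the rule can be unit-tested against recorded configuration items before it is deployed, and the same function can be pointed at a different port through the rule parameter without redeploying the Lambda.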
18. Pricing
• No charges during preview!
• $2 per active rule per month
• An active rule is one with at least one evaluation in
the month; each evaluation costs $0.0001
19. You can sign up now for the Config Rules
preview
https://aws.amazon.com/config/preview/
Let’s Get It Started