Best Practices for Centrally Monitoring Resource Configuration & Compliance (ENT332-R1) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for Centrally Monitoring
Resource Configuration & Compliance
Sid Gupta
Senior Product Manager
AWS Config
E N T 3 3 2 - R
Bradley Segobiano
Senior Software Engineer
Genesys

What to expect from this session
• About AWS Management Tools
• Key pillars of an effective governance framework
• Role of AWS Config
• Customer case study (Genesys)
• Centralized monitoring of resource configuration and compliance

AWS Management Tools
Integrated & interoperable

Inventory and configuration management
• Maintains a real-time inventory of cloud resources
• Maintains the current and historical configuration of cloud resources

Inventory and configuration management
• What’s currently out there? (Real-time resource inventory)
• What is the latest configuration state of my resources? (Configuration snapshot)
• What relationships exist between my resources? (Resource relationships)
• What configuration changes occurred in the last ‘X’ days? (Configuration history)
• Which Amazon Elastic Compute Cloud (Amazon EC2) instances are built on top of
a certain machine image (e.g., ami-234314)?

Configuration compliance management
• Are my resources properly configured? (Best practice configuration checks)
• Do my resources comply with regulatory requirements (e.g., PCI, HIPAA and so on)
• How do I ensure continuous compliance? (Check for policy violations immediately
after a configuration change)
• How can I get notified in real-time if certain resources go out of compliance?
(Real-time compliance change notifications)

Summary
Inventory & configuration management and configuration compliance management
• Support governance initiatives by providing accurate configuration information to
assist with decision making
• Minimize the number of quality and compliance issues caused by incorrect or
inaccurate configuration

AWS Config rules
Analyze configuration changes
60+ pre-built rules provided by AWS
Custom rules using AWS Lambda
GitHub repo: Community sourced rules
Aggregate compliance into a central account
Compliance history

Compliance history timeline

Common use cases
Audit & compliance
Maintain a history of all configuration changes for audits
Verify configuration changes do not violate policies
Security intelligence
Security incident/breach analysis
Identifying vulnerable resources
Operational governance
DevOps compliance (e.g., remove deleted or unused resources)
Ensure configuration changes are tied to approved change requests
Integration with ITSM/CMDB
Integration with asset/inventory management systems
Change management, incident management

Supported services: 24 AWS services and 60+ resource types

Overview
• Infrastructure scale
• Problems we were trying to solve
• Architecture
• Why AWS Config?
• Future plans

Genesys
Gartner names Genesys a leader in
the 2018 Magic Quadrant for
Contact Center Infrastructure…
(23 times and counting)

Infrastructure scale
AWS Resource Count
EC2::Instance 7021
AutoScaling::AutoScalingGroups 3049
Lambda::Function 1054
EC2::Volume 16120
ElasticLoadBalancing::LoadBalancer 1624
AWS::DynamoDB::Table 4328
EC2::Snapshots 22130
EC2::Images 25301
get-discovered-resource-counts

Deployments per week
1527
505
348
1 2 3

Problem we are trying to solve
• Eliminate waste
• Reduce cost
• Avoid AWS resource limits
• Maintain compliant resources
• Compliant == Not needed

Problems with other tools
• Ran introspective scans
• Out of date data
• Cost (idle servers)
• Large number of API calls
• API rate limiting
• No centralized reporting
• Lack of support
• Newer AWS resources
• Utilized older AWS technologies

Custom Config rules
AWS Resource Rule
Instance Instance is not part of an ASG or Stopped
AutoScalingGroups Is an empty ASG or no scaling activity
Launch Configurations Not in use by an ASG
Volume Unattached Volumes
ENI Available and not part of a CF stack
EIP No Associations or part of a CF stack
Snapshots Has no generated AMI
Images Not in use by an Instance or Launch Config

Architecture
Infra Shared AWS account
Dev AWS Account
Test AWS Account
Prod AWS Account

Architecture
Dev AWS account Infra Shared AWS account
Not Applicable

Tips for success
One rule per resource type
• Simpler rules & easier to debug
• No conflicting rules
Periodic & configuration changes
• Compliance requirements change
• New accounts may have existing resources
Unsupported resources can be done
using periodic rules
• You need to get the diff between runs to
send N/A to config

Why use AWS Config?
Event driven
• Reduces the API calls
• Live view of the world
Completely serverless
• No more idle servers
Centralized reporting & notifications
Extensibility
• New rules are simply and easy to write

Daily resources count 8/26 – 9/1
SUN MON TUE WED THU FRI SAT
Marked for
Deletion
287 319 353 252 462 297 233

Total evaluations 8/26 – 9/1
0
10,000
20,000
30,000
40,000
50,000
60,000
70,000
80,000
90,000
1 2 3 4 5 6 7
Series1 Series2 Series3

Future use of AWS Config
More rules
Security compliance
• Rules for security auditing
Reducing API calls
• Calls about infrastructure
• Get-resource-config-history
Configuration item aggregation

Problem statement
I have 200+ accounts in my enterprise. As a central IT Admin, how can I
get an enterprise-wide view of my resource inventory, configuration and
compliance status?

Multi-account, multi-region data aggregation
Central dashboard
that provides an
aggregated view
Multi-account,
multi-region
Integrates with
AWS Organizations
Available at no
additional charge

New concepts
Aggregator
A new resource type
in AWS Config that
identifies the sources
(accounts and regions)
of the compliance data
to be aggregated
Aggregator
account
An AWS account that
owns one or more
aggregators
Source
account
An AWS account that
has compliance data
to be aggregated
Authorization
An action that
authorizes the
aggregator account
to collect AWS Config
data from a
source account
Aggregated
view
A dashboard that
shows compliance
status for an
aggregator

Multi-account, multi-region data aggregation
feature in AWS Config
Accounts and regions
Select the source accounts and
regions from where you want to
collect AWS Config data
AWS Config data
Collection of AWS Config
data from multiple source
accounts and regions
Aggregator
Contains the resource configuration
information and the compliance
data recorded in AWS Config
Aggregated view
View all compliant and
non-compliant rules and
resources for each aggregator

Getting started
Enable AWS Config/Config rules across your enterprise01
Create an aggregator in the aggregator account02
Authorize the aggregator account/region to collect your AWS Config data03
View the aggregated dashboard in the aggregator account04

You can aggregate AWS Config data from all accounts in your organization
Aggregator can only be created in the master account
Authorization step is not needed in the member accounts
Aggregator automatically gets updated when accounts join or leave the organization
AWS
Organizations

Best practice: Use multi-account, multi-region data
aggregation feature in AWS Config
Aggregates resource configuration and AWS Config rule compliance data
Supports single-account, multi-region aggregation
Supports multi-account, multi-region aggregation
Integrates with AWS Organizations
Available at no additional charge
Available in all AWS public regions

“AWS Config’s multi-account, multi-region data aggregation feature eliminates
the problem of configuration drift across 50+ AWS accounts and multiple
regions. It increases our team’s productivity by allowing us to remediate
misconfigurations in real time and at scale. This improves our security as well
as environment parity.”
Blayze Stefaniak,
Lead Cloud Engineer at UPMC Enterprises

“With the launch of AWS Config’s multi-account, multi-region data
aggregation feature, we now have a centralized view of compliance state for
all AWS resources. This greatly simplifies our management across multiple
AWS accounts. This feature also allows us to optimize our AWS spend by
quickly identifying and removing noncompliant or unneeded resources.”
Bradley Segobiano, Software
Engineer at Genesys PureCloud

Additional best practices
Collect AWS Config snapshots and history in a central Amazon Simple Storage Service (Amazon S3) bucket
Send AWS Config notifications to a common SNS topic, or use CloudWatch Events Bus

Key takeaways: Best practices for centrally monitoring
resource configuration & compliance
Use AWS Config for effective governance of resource configuration and compliance
Get centralized visibility using the multi-account, multi-region data aggregation capability
Leverage AWS Organizations integration in AWS Config
Collect AWS Config snapshots and history in a central S3 bucket
Send AWS Config notifications to a common SNS topic, or use CloudWatch Events Bus

Useful links
https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html
https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
https://aws.amazon.com/config/partners/
https://aws.amazon.com/blogs/aws/aws-config-update-aggregate-compliance-data-across-accounts-regions/
https://aws-blogs-prod.amazon.com/mt/aws-config-best-practices/
https://aws.amazon.com/blogs/mt/how-to-query-your-aws-resource-configuration-states-using-aws-config-
and-amazon-athena/

Thank you!
Sid Gupta
sidgup@amazon.com
Bradley Segobiano
(Genesys)

Best Practices for Centrally Monitoring Resource Configuration & Compliance (ENT332-R1) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Best Practices for Centrally Monitoring Resource Configuration & Compliance (ENT332-R1) - AWS re:Invent 2018

Similar to Best Practices for Centrally Monitoring Resource Configuration & Compliance (ENT332-R1) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Best Practices for Centrally Monitoring Resource Configuration & Compliance (ENT332-R1) - AWS re:Invent 2018