Custom rules created with AWS Config and AWS Lambda enables organizations to inspect, assess, and remediate changes to AWS resources. These tools provide the development speed and flexibility required for your team to quickly start and finish a job before it becomes an issue for your client. In this workshop, you practice using AWS Lambda to design and implement the AWS Config rules that you think an organization should have ready at a moment’s notice before their next client contacts them about an issue.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Making Things Right with
AWS Config Rules and AWS Lambda
A n d r e w B a i r d — A W S S o l u t i o n s A r c h i t e c t
S R V 3 3 4
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• AWS Config and Config Rules Introduction
• AWS Lambda Introduction
• Workshop Overview
• Hands-On!!

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config & Config Rules—
Overview

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config & Config Rules
A continuous recording and continuous assessment service.
Changing resources
AWS Config
Config Rules
History, Snapshot
Notifications
API Access
Normalized
Answer the questions:
How are my resources configured over time?
Is a change that just occurred to a resource compliant?

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules—Key Concepts

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configuration Item
Definition:
All configuration attributes for a given resource at a given point in time, captured on every
configuration change

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Component Description Contains
Metadata Information about this configuration
item
Version ID, configuration item ID, time
when the configuration item was
captured, state ID indicating the
ordering of the configuration items of a
resource, MD5Hash, etc.
Common Attributes Resource attributes Resource ID, tags, resource type,
Amazon Resource Name (ARN)
Availability Zone, etc.
Relationships How the resource is related to other
resources associated with the account
EBS volume vol-1234567 is attached to
an EC2 instance i-a1b2c3d4
Current Configuration Information returned through a call to
the Describe or List API of the resource
For example, for EBS Volume
State of DeleteOnTermination flag,
type of volume, for example, gp2,
io1, or standard
Related Events The AWS CloudTrail events that are
related to the current configuration of
the resource
AWS CloudTrail event ID
Configuration Item

8. Sample Configuration Item
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-……",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
Configuration

9. Sample Configuration Item
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2014…",
"configurationStateID": “….",
"configurationItemStatus": "OK",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-………",
"accountId": "12345678910",
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02..",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"relatedEvents": [
"06c12a39-eb35-11de-ae07-db69edbb1e4",
],
Metadata
Common Attributes
Relationships
Related Events

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Config Rule
• AWS managed rules
Defined by AWS
Require minimal (or no) configuration
Rules are managed by AWS
• Customer managed rules
Authored by you using AWS Lambda
Rules execute in your account
You maintain the rule
A rule that checks the validity of configurations recorded

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Config Rules—Triggers
• Triggered by changes: rules invoked when relevant resources
change
Scoped by changes to:
• Tag key/value
• Resource types
• Specific resource ID
For example, S3 Buckets with names containing “-private-” should never allow public read
access
• Triggered periodically: rules invoked at specified frequency
For example, account should have no long-running EC2 instances tagged “bastion”; every 3
hours

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID} directly
from the rule itself

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Config Rules—Example
function evaluateCompliance(configurationItem, ruleParameters) {
if((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
(configurationItem.configuration.imageId === ruleParameters.approvedImage2))
return 'COMPLIANT';
else return 'NON_COMPLIANT';
}
exports.handler = function(event, context) {
var invokingEvent = JSON.parse(event.invokingEvent);
var ruleParameters = JSON.parse(event.ruleParameters);
...
compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters, context);
ComplianceResourceType: invokingEvent.configurationItem.resourceType,
ComplianceResourceId: invokingEvent.configurationItem.resourceId,
ComplianceType: compliance,
...
config.putEvaluations(putEvaluationsRequest, function (err, data)

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Lambda—Overview

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Owning Servers Means Dealing With ...
Operations and management Scaling
Provisioning and utilization Availability and fault
tolerance

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of Lambda and Serverless
Compute
No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python
• Bring your own libraries
(even native ones)
Simple resource model
• Select power rating from
128 MB to 1.5 GB
• CPU and network allocated
proportionately
• Reports actual usage
Programming model
• AWS SDK built in (Python
and Node.js)
• Lambda is the “webserver”
• Use processes, threads,
/tmp, sockets normally
Stateless
• Persist data using Amazon
DynamoDB, S3, or Amazon
ElastiCache
• No affinity to infrastructure
(can’t “log in to the box”)

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Lambda Architecture—Simplified
Changing resources
AWS Config
AWS Config Rules
(AWS Lambda)

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Overview

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Welcome to the Team!!

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Your Role
Changing resources
AWS Config
AWS Config Rules
(AWS Lambda)
Write/Complete These

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Your Goal
High Score

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Details
https://github.com/aws-samples/aws-serverless-config-rules-workshop

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!