AWS Config Rules - Advanced AWS Meetup


@ariel_smoliar


New Security Capabilities

Improving AWS Account Visibility (Management Tools)

• AWS CloudTrail (re:Invent 2013): identify individuals performing actions within the account

• AWS Config (re:Invent 2014): identify which configuration changes have been made

• AWS Config Rules (re:Invent 2015): set up rules to check configuration changes

AWS Config - Background

• Captures the state of your AWS resources and the relationships between them

– AWS Resource: an entity that can be independently created, updated and deleted directly by a user

– Configuration Item: captures the state of a resource at a specific time; contains common attributes, relationships, related events and metadata

• Discover resources that exist in your account

• Discover resources that no longer exist in your account

Configuration Change

• A user opens a port in a security group attached to an Amazon EC2 instance

• The change also affects every other instance attached to that security group, not just the one the user had in mind

Config Rules

• A rule looks for a desirable or undesirable condition in resource configuration

• You can use the managed rules provided by AWS or define custom rules

• Each custom rule is an AWS Lambda function; the Lambda function contains the logic that evaluates whether your AWS resources comply with the rule

I highly recommend checking Jeff’s blog

Triggering Config Rules

• Rules can be targeted at specific resources (by id), at specific types of resources, or at tagged resources

• Rules run when relevant resources change; they can also run on a periodic basis at a specified frequency

Evaluation

• AWS Config evaluates the resources within the rule’s scope

• AWS Config runs evaluations when a change is detected (event-based) or when a configuration snapshot is delivered (periodic)

• The result of evaluating a config rule against a resource - compliant or non compliant
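The custom-rule and evaluation slides above describe the contract without showing it. The following is an added example, not code from the talk or from AWS: a Lambda function for a custom Config rule that marks a security group NON_COMPLIANT when it allows inbound TCP to a blocked port (SSH by default) from 0.0.0.0/0 or ::/0. It handles the change-triggered case (a configurationItem is present), the periodic case (a ScheduledNotification with no configurationItem), and resources that were deleted or left the rule's scope. The event and configuration item shapes follow the AWS Config custom-rule invocation format; the sample event, the security group id, the rule parameter name `blockedPorts` and the function names are assumptions made for the example.

```python
import json

# Compliance values accepted by AWS Config's PutEvaluations API.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def _rule_ports(rule_parameters):
    """Parse the (assumed) 'blockedPorts' rule parameter, e.g. "22" or "22,3389"; default SSH."""
    params = json.loads(rule_parameters) if rule_parameters else {}
    raw = str(params.get("blockedPorts", "22"))
    return {int(p) for p in raw.split(",") if p.strip()}


def _world_open_cidrs(permission):
    """Collect world-open CIDRs from the shapes Config uses for ipPermissions entries."""
    cidrs = [r for r in permission.get("ipRanges", []) if isinstance(r, str)]
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def evaluate_security_group(configuration, blocked_ports):
    """Return (compliance, annotation) for one security group's configuration.

    NON_COMPLIANT if any inbound permission reaches a blocked port from a
    world-open CIDR, including protocol "-1" (all traffic) and TCP port
    ranges that span a blocked port.
    """
    findings = []
    for perm in configuration.get("ipPermissions", []):
        open_cidrs = _world_open_cidrs(perm)
        if not open_cidrs:
            continue
        proto = str(perm.get("ipProtocol"))
        if proto == "-1":
            findings.append("all traffic from %s" % ",".join(open_cidrs))
            continue
        if proto not in ("tcp", "6"):
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        hit = sorted(p for p in blocked_ports if lo <= p <= hi)
        if hit:
            findings.append("tcp %s from %s" % (",".join(map(str, hit)), ",".join(open_cidrs)))
    if findings:
        return NON_COMPLIANT, "Open inbound: " + "; ".join(findings)
    return COMPLIANT, "No blocked port is open to the world"


def evaluate_event(event):
    """Turn one Config invocation (change-triggered or periodic) into a list of evaluations."""
    invoking = json.loads(event["invokingEvent"])
    blocked = _rule_ports(event.get("ruleParameters"))
    item = invoking.get("configurationItem")
    if item is None:
        # Periodic (ScheduledNotification) invocations carry no configuration item;
        # a real rule would enumerate the groups itself here and evaluate each one.
        return []
    base = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    deleted = item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if event.get("eventLeftScope") or deleted:
        return [dict(base, ComplianceType=NOT_APPLICABLE, Annotation="Resource deleted or out of scope")]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return [dict(base, ComplianceType=NOT_APPLICABLE, Annotation="Rule only evaluates security groups")]
    compliance, note = evaluate_security_group(item.get("configuration") or {}, blocked)
    return [dict(base, ComplianceType=compliance, Annotation=note[:256])]


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the result to Config using the result token."""
    import boto3  # imported here so the evaluation logic above runs without the SDK
    evaluations = evaluate_event(event)
    if evaluations:
        boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample event (not captured from a real account): a change notification
# for a group that allows SSH and HTTPS from anywhere; only SSH is blocked by the rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-10-08T12:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"blockedPorts": "22"}),
    "resultToken": "example-token",
    "eventLeftScope": False,
}
```

The evaluation logic is kept separate from the `put_evaluations` call so it can be unit-tested offline with constructed configuration items; the same split makes it easy to add the periodic branch later, where the function would have to list the security groups itself because Config sends no configuration item with a scheduled notification.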

“Patterns are solutions to recurring problems in a context.”

(Christopher Alexander)

Config Rules - Use Cases

• Check whether AWS CloudTrail is enabled

• Check whether Elastic IP addresses are attached to EC2 instances

• Check whether your security groups block incoming SSH traffic

• Check whether your instances belong to a VPC

• Check whether your security groups block incoming TCP traffic to specified ports

Pricing

• No charges during preview!

• $2 per active rule per month

• An active rule has at least one evaluation per month ($0.0001 per evaluation)

You can sign up now for the Config Rules preview: https://aws.amazon.com/config/preview/

Let’s Get It Started

Thank You!