AWS Config Rules - Advanced AWS Meetup


Page 1: AWS Config Rules - Advanced AWS Meetup

@ariel_smoliar

AWS Config Rules - Advanced AWS Meetup


New Security Capabilities

Page 5: AWS Config Rules - Advanced AWS Meetup

Improving AWS Account Visibility

AWS CloudTrail (re:Invent 2013)

Identify individuals performing actions within the account

AWS Config (re:Invent 2014)

Identify which configuration changes have been made

AWS Config Rules (re:Invent 2015)

Set up rules to check configuration changes

Page 6: AWS Config Rules - Advanced AWS Meetup

Management Tools

Page 7: AWS Config Rules - Advanced AWS Meetup

AWS Config - Background

• Capturing the state of your AWS resources and the relationships between them

– AWS Resource: an entity that can be independently created, updated and deleted directly by a user

– Configuration Item: captures the state of a resource at a specific time. Contains common attributes, relationships, related events and metadata

• Discover resources that exist in your account

• Discover resources that no longer exist in your account

Page 8: AWS Config Rules - Advanced AWS Meetup

Configuration Change

• User opens a port within a security group attached to an Amazon EC2 instance

• It could affect all other instances also attached to this security group

Page 9: AWS Config Rules - Advanced AWS Meetup

Config Rules

• Rules look for any desirable or undesirable condition

• Users can use existing rules from AWS or define custom rules

• Each custom rule is an AWS Lambda function

– The Lambda function contains the logic that evaluates whether your AWS resources comply with the rule

I highly recommend checking Jeff’s blog

Page 10: AWS Config Rules - Advanced AWS Meetup

Triggering Config Rules

• Rules can be targeted at specific resources (by ID), at specific types of resources, or at tagged resources

• Rules run when relevant resources change; they can also run on a periodic basis, invoked at a specified frequency

Page 11: AWS Config Rules - Advanced AWS Meetup

Evaluation

• AWS Config evaluates the resources within the rule’s scope

• AWS Config runs evaluations when a change is detected (event-based) or when a configuration snapshot is delivered (periodic)

• The result of evaluating a Config rule against a resource is either compliant or non-compliant


“Patterns are solutions to recurring problems in a context.”

(Christopher Alexander)

Page 16: AWS Config Rules - Advanced AWS Meetup

Config Rules - Use Cases

• Checks whether AWS CloudTrail is enabled

• Checks whether Elastic IP addresses are attached to EC2 instances

• Checks whether your security groups block incoming SSH traffic

• Checks whether your instances belong to a VPC

• Checks whether your security groups block incoming TCP traffic to specified ports
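As an added example (mine, not a slide from this deck or AWS sample code), here is what one of the rules on this list looks like when written as the Lambda function behind a custom Config rule: it is triggered by a security-group change, checks whether the group opens SSH (or any port passed in as a rule parameter) to the whole Internet, and reports the verdict back through PutEvaluations. The configuration-item field names are assumed from the Config schema, the `blockedPort` rule parameter is hypothetical, the sample security group is constructed, and `RecordingConfigClient` is an offline stand-in for the boto3 Config client so the block runs without AWS credentials.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a configuration item shaped like the one AWS Config hands
# a custom rule for an AWS::EC2::SecurityGroup. The field names are assumed from
# the Config schema; the group id, name and rules are invented.
SAMPLE_OPEN_SSH_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2015-10-07T12:00:00.000Z",
    "configuration": {"groupName": "web-tier", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(permission):
    # Config has used both a plain string list (ipRanges) and dict lists
    # (ipv4Ranges / ipv6Ranges); accept either shape.
    found = set(permission.get("ipRanges") or [])
    found |= {r.get("cidrIp") for r in permission.get("ipv4Ranges") or []}
    found |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges") or []}
    return found - {None}

def _covers_port(permission, port):
    """True if the permission admits TCP traffic to `port`."""
    proto = permission.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:           # tcp with no range means every port
        return True
    return lo <= port <= hi

def evaluate_security_group(item, blocked_port=22):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    for perm in (item.get("configuration") or {}).get("ipPermissions") or []:
        exposed = _cidrs(perm) & WORLD
        if exposed and _covers_port(perm, blocked_port):
            return ("NON_COMPLIANT",
                    "port %d open to %s" % (blocked_port, ", ".join(sorted(exposed))))
    return "COMPLIANT", "no rule opens port %d to the world" % blocked_port

def build_evaluation(item, compliance_type, annotation):
    """Shape one result the way PutEvaluations expects it."""
    captured = datetime.strptime(item["configurationItemCaptureTime"],
                                 "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance_type,
            "Annotation": annotation[:256],   # Config limits annotations to 256 chars
            "OrderingTimestamp": captured}

def sample_change_event(item, result_token, blocked_port=22):
    """Constructed stand-in for the event Config sends when a resource changes."""
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps({"blockedPort": str(blocked_port)}),
            "resultToken": result_token}

class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records PutEvaluations calls."""
    def __init__(self):
        self.calls = []
    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

def lambda_handler(event, context, config_client=None):
    """Custom rule entry point. Only the change-triggered path is handled; a
    periodic (ScheduledNotification) rule gets no configuration item and must
    enumerate the resources it evaluates itself."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError("unsupported messageType: %s" % invoking.get("messageType"))
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("blockedPort", 22))   # hypothetical rule parameter
    item = invoking["configurationItem"]
    compliance, note = evaluate_security_group(item, port)
    evaluations = [build_evaluation(item, compliance, note)]
    if config_client is None:                    # inside Lambda: report to AWS Config
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations

if __name__ == "__main__":
    out = lambda_handler(sample_change_event(SAMPLE_OPEN_SSH_ITEM, "demo-token"), None,
                         RecordingConfigClient())
    print(out[0]["ComplianceType"], "-", out[0]["Annotation"])
```

The evaluation logic is kept apart from the AWS call so it can be unit-tested against captured configuration items; the `ResultToken` from the incoming event must be echoed back unchanged, otherwise Config will not accept the evaluation. Running the block as a script prints the verdict for the constructed sample group.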


Pricing

• No charges during preview!

• $2 per active rule per month

• An active rule has at least one evaluation per month ($0.0001 per evaluation)

Page 19: AWS Config Rules - Advanced AWS Meetup

You can sign up now for the Config Rules preview: https://aws.amazon.com/config/preview/

Let’s Get It Started

Page 20: AWS Config Rules - Advanced AWS Meetup

Thank You!