UPCOMING EVENT Discover how nOps streamlines your cost optimization at AWS re: Invent - BOOK A MEETING
NEW Featured eBook: AWS Cloud Cost Allocation: The Complete Guide - Download Now
This rule checks whether AWS config is enabled in your AWS account.
AWS Config is a service that allows you to inspect, audit, and review your AWS resource configurations. Config monitors and records all AWS resource configurations in real-time, enabling you to match recorded configurations against desired configurations seamlessly.
AWS Config also helps to analyze changes in AWS resource configurations, dig into particular resource configuration histories, and evaluate compliance with the configuration defined in your internal policies.
nOps recommends you consider enabling AWS Config for better security.
This rule can help you with the following:
1. Access the Config dashboard at https://console.aws.amazon.com/config/
2. The landing page result will help determine whether you have AWS Config enabled in the current region or not:
a. If you see a Get Started page as shown below, then AWS Config is not enabled in your AWS Account for this region
b. If you see a Config Dashboard as shown below, this means AWS Config is (or was in the past) enabled for your AWS Account in this region
c. Now go to Settings
in the Left Navigation panel and check the status of Recorder. If it says, Recording is on
with a Green tick; this means that AWS Config is currently enabled in your AWS account for the current region.
3. Switch to another AWS region using the top navigation panel and repeat Step 2 to verify if AWS Config recording is enabled in that region.
1. Execute the get-status
command with an accompanying --region
parameter to To discover the current state of AWS Config’s generated Recorders and Delivery Channels
aws configservice get-status \\
--region us-east-1
2. Examine the output to see if AWS Config Service is enabled in this region or not as follows:
a. If the resulting output returns an empty Configuration Recorders
and Delivery Channels
value, then AWS Config is not enabled in this region
**Output**
Configuration Recorders:
Delivery Channels:
b. If the output returns some values for Configuration Recorders and Delivery Channels, but the value for Recorder is OFF, then the AWS Config Service was previously enabled but is now turned OFF.
**Output**
Configuration Recorders:
name: default
recorder: OFF
Delivery Channels:
name: default
last stream delivery status: NOT_APPLICABLE
last history delivery status: SUCCESS
3. Switch to another AWS region by changing --region
parameter to determine AWS Config status in another region.
1. Access the Config dashboard at https://console.aws.amazon.com/config/
2. Click on the Get Started
button and configure the recording settings as specified on the next page.
3. Configure General Settings as detailed below**:**
a. Resource types to record
all
supported resources in your AWS account, choose the followingRecord specific resource types
option and choose the desired Resource category
and Resource Type
.b. Next, for the AWS Config role, you can either decide to create a new AWS Config service-linked role
or select an existing AWS Role
with the required permissions in your account.
4. In the Delivery Method
section, choose one of the following for the Amazon S3 bucket
sub-section:
a. Create a bucket – to store configuration history using a new S3 bucket.
b. Choose a bucket from your account – to store configuration history using an existing bucket.
c. Choose a bucket from another account – to store configuration history using an existing bucket from another different AWS account.
For simplicity, we will choose to Create a bucket
in this example.
5. (Optional), if you want AWS Config to send configuration changes notifications to an SNS topic, then select the Stream configuration changes and notifications to an Amazon SNS topic
box under Amazon SNS topic
. This will provide more configuration options to choose from, as shown below:
a. Create a topic – Enter the Topic Name to select a new SNS topic for notifications.
b. Choose a topic from your account – to select an existing SNS Topic in the same AWS account.
c. Choose a topic from another account – If you choose this option, you need to provide a complete ARN of the SNS topic from another account rather than just its name.
For simplicity, we will choose to Create a topic
with the name config-topic
.
6. Click the Next button to proceed to the Rules
page. On this page, you will have the option to select pre-configured **AWS Managed Rules**
. If you don’t want to use any AWS Managed Rules
, you can skip this step and click on the Next button.
7. Review the settings on the next page and Confirm
8. Wait until AWS Config discovers and records the configurations of resources in this region (or global resources if you specified them in Step 2).
1. To enable AWS Config, you must first create an S3 bucket
to store the recorded configurations history/snapshots, an IAM Role
for AWS Config Service to access resources in your account, and optionally an SNS Topic
to notify in case of configuration changes. These can be accomplished as follows:
a. S3 bucket: To create an S3 bucket in the specified region, execute the create-bucket
command with the associated parameters as shown below.
aws s3api create-bucket \\
--bucket my-config-demo-bucket \\
--region us-east-1 \\
--create-bucket-configuration LocationConstraint=us-east-1
**Output**
{
"Location": "/my-config-demo-bucket"
}
LocationConstraint
is not required for us-east-1 as that is the default region selected by the cli command.
b. SNS Topic: To create an SNS topic in the specified region, execute the create-topic
command as shown below:
aws sns create-topic \\
--region us-east-1 \\
--name config-topic
**Output**
{
"TopicArn": "arn:aws:sns:us-east-1:XXXXXXXXXXX:config-topic"
}
c. IAM Role: To create an IAM Role with the required permissions, carry out the following actions:
a. First, let’s create a trust policy for AWS Config to assume the role. To do that, create a trust-policy.json
file with the following details:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
b. Next, to create the IAM role, execute the create-role
command with the --assume-role-policy-document
parameter as shown below
aws iam create-role \\
--role-name my-config-role \\
--assume-role-policy-document file://*trust-policy.json
Output*
{
"Role": {
"Path": "/",
"RoleName": "my-config-role",
"RoleId": "AROAZKBUAKOU6MYI6CY",
"Arn": "arn:aws:iam::XXXXXXXXXX:role/my-config-role",
"CreateDate": "2021-11-26T22:37:54+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
}
c. After that, create an IAM Policy
to add permissions to the role so that AWS Config can record configurations.
A sample policy file has been given below, but you can create your policy based on what resources you want AWS Config to monitor and record.
Create a role-policy.json
file with the content given below
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"appstream:Get*",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"config:Put*",
"directconnect:Describe*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elastictranscoder:Read*",
"elastictranscoder:List*",
"iam:List*",
"iam:Get*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"opsworks:Describe*",
"opsworks:Get*",
"route53:Get*",
"route53:List*",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"storagegateway:List*",
"storagegateway:Describe*",
"trustedadvisor:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::my-config-demo-bucket/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3::: my-config-demo-bucket"
},
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:XXXXXXXX:config-topic"
}
]
}
d. Lastly, attach the IAM Policy to the IAM Role created above by executing the put-role-policy
command as shown below:
aws iam put-role-policy \\
--role-name my-config-role \\
--policy-name config-policy \\
--policy-document file://role-policy.json \\
--profile smartique
**Output**
None
2. Execute the subscribe
command to register Delivery Channels and Recorders for AWS Config Service as shown below:
aws configservice subscribe \\
--region us-east-1 \\
--s3-bucket my-config-demo-bucket \\
--sns-topic arn:aws:sns:us-east-1:XXXXXXXXX:config-topic \\
--iam-role arn:aws:iam::XXXXXXXXXX:role/my-config-role \\
--profile smartique
**Output**
Using existing S3 bucket: my-config-demo-bucket
Using existing SNS topic: arn:aws:sns:us-east-1:XXXXXXXXX:config-topic
Subscribe succeeded:
Configuration Recorders: [
{
"name": "default",
"roleARN": "arn:aws:iam::XXXXXXXXX:role/my-config-role",
"recordingGroup": {
"allSupported": true,
"includeGlobalResourceTypes": false,
"resourceTypes": []
}
}
]
Delivery Channels: [
{
"name": "default",
"s3BucketName": "my-config-demo-bucket",
"snsTopicARN": "arn:aws:sns:us-east-1:XXXXXXXX:config-topic"
}
]
3. Switch to a different region and repeat steps 2 and 3 to enable AWS Config in that region.
© nOps 2024. All Rights Reserved.