AWS Config – Continuous monitoring, change management of your AWS Account to keep it secure

AWS Config is a service that provides continuous monitoring of your account from a small change to a big one. It not only monitors but also warns you about key security issues and also helps you enforce security rules. This is great since you will have a clear overview of your AWS account security. As your business grows, more changes happen and these changes increase risk. This is why AWS Config becomes extremely useful.

For example: The below screenshot displays the AWS config dashboard. We could easily come to know that this account has a few issues that needs to be addressed.

How to get started with AWS Config?

AWS Config is region specific, however, you can configure it to monitor other regions as well.

  1. Select AWS-Config from the menu
  2. Click on Get Started

1. If this is your first time, it’s best to select “Record all resource supported in this region“. This is the recommended option for first time use.

2. Select which S3 bucket you would like AWS Config records to be saved.

3 Create an SNS Topic! This is important! You could subscribe to it using Sumo Logic to view it in a dashboard or be notified of changes via email.

4 Select the first option. AWS Config only needs read access.

Selecting Rules

The most important part of AWS Config are its rules. Rules are conditions that you want AWS Config to monitor. Rules can be custom  made as well depending on your organization’s security compliance.

It is  recommended, to select all on the first time.

 

Once, you have selected the rules click on Next and you will be greeted by the AWS Config dashboard.

 

 

The dashboard highlights, the key issues concerning your account. The noncompliant resources are the ones that have failed to meet the rules created by AWS. Let’s you view details of a resource.  Simply click on the resources and AWS config will display the config of the resource.

Viewing issues of a rule

By default, AWS creates few rules. One of these is restricted-ssh.  This rule checks whether SSH access is restricted to an IP or not.

This has been flagged as noncompliant. Let’s view more details of it.

  1. Click on the Rules on the left nav bar
  2. Select the rule name which is noncompliant (restricted-ssh)

 

3. restricted-ssh

In this page, we could view the security groups – to see which rules have been flagged noncompliant. By clicking on any of them we could view a timeline of the changes.

 

 

4. Timeline of changes

We could come to know that this rule was created on 1st September. When it was created the SSH access was left open to the world. Any changes to this security group are now monitored by AWS Config. AWS Config also displays the relationship of this resource. It shows that this security group is assigned to the VPC number 04f68.

If we restricted the SSH access, AWS Config will pick up the change. It also describes the changes made. If you have created an SNS topic you will receive this change as-well.

 

By using AWS Config, we could monitor the changes in our AWS account, enforce changes and have a clear overview of which services are non-compliant. All this is done and managed by AWS without a single line of scripts. If you need to create custom rules, it is very easy. Custom rules will invoke a Lambda function.

 

Do you have AWS Config? If you do, please leave your feedback in the comment sections below.