AWS Config Rules - Advanced AWS Meetup
Uploaded by ariel-smoliar
![Page 1: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/1.jpg)
@ariel_smoliar
AWS Config Rules - Advanced AWS Meetup
![Page 2: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/2.jpg)
![Page 3: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/3.jpg)
![Page 4: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/4.jpg)
New Security Capabilities
![Page 5: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/5.jpg)
Improving AWS Account Visibility
• AWS CloudTrail (re:Invent 2013): identify the individuals performing actions within the account
• AWS Config (re:Invent 2014): identify which configuration changes have been made
• AWS Config Rules (re:Invent 2015): set up rules to check configuration changes
![Page 6: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/6.jpg)
Management Tools
![Page 7: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/7.jpg)
AWS Config - Background
• Capturing the state of your AWS resources and the relationships between them
– AWS Resource: an entity that can be independently created, updated and deleted directly by a user
– Configuration Item: captures the state of a resource at a specific time; contains common attributes, relationships, related events and metadata
• Discover resources that exist in your account
• Discover resources that no longer exist in your account
![Page 8: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/8.jpg)
Configuration Change
• A user opens a port in a security group attached to an Amazon EC2 instance
• Because the security group is shared, the change also affects every other instance attached to it
![Page 9: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/9.jpg)
Config Rules
• Rules look for a desirable or undesirable condition
• Users can use existing AWS-managed rules and define custom rules
• Each custom rule is an AWS Lambda function
– The Lambda function contains the logic that evaluates whether your AWS resources comply with the rule
I highly recommend checking Jeff's blog
![Page 10: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/10.jpg)
Triggering Config Rules
• Rules can be targeted at specific resources (by ID), at specific resource types, or at tagged resources
• Rules run when a resource in scope changes; they can also run periodically at a specified frequency
![Page 11: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/11.jpg)
Evaluation
• AWS Config evaluates the resources within the rule's scope
• AWS Config runs evaluations when a change is detected (event-based) or when a configuration snapshot is delivered (periodic)
• The result of evaluating a rule against a resource is either compliant or non-compliant
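To make the preceding three slides concrete, here is an added example of what the Lambda function behind a custom rule does. It is not code from the talk or from AWS: it parses a Config Rules invocation event, finds the security-group configuration item, checks whether any ingress rule exposes a blocked port to the whole Internet, and produces the compliant / non-compliant verdict that `PutEvaluations` expects. The sample event, the security-group layout (both the `ipRanges` string form and the `ipv4Ranges` object form are accepted) and the `blockedPorts` rule parameter are constructed assumptions for the example; periodic invocations, which carry no configuration item, are handled by returning nothing.

```python
import json

# Ports that must not be open to the Internet. A real rule would take these
# from ruleParameters; the defaults here are the example's assumption.
DEFAULT_BLOCKED_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Collect every CIDR in an ipPermissions entry, in either Config layout."""
    out = set()
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(key, []):
            out.add(r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")))
    return out


def _covers_blocked_port(perm, blocked_ports):
    """True if the entry's port range (or 'all traffic') includes a blocked port."""
    if perm.get("ipProtocol") == "-1":  # protocol -1 means all traffic, all ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in blocked_ports)


def evaluate_security_group(item, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Return (complianceType, annotation) for one AWS::EC2::SecurityGroup item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    offending = [p for p in perms
                 if _cidrs(p) & ANYWHERE and _covers_blocked_port(p, blocked_ports)]
    if offending:
        return "NON_COMPLIANT", f"{len(offending)} ingress rule(s) open to the Internet on a blocked port"
    return "COMPLIANT", "no blocked port is open to the Internet"


def build_evaluation(event):
    """Turn a Config Rules invocation event into one PutEvaluations entry (or None)."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    raw = params.get("blockedPorts")  # assumed parameter name, e.g. "22,3389"
    blocked = {int(p) for p in raw.split(",")} if raw else DEFAULT_BLOCKED_PORTS
    item = invoking.get("configurationItem")
    if item is None:  # periodic (ScheduledNotification) invocations carry no item
        return None
    compliance, annotation = evaluate_security_group(item, blocked)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point inside Lambda: report the verdict back to AWS Config."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return
    import boto3  # only needed when actually running in Lambda
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])


# Constructed sample event: a change notification for a security group that
# allows SSH from anywhere. Not a real captured event.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2015-12-15T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]},
    ]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The verdict logic is kept separate from the `PutEvaluations` call so it can be exercised offline with constructed configuration items; only `lambda_handler` needs `boto3` and the Lambda execution role (which must be allowed `config:PutEvaluations`).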
![Page 12: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/12.jpg)
![Page 13: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/13.jpg)
![Page 14: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/14.jpg)
![Page 15: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/15.jpg)
“Patterns are solutions to recurring problems in a context.”
(Christopher Alexander)
![Page 16: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/16.jpg)
Config Rules - Use Cases
• Check whether AWS CloudTrail is enabled
• Check whether Elastic IP addresses are attached to EC2 instances
• Check whether your security groups block incoming SSH traffic
• Check whether your instances belong to a VPC
• Check whether your security groups block incoming TCP traffic to specified ports
![Page 17: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/17.jpg)
![Page 18: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/18.jpg)
Pricing
• No charges during preview!
• $2 per active rule per month
• An active rule has at least one evaluation per month ($0.0001 per evaluation)
![Page 19: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/19.jpg)
You can sign up now for the Config Rules preview: https://aws.amazon.com/config/preview/
Let’s Get It Started
![Page 20: AWS Config Rules - Advanced AWS Meetup](https://reader035.fdocuments.us/reader035/viewer/2022062302/587ff91d1a28ab3a1e8b5a1d/html5/thumbnails/20.jpg)
Thank You!