StackZone Feature: AWS Config Rules
How StackZone can manage your AWS Config Rules & Remediations!
Eduardo Van Cauteren
Last Update 2 years ago
AWS Config is a service that assesses and audits your AWS Cloud resources against specific AWS Config Rules and records each resource as COMPLIANT or NON_COMPLIANT. It is a very useful auditing tool that highlights resources which need your attention because they fall outside the best practices or standards set by your AWS Config Rules.
What is AWS Config?
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
AWS Config gives you a broad understanding of your compliance attainment and a global view across all your accounts and regions. When you enable AWS Config and the Config Aggregator, you will see an aggregated view of all your accounts and regions in the StackZone console Dashboard. You will also be able to check your compliance percentage across your AWS Organization, and you can receive compliance notifications if any of your monitored resources becomes non-compliant.
AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules.
StackZone provides you with more than 50 remediation rules that allow you to instantly fix non-compliant resources through automation, with the click of a button.
If you would like to know more about AWS Config, please check out the documentation from Amazon, linked here.
AWS Config Aggregators
The AWS Config Local Aggregator aggregates all AWS Config Rule data within one of your accounts, from all enabled regions. The Local Aggregator is provisioned in your primary region in each AWS Account.
You can use an aggregator to get a centralized view of your resource inventory and compliance. An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and AWS Regions into a single account and Region.
StackZone constructs a local aggregator in each of your AWS Accounts so that the rules and resources analyzed by AWS Config are aggregated locally, per AWS account.
The StackZone Global Aggregator, on the other hand, goes one step further and aggregates across all of the AWS accounts in your Organization. It is constructed within the Security Account and reports back the most non-compliant rules across all accounts and all enabled regions.
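As an added example (not StackZone's own code), the following Python shows the two figures the Global Aggregator view described above is built from: the organization-wide compliance percentage and the ranking of the most non-compliant rules. It assumes the input is shaped like the AggregateComplianceByConfigRules items returned by the AWS Config describe_aggregate_compliance_by_config_rules API; the sample data is constructed.

```python
from collections import Counter

# Constructed sample, shaped like the AggregateComplianceByConfigRules items that the
# AWS Config API describe_aggregate_compliance_by_config_rules returns (field names are
# the API's; account IDs, regions and counts are made up for this example).
SAMPLE_AGGREGATE = [
    {"ConfigRuleName": "s3-bucket-logging-enabled", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "NON_COMPLIANT",
     "ComplianceContributorCount": {"CappedCount": 4, "CapExceeded": False}}},
    {"ConfigRuleName": "s3-bucket-logging-enabled", "AccountId": "222222222222",
     "AwsRegion": "eu-west-1", "Compliance": {"ComplianceType": "NON_COMPLIANT",
     "ComplianceContributorCount": {"CappedCount": 2, "CapExceeded": False}}},
    {"ConfigRuleName": "s3-bucket-public-write-prohibited", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-public-write-prohibited", "AccountId": "222222222222",
     "AwsRegion": "eu-west-1", "Compliance": {"ComplianceType": "NON_COMPLIANT",
     "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
    # Rules with no evaluated resources must not drag the percentage down.
    {"ConfigRuleName": "cloudtrail-enabled", "AccountId": "222222222222",
     "AwsRegion": "eu-west-1", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]


def compliance_summary(entries):
    """Return (compliance_pct, ranked).

    compliance_pct: share of evaluated (account, region, rule) combinations that are
    COMPLIANT; INSUFFICIENT_DATA / NOT_APPLICABLE entries are left out of the denominator.
    ranked: (rule name, non-compliant resource count) pairs, most non-compliant first,
    summed across every account and region the aggregator covers.
    """
    evaluated = compliant = 0
    noncompliant_resources = Counter()
    for entry in entries:
        compliance = entry["Compliance"]
        ctype = compliance["ComplianceType"]
        if ctype == "COMPLIANT":
            evaluated += 1
            compliant += 1
        elif ctype == "NON_COMPLIANT":
            evaluated += 1
            count = compliance.get("ComplianceContributorCount", {})
            # CappedCount is the number of offending resources (capped by the API).
            noncompliant_resources[entry["ConfigRuleName"]] += count.get("CappedCount", 1)
    pct = round(100.0 * compliant / evaluated, 1) if evaluated else 0.0
    ranked = sorted(noncompliant_resources.items(), key=lambda kv: (-kv[1], kv[0]))
    return pct, ranked
```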
If you would like to know more about AWS Config Aggregators, please check out the documentation from Amazon, linked here.
How to Enable StackZone AWS Config Rules and Remediations
From the StackZone Console you can apply AWS Config Rules from a centralized location, without manual intervention or coding against any of your resources. In this case, we will enable the Amazon S3 Bucket Logging Enabled rule; this particular rule checks whether logging is enabled for each of your S3 buckets.
To enable any of the available Config Rules, log in to the StackZone console, locate Provisioning in the left-side menu and click on Baseline Services. Then click on AWS Config Rules Global or AWS Config Rules Regional, depending on your needs. For this example, the rule is located at AWS Config Rules Regional -> Amazon S3. In order to make changes, we first need to enable Edit mode by clicking the toggle switch located at the top-right corner. Once enabled, locate the config rule called Amazon S3 Bucket Logging Enabled and click on its toggle switch to enable it.
Once done, click the Save Settings button, then go to Provisioning -> Status and click the Deploy button, and that's it! You have just implemented a Config Rule that will report each S3 bucket as COMPLIANT if logging is enabled for it.
StackZone AWS Config Rule Remediations
Now a logical question may arise: if we find a NON_COMPLIANT resource, can we fix it in an automated fashion? The answer is yes! Most of the non-compliant resources found by StackZone's config rules can be remediated automatically with config rule remediations.
To continue with the S3 bucket topic, we will enable a remediation called Amazon S3 Public Write Denied. This remediation automatically disables S3 public write access for any S3 bucket found NON_COMPLIANT by the config rule Amazon S3 Public Write.
In order to enable the remediation, go to Baseline Services -> AWS Config Rules Regional. Then locate the Remediation(s) card and enable Amazon S3 Public Write Denied by turning on the toggle switch. See the following screenshot as reference:
Once done, click the Save Settings button, then go to Provisioning -> Status and click the Deploy button to push the changes to AWS. As you can see, with just a couple of clicks you ensure that every S3 bucket with public write enabled will be remediated according to the findings of the config rule.
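As an added example (not StackZone's or AWS's code), the following Python shows, offline and with constructed bucket descriptions, the rule-then-remediation cycle just described for the Amazon S3 Public Write case: a simplified evaluation that returns COMPLIANT or NON_COMPLIANT, the Public Access Block settings the remediation applies, and the re-evaluation that follows. Assumptions: only the bucket ACL and Public Access Block are inspected (the AWS managed rule also considers bucket policies), and the remediation is modelled as turning on all four Public Access Block flags, since the SSM document StackZone actually runs is not shown on this page.

```python
# Assumption: the check covers bucket ACLs plus the Public Access Block only,
# and the remediation is modelled as enabling all four Public Access Block flags.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed bucket descriptions, shaped like get_public_access_block and
# get_bucket_acl responses (field names are the S3 API's; values are made up).
BUCKETS = {
    "weak-bucket": {  # public ACL grants WRITE and nothing blocks it
        "PublicAccessBlockConfiguration": dict.fromkeys(HARDENED_PAB, False),
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}],
    },
    "hardened-bucket": {  # same ACL, but the Public Access Block makes S3 ignore it
        "PublicAccessBlockConfiguration": dict(HARDENED_PAB),
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}],
    },
    "legacy-bucket": {  # no Public Access Block at all, but only the owner holds rights
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    },
}


def evaluate_public_write(bucket):
    """Return 'COMPLIANT' or 'NON_COMPLIANT', as a Config rule evaluation would."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    if pab.get("IgnorePublicAcls", False):
        return "COMPLIANT"  # S3 ignores public ACL grants, so they cannot grant write
    for grant in bucket.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def remediation_plan(bucket):
    """Settings a put_public_access_block call would apply; None when nothing to fix."""
    return None if evaluate_public_write(bucket) == "COMPLIANT" else dict(HARDENED_PAB)


def remediate(bucket):
    """Apply the plan to a copy of the description and re-evaluate, mimicking the
    rule re-check that follows an automated remediation. Returns (bucket, status)."""
    plan = remediation_plan(bucket)
    if plan is None:
        return bucket, "COMPLIANT"
    fixed = dict(bucket, PublicAccessBlockConfiguration=plan)
    return fixed, evaluate_public_write(fixed)
```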
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our How it works section with easy-to-follow videos, or just create your own StackZone account here.