Aws config custom rules

Skip to content. Branch: master. Create new file Find file History. Latest commit. Latest commit 88a53b4 Mar 12, You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Jan 21, Sep 25, Permissions on the python files were not executable, which broke the …. Apr 1, Jan 29, May 7, Mar 24, Apr 10, Apr 3, Removed trailing whitespaces in test files. Mar 11, Jun 8, Changed class name from SampleTest to ComplianceTest.

May 2, Sep 17, Update for goodbot. Mar 10, Merge branch 'master' into pengkz. Apr 12, Dec 20, Jun 21, The flexible, dynamic nature of the AWS cloud gives developers and admins the flexibility to launch, configure, use, and terminate processing, storage, networking, and other resources as needed.

In any fast-paced agile environment, security guidelines and policies can be overlooked in the race to get a new product to market before the competition.

You can use existing rules from AWS and from partners, and you can also define your own custom rules.

aws config custom rules

Rules can be targeted at specific resources by idspecific types of resources, or at resources tagged in a particular way.

Rules are run when those resources are created or changed, and can also be evaluated on a periodic basis hourly, daily, and so forth. Each custom rule is simply an AWS Lambda function. After the Lambda function makes its decision compliant or not it calls the PutEvaluations function to record the decision and returns. The results of all of these rule invocations which you can think of as compliance checks are recorded and tracked on a per-resource basis and then made available to you in the AWS Management Console.

You can also access the results in a report-oriented form, or via the Config API. As usual, we will look forward to your feedback and will use it to shape and prioritize our roadmap. I open the Config Console and click on Add Rule :. I browse through the rules and decide to start with instances-in-vpc. I click on the rule and customize it as needed:. I have a lot of choices here. The Trigger type tells Config to run the rule when the resource is changed, or periodically. The Scope of changes tells Config which resources are of interest.

The scope can be specified by resource type with an optional identifier by tag name, or by a combination of tag name and value. If I am checking EC2 instances, I can trigger on any of the following:.

The parameter names, and their meaning, will be specific to the function. In this case, supplying a value for the vpcid parameter tells the function to verify that the EC2 instance is running within the specified VPC. The rule goes in to effect after I click on Save. It turns out that this instance has been sitting around for a while truth be told I forgot about it. This is a perfect example of how useful the new Config Rules can be!

I can also use the Config Console to look at the compliance status of all instances of a particular type:. Creating a New Rule I can create a new rule using any language supported by Lambda. The rule receives the Configuration Item and the rule parameters that I mentioned above, and can implement any desired logic.

The rule applies to EC2 instances, so it checks to see if was invoked on one:. If the rule was invoked on an EC2 instance, it checks to see if any one of a list of expected security groups is attached to the instance:. The rule can record results for the item being checked or for any related item.GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.

AWS Community repository of custom Config rules. Contributions welcome. Instructions for leveraging these rules are below. You can spot those rules by the fact that 1 they have their own directory, and 2 there is a parameters. You can use the sample functions in this repository to create Config rules that evaluate the configuration settings of your AWS resources.

First, you use AWS Lambda to create a function that is based on the sample code. Then, you use AWS Config to create a rule that is associated with the function. Add a rule to AWS Config by completing the following steps.

A summary of the evaluation results appears after several minutes. Skip to content. Permalink Dismiss Join GitHub today GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.

Sign up. Branch: master. Find file Copy path. Cannot retrieve contributors at this time. Raw Blame History. Verify that your region is set to one that supports AWS Config rules.

Create a Lambda function. Provide your code using the method required by the code entry type that you choose. If you are adding a Python or Node. For Handlerif you are adding a Python or Node.

aws config custom rules

If you are adding a Java function, specify the handler value for to the Java function that you want to use. After you create the function, take note of its ARN. Open the AWS Config console. Verify that your region is set to the same region in which you created the AWS Lambda function for your custom rule.

Use the AWS Config console to add a custom rule. For Trigger typeif you are using any of the triggered samples from this repository, choose Configuration changes. If you are using any of the periodic samples from this repository, choose Periodic.When a security group is created or modified, the Config triggers the Lambda function which will then take the necessary action.

If a change is detected it can send you an email, or execute a Lambda function. At the time same it maintains a record of changes.

The power comes when you start writing custom Lambda functions to make necessary changes to a resource. You could write the Lambda functions in the languages supported by AWS. We will be writing the Lambda function in Python. The function will be triggered when a security group is modified or created. The triggering aspect is fully managed by AWS Config. The function will check if the security group has a public accessible rule and remove it.

However, some security group needs to be public as a result we will configure an exclusion list of such security groups. When a security group is modified, AWS Config publishes an event which passes a request to the Lambda. Click here to download the Lambda script.

Our Lambda handler is plain and simple. We decode the response received and pass it to our method which will perform the logic. This is very important as we would like to inform it about the outcome of the script.

Config monitors the resources in your AWS account and can trigger alerts and events. With config, you could automatically run security compliance code on resources. Config allows this functionality by a terminology called Rules. Rules are the desired configuration settings of the AWS resources.

The screenshot below is of the Rules section of Config. For example when an EC2 instance is launched. This is recorded in Cloudtrail as an event. Your Privacy is protected.

AWS Custom Rule

Soroush Atarod. Subscribe Now.If you've got a moment, please tell us what we did right so we can do more of it. Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Complete the following procedure to create a custom rule. To create a custom rule, you first create an AWS Lambda function, which contains the evaluation logic for the rule.

Then you associate the function with a custom rule that you create in AWS Config. A Lambda function is custom code that you upload to AWS Lambda, and it is invoked by events that are published to it by an event source.

The Lambda function then evaluates the configuration information that is sent by AWS Config, and it returns the evaluation results. You can use a programming language that is supported by AWS Lambda to create a Lambda function for a custom rule. The AWS Lambda console provides sample functions, or blueprintswhich you can customize by adding your own evaluation logic. When you create a function, you can choose one of the following blueprints:. A public repository of sample functions for custom rules is available on GitHub, a web-based code hosting and sharing service.

The sample functions are developed and contributed by the AWS community. If you want to use a sample, you can copy its code into a new AWS Lambda function. On the Select blueprint page, you can choose one of the blueprint functions for AWS Config rules as a starting point, or you can proceed without a blueprint by choosing Skip.

On the Configure triggers page, choose Next. On the Configure function page, type a name and description. For Runtimechoose the programming language in which your function is written. For Code entry typechoose your preferred entry type.

If you are using a blueprint, keep Edit code inline. Provide your code using the method required by the code entry type that you selected. If you are using a blueprint, the function code is provided in the code editor, and you can customize it to include your own evaluation logic.

Your code can evaluate the event data that AWS Config provides when it invokes your function:.

AWS Config Custom Rules

For functions based on the config-rule-change-triggered blueprint, or for functions triggered by configuration changes, the event data is the configuration item or an oversized configuration item object for the AWS resource that changed. For functions based on the config-rule-periodic blueprint, or for functions triggered at a frequency that you choose, the event data is a JSON object that includes information about when the evaluation was triggered.For example, you can check that your Amazon S3 buckets are not publicly accessible or that your instances are associated with a security group.

AWS CodeStar is a centralized dashboard, from which you and your team can collaborate to develop, build, and deploy applications on AWS. AWS CodeStar includes project templates for common development platforms to enable provisioning of projects and resources for coding, building, testing, deploying, and running your software project. In order to make the process of authoring Config rules easier, AWS CodeStar recently announced support for AWS Config custom rule templates, which allow you and your team to work together to define and author the set of Config rules that fit your organization.

You can then deploy the necessary resources so that you have a working Config Rule at the click of a button. This means that Config records the configuration states of your resources whenever they are created or modified. Follow the steps in:. Now, get started creating your Config rule. For this example, you will write a rule to check that the S3 buckets in your account have versioning enabled. Inside the IDE, you see the project directory with the code for the example rule and the AWS CloudFormation template to be used create the Config rule and Lambda function for this project.

Then, look in the Configuration Item that was sent by Config to this Lambda function to check if versioning is enabled.

Change the rule name to something more descriptive like S3BucketVersioningEnabledadd a description for what the rule does, and change the scope of the rule to only apply to S3 buckets. Push the change and watch it go through all the related services. Watch as the change is pushed into the CodeCommit repository. Then, CodeDeploy takes that build from S3 and creates your Config rule backed by the Lambda function that you just wrote.

Also accessible from the dashboard is a link to the Config rule console where you can see your rule in action. You can see that the Config rule evaluated all of your S3 buckets. In his spare time, he likes to play basketball, eat, and enjoy the sun when Seattle is in a giving mood. Now, make the necessary changes to your CloudFormation template.Different organizations have different compliance and security requirements for their resources and accounts. AWS Config makes it easier for customers to implement these controls.

While AWS Config offers customers a wide selection of managed AWS Config rules that help them comply with their requirements, there are customers who require more customized control and can take advantage of building their own custom AWS Config rules as well as custom remediations.

Once those rules have been configured, customers want a way to scale out their rules to their AWS Organizations and deploy the rules using organization-wide deployment while still maintaining control of the rules themselves at the master account level.

Remediate Non-Compliance Using AWS Config Rules, AWS CloudWatch Events, & AWS Lambda Functions

The new feature, conformance packs, allows customers to create a collection of AWS Config rules and remediations in a single pack that can be deployed across an AWS Organization. This blog post demonstrates how customers can use conformance packs to deploy custom AWS Config rules with custom remediation across their organizations. This means that any Security Group rule added that is larger— Once the custom AWS Config rule marks it as non-compliant, it triggers an SSM automation document that calls the remediation Lambda function that removes the non-compliant rule from the Security Group.

Download this StackSet and deploy it from the master account. The execution roles you create for the Lambda functions in the member account are extracted in the Lambda code in the master account, therefore the role name must be the same in all the member accounts. Run the following command to allow the AutomationSecurityGroupConformance function to be invoked by the AutomationRole in the member accounts.

Change the Member Account ID to your member account for multiple member accounts, run this command for each account number :. The SSM automation document defines the automation remediation action that is taken when a resource is non-compliant. Next, share the SSM automation document that defines your remediation action with all your member accounts.

Run the command after you make these changes. In all the member accounts in your AWS Organization, you are able to see the rule that you created.

aws config custom rules

In this example, you add a Security Group rule that has a source of Therefore, it triggers your AWS Config rule as shown in the following screenshot:.

Once the Action Status for remediation is Action Executed Successfullyyou can go back to the Security Group that was non-compliant, refresh the page, and see that the non-compliant rule has been removed, as shown in the following screenshot. This blog post demonstrated how you can use conformance packs to centrally manage custom AWS Config rules with custom remediation across your organization.

Recently, the team behind AWS Read more…. However, users launching multiple instances can cause issues because: Some instances are Read more…. It is important to have a well-defined proactive disaster recovery strategy for efficient and uninterrupted flow of data across an organization. This applies to all components of your application architecture, including the database layer.

While Read more…. Walkthrough This blog post goes over the following steps: Deploy an AWS CloudFormation template in the master account that creates two Lambda functions—one for the AWS Config rule and one for remediation—as well as the appropriate IAM roles for cross-account execution in member accounts.

Deploy a StackSet to create IAM roles in the member accounts that are assumed by the Lambda functions in the master account.

Aws config custom rules