Amazon Web Services (AWS) recently added the capability to aggregate compliance data produced by AWS Config rules across multiple accounts and/or regions to enable centralized auditing and governance of AWS resources. A new aggregated dashboard view displays non-compliant rules across the organization. Users can then drill down to view details about resources that are violating any rules.
AWS Config is a service that continuously monitors supported AWS resource types and records point-in-time views of their various attributes as configuration items. The recorded configuration history and resource relationships can then be manually inspected, and changes can be automatically evaluated via a rules engine that supports predefined managed rules and custom rules implemented as AWS Lambda functions. Resource changes and evaluation results can also be delivered to S3 buckets and monitored via SNS notifications or, more recently, CloudWatch Events (previous coverage) to trigger analysis and reactive remediation via other AWS services or third-party tools for “compliance auditing, security analysis, change management, and operational troubleshooting”.
AWS Config also correlates resource configuration changes with API actions recorded by AWS CloudTrail (previous coverage) to reveal details such as who requested a change, at what time, and from which IP address, which can help to identify the root cause of operational issues or provide forensics for security incidents.
While it has always been possible to record configuration items in and send notifications to other accounts, reasoning about the compliance status across multiple regions and accounts has been tedious and often required integration with third-party vendors. AWS has now followed up on the increasing multi-account usage by providing its own aggregated dashboard view within the AWS Config console, where users can drill down into details about compliance violations across their organization.
Image: AWS Config aggregated view dashboard (via introductory blog post)
Setting up the aggregated view involves the following steps:
- Configuring an aggregator within the desired target account and region
- Specifying source accounts, either individually or automatically via AWS Organizations' multi-account support (previous coverage)
- Specifying source regions, or simply all regions, optionally including future regions
- Providing authorization from the source account owner to the aggregator account, which is only required if the source account is not part of an AWS Organization
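As an added illustration, not taken from the article or from AWS's own samples, the steps above expressed as two CloudFormation templates: one for the aggregator (audit) account, one for a source account outside the Organization. Account IDs, region choices and the IAM role name are placeholders; the role is assumed to already exist with the AWS-managed AWSConfigRoleForOrganizations policy attached.

```yaml
# Template 1: deployed once, in the aggregator (audit) account.
# All account IDs below are constructed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS Config multi-account, multi-region compliance aggregation
Resources:
  OrgAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: org-compliance-aggregator
      # Option A: pull from every member account of the AWS Organization.
      # No per-account authorization is needed; AWS Config assumes this role
      # (placeholder name) to enumerate the Organization's accounts.
      OrganizationAggregationSource:
        RoleArn: arn:aws:iam::111111111111:role/ConfigOrgAggregatorRole
        # true also picks up regions launched in the future; note that every
        # account/region pair with active rules contributes to the bill.
        AllAwsRegions: true
  PartnerAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: partner-accounts-aggregator
      # Option B: explicitly listed accounts that are NOT in the Organization;
      # each one must grant an AggregationAuthorization (template 2) or its
      # data is silently absent from the aggregated dashboard.
      AccountAggregationSources:
        - AccountIds:
            - "222222222222"
            - "333333333333"
          AllAwsRegions: false
          AwsRegions:
            - us-east-1
            - eu-west-1
---
# Template 2: deployed in each non-Organization source account, in the
# region(s) where AWS Config is recording. It authorizes exactly one
# aggregator account + region pair to read that account's compliance data.
AWSTemplateFormatVersion: "2010-09-09"
Description: Authorize the audit account to aggregate this account's AWS Config data
Resources:
  AllowAuditAccountAggregation:
    Type: AWS::Config::AggregationAuthorization
    Properties:
      AuthorizedAccountId: "111111111111"   # the aggregator account
      AuthorizedAwsRegion: us-east-1        # region where the aggregator lives
```

The authorization is scoped to a single aggregator account and region, so rotating the audit account or moving the aggregator to another region requires updating template 2 in every source account.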
As usual, these steps can be performed via the AWS Management Console, the AWS CLI, and AWS CloudFormation, which makes it trivial to provision AWS Config across a huge number of accounts. While this is a notable simplification from a compliance management perspective, users should be aware of possibly unexpected cost implications, which prompted AWS community hero Eric Hammond to request a “better pricing scheme for AWS Config”:
Activating a single AWS Config Rule across all 15 current regions in all 28 personal accounts would cost over $10,000 per year. The vast majority of these account regions should have basically nothing going on.
In related news, AWS Config has since introduced lower pricing for rules at higher usage tiers, added the ability to specify a data retention period for configuration items, and also integrated resource configuration and compliance change notifications with Amazon CloudWatch Events (previous coverage).
There are various open-source tools that can be used as an alternative or in addition to AWS Config rules, with notable solutions being:
- Capital One’s Cloud Custodian, which “allows users to define policies to enable a well managed cloud infrastructure, that’s both secure and cost optimized”
- Netflix’s Security Monkey, which “monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations”
- Toni de la Fuente’s Prowler, which provides “AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1”
AWS itself provides additional solutions that overlap with AWS Config’s feature set, for example the AWS GuardDuty managed threat detection service (previous coverage) and its AWS Trusted Advisor premium support offering (previous coverage).
Microsoft Azure meanwhile also offers a compliance solution with a similar feature set via its new Azure Policy service, which is currently free of charge, though only available as a public preview at this point.
The AWS Config documentation features a developer guide, including a getting started section, the AWS CLI reference, and the API reference. AWS also provides the AWS Config Rules Repository and an AWS Config Rules Development Kit (RDK) to help developers “set up, author and test custom Config rules” with a “compliance-as-code” workflow. Support is provided via the AWS Config forum. There is a one-time charge for each configuration item and a monthly fee for each active rule, as further detailed in AWS Config pricing. Recording configuration snapshots and history files is free, but the required storage is subject to regular usage-based Amazon S3 pricing.