DEV Community

Jasper Rodda

AWS Config: Run Org rules to check Resource compliance via Lambda functions.

This project uses AWS Config to run organization-defined custom rules, backed by Lambda functions, that check whether resources are in compliance.

Steps:

  1. Create two EC2 instances.
  2. Create a Lambda function.
  3. Create a Config rule.
  4. Monitor for non-compliant resources.

1. Create 2 EC2 resources.

-- create one instance with Monitoring enabled.
-- create one instance with Monitoring disabled.


2. Create Lambda function.

Note: Set the Lambda timeout to 10 seconds (Lambda console, Configuration tab, Timeout); the default of 3 seconds is too short for the EC2 and Config API calls below.

import boto3
import json

def lambda_handler(event, context):

    # EC2 client used to look up the instance being evaluated.
    ec2_client = boto3.client('ec2')

    # Assume compliant by default; the annotation is set to match the result.
    compliance_status = "COMPLIANT"
    annotation = "Detailed monitoring is enabled."

    # invokingEvent is delivered as a JSON string; parse it to get the
    # configuration item that triggered this evaluation.
    config = json.loads(event['invokingEvent'])

    configuration_item = config["configurationItem"]

    # Extract the instanceId
    instance_id = configuration_item['configuration']['instanceId']

    # Get complete instance details from EC2.
    instance = ec2_client.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]

    # Check whether detailed (CloudWatch) monitoring is enabled on the instance.
    if instance['Monitoring']['State'] != "enabled":
        compliance_status = "NON_COMPLIANT"
        annotation = "Detailed monitoring is not enabled."

    evaluation = {
        'ComplianceResourceType': 'AWS::EC2::Instance',
        'ComplianceResourceId': instance_id,
        'ComplianceType': compliance_status,
        'Annotation': annotation,
        'OrderingTimestamp': config['notificationCreationTime']
    }

    # Report the result back to AWS Config using the token from the event.
    config_client = boto3.client('config')

    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken']
    )

    return response
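As an added example (not the author's code), here is the evaluation logic of the Lambda above separated from the AWS calls so it can be run offline. The sample invokingEvent is constructed here with made-up ids and timestamps; the monitoring state is read from the configuration item Config already delivers rather than via describe_instances, which also lets the rule return NOT_APPLICABLE when the item reports that the instance was deleted.

```python
import json

# Constructed sample of what AWS Config passes a custom-rule Lambda as
# event['invokingEvent'] for a configuration-change trigger. It is a JSON
# string, not a dict. Field names follow the real configuration item
# schema; ids and timestamps here are made up for this example.
def make_invoking_event(instance_id, monitoring_state, status="OK"):
    return json.dumps({
        "configurationItem": {
            "configurationItemStatus": status,
            "resourceType": "AWS::EC2::Instance",
            "resourceId": instance_id,
            "configuration": {
                "instanceId": instance_id,
                "monitoring": {"state": monitoring_state},
            },
        },
        "notificationCreationTime": "2024-01-01T00:00:00.000Z",
        "messageType": "ConfigurationItemChangeNotification",
    })


def evaluate(invoking_event):
    """Build the Evaluation dict that config.put_evaluations() expects.

    Reads the monitoring state from the configuration item itself, so the
    rule needs no ec2:DescribeInstances permission and does not fail when
    the instance was terminated before the Lambda ran.
    """
    config = json.loads(invoking_event)
    item = config["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": config["notificationCreationTime"],
    }
    if item["configurationItemStatus"] in ("ResourceDeleted",
                                           "ResourceNotRecorded"):
        # A deleted resource must not stay flagged NON_COMPLIANT.
        evaluation["ComplianceType"] = "NOT_APPLICABLE"
        evaluation["Annotation"] = "Resource deleted or not recorded."
    elif item["configuration"]["monitoring"]["state"] == "enabled":
        evaluation["ComplianceType"] = "COMPLIANT"
        evaluation["Annotation"] = "Detailed monitoring is enabled."
    else:
        evaluation["ComplianceType"] = "NON_COMPLIANT"
        evaluation["Annotation"] = "Detailed monitoring is not enabled."
    return evaluation
```

In the real Lambda, the returned dict is what goes into put_evaluations(Evaluations=[...], ResultToken=event['resultToken']).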

3. Create Config Rule

  • AWS Config --> Rule --> Add rule --> Custom Lambda rule
  • Enter the following details:
  • Name: rule-ec2-compliance (a unique name for the rule).
  • Description (optional): describe what the rule evaluates and how to fix resources that don't comply.
  • AWS Lambda function ARN: arn:aws:lambda:us-east-1:9879879878665:function:rule-ec2-compliance
  • Evaluation mode: When configuration changes
  • Click Next and save the rule.

4. Monitor resources based on rules.


Credits:
Thanks to Abhishek Veeramalla
