Osama Gamal

Setting Up AWS Config: A Practical Guide to Real-World Implementation and Use Cases

Introduction

AWS Config is an AWS service that helps you to:

Continually assess, monitor, and record resource configuration changes to simplify change management.

Audit and evaluate compliance of your resource configurations with your organization's policies on a continual basis.

Simplify operational troubleshooting by correlating configuration changes to particular events in your account.

In this guide we will set up AWS Config and apply it to a real case: detecting an EC2 instance that has a public IP and a security group that allows SSH from anywhere.

Steps

Start and configure AWS Config
In this step we will create and configure AWS Config to track our configuration changes and compliance status.

  • Set up AWS Config.

In the AWS Management Console, navigate to the "AWS Config" service. You can either use the search bar or find it under the "Management & Governance" section.
In the AWS Config console, click on the "Get Started" button.

Get Started

On the Settings page, configure your recording method.
Under Recording strategy choose "All resource types with customizable overrides" to record all available resource types.
Under Default settings >> Recording frequency choose "Continuous recording" so that configuration changes are recorded as they happen.

Aws Config-setting-1
Under Override settings keep the default, which excludes the IAM resource types from recording.
Under Data governance choose "Use an existing AWS Config service-linked role" so that AWS Config has the role it requires.
Under Delivery method >> "Amazon S3 bucket", either choose an existing S3 bucket or create a new one to store your AWS Config data. Click "Next" when done.

Aws Config-setting-2

Aws Config-setting-3

  • Set up rules for config.

You can set up AWS Config rules to define the desired configuration state for your resources.
Many AWS managed rules are available; in our case we choose two of them:
"restricted-ssh" and "ec2-instance-no-public-ip".

Aws Config-setting-4
Click "Next" when done.

  • Review.

Review your settings and click "Confirm." This will start the process of setting up AWS Config.

Aws Config-Dashboard
Congratulations, we have successfully created and configured AWS Config.

Launch an EC2 instance
Now we will launch an EC2 instance with a public IP and a security group that allows SSH from anywhere, so that both rules have something to flag.

  • Navigate to the EC2 Dashboard:

In the AWS Management Console, navigate to the EC2 service.
Click on the "Launch Instance" button.
Choose any Amazon Machine Image (AMI).
Choose an instance type based on your needs. The default selection is usually fine for testing.

Ec2-Configuration-1

  • Configure Instance Network Settings:

Configure the instance network settings and enable the "Auto-assign public IP" option.

Ec2-Configuration-2

  • Configure Security Group:

Create a new security group.
The security group should allow inbound SSH traffic.
Click on "Add Rule."
Set the "Type" to "SSH."
Set the "Source" to "Anywhere" (0.0.0.0/0).

Ec2-Configuration-3

  • Review and Launch:

Review your instance configuration.
Click on "Launch."

Ec2-Review

We have successfully created an EC2 instance with a public IP and a security group that allows SSH from anywhere.
Now we will go to the AWS Config dashboard to check the compliance status of the new resources.

Check the AWS Config dashboard

Now navigate to AWS Config to check the dashboard and compliance status.
We will see 2 noncompliant rules and 2 noncompliant resources, as shown in the images below.

Compliance status

Noncompliant Rules

Noncompliant Resources

As the images show, we have 2 noncompliant rules, "restricted-ssh" and "ec2-instance-no-public-ip", and 2 noncompliant resources, the EC2 instance and the security group.
Now we will edit the security group and remove the inbound rule that allows SSH from anywhere to see what happens on the dashboard.

After editing the security group, the "restricted-ssh" rule and the security group resource turned compliant (the re-evaluation is triggered by the configuration change and can take a few minutes to show up on the dashboard).

Compliance status

We can also check the timeline of the security group resource to see the configuration change.

Security group timeline
Now we will terminate the EC2 instance.
After terminating the EC2 instance, the noncompliant rules and noncompliant resources both drop to 0.

You can also see the timeline for any resource from the Resources tab in AWS Config.
At this point, congratulations: you have set up AWS Config and tracked your configuration changes.
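To make concrete what the two managed rules are checking at each step above, here is an added example (not AWS Config's own code and not from the original post) that re-implements the rule logic over constructed resource descriptions shaped like EC2 API output; the field names (IpPermissions, IpRanges, Ipv6Ranges, PublicIpAddress) come from that API, and the IDs and addresses are placeholders.

```python
def restricted_ssh(security_group):
    """Mirror of 'restricted-ssh': NON_COMPLIANT when any ingress rule
    covering TCP/22 is open to 0.0.0.0/0 or ::/0 (the "Anywhere" source
    chosen in this guide); otherwise COMPLIANT."""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":               # "All traffic" covers port 22 too
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue                    # UDP/ICMP rules cannot carry SSH
        if not low <= 22 <= high:
            continue
        open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if open_v4 or open_v6:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def ec2_instance_no_public_ip(instance):
    """Mirror of 'ec2-instance-no-public-ip': NON_COMPLIANT when the
    instance carries a public IPv4 address (Auto-assign public IP enabled)."""
    return "NON_COMPLIANT" if instance.get("PublicIpAddress") else "COMPLIANT"

# Constructed sample resources shaped like EC2 API output (not real AWS data).
SG_OPEN = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SG_FIXED = {"GroupId": "sg-0example", "IpPermissions": []}   # SSH rule removed, as in the guide
INSTANCE = {"InstanceId": "i-0example", "PublicIpAddress": "198.51.100.10"}

def summary(security_group, instance):
    """Per-rule results plus the noncompliant-rule count the dashboard shows."""
    results = {"restricted-ssh": restricted_ssh(security_group),
               "ec2-instance-no-public-ip": ec2_instance_no_public_ip(instance)}
    return results, sum(v == "NON_COMPLIANT" for v in results.values())

if __name__ == "__main__":
    print(summary(SG_OPEN, INSTANCE))   # both rules NON_COMPLIANT, count 2
    print(summary(SG_FIXED, INSTANCE))  # only the public-IP rule fails, count 1
```

The first call reproduces the "2 noncompliant rules" state and the second the state after the security group edit; an instance without PublicIpAddress brings the count to 0.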

Note: Don't forget to clean up your environment.

Cleanup
Terminate the EC2 instance you created.
Remove the roles from AWS Config.
Stop recording from AWS Config >> Settings.
Remove the S3 bucket.
