Introduction
AWS Config is a configuration management service that helps you to:
Continually assess, monitor, and record resource configuration changes to simplify change management.
Audit and evaluate the compliance of your resource configurations with your organization's policies on a continual basis.
Simplify operational troubleshooting by correlating configuration changes to particular events in your account.
In this guide we will start using AWS Config and see how we can apply it to a real case.
Steps
Start and configure AWS Config
In this step we will create and configure AWS Config to track our configuration changes and compliance status.
- Set up AWS Config.
In the AWS Management Console, navigate to the "AWS Config" service. You can either use the search bar or find it under the "Management & Governance" section.
In the AWS Config console, click on the "Get Started" button.
On the Settings page, configure your Recording method.
Under Recording strategy, choose the "All resource types with customizable overrides" option to record all available resource types.
Under Default settings >> Recording frequency, choose the "Continuous recording" option to record configuration changes continuously.
Under Override settings, keep the default, which excludes the IAM resource types from recording.
Under Data governance, choose the "Use an existing AWS Config service-linked role" option to create the role required by AWS Config.
Under Delivery method >> "Amazon S3 bucket", you can either choose an existing S3 bucket or create a new one to store your AWS Config data. Click "Next" when done.
- Set up rules for AWS Config.
You can set up AWS Config rules to define the desired configuration state for your resources.
There are many AWS Managed Rules available; in our case we choose two rules:
"restricted-ssh" and "ec2-instance-no-public-ip".
- Review.
Review your settings and click "Confirm". This will start the process of setting up AWS Config.
Congratulations, we have successfully created and configured AWS Config.
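The same setup can be driven through the AWS Config API instead of the console. The following is an added example, not code from the original post, written against boto3's `config` client; the account id, bucket name and the rule list are placeholders or assumptions, and the request bodies map the console choices above (all resource types with the IAM override, continuous recording, the service-linked role, an S3 delivery channel, the two managed rules) onto the API's field names. A `DryRunClient` records the calls so the request bodies can be inspected without credentials.

```python
"""Added example (not from the original post): the API-level equivalent of the
console steps above, using boto3's AWS Config client. Request bodies can be
inspected offline via DryRunClient; a real run needs credentials and a bucket
whose policy lets config.amazonaws.com write to it (the console sets that up
for a new bucket, the API does not)."""

# Constructed/placeholder values: the account id and bucket name are not real.
PLACEHOLDER_ACCOUNT_ID = "123456789012"
CONFIG_SERVICE_LINKED_ROLE = (
    f"arn:aws:iam::{PLACEHOLDER_ACCOUNT_ID}:role/aws-service-role/"
    "config.amazonaws.com/AWSServiceRoleForConfig"
)
RECORDER_NAME = "default"  # assumed name for the recorder and delivery channel
IAM_TYPES = ["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"]

# The two managed rules chosen above: console name and API source identifier.
MANAGED_RULES = [
    {"ConfigRuleName": "restricted-ssh",
     "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"}},
    {"ConfigRuleName": "ec2-instance-no-public-ip",
     "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_INSTANCE_NO_PUBLIC_IP"}},
]


def recorder_request(role_arn, name=RECORDER_NAME):
    """'All resource types with customizable overrides' plus continuous recording,
    keeping the console's default override (IAM types excluded)."""
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "exclusionByResourceTypes": {"resourceTypes": list(IAM_TYPES)},
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        },
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }


def delivery_channel_request(bucket, name=RECORDER_NAME):
    """Delivery method: Amazon S3 bucket."""
    return {"name": name, "s3BucketName": bucket}


def apply_setup(client, role_arn, bucket, rules=MANAGED_RULES):
    """Order matters: a delivery channel needs a recorder, starting the recorder
    needs a delivery channel, and rules need a recorder. Returns the rule names put."""
    client.put_configuration_recorder(ConfigurationRecorder=recorder_request(role_arn))
    client.put_delivery_channel(DeliveryChannel=delivery_channel_request(bucket))
    client.start_configuration_recorder(ConfigurationRecorderName=RECORDER_NAME)
    for rule in rules:
        client.put_config_rule(ConfigRule=rule)
    return [r["ConfigRuleName"] for r in rules]


class DryRunClient:
    """Stand-in for boto3.client('config') that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api_name):
        def record(**kwargs):
            self.calls.append((api_name, kwargs))
            return {}
        return record


if __name__ == "__main__":
    import json
    import os

    bucket = os.environ.get("CONFIG_BUCKET", "placeholder-config-bucket")
    if os.environ.get("APPLY") == "1":
        import boto3  # only needed for a real run with credentials
        client = boto3.client("config")
    else:
        client = DryRunClient()
    print("rules:", apply_setup(client, CONFIG_SERVICE_LINKED_ROLE, bucket))
    if isinstance(client, DryRunClient):
        for api_name, kwargs in client.calls:
            print(api_name, json.dumps(kwargs, indent=1))
```

Run it as-is to see the five API calls and their bodies; set `APPLY=1` and `CONFIG_BUCKET` to execute them for real. Note that the service-linked role ARN is only valid once the role exists in the account (the console creates it when you pick that option).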
Launch an EC2 instance
Now we will launch an EC2 instance with a public IP and a security group that allows SSH from anywhere.
- Navigate to the EC2 Dashboard:
In the AWS Management Console, navigate to the EC2 service.
Click on the "Launch Instance" button.
Choose any Amazon Machine Image (AMI).
Choose an instance type based on your needs. The default selection is usually fine for testing.
- Configure Instance Network Settings:
Configure the instance network and enable the "Auto-assign public IP" option.
- Configure Security Group:
Create a new security group.
The security group should allow inbound SSH traffic.
Click on "Add Rule."
Set the "Type" to "SSH."
Set the "Source" to "Anywhere" (0.0.0.0/0).
- Review and Launch:
Review your instance configuration.
Click on "Launch."
We have successfully created an EC2 instance with a public IP and a security group that allows SSH from anywhere.
Now we will go to the AWS Config dashboard to check the compliance status of the new resources.
Check the AWS Config dashboard
Now we will navigate to AWS Config to check the dashboard and compliance status.
We will see 2 noncompliant rules and 2 noncompliant resources, as shown in the images below.
As the images show, we have 2 noncompliant rules, "restricted-ssh" and "ec2-instance-no-public-ip", and 2 noncompliant resources, the EC2 instance and the security group.
Now we will edit the security group and remove the inbound rule allowing SSH from anywhere to see what happens to the dashboard.
After editing the security group, we notice that the "restricted-ssh" rule and the security group resource have turned compliant.
We can also check the timeline of the security group resource to see the configuration change.
Now we will terminate the EC2 instance.
After removing the EC2 instance, the noncompliant rules and noncompliant resources counts become 0.
You can also see the timeline for any resource from the Resources tab in AWS Config.
At this point I would say congratulations, you have now succeeded in setting up AWS Config and tracking your configuration changes.
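To make clear what the two managed rules actually evaluate on the EC2 instance and security group launched above, and why the dashboard counters move the way they do as the security group is edited and the instance is terminated, here is an added example that is not part of the original post. It re-implements the checks behind "restricted-ssh" (inbound port 22 reachable from 0.0.0.0/0 or ::/0) and "ec2-instance-no-public-ip" (instance has a public IP) locally, over constructed configuration items whose field names are modelled on the AWS Config schema for these resource types; the resource ids and addresses are made up.

```python
"""Added example (not from the original post): an offline re-implementation of the
checks behind "restricted-ssh" and "ec2-instance-no-public-ip", run over constructed
configuration items shaped like the ones AWS Config records for EC2 resources."""
from copy import deepcopy
from ipaddress import ip_network

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Constructed sample items (not real account data). Field names are modelled on the
# AWS Config configuration schema for these two resource types; ids are made up.
OPEN_SSH_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}
PUBLIC_INSTANCE = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configuration": {"publicIpAddress": "203.0.113.10",  # documentation address range
                      "networkInterfaces": [{"association": {"publicIp": "203.0.113.10"}}]},
}


def _covers_ssh(perm):
    """True if the permission admits TCP/22, including 'all traffic' (-1) rules."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= 22 <= hi


def _is_open_ssh(perm):
    """Open = reaches port 22 from 0.0.0.0/0 or ::/0, which is what the managed rule flags."""
    if not _covers_ssh(perm):
        return False
    cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
    cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def evaluate_restricted_ssh(item):
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE
    perms = item["configuration"].get("ipPermissions", [])
    return NON_COMPLIANT if any(_is_open_ssh(p) for p in perms) else COMPLIANT


def evaluate_no_public_ip(item):
    if item["resourceType"] != "AWS::EC2::Instance":
        return NOT_APPLICABLE
    cfg = item["configuration"]
    public = bool(cfg.get("publicIpAddress")) or any(
        (nic.get("association") or {}).get("publicIp")
        for nic in cfg.get("networkInterfaces", []))
    return NON_COMPLIANT if public else COMPLIANT


RULES = {"restricted-ssh": evaluate_restricted_ssh,
         "ec2-instance-no-public-ip": evaluate_no_public_ip}


def dashboard(items):
    """The two counters the Config dashboard shows: noncompliant rules and resources."""
    bad_rules, bad_resources = set(), set()
    for item in items:
        for name, rule in RULES.items():
            if rule(item) == NON_COMPLIANT:
                bad_rules.add(name)
                bad_resources.add(item["resourceId"])
    return {"noncompliant_rules": len(bad_rules),
            "noncompliant_resources": len(bad_resources)}


def close_ssh(group):
    """The console edit from the walkthrough: drop inbound rules that open SSH to anywhere."""
    fixed = deepcopy(group)
    fixed["configuration"]["ipPermissions"] = [
        p for p in fixed["configuration"]["ipPermissions"] if not _is_open_ssh(p)]
    return fixed


if __name__ == "__main__":
    print("after launch:   ", dashboard([OPEN_SSH_GROUP, PUBLIC_INSTANCE]))
    print("after SG edit:  ", dashboard([close_ssh(OPEN_SSH_GROUP), PUBLIC_INSTANCE]))
    print("after terminate:", dashboard([close_ssh(OPEN_SSH_GROUP)]))
```

The three `dashboard` calls reproduce the walkthrough: 2/2 after launch, 1/1 once the open SSH rule is removed from the security group (the HTTPS rule is left alone, since the managed rule only looks at port 22), and 0/0 once the instance is gone. Note that the check treats a port range such as 20-30 or an "all traffic" rule as covering SSH, which is the kind of case the console rule catches and a naive "fromPort == 22" check would miss.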
Note: Don't forget to clean up your environment.
Cleanup
Terminate the EC2 instance that you created.
Remove the roles from AWS Config.
Stop recording from AWS Config >> Settings.
Remove the S3 bucket.