Checking AWS resource compliance with AWS Config Custom Lambda Rules and Rules Development Kit
Introduction
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config rules allow you to assess whether your AWS resources comply with certain conditions and policies. There are two types of rules: *AWS Config Managed Rules* and *AWS Config Custom Rules*. AWS Config Managed Rules are predefined, customizable rules created by AWS Config. AWS Config Custom Rules are rules that you create from scratch.
For this demo we will use AWS Config Custom Rules backed by Lambda. The Lambda function contains the logic that decides whether an AWS resource complies with the rule. The function is associated with the AWS Config rule; AWS Config invokes it whenever the rule is triggered, and the function evaluates the configuration item AWS Config sends it and reports the evaluation result back to AWS Config.
There are 3 trigger types for rule evaluation: configuration changes, periodic, and hybrid. For this demo we will trigger the rule evaluation on configuration changes to our resources. For simplicity, we will use rdk (Rules Development Kit) and rdklib to reduce the effort of creating the resources a custom rule needs.
We want to create 2 rules:
- Evaluate whether any instance has an instance type other than t2.micro
- Evaluate whether any instance has a public IP address
Architecture
Steps
- Enable AWS Config in your region. For this demo the 1-click setup, accessible from the AWS console, is enough.
- Clone the aws-config-custom-lambda-demo repository and change into its directory. NOTE: The scaffolding code was created for Python 3.12. If you use another Python version, either upgrade to the latest one or generate a new template with the rdk create command (the same applies if you prefer a language other than Python).
- Create a Python virtual environment and install rdk and rdklib via pip (see the rdk and rdklib documentation):
```bash
python -m venv venv
source venv/bin/activate
pip install rdk
pip install rdklib
```
- In the rules’ evaluation logic we will use several modules from the rdklib package. The package is shared with the Lambda function via a Lambda layer, which is distributed through the AWS Serverless Application Repository. Run the command below and copy the ChangeSetId from the output:
```bash
aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib \
--stack-name RDKlib-Layer
```
Create the resources associated with the stack, replacing CHANGE_SET_ID with the ChangeSetId from the command above:
```bash
aws cloudformation execute-change-set --change-set-name CHANGE_SET_ID
```
Get the ARN of the Lambda layer either from the Outputs section of the CloudFormation stack or by running the command below and copying the PhysicalResourceId:
```bash
aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-Layer
```
- Create the role that the Lambda function will assume when it evaluates resources. Attach the AWS_ConfigRole managed policy to it. The trust policy is shown below: the first statement trusts the AWS Config service, and the second lets roles in your account assume it only if their ARN is under the `rdk/` path (replace YOUR_ACCOUNT_ID with your account ID):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/rdk/*"
        }
      }
    }
  ]
}
```
- Since the scaffolding code is already in place, you only need to set the execution role (the role created in the previous step) for each of the Lambda functions:
```bash
rdk modify EC2_PUBLIC_IP_RULE --input-parameters '{"ExecutionRoleName":"ROLE_NAME_FROM_STEP_4"}'
rdk modify EC2_INSTANCE_TYPE_RULE --input-parameters '{"ExecutionRoleName":"ROLE_NAME_FROM_STEP_4"}'
```
- Run the commands below to deploy the rules, replacing YOUR_RDKLIB_LAYER_ARN with the layer ARN from the earlier step:
```bash
rdk deploy EC2_PUBLIC_IP_RULE --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN
rdk deploy EC2_INSTANCE_TYPE_RULE --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN
```
Each command creates a CloudFormation stack containing the Lambda function responsible for rule evaluation, the Config rule, and the Lambda execution role that allows the function to report evaluations back to AWS Config.
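The post does not reproduce the evaluation logic that rdk deploys, so the block below is an added example of what the two rules' handlers can look like. It is not the scaffolding from the aws-config-custom-lambda-demo repository. It assumes the rdklib interface documented in the rdklib README (a `ConfigRule` subclass whose `evaluate_change` returns `Evaluation` objects, run by `Evaluator`) and the configuration item shape AWS Config records for `AWS::EC2::Instance` (`instanceType`, `publicIpAddress`, and `networkInterfaces[].association.publicIp`). The compliance decisions are kept in plain functions that do not need rdklib, so they can be unit-tested locally before `rdk deploy`; the sample configuration items at the bottom are constructed and use placeholder instance IDs and an RFC 5737 documentation address.

```python
"""Evaluation logic for the EC2_INSTANCE_TYPE_RULE and EC2_PUBLIC_IP_RULE
custom rules (example code added for this post; assumes the rdklib API)."""
from __future__ import annotations

APPLICABLE_RESOURCES = ["AWS::EC2::Instance"]
ALLOWED_INSTANCE_TYPE = "t2.micro"
ANNOTATION_LIMIT = 256  # keep annotations within the AWS Config limit


def _configuration(configuration_item: dict) -> dict:
    """Return the resource configuration block (empty for deleted items)."""
    return configuration_item.get("configuration") or {}


def is_deleted(configuration_item: dict) -> bool:
    """A deleted resource has no configuration to judge: report NOT_APPLICABLE."""
    return configuration_item.get("configurationItemStatus") in (
        "ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_instance_type(configuration_item: dict, allowed: str = ALLOWED_INSTANCE_TYPE):
    """Rule 1: NON_COMPLIANT when the instance type differs from `allowed`."""
    if is_deleted(configuration_item):
        return "NOT_APPLICABLE", "Instance was deleted"
    instance_type = _configuration(configuration_item).get("instanceType")
    if instance_type == allowed:
        return "COMPLIANT", f"Instance type is {allowed}"
    return "NON_COMPLIANT", f"Instance type {instance_type!r} is not {allowed}"


def public_ips(configuration_item: dict) -> list[str]:
    """Collect public IPs from the instance and from every attached ENI association."""
    conf = _configuration(configuration_item)
    found = set()
    if conf.get("publicIpAddress"):
        found.add(conf["publicIpAddress"])
    for eni in conf.get("networkInterfaces") or []:
        public_ip = (eni.get("association") or {}).get("publicIp")
        if public_ip:
            found.add(public_ip)
    return sorted(found)


def evaluate_public_ip(configuration_item: dict):
    """Rule 2: NON_COMPLIANT when any public IP is associated with the instance."""
    if is_deleted(configuration_item):
        return "NOT_APPLICABLE", "Instance was deleted"
    ips = public_ips(configuration_item)
    if ips:
        annotation = "Public IP address(es): " + ", ".join(ips)
        return "NON_COMPLIANT", annotation[:ANNOTATION_LIMIT]
    return "COMPLIANT", "No public IP address"


# rdklib wiring: the package is only importable in Lambda through the rdklib layer.
try:
    from rdklib import ComplianceType, ConfigRule, Evaluation, Evaluator
except ImportError:  # local run without the layer; the evaluators above still work
    ConfigRule = object  # type: ignore[assignment,misc]
    Evaluator = None


class EC2_INSTANCE_TYPE_RULE(ConfigRule):
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        compliance, annotation = evaluate_instance_type(configuration_item)
        return [Evaluation(getattr(ComplianceType, compliance), annotation=annotation)]


class EC2_PUBLIC_IP_RULE(ConfigRule):
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        compliance, annotation = evaluate_public_ip(configuration_item)
        return [Evaluation(getattr(ComplianceType, compliance), annotation=annotation)]


def lambda_handler(event, context):
    # Each rule is deployed as its own function; use the matching class in each one.
    evaluator = Evaluator(EC2_PUBLIC_IP_RULE(), APPLICABLE_RESOURCES)
    return evaluator.handle(event, context)


# Constructed configuration items mirroring the two test instances from the post.
PRIVATE_T2_SMALL = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",  # placeholder id
    "configurationItemStatus": "ResourceDiscovered",
    "configuration": {"instanceType": "t2.small", "networkInterfaces": [{}]},
}
PUBLIC_T2_MICRO = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0fedcba9876543210",  # placeholder id
    "configurationItemStatus": "ResourceDiscovered",
    "configuration": {
        "instanceType": "t2.micro",
        "publicIpAddress": "203.0.113.10",  # RFC 5737 documentation address
        "networkInterfaces": [{"association": {"publicIp": "203.0.113.10"}}],
    },
}
```

With the two sample items, the private t2.small instance fails the instance-type rule and passes the public-IP rule, while the public t2.micro instance does the opposite, which is exactly the split the Testing section below expects to see in the Config console. Checking the ENI associations as well as the top-level `publicIpAddress` catches an instance that gained a public address through a secondary interface.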
Testing
- Deploy 1 private instance and 1 public instance. Feel free to use the default VPC; by default it has a public subnet in every AZ of the region you are working in. Create a separate route table and associate one of the subnets with it, which turns that subnet into a private one. Deploy one instance in the private subnet with the `t2.small` type, and another instance in the public subnet with the Auto-assign public IP setting enabled and the `t2.micro` type. You can see my 2 instances deployed below:
Remediation actions
You can create a remediation action for your noncompliant resources. You can either choose the remediation action from a prepopulated list or create your own custom remediation actions using SSM documents.
For this demo let’s use a preconfigured remediation action and terminate the instances that are in a noncompliant state. You will need to create a role for SSM Automation to assume: attach the AmazonSSMAutomationRole managed policy to the role and use the ssm.amazonaws.com service as the trusted principal in its trust policy.
Choose the AWS-TerminateEC2Instance remediation action and pass the resource ID as the InstanceId action parameter. After configuring it, it should look like below:
After a couple of minutes the remediation action should kick in and the noncompliant instances will be terminated, as shown in the CloudTrail events below:
Conclusion
AWS Config Custom Lambda rules offer a robust way to maintain compliance across your cloud environment. Because the evaluation logic is your own code, they can address compliance requirements that the managed rules do not cover. Combined with SSM Automation for noncompliance remediation, they provide a comprehensive solution for automated cloud governance. I hope you found this post informative. Happy learning ✨!