Managing compliance the Serverless way with AWS Config custom rules

AWS Config is a tool for continuous monitoring and conducting compliance checks across your resources in AWS. With the growing services in an AWS account, managing security and conducting routine audits can become cumbersome. This is where AWS Config can do all the heavy lifting with a few clicks. With detailed reports of the configuration history, this service simplifies auditing and maintaining compliance with any internal guidelines you may have.

In this article, we will take a quick look at how to get started with AWS Config and also explore on how you can create your own custom rules that allow you to run evaluations against specific resources, along with using SNS for delivering changes in configurations.

Overview:

• How to set up AWS Config
• SNS Event rule
• Brief about Conformance packs
• Creating custom AWS Config rule with Lambda
• Conclusion

Getting started:

Setting up AWS managed rules:

In the first instance of using the service, you will be asked to create rules either for AWS resources or for the third party resource apps that your account may have been integrated with (eg. DataDog, Jfrog, Stackery etc). This can always be altered later by going to Settings at the dashboard.

AWS Config

After specifying the bucket name for delivering the Config reports, you can optionally choose to associate an SNS topic which will then trigger notifications whenever there are configuration changes to your resources that Config is able to capture. We will get to set this up a little later.

Choose S3 bucket and SNS topic

On the next page, you can handpick the AWS managed rules for the resources against which the evaluation should be done. These rules will be triggered in two ways (depending on rule type)

• By frequency (value between 1h to 24h)
• Configuration changes (either by changes to some specific resource Id or changes to resources based on associated tags)

Rules for evaluation

SNS Event rule:

For configuring the SNS event notifications, head over to the Eventbridge dashboard and set up the AWS event for Config.

SNS Config event type

You can configure the event type and custom JSON message for that event type. For now, we will stick to a simple setup for triggering notifications when there is a configuration change for all resources.

Proceed to associate the SNS topic that was provided in the initial setup at the AWS Config dashboard.

Conformance packs:

Conformance packs are preset templates containing rules and configurations that provide a general-purpose framework for security and operational governance checks. Think of them as starter templates/rules which you should ideally extend to build compliance regulations that are in line with the organization’s standards.

Here I have chosen the Serverless conformance pack that includes checks against the usual serverless resources: DynamoDb, API Gateway, Lambda and VPC endpoint setup to name some of the items in the list.

Serverless conformance pack

Creating your own Config custom rule :

Let’s consider a specific scenario wherein you want to ensure that all Lambda functions belonging to a specific VPC do not have an open 0.0.0.0/0 outbound rule in the Security group.

On the rule creation page, choose the custom Lambda rule.

Custom Lambda rule

Fill in the function ARN (you will need to create a function beforehand), the trigger type, and rule parameters (here I have specified as vpcid).

Trigger type and Rule parameter

After creating the rule, paste the following code into your Lambda function.

The logic is essentially doing this,

• Pull all Lambda functions associated with the provided VPC ID (part of the incoming Config event as rule parameter)
• Get the Security group details.
• Filter those Security group IDs that have an outbound rule to 0.0.0.0/0.
• Return the evaluation result back to Config.

When you manually invoke this rule’s evaluation, any changes to security group will trigger an SNS event. You can review the results at Config dashboard and see the list of those Security group IDs that are non-compliant.

We can also set up an automated remediation response when the evaluation fails. In this case, choosing the CloseSecurityGroup action from the list.

Automatic remediation after compliance failure

If in case a preset remediation action doesn’t exist, we could leverage the SNS event as a trigger for another Lambda function which will then carry out the remediation action for us, thereby automating the whole process of event detection and remediation without any manual intervention. The flow would then look something like this,

Conclusion:

Compliance setups can get complicated as the number of services expands within an AWS account. With Config, it’s also possible to aggregate evaluation reports across multiple accounts which simplifies auditing when there are distributed resources in different regions belonging to other accounts.

Different business units within an organization may have varied audit requirements and it can certainly get a whole lot more difficult to control and manage. Especially in cases when an organization is wanting to maintain strict compliance as per PCI standards, AWS Config can definitely be of great help in offloading those internal audits and security management tasks.