Audit AWS Resources Using AWS Config

In my previous blog , I have explained on How you can setup a monitoring systems for tracking IAM users activity and the API usage in the AWS services, Check here.

In this guide , We will learn how to setup a auditing system for the AWS resources using AWS Config.

What Is AWS Config?

The public cloud providers such as AWS offers a variety of features such as High availability , Scaling , Serverless and much more.

But the most important thing is to ensure that the services we use are secure enough , That’s where AWS config has come in.

AWS Config is used for assessing , auditing and monitoring configuration changes in the AWS cloud.

It gives a detailed view of all the configurations of the AWS resources such as EBS , EC2 , VPC , security group and so on.

What AWS Config Can Do?

  • It helps us to provide the configurations of one or more services in the aws account.
  • Helps us to evaluate AWS resource configurations for desired settings.
  • Provides the backup of the current settings applied to the AWS resources.
  • Provides historical configurations of one or more resources.
  • Send out a notification whenever a change happens such as create , delete and modify.
  • Provide a information about the relationship between AWS services.

Different Ways To Use AWS Config

  • Resource Administration
  • Managing and troubleshooting configuration changes
  • Auditing and Compliance
  • Security Analysis

How AWS Config Works?

When the AWS config is enabled for the first time , It scans all the supported existing AWS resources and create a configuration item for each resources.

When there is a change in the existing resources or new resources are created , AWS config will also records the same and maintains a historical records for the configuration items.

We can either allow the AWS config to create configuration item for all the supported AWS resources or we can enable only for the particular AWS services.

Setting Up AWS Config Using Console

To setup AWS config , Login to AWS Config console.

and then click Get started

Lists of Supported Resource Types : API Gateway , Cloudwatch , Cloudfront , Dynamo DB , EBS , EC2 , Elasticsearch , Redshift , RDS , Quantum Ledger database , S3 , SQS , SNS , VPC , Auto scaling , ACM , Cloudformation , Cloudtrail , CodeBuild , CodePipeline , Elastic Beanstalk , IAM , KMS , Lambda , Secrets Manager , Shield , Service Catalog , Systems Manager , WAF , X-Ray and Elastic Load Balancing.

Under Settings , You can enable AWS config to record configurations for all the supported AWS resources or you can enable only for the particular AWS resources.

To enable for all resources , Choose All resources and to track global services such as IAM , Enable it.

I would suggest you to enable IAM to keep track of changes in the IAM users , groups , Roles and Policies.

To enable for particular resources , Under Specific types , Select the services

You can select the multiple AWS services.

Under Amazon S3 bucket , The S3 bucket will be used to stored the snapshot of all the configuration items and the configuration history which is recorded by the AWS config.

You can create a bucket from here on the go , Or you can use the existing S3 bucket. Check here for more detail

You can also store the AWS config snapshot in the S3 bucket which is in another AWS account.But Make sure the permission to store the configuration item is provide for the AWS config.

We can also use the folder / prefix within the bucket to store the configs.

Under Amazon SNS Topic , We can use SNS topic to alert us for the following cases such as Configuration history delivery , compliance , configuration snapshot delivery.

You can use existing topic or you can create an SNS topic with subscriber in your account.

We can also choose SNS topic from the another AWS account , But make sure the SNS topic has granted permission for the AWS config.

Under AWS Config role , Here we need to grant read only permission for the AWS config for all the supported AWS services .

Also we should grant permission to put config items to S3 and SNS access to sent notifications.

We can use the existing service-linked role , already created by AWS or you can create a role and assign the same to the AWS config.

and then click Next

For AWS Config rules , We can apply existing one or more rules against the AWS resources.

We can either apply the existing rule while creating the AWS config , or we can apply the existing rules after the AWS config is created.

We can also create our own custom rules and we can apply the same.

It will be highlighted If you select the rules.

and then Click Next

Review the Settings of the AWS config and then click Confirm.

It will take some time to setup the AWS config.

Once the AWS config is created , From the Dashboard , Click Status

You will get the status of the configurations.

Configuration Snapshot : It is the collection of configuration items for the supported AWS resources that exists in your account.

Configuration History : A collection of configuration items over a given period of time for the provided AWS resources.

Configuration Stream : It’s an automatically updated list of all the configuration items for the resources that AWS config is recording.

This is how the AWS config dashboard represents all the details.

It will take some time to discover all the resources.

Conclusion

We have successfully implemented an auditing system for the AWS resources using AWS config.

Hope you find it helpful.Please check out my other publications.

Migrate Ec2 Instance To Another Vpc

Enable MFA Delete For S3 Bucket

How To Schedule Tasks In Windows Servers

AWS Backup – Creating On-Demand Backup

Setup MFA For Ssh On Ubuntu