Aws notes/Getting Serious About AWS Config Rules

Overview

There are a suite of service in AWS that can help you get yourself to an auditable position:

• AWS config
• AWS Cloudtrails

You can define rule about how your cloud account should be, and make an immutable record of how it is and changes over time with these two services.

There are published best practices , so you can go and roll your own setup.

You could pay someone else to do it:

• Evident.io ( bought by Palo Alto Networks https://www.paloaltonetworks.com/products/secure-the-cloud/evident )
• Cloudcheckr ( https://cloudcheckr.com/ ) - I can recommend this. I've used this in anger. It is a great tool, lots more than just compliance ( cost control and reporting as well )

Or you can use some open source tools:

• AWS Config Rules Development Kit
• AWS Rules

The OS way

For those of you who just want results. ( not for those of you who want to write your own rules ). THink of this as 80/20. For 20% work, you get 80% of the functionality and effect. If you have nthing, or little time, this is for you.

• You have the right amount of know-how.
• You want the right amount of automation.
• And open source is the right price.

0. ensure your env has AWS api keys loaded.

1. install rdk ( rule development kit )

pip install rdk

2. clone the rules:

cd ~/work
git clone git@github.com:awslabs/aws-config-rules.git
cd aws-config
cd python
rdk init
rdk deploy ANY_ONE_OF_RULE_IN_THIS_DIR

Then go take a look in the console to see how you are doing.

To Do

• reporting
• management
• reconcile