AWS Config enables you to discover what resources are used on AWS, understand how resources are configured and gives you unprecedented visibility into changes to configurations over time – all without disrupting end user productivity. With Config Rules, you can continuously evaluate whether changes to resources are compliant with policies. You can set up predefined rules, provided and managed by AWS, or author your own rules using AWS Lambda, and these rules are evaluated whenever relevant resources are modified. You can use this visibility and control to assess and improve your security and compliance posture.
We will dive deep into other new capabilities in AWS Config and cover how you can integrate with IT service management, configuration management, and other tools. In this session, we will look at:
AWS Config Rules – how to create and use rules that govern configuration changes recorded by AWS Config.
New capabilities in AWS Config – Usability changes, better controls and other enhancements
Mechanisms to aggregate deep visibility across AWS to gain insights into your overall security and operational posture.
This session is best suited for administrators, security-ops and developers with a focus on audit, security and compliance.
2. What to expect from the session
After this session, you will be able to:
• Start using AWS Config to gain visibility into configuration changes on your resources
• Integrate with existing tools/processes and aggregate data across accounts
• Config Rules: Get better control over changes by setting up rules that evaluate configurations recorded
• Feature announcements for AWS Config
3. What you want to see
Visibility: A foundational element for security
What you’re likely to see
In your datacenter…
4. Administrator pains
• “I don’t know who bought this server or what’s running in there. I have great records for my services and I just support legacy systems that came in before my time, and hope it’s working correctly” – Anonymous administrator
• “I have a CMDB that works most of the time. I can’t really act on this information because it’s pretty stale” – Security team at Enterprise
5. • Infrastructure = software!
• Change is frequent, automated, and impactful
• Resources are connected
• Can’t take away powers: Self service and agility
Visibility: A foundational element for security
In the cloud…
6. Options:
• Poll Describe APIs for changes
• Maintain infrastructure to capture changes
• Waste resources with a lot of duplicate data
• Normalize results from different service endpoints
Visibility: A foundational element for security
In the cloud…
Can this be cheaper, faster, and less error-prone?
7. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
9. Config Rules
(preview)
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
14. Multi-region aggregation of delivered data
[Diagram: Region 1, Region 2 and Region 3 each deliver Config data to a common S3 bucket; SNS Topic: Region 1, SNS Topic: Region 2 and SNS Topic: Region 3 each feed a common SQS queue.]
Amazon S3 policies should permit accounts to write Config data.
Amazon SQS/Amazon SNS publish/subscribe permissions should be set.
17. Configuration Item
Component: Metadata
  Description: Information about this configuration item
  Contains: Version ID, Configuration item ID, Time when the configuration item was captured, State ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
Component: Common Attributes
  Description: Resource attributes
  Contains: Resource ID, tags, Resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Component: Relationships
  Description: How the resource is related to other resources associated with the account
  Contains: e.g. EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
Component: Current Configuration
  Description: Information returned through a call to the Describe or List API of the resource
  Contains: e.g. for EBS Volume: State of DeleteOnTermination flag; Type of volume, for example gp2, io1, or standard
Component: Related Events
  Description: The AWS CloudTrail events that are related to the current configuration of the resource
  Contains: AWS CloudTrail event ID
22. Config Rule
A rule that checks the validity of configurations recorded
• AWS managed rules: Defined by AWS; require minimal (or no) configuration; rules are managed by AWS
• Customer managed rules: Authored by you using AWS Lambda; rules execute in your account; you maintain the rule
23. Config Rules - Triggers
• Triggered by changes: Rules invoked when relevant resources change
Scoped by changes to:
• Tag key/value
• Resource types
• Specific resource ID
e.g. EBS volumes tagged “Production” should be attached to EC2 instances
• Triggered periodically: Rules invoked at specified frequency
e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs
24. Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
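As an added example (not code from the slides or from AWS), here is a change-triggered customer managed rule in Python for the slide 23 example, EBS volumes tagged “Production” must be attached to an EC2 instance, reporting the {Rule, ResourceType, ResourceID} evaluation described above. It assumes the Config Rules Lambda event layout (invokingEvent, ruleParameters, resultToken) and the boto3 put_evaluations call; the tag key Environment, the rule parameters and the sample event are constructed.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"  # PutEvaluations values

def evaluate_volume(item, tag_key, tag_value):
    """Rule from the slides: EBS volumes tagged tag_key=tag_value must be
    attached to an EC2 instance. Returns one of the three compliance values."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE            # rule is scoped to EBS volumes
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE            # a deleted volume has nothing to evaluate
    if (item.get("tags") or {}).get(tag_key) != tag_value:
        return NOT_APPLICABLE            # outside the rule's tag scope
    attached = any(rel.get("resourceType") == "AWS::EC2::Instance"
                   for rel in item.get("relationships") or [])
    return COMPLIANT if attached else NON_COMPLIANT

def build_evaluation(item, compliance):
    """One {Rule, ResourceType, ResourceID} result, ordered by the item's capture time."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context, config_client=None):
    """Entry point for a change-triggered rule (assumed event layout): the configuration
    item is JSON-encoded in invokingEvent; the verdict goes back via PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    verdict = evaluate_volume(item, params.get("tagKey", "Environment"),
                              params.get("tagValue", "Production"))
    evaluation = build_evaluation(item, verdict)
    if config_client is None:
        import boto3                     # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event: a Production-tagged volume with no attachment.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
        "configurationItemCaptureTime": "2015-10-08T13:30:00.000Z",
        "tags": {"Environment": "Production"}, "relationships": []}}),
    "ruleParameters": json.dumps({"tagKey": "Environment", "tagValue": "Production"}),
    "resultToken": "constructed-token",
}
```

Passing a stub client with a put_evaluations method lets the handler be exercised locally without AWS credentials.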
27. Use cases enabled
Security analysis: Am I safe?
Audit compliance: Where is the evidence?
Change management: What will this change affect?
Troubleshooting: What has changed?
Discovery: What resources exist?
28. Am I safe?
Properly configured resources are critical to security.
AWS Config continuously monitors configuration changes and helps you evaluate these configurations for potential security weaknesses using Config Rules.
30. AWS managed rules
1. All EC2 instances must be inside a VPC.
2. All attached EBS volumes must be encrypted, with KMS ID.
3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
4. All security groups in attached state should not have unrestricted access to port 22.
5. All EIPs allocated for use in the VPC are attached to instances.
6. All resources being monitored must be tagged with specified tag keys:values.
7. All security groups in attached state should not have unrestricted access to these specific ports.
31. Custom rules
• Codify and automate your own practices
• Get started with samples in AWS Lambda
• Implement guidelines for security best practices and compliance
• Use rules from different AWS Partners
• View compliance in one dashboard
33. Evidence for compliance
Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA).
A complete inventory of all resources and their configuration attributes is available for any point in time.
But what does a jellyfish have to do with compliance?
35. Change management: Option 1
[Diagram: Account 1, Account 2 and Account 3 deliver to a common S3 bucket and a common SNS topic; an adaptor feeds the CMDB (BMC, HP, Custom).]
Adaptor is custom software to convert JSON into CMDB’s format
Data pipe into existing CMDB
36. Change management: Option 2
[Diagram: Account 1, Account 2 and Account 3 are queried through the AWS Config API by an adaptor for each CMDB (BMC, HP).]
Adaptor is custom software needed to convert JSON into CMDB’s format
Use in federated form
37. What resources exist?
Discover resources that exist in your account.
Discover resources that no longer exist in your account.
A complete inventory of all resources and their configuration attributes is available via API and console.
39. What changed?
It is critical to be able to quickly answer, “What has changed?”
You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files.
43. AWS Identity and Access Management
• Gain visibility into users, groups, roles, and policies
• Answer
• What policies did user joe have on May 30, 2014?
• Did anything change in the “dbUser” policy I created?
• Who used the “dbUser” policy between November 10 and November 15?
• Config Rules
• Create Config rules that check or validate policies attached to users, groups, or roles
• Establish strong governance on changes to policy documents
44. Amazon EC2 Dedicated Hosts
• Gain visibility into Amazon EC2 hosts which run your instances
• Use data for assessing compliance with OS licensing
See CMP203: EC2 Enhancements for the Enterprise
Thursday, October 8, 1:30pm – 2:30pm
Palazzo H
45. Supported resource types
Amazon EC2: EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
Amazon EBS: EBS Volume
Amazon VPC: VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
AWS CloudTrail: Trail
Identity and Access Management: IAM Users, IAM Groups, IAM Roles, IAM Customer Managed Policies
Amazon EC2: Dedicated Hosts
46. AWS Config: Nine public AWS regions
US East (N. Virginia), US West (Oregon), US West (N. California), South America (Sao Paulo), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore)
47. AWS Config Rules preview: US East (N. Virginia) only
54. AWS Config pricing
Pay one time only per configuration item (CI) recorded:
$0.003 per CI (all regions)
Amazon S3/Amazon SNS charges applicable. No additional charges for CI storage or retrieval via APIs.
55. Config Rules pricing
Priced based on number of active rules per month
$2.00 per active rule per month with account-level allowance of 20,000 evaluations per active rule. Overage of $0.0001 per evaluation
• Evaluation: Single result reported for the rule/resource. Evaluations are shared across rules in account.
• Active rule: Rule with at least one evaluation that month
• Customer managed rules may incur additional charges from AWS Lambda
56. Pricing example
2,500 CIs per month from all configuration changes
5 active Config rules, reporting total 100 evaluations/day
Total evaluations per month = 100*30 = 3,000 evaluations
Allowance for 5 Config rules = 5 * 20,000 = 100,000 evaluations
Config configuration items: 2,500 * $0.003 = $7.5
5 active Config rules : 5 * $2.0 = $10.0
Evaluation charges : $0
Total charges $17.5
57. AWS security tools: What to use?
AWS Security and Compliance: Security of the cloud; services and tools to aid security in the cloud
Service: Inspector; Type: On-demand evaluations; Use cases: Security insights into your application deployments running inside your EC2 instance
Service: Config Rules; Type: Continuous evaluations; Use cases: Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes
Service: Trusted Advisor; Type: Periodic evaluations; Use cases: Cost, performance, reliability, and security checks that apply broadly
58. AWS Config: In 2015 (Recap)
General Availability – Feb 2015: AWS Config general availability
Optional + Email friendly notifications – March 2015: Turn off SNS notifications, or use filter notifications in email
New Regions – April 2015: All 9 public AWS regions
New Partner: LogStorage – April 2015: Integration with AWS Config for Enterprise Management (Japan)
Selective Resource – June 2015: Select a subset of AWS resources for AWS Config to track
Discovery and Inventory – Aug 2015: New API and console to discover existing and deleted resources by simply providing resource type
New Partner: Loggly – Oct 2015: Analyze, track, and alert on AWS Config details with Loggly
Config Rules – Oct 2015 (Preview): Rules to evaluate and report results
IAM resources – (Announced): Track historical and current configurations for users, groups, roles, and policies
EC2 Dedicated Hosts – (Announced): Track usage of dedicated hosts for assessing compliance with licensing
59. Don’t forget
• Sign up for the Config Rules preview NOW!
• https://aws.amazon.com/config/preview
• Contact us via AWS Config forums
https://forums.aws.amazon.com/forum.jspa?forumID=184
• Enjoy re:Play!