Ensure that all the evaluation results returned for the Amazon Config rules created within your AWS account are compliant. AWS Config rules represent your desired configuration settings. You can use the predefined rules available in your AWS account (also known as managed rules) or you can define your own custom rules to suit your needs. Rules can be targeted at specific resources (by ID, e.g. "sg-0b2abb7c"), specific types of resources (e.g. "EC2 security group"), or at resources tagged in a particular way (e.g. "Stage": "Production"). Rules are executed when those resources are created or changed, but can also be evaluated on a periodic basis (hourly, daily, monthly, etc). The Config service evaluates whether your AWS resource configurations comply with the defined rules and return the necessary evaluation results. Each evaluation result indicates which AWS resources were evaluated by the rule, when each resource was last evaluated and whether each resource complies with the rule. The rule evaluation results are available within your Cloud Conformity account as result of Real-Time Threat Monitoring and Analysis (RTMA) seamless integration with Amazon Config service. With RTMA-Config integration, the noncompliant evaluation results are highlighted on your Cloud Conformity dashboard and alert notifications are sent via established communication channels. The communication channels for sending alert notifications can be easily configured in your Cloud Conformity account. The list of supported communication channels are Email, SMS, Slack, JIRA, PagerDuty and ServiceNow.
Using Amazon Config and Cloud Conformity for compliance checks will help you avoid misconfigurations and close security gaps by defining the desired and the most secure configuration settings for your AWS resources.
Note 1: The evaluation results for custom AWS Config rules, created using Lambda functions, would be available on your Cloud Conformity dashboard as well. Noncompliant results from custom rules would also trigger Cloud Conformity alert notifications.
Note 2: As example, this conformity rule will demonstrate how to find and reconfigure AWS resources based on noncompliant evaluation results returned by an AWS Config managed rule named "restricted-ssh". This managed rule checks whether security groups that are in use within your AWS account disallow unrestricted incoming SSH traffic on port 22.
To check for noncompliant Config rule evaluation results, perform the following actions:
To reconfigure an AWS resource, referenced by a noncompliant evaluation result, in order to comply with the needed configuration settings, perform the following actions:Note: As example, this section will provide step by step instructions on how to solve a noncompliant evaluation result returned by a managed AWS Config rule, (i.e. "restricted-ssh") by updating the inbound configuration of a security group to restrict SSH access to specific (trusted) IP address or IP range.