Using the out-of-the-box tools that come with AWS is a great start when it comes to securing your environment and reducing your blast radius. In this post, we’ll cover 12 AWS Config rules that should be considered a bare minimum requirement for any account.
Most of security is doing the basic things well. (Don't "hide" your laptop under a hoodie on the passenger seat, and it's a little less likely to go missing.) When it comes to an AWS environment, though, even the basic things can be hard to do consistently, because you first need to know what you have.
What is AWS Config?
One key step in securing your AWS environment is building an asset inventory: you cannot protect, or write rules for, resources you do not know exist.
There are various ways to build one. You can use third-party tools or CLI scripts, but the quickest way that works with what you already have is AWS Config.
AWS Config records and assesses the configuration of your AWS resources. It has two basic functions:
- It records a configuration item for each supported resource in the account, and a new one every time that resource changes, so you get both a current inventory and a change history.
- It evaluates rules (AWS-managed or your own Lambda-backed rules) against those configuration items and marks each resource compliant or non-compliant.
Enabling AWS Config
To get started, you'll need to enable AWS Config in each region of each account you care about. The AWS Config documentation covers the full process; in outline, you will:
- Create an S3 bucket to hold configuration data. The bucket needs a bucket policy that lets the `config.amazonaws.com` service principal check the bucket and write objects under `AWSLogs/<account-id>/Config/`; without it, creating the delivery channel fails.
- Create a configuration recorder. The recorder runs under an IAM role (the `AWSServiceRoleForConfig` service-linked role is the simplest choice), and you choose which resource types it records; recording all supported types, including global types such as IAM, is what you want for an inventory.
- Create a delivery channel pointing at the bucket.
- Start the recorder, then verify with the AWS CLI:
- `aws configservice describe-delivery-channels`
- `aws configservice describe-configuration-recorders`
- `aws configservice describe-configuration-recorder-status` (check that `recording` is `true` and `lastStatus` is `SUCCESS`)
Once the recorder is running, Config starts discovering resources and storing their configuration items. You can see them in the AWS Config console, and from that point forward every change to a recorded resource is captured.
With the inventory in place, you can now:
- See counts of resources by type across the account
- Search the inventory with SQL-style advanced queries (for example, every EC2 instance with a public IP)
- View the current configuration and change timeline of each asset
- Enable managed AWS Config rules, or write your own, to check compliance continuously
If you are doing this in many accounts, note that Config can be collected centrally: a Config aggregator in one account can pull configuration and compliance data from every account in your AWS Organization, so you get one inventory and one compliance view.
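As an added example (not code from the original post), the enabling steps above written against boto3. It builds the bucket policy AWS Config requires, creates the recorder on the `AWSServiceRoleForConfig` service-linked role, creates the delivery channel, starts recording, and then performs the same check as `describe-configuration-recorder-status`. The bucket name, account ID and the `_FakeClient` stand-in (which lets the example run offline with no AWS credentials) are assumptions for illustration.

```python
"""Enable AWS Config recording in one account/region with boto3 (added example)."""
import json

# Service-linked role that Config uses when you do not want to manage your own role.
SERVICE_ROLE = "role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"


def config_bucket_policy(bucket: str, account_id: str) -> dict:
    """Bucket policy AWS Config needs before a delivery channel can be created.

    The SourceAccount condition stops Config in *another* account from writing
    into this bucket; the PutObject statement is scoped to Config's own prefix.
    """
    arn = f"arn:aws:s3:::{bucket}"
    principal = {"Service": "config.amazonaws.com"}
    same_account = {"StringEquals": {"AWS:SourceAccount": account_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketAcl", "Resource": arn, "Condition": same_account},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": arn, "Condition": same_account},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject",
             "Resource": f"{arn}/AWSLogs/{account_id}/Config/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "AWS:SourceAccount": account_id}}},
        ],
    }


def recorder_status(config, name: str = "default") -> dict:
    """Same check as `aws configservice describe-configuration-recorder-status`."""
    for rec in config.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]:
        if rec["name"] == name:
            return {"recording": rec.get("recording", False), "lastStatus": rec.get("lastStatus")}
    raise RuntimeError(f"no configuration recorder named {name!r}")


def enable_config(config, s3, bucket: str, account_id: str, name: str = "default") -> dict:
    """Bucket policy -> recorder -> delivery channel -> start; returns the recorder status."""
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(config_bucket_policy(bucket, account_id)))
    config.put_configuration_recorder(ConfigurationRecorder={
        "name": name,
        "roleARN": f"arn:aws:iam::{account_id}:{SERVICE_ROLE}",
        # Record every supported type, including global ones such as IAM users and roles.
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    })
    config.put_delivery_channel(DeliveryChannel={
        "name": name,
        "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"},
    })
    config.start_configuration_recorder(ConfigurationRecorderName=name)
    return recorder_status(config, name)


class _FakeClient:
    """Assumed stand-in for a boto3 client so the example runs offline; records each call."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            if op == "describe_configuration_recorder_status":
                # Constructed response shaped like the real API's.
                return {"ConfigurationRecordersStatus": [
                    {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]}
            return {}
        return call


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowing config:* and s3:PutBucketPolicy
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(enable_config(boto3.client("config"), boto3.client("s3"),
                        "my-config-bucket", account))  # bucket name is assumed
```

Run it once per region you record in; the recorder and delivery channel are regional, and a `lastStatus` of `FAILURE` almost always means the bucket policy or the role is wrong.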
12 recommended AWS Config rules
AWS Config has managed rules for many resources. As a bare minimum, here are 12 recommended Config rules courtesy of cloud architect and security engineer Don Magee, Cloud Security Lead at Stedi.
| AWS Config rule | What it checks |
|---|---|
| cloudformation-stack-drift-detection-check | CloudFormation stacks should have no drift from their templates (the rule needs a role it can assume to run drift detection) |
| s3-bucket-level-public-access-prohibited | S3 buckets should have Block Public Access enabled at the bucket level |
| ec2-instance-no-public-ip | EC2 instances should not have public IPv4 addresses |
| ebs-snapshot-public-restorable-check | EBS snapshots should not be publicly restorable |
| iam-root-access-key-check | The root user should have no access keys |
| cloudtrail-enabled | At least one CloudTrail trail should exist in the account |
| ec2-ebs-encryption-by-default | Account-level EBS encryption by default should be turned on |
| s3-bucket-server-side-encryption-enabled | S3 buckets should have default server-side encryption configured |
| vpc-default-security-group-closed | The default security group of every VPC should allow no inbound or outbound traffic, so nothing lands in it by accident |
| acm-certificate-expiration-check | ACM certificates should not be within a set number of days of expiring (14 by default) |
| access-keys-rotated | IAM user access keys should be rotated within a set number of days (90 is the usual value) |
| iam-user-unused-credentials-check | IAM users whose password or keys have gone unused for a set number of days should be found and disabled |
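As an added example (not code from the original post or from Don Magee), the table above turned into a deployable baseline with boto3: it builds the `put_config_rule` request for each of the 12 managed rules with the parameters the rules require, deploys them, and reports which ones are already non-compliant. The managed-rule identifiers are AWS's; the drift-detection role ARN, the 90-day thresholds and the `_FakeConfig` stand-in (which lets the example run offline) are assumptions for illustration.

```python
"""Deploy the 12 baseline AWS Config managed rules with boto3 (added example)."""
import json


def baseline_rules(drift_role_arn: str, max_age_days: int = 90) -> list:
    """Return one put_config_rule ConfigRule dict per rule in the table.

    drift_role_arn: role that Config assumes to call DetectStackDrift (required by
    the drift rule). max_age_days: threshold for key rotation and unused credentials.
    """
    # (rule name, AWS managed-rule source identifier, input parameters)
    spec = [
        ("cloudformation-stack-drift-detection-check", "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK",
         {"cloudformationRoleArn": drift_role_arn}),
        ("s3-bucket-level-public-access-prohibited", "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED", {}),
        ("ec2-instance-no-public-ip", "EC2_INSTANCE_NO_PUBLIC_IP", {}),
        ("ebs-snapshot-public-restorable-check", "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK", {}),
        ("iam-root-access-key-check", "IAM_ROOT_ACCESS_KEY_CHECK", {}),
        ("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED", {}),
        ("ec2-ebs-encryption-by-default", "EC2_EBS_ENCRYPTION_BY_DEFAULT", {}),
        ("s3-bucket-server-side-encryption-enabled", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", {}),
        ("vpc-default-security-group-closed", "VPC_DEFAULT_SECURITY_GROUP_CLOSED", {}),
        ("acm-certificate-expiration-check", "ACM_CERTIFICATE_EXPIRATION_CHECK",
         {"daysToExpiration": "14"}),
        ("access-keys-rotated", "ACCESS_KEYS_ROTATED",
         {"maxAccessKeyAge": str(max_age_days)}),
        ("iam-user-unused-credentials-check", "IAM_USER_UNUSED_CREDENTIALS_CHECK",
         {"maxCredentialUsageAge": str(max_age_days)}),
    ]
    rules = []
    for name, identifier, params in spec:
        rule = {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
        if params:
            rule["InputParameters"] = json.dumps(params)  # the API wants a JSON string
        rules.append(rule)
    return rules


def deploy_rules(config, rules: list) -> list:
    """Create or update each rule; put_config_rule is idempotent on the rule name."""
    for rule in rules:
        config.put_config_rule(ConfigRule=rule)
    return [rule["ConfigRuleName"] for rule in rules]


def noncompliant_rules(config, names: list) -> list:
    """Names of rules currently NON_COMPLIANT (up to 25 names per API call)."""
    resp = config.describe_compliance_by_config_rule(ConfigRuleNames=list(names))
    return sorted(c["ConfigRuleName"] for c in resp["ComplianceByConfigRules"]
                  if c["Compliance"]["ComplianceType"] == "NON_COMPLIANT")


class _FakeConfig:
    """Assumed stand-in for a boto3 Config client so the example runs offline."""

    def __init__(self):
        self.rules = {}

    def put_config_rule(self, ConfigRule):
        self.rules[ConfigRule["ConfigRuleName"]] = ConfigRule
        return {}

    def describe_compliance_by_config_rule(self, ConfigRuleNames):
        # Constructed result: pretend only the root-key rule is failing.
        return {"ComplianceByConfigRules": [
            {"ConfigRuleName": n,
             "Compliance": {"ComplianceType": "NON_COMPLIANT" if n == "iam-root-access-key-check"
                            else "COMPLIANT"}}
            for n in ConfigRuleNames]}


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowing config:PutConfigRule etc.
    client = boto3.client("config")
    names = deploy_rules(client, baseline_rules(
        "arn:aws:iam::123456789012:role/ConfigDriftDetectionRole"))  # assumed role ARN
    print("non-compliant:", noncompliant_rules(client, names))
```

Right after deployment most rules report `INSUFFICIENT_DATA` until their first evaluation runs, so give them a few minutes before reading the compliance view; the periodic rules (root keys, CloudTrail, key age) re-evaluate on a schedule, the rest on every configuration change.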
How does cost work with AWS Config?
From a cost perspective, Config charges per configuration item recorded and per rule evaluation, plus the S3 storage the delivery channel uses. Because every resource change produces a configuration item, cost scales with how much your environment churns, but for most organizations it stays modest.
Don said his organization eventually moved off of Config as it grew in search of a better dashboard than AWS could provide, but they were at 30 accounts and 26 Config rules and the cost was not prohibitive at that point.
Lock down your AWS security skills.
Want to learn more about security in the cloud? Check out our Mastering the AWS Well-Architected Framework course, or dig into our massive library of hands-on cloud learning.