In this hands-on lab, we’ll implement AWS Config rules and use AWS Config for compliance auditing and remediation. We will configure compliance rules for evaluating the EC2 instance type, whether S3 versioning is enabled, EC2 instances in a VPC, and whether CloudTrail is enabled. These rules will give us firsthand knowledge of how the AWS Config service works. We will then explore the configuration management aspect of AWS Config.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Enable AWS Config
- Set up AWS Config so that it uses an existing AWS Config service-linked role. Ensure the delivery method creates an S3 bucket.
- Configure Rules for Resources
- Add an AWS managed rule for
cloudtrail-enabled
. - Add an AWS managed rule for
desired-instance-type
that checks whether your EC2 instances aret2.micro
. - Add an AWS managed rule for
ec2-instances-in-vpc
that checks whether your EC2 instances belong to the VPC provided with the lab. - Add an AWS managed rule for
s3-bucket-versioning-enabled
.
- Add an AWS managed rule for
- Configure the Non-Compliant Resources to Comply
- Open CloudTrail and create a new trail named
ConfigTrail
. Store it in a new S3 bucket. - Open S3 and edit the settings on your buckets to make the
s3-bucket-versioning-enabled
rule compliant.
- Open CloudTrail and create a new trail named
- Reevaluate the Non-Compliant Rules in AWS Config
- Reevaluate the S3 bucket rule.
- Wait for the S3 rule to become compliant.
- Reevaluate the CloudTrail rule.
- Wait for the CloudTrail rule to become compliant.