In this hands-on lab, we'll implement AWS Config rules and use Config for compliance auditing and remediation. We will configure compliance rules that evaluate the EC2 instance type, whether S3 versioning is enabled, whether EC2 instances are in a VPC, and whether CloudTrail is enabled. These rules will give you firsthand knowledge of how the AWS Config service works. We will then explore the configuration management aspect of Config.
NOTE: You may see other resources detected by Config; you can safely disregard those extra resources. Config can take a long time to show results correctly, especially in us-east-1. Stopping and starting Config will often hurry the results.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Enable Config in the account.
  - Navigate to the Config service.
  - Click Get started.
  - Check Record all resources supported in this region.
  - Choose Create a bucket, and leave the default name.
  - Do not check the option to create an SNS topic at this time.
  - Check Create AWS Config service-linked role, and leave the default name.
  - Click Next.
  - Click Skip.
  - Click Confirm.
- Configure rules for resources.
  - In the left-hand menu, click Rules.
  - Click Add rule.
  - Search for "cloudtrail".
  - Select the cloudtrail-enabled card.
  - Leave the default parameters, and click Save.
  - Click Add rule, and arrow over to the second page.
  - Select the desired-instance-type card.
  - In the Rule parameters section, enter a value of "t2.micro".
  - Click Save.
  - Click Add rule, and arrow over twice to the third page.
  - Select the ec2-instances-in-vpc card.
  - Open the VPC console in a new browser tab, and copy the VPC ID.
  - Back in the Config browser tab, enter the VPC ID as the value under Rule parameters.
  - Click Save.
  - Click Add rule, and arrow over five times to the last page.
  - Select the s3-bucket-versioning-enabled card.
  - Click Save.
- Configure the non-compliant resources to comply.
  - Open S3 in another browser tab.
  - Select the listed bucket to open it.
  - Go to the Properties tab.
  - Select the Versioning card.
  - Click to Enable versioning.
  - Click Save.
  - Open CloudTrail in another tab.
  - Click Create trail.
  - Name the trail (e.g., "mytrail").
  - Under Storage location, choose Create a new S3 bucket, and give it a unique name.
  - Click Create.
- Re-evaluate the non-compliant rules in Config.
  - Navigate back to the Config tab.
  - Under Rules, select the S3 bucket rule.
  - Choose Re-evaluate.
  - Go back to the Rules page, and wait for the S3 rule to become compliant.
  - Under Rules, select the CloudTrail rule.
  - Choose Re-evaluate.
  - Go back to the Rules page, and wait for the CloudTrail rule to become compliant.
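The same four managed rules, created and then re-evaluated through the Config API instead of the console, as an added example that is not part of the original lab. It assumes boto3 is installed with credentials allowed to call AWS Config, and the VPC ID is a placeholder you replace with the one copied from the VPC console in the steps above.

```python
"""Create the lab's four AWS Config managed rules and re-evaluate the ones
still NON_COMPLIANT. Added example, not part of the original lab; assumes
boto3 and credentials permitted to call the AWS Config API."""
import json


def build_config_rules(vpc_id, instance_type="t2.micro"):
    """Return ConfigRule dicts for put_config_rule(), one per rule in the lab."""
    specs = [  # (rule name, AWS managed-rule identifier, rule parameters)
        ("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED", {}),
        ("desired-instance-type", "DESIRED_INSTANCE_TYPE", {"instanceType": instance_type}),
        ("ec2-instances-in-vpc", "INSTANCES_IN_VPC", {"vpcId": vpc_id}),
        ("s3-bucket-versioning-enabled", "S3_BUCKET_VERSIONING_ENABLED", {}),
    ]
    rules = []
    for name, identifier, params in specs:
        rule = {"ConfigRuleName": name,
                "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
        if params:  # InputParameters is a JSON-encoded string, not a dict
            rule["InputParameters"] = json.dumps(params)
        rules.append(rule)
    return rules


def put_rules(config, rules):
    """Create or update each rule (same as Add rule + Save); returns the names."""
    for rule in rules:
        config.put_config_rule(ConfigRule=rule)
    return [r["ConfigRuleName"] for r in rules]


def noncompliant_rule_names(config, rule_names):
    """Same information as the Rules page: names of rules showing NON_COMPLIANT."""
    resp = config.describe_compliance_by_config_rule(ConfigRuleNames=rule_names)
    return sorted(c["ConfigRuleName"] for c in resp["ComplianceByConfigRules"]
                  if c["Compliance"]["ComplianceType"] == "NON_COMPLIANT")


def reevaluate(config, rule_names):
    """Same as clicking Re-evaluate; Config limits how often this runs per rule."""
    if rule_names:
        config.start_config_rules_evaluation(ConfigRuleNames=rule_names)
    return rule_names


if __name__ == "__main__":
    import boto3
    client = boto3.client("config")
    names = put_rules(client, build_config_rules(vpc_id="vpc-PLACEHOLDER"))
    # After fixing the bucket and CloudTrail, ask Config to re-check only those.
    print("re-evaluating:", reevaluate(client, noncompliant_rule_names(client, names)))
```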