Auditing Resource Compliance with AWS Config

1.75 hours
  • 4 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we'll implement AWS Config rules and use Config for compliance auditing and remediation. We will configure four compliance rules: one that checks the EC2 instance type, one that checks whether S3 versioning is enabled, one that checks that EC2 instances are in a specific VPC, and one that checks whether CloudTrail is enabled. These rules will give you firsthand knowledge of how the AWS Config service works. We will then explore the configuration management aspect of Config.

NOTE: You may see other resources detected by Config; you can safely disregard those extra resources. Config can take a long time to display results correctly, especially in us-east-1. Stopping and starting Config will often speed up the results.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Enable Config in the account.
  1. Navigate to the Config service.
  2. Click Get started.
  3. Check Record all resources supported in this region.
  4. Choose Create a bucket, and leave the default name.
  5. Do not check the option to create an SNS topic at this time.
  6. Check Create AWS Config service-linked role, and leave the default name.
  7. Click Next.
  8. Click Skip.
  9. Click Confirm.
Configure rules for resources.
  1. In the left-hand menu, click Rules.
  2. Click Add rule.
  3. Search for "cloudtrail".
  4. Select the cloudtrail-enabled card.
  5. Leave the default parameters, and click Save.
  6. Click Add rule, and arrow over to the second page.
  7. Select the desired-instance-type card.
  8. In the Rule parameters section, enter a value of "t2.micro".
  9. Click Save.
  10. Click Add rule, and arrow over twice to the third page.
  11. Select the ec2-instances-in-vpc card.
  12. Open the VPC console in a new browser tab, and copy the VPC ID.
  13. Back in the Config browser tab, enter the VPC ID as the value under Rule parameters.
  14. Click Save.
  15. Click Add rule, and arrow over five times to the last page.
  16. Select the s3-bucket-versioning-enabled card.
  17. Click Save.
Configure the non-compliant resources to comply.
  1. Open S3 in another browser tab.
  2. Select the listed bucket to open it.
  3. Go to the Properties tab.
  4. Select the Versioning card.
  5. Click to Enable versioning.
  6. Click Save.
  7. Open CloudTrail in another tab.
  8. Click Create trail.
  9. Name the trail (e.g., "mytrail").
  10. Under Storage location, choose Create a new S3 bucket, and give it a unique name.
  11. Click Create.
Re-evaluate the non-compliant rules in Config.
  1. Navigate back to the Config tab.
  2. Under Rules, select the S3 bucket rule.
  3. Choose Re-evaluate.
  4. Go back to the Rules page, and wait for the S3 rule to become compliant.
  5. Under Rules, select the CloudTrail rule.
  6. Choose Re-evaluate.
  7. Go back to the Rules page, and wait for the CloudTrail rule to become compliant.
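The rule-creation and re-evaluation steps above can also be driven through the AWS Config API. The following is an added example (not part of the lab) that builds the same four managed rules with boto3, triggers a re-evaluation, and reports which rules are still non-compliant. The managed-rule identifiers are the AWS Config names for the console cards used in the lab; the VPC ID shown in the comments is a constructed placeholder.

```python
"""Create the lab's four AWS Config managed rules and re-evaluate them (added example)."""
import json
from typing import List, Optional

# Console card name (as used in the lab) -> AWS Config managed-rule identifier
# accepted by PutConfigRule's Source.SourceIdentifier.
MANAGED_RULES = {
    "cloudtrail-enabled": "CLOUD_TRAIL_ENABLED",
    "desired-instance-type": "DESIRED_INSTANCE_TYPE",
    "ec2-instances-in-vpc": "INSTANCES_IN_VPC",
    "s3-bucket-versioning-enabled": "S3_BUCKET_VERSIONING_ENABLED",
}


def build_rule(name: str, params: Optional[dict] = None) -> dict:
    """Return the ConfigRule structure PutConfigRule expects for a managed rule."""
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULES[name]},
    }
    if params:
        # InputParameters is a JSON-encoded string, not a nested object.
        rule["InputParameters"] = json.dumps(params)
    return rule


def lab_rules(vpc_id: str, instance_type: str = "t2.micro") -> List[dict]:
    """The four rules from the lab, in the order the lab adds them.

    vpc_id is the ID copied from the VPC console (e.g. the constructed
    placeholder "vpc-0123456789abcdef0"); instance_type matches the lab's t2.micro.
    """
    return [
        build_rule("cloudtrail-enabled"),
        build_rule("desired-instance-type", {"instanceType": instance_type}),
        build_rule("ec2-instances-in-vpc", {"vpcId": vpc_id}),
        build_rule("s3-bucket-versioning-enabled"),
    ]


def apply_and_evaluate(vpc_id: str, region: str = "us-east-1") -> dict:
    """Create the rules, request re-evaluation, and return each rule's compliance type."""
    import boto3  # imported here so the builders above stay usable offline

    config = boto3.client("config", region_name=region)
    rules = lab_rules(vpc_id)
    for rule in rules:
        config.put_config_rule(ConfigRule=rule)
    names = [r["ConfigRuleName"] for r in rules]
    config.start_config_rules_evaluation(ConfigRuleNames=names)  # same as "Re-evaluate"
    resp = config.describe_compliance_by_config_rule(ConfigRuleNames=names)
    return {c["ConfigRuleName"]: c["Compliance"]["ComplianceType"]
            for c in resp["ComplianceByConfigRules"]}
```

Compliance results are not instantaneous; as with the console, call `describe_compliance_by_config_rule` again after a short wait if a rule still reports INSUFFICIENT_DATA.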

Additional Resources

Please log in to the live environment with the cloud_user credentials provided.

Make sure you are using the N. Virginia (us-east-1) region throughout the lab.

Note: AWS Config sometimes needs to be toggled off and back on again in its settings if it does not report correctly after a reasonable length of time.
