Keeping an AWS environment compliant with AWS Config Rules is a balancing act: too many restrictions slow delivery and push savvy engineers into working around the rules altogether; too few restrictions, or no monitoring at all, and vulnerabilities, misconfigurations and unexpected costs stack up. Because configuration management matters to development, production and security alike, AWS offers AWS Config, a service that automatically records the configuration of your AWS resources and sits somewhere between a traffic cop and a speed camera. It shows the relationships between resources and lets you continuously evaluate each resource's configuration against desired, or best-practice, settings, so an organization can monitor its AWS configuration for compliance with corporate guidelines.
To give organizations a jump start on optimizing their AWS environment, AWS provides a set of Managed Config Rules: predefined, customizable rules that the AWS Config service uses to evaluate whether a resource complies with common best practices. Here we walk through configuring some of the most common, and most helpful, AWS managed rules.
Use Flux7’s AWS Config Rules Guide to set up your own AWS managed rules to automatically:
- Ensure only specified EC2 instance types are used
- Check whether EC2 instances belong to a VPC
- Disallow unrestricted incoming SSH traffic and incoming TCP traffic to a specified port
- Check EBS volume encryption
- Check AWS CloudTrail enablement
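As an added example (not code from the original guide), here is how those five checks can be created with boto3's `put_config_rule`, the same API the console's "Add rule" flow calls. The managed-rule source identifiers (DESIRED_INSTANCE_TYPE, INSTANCES_IN_VPC, INCOMING_SSH_DISABLED, RESTRICTED_INCOMING_TRAFFIC, ENCRYPTED_VOLUMES, CLOUD_TRAIL_ENABLED) are AWS's own; the rule names, the allowed instance types, the blocked port and the resource scopes are assumptions chosen for illustration. The example also refuses to run when the configuration recorder is off, because rules never evaluate against an account that is not recording.

```python
import json

# Managed rules this guide covers, as (rule name, AWS source identifier,
# input parameters, resource types the rule is scoped to). The source
# identifiers are AWS's own; the rule names, the allowed instance types, the
# blocked port and the resource scopes are assumptions for this example.
MANAGED_RULES = [
    ("desired-instance-type", "DESIRED_INSTANCE_TYPE",
     {"instanceType": "t3.micro,t3.small"}, ["AWS::EC2::Instance"]),
    ("ec2-instances-in-vpc", "INSTANCES_IN_VPC", {}, ["AWS::EC2::Instance"]),
    ("restricted-ssh", "INCOMING_SSH_DISABLED", {}, ["AWS::EC2::SecurityGroup"]),
    ("restricted-common-ports", "RESTRICTED_INCOMING_TRAFFIC",
     {"blockedPort1": 3389}, ["AWS::EC2::SecurityGroup"]),
    ("encrypted-volumes", "ENCRYPTED_VOLUMES", {}, ["AWS::EC2::Volume"]),
    # cloudtrail-enabled is account-wide and periodic, so it has no resource scope.
    ("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED", {}, []),
]


def build_config_rule(name, source_identifier, params, resource_types):
    """Build the ConfigRule structure that config:PutConfigRule expects."""
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
    }
    if params:
        # The API takes InputParameters as a JSON-encoded string, not a dict;
        # passing the dict directly is a common mistake that fails validation.
        rule["InputParameters"] = json.dumps(params)
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": resource_types}
    return rule


def build_all_rules():
    """Return the PutConfigRule payload for every rule in MANAGED_RULES."""
    return [build_config_rule(*spec) for spec in MANAGED_RULES]


def recorder_is_running(config_client):
    """Rules only evaluate while the configuration recorder is recording."""
    status = config_client.describe_configuration_recorder_status()
    return any(s.get("recording") for s in status.get("ConfigurationRecordersStatus", []))


def apply_rules(config_client, rules=None):
    """Create or update every rule; returns the rule names applied, in order."""
    if not recorder_is_running(config_client):
        raise RuntimeError("AWS Config recorder is not recording; enable it before adding rules")
    applied = []
    for rule in rules or build_all_rules():
        config_client.put_config_rule(ConfigRule=rule)
        applied.append(rule["ConfigRuleName"])
    return applied


if __name__ == "__main__":
    import boto3  # real client; region and credentials come from the environment
    for name in apply_rules(boto3.client("config")):
        print("applied", name)
```

`apply_rules` takes the client as an argument so the payload builder can be exercised against a stub without touching an account; `put_config_rule` is idempotent on `ConfigRuleName`, so re-running the script updates existing rules in place rather than creating duplicates.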
Know instantly when change occurs, including:
- Improper AWS account use
- Negligent or willful misuse
- Rule violations
- Non-compliance with best practices