AWS Config: A Configuration Manager To Save The Day

AWS security

Part 2: How to Make AWS Config Work for You

One of the biggest fears that CIOs of the digital age have is not only server crashes, but the inability to recover the system to its last-known state. This is particularly painful in compliance-heavy industries that are subject to external audits to make sure everything is being performed to industry standards and within federal compliance. AWS Config is a service which picks out a detailed account of what happens with your AWS configuration while giving you the critical ability to go back in time and verify or check the state your AWS resources were at a given point of time.

In Part 2 of our account of fictional CIO Ashok Kumar, whose company ABC Media Solutions has just suffered an irrecoverable server crash, we dig deep into the technical aspect of AWS Config to explore how it works, and more importantly, how it can work for you.

When and How?

On a broader level, the AWS Config can be used for one or more of the below purposes.

  1. Security analysis (Safety and security considerations for the resource and environment)
  2. Audit compliance (HIPAA, PCI DSS, etc.)
  3. Change management (Effect of change in one resource to another)
  4. Troubleshooting configuration changes
  5. Discover (Resource discovery)

The simplest way to activate the AWS resource is through the AWS Management Console. During the activation, choose a simple S3 bucket and SNS service from the console to enable this service.

Diving Deep

The AWS Config deals with three basic parameters, while storing the AWS configuration information.

  1. AWS Resource - e.g Amazon EC2 instances, VPC, Elastic IP, etc.
  2. Relationship - Relationships between different AWS resources, such as a particular Amazon EC2 relation with an RDS instance.
  3. Configuration Item (CI) - This is the core information of a resource that is emitted every time it is changed. It contains all the attributes of a given resource at a given point in time. This is basically the configuration information as a collection of various JSON attributes.
    • Configuration Stream - This is the stream of CIs for all the changes in an account. One can use this stream for one’s programmatic processing. One can channel the stream through the SNS service for this purpose. Every time an AWS resource is changed, along with the CI, a “diff” view of the changed attribute(s), with respect to the resource’s previous state, is also streamed through the SNS service.
    • Configuration Snapshot - Apart from streaming the CIs through a SNS service, one can also get the collection of CIs from the AWS Management Console and optionally choose to save them to the S3 bucket that one specified while initiating the AWS Config service for one's account.
    • Configuration History - This is a resource oriented view of all the CIs that changed during the given period of time. It can be archived into an S3 bucket, for say, audit or compliance purposes.

A simple way to explore the configuration history through a CLI is as below:

aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup  --resource-id sg-6fbb3807

A successful command will yield:

{
   "configurationItems": [
       {
           "configurationItemCaptureTime": 1414708529.9219999,
           "relationships": [
               {
                   "resourceType": "AWS::EC2::Instance",
                   "resourceId": "i-7a3b232a",
                   "relationshipName": "Is associated with Instance"
               },
               {
                   "resourceType": "AWS::EC2::Instance",
                   "resourceId": "i-8b6eb2ab",
                   "relationshipName": "Is associated with Instance"
               },
               {
                   "resourceType": "AWS::EC2::Instance",
                   "resourceId": "i-c478efe5",
                   "relationshipName": "Is associated with Instance"
               },
               {
                   "resourceType": "AWS::EC2::Instance",
                   "resourceId": "i-e4cbe38d",
                   "relationshipName": "Is associated with Instance"
               }
           ],
           "availabilityZone": "Not Applicable",
           "tags": {},
           "resourceType": "AWS::EC2::SecurityGroup",
           "resourceId": "sg-6fbb3807",
           "configurationStateId": "1",
           "relatedEvents": [],
           "arn": "arn:aws:ec2:us-east-1:012345678912:security-group/default",
           "version": "1.0",
           "configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a",
           "configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}",
           "configurationItemStatus": "ResourceDiscovered",
           "accountId": "605053316265"
       }
   ],
   "nextToken":
    ..........  

Use AWS Config to Confirm Last Known State and Ease Audit, Compliance

To summarize, here’s how activating AWS Config worked for the CIO of ABC MediSoft Solutions:

  1. Ashok can now check the state of the machine at any point of time when a change has been made. He simply has to choose his S3 instance and go through the CI of that particular instance.
  2. Knowing the state of a particular instance or AWS resource by going back in time has never been easier, whether it is for audit or compliance requirement.
  3. Ashok now knows for sure what his team tells him is the truth by cross checking it with AWS Config history.

Making changes to the configuration and knowing you can go back to the same configuration any time by referring the AWS Config, has never been easier.

Did you find this useful?  

Interested in getting tips, best practices and commentary delivered regularly from Flux7 AWS Security experts? Click the button below to sign up for our blog and set your topic and frequency preferences.

Sign Me Up!



References

  1. AWS Config Introduction. AWS Config
  2. AWS Documentation. What Is AWS Config?
  3. AWS re:Invent 2014 | (SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations. YouTube Link, SEC315

About the Author

Ashay Chitnis

Join Us

Join thousands of technology enthusiasts, subscribe and get expert perspective in your inbox.

Connect With Us