In our experience working with hundreds of organizations on compliance projects ranging from AWS PCI compliance and AWS HIPAA compliance to internal risk management initiatives, it’s clear that achieving and maintaining compliance is a delicate balance. Too many rules can slow progress and sometimes even cause teams to avoid complying at all. And too few guidelines can obviously result in unwanted fines, or in a worst case scenario, a security vulnerability that causes the business serious harm. Central to establishing and ensuring AWS risk and compliance efforts is the well-known practice of AWS configuration management. It plays a central role in keeping systems in a known, good state and with the application of automation can help organizations strike an optimal balance.
Knowing how important AWS configuration management can be to development, production and security, AWS offers AWS Config. This service allows users to track the configurations of their AWS resources automatically, helping businesses ensure config compliance while reducing the effort needed by teams to comply. Which, in turn, helps increase the rate of compliance.
AWS Config is a favorite tool of the AWS DevOps experts at Flux7 as it provides both an understanding of the relationship between different AWS resources and allows users to actively track their configs against desired - or best practice - settings. Notably, AWS Config allows organizations to monitor their AWS Configs for compliance to corporate guidelines.
AWS Managed Config Rules
Helping give organizations a jump start in the process of optimizing their AWS environment, AWS has built several Managed Config Rules, which are predefined, yet customizable rules that the AWS Config service uses to evaluate whether an AWS resource complies with common AWS best practices. Flux7 AWS engineers have created a resource that walks readers through the process of configuring six of the most common -- and most helpful -- AWS Managed Config Rules, including Desired Instance Types; EC2 Instances In VPC; Encrypted Volumes and more.
Download a copy of the guide here.
Compliance as Code
AWS provides roughly 35 Managed Config Rules in all which help ensure configurations abide by common AWS best practices in areas ranging from management tools to security and storage. Configuring these rules to meet specific organizational needs is an easy process. And, once complete, users can track which resources comply with their rules and which don’t through the AWS Config console.
Importantly, organizational best practices help ensure consistency through standardization, reduce risk, ensure cloud compliance, and more. Configuration management as a practice has a long history of streamlining development, protecting against risk and creating efficiencies. When AWS best practices and AWS configuration management are combined with the advantages of DevOps-based AWS automation, the resulting benefits can be applied in a way that simultaneously grows the efficacy of development, operations and security.
Users can build on their AWS Managed Config Rules foundation with custom rules that can also be continuously monitored and reported on vis SNS and/or through the AWS Config console. Additionally, Lambda functions can be used to define parameters on virtually any corporate compliance issue.
Flux7 recently worked with an enterprise to add consistent tagging to any newly provisioned resource. And, for a large manufacturer, we set up an audit and notification system using serverless tools. The goal of the notification system was to alert operations and information security teams of any known issues surfacing in the account, such as a VPC which is running out of IP addresses; or violations of the corporate security standard; or all volumes of Amazon RDS databases are encrypted and have a particular tag defined. The customer was not only looking for this system to be low maintenance but also wanted it to be extensible so that new rules could be conveniently added and the same system could be used to audit multiple AWS accounts. We took a serverless approach to this notification system.
One of the core tenets of DevOps is applying automation to increase the efficiency and effectiveness of development, operations and security. With AWS Config and AWS Managed Config Rules, organizations are able to apply automation to actively maintain their configuration compliance -- without slowing down their team’s other priorities. By automating configuration checks, teams are able to understand when a configuration has drifted from a known, good state and quickly return it to compliance, ensuring near continuous configuration compliance. Kickstart your AWS configuration compliance today with our AWS Compliance Tutorial, A Visual Guide to Configuring Top AWS Managed Config Rules.