Saturday, 17 March 2018

AWS Config

Overview
  • Inventory of all AWS resources.
  • History of changes
  • Use cases
    • Resource governance
    • Compliance
    • Forensics

Use cases
  • Discover new and deleted resources
  • Record configuration changes
  • Get notified when configuration changes
  • Compliance audits
  • "Time travel" across resources
  • Discovery
    • Including deleted resources
  • Change Management
  • Security Analysis and forensics
  • Troubleshooting
    • What changed
  • IAM changes tracking
    • What permissions Joe had between 5 Nov and 11 Nov
  • IAM rules enforcement
    • Make sure no user has full access


Model
  • What it does
    • Records
    • Normalizes (all resources to common format)
    • Stores data in S3
    • Checks rules
    • Delivers SNS notifications
  • CMDB - change management Database
    • External products, use workflows

DeliveryChannel
  • Physical location of the configuration data
  • ConfigSnapshotDelivery
    • How frequently data is delivered (hours: 1/3/6/12/24)
  • S3BucketName
  • S3KeyPrefix
  • SNSTopicArn
    • Notification that a configuration change has been delivered
  • Max 1 per AWS account

ConfigurationRecorder
  • Records changes to the configuration
  • Can be stopped
  • RecordingGroup
    • allSupported = [true,false]
      • [false] -> resourceTypes
        • AWS::EC2::Instance, etc.
    • includeGlobalResourceTypes = [true,false]
  • RoleARN - gives AWS Config access to the delivery channel
    • so that it can store files in S3

Configuration Item
  • Representation of the configuration attributes of a resource at a specific point in time
  • Components
    • Metadata - information about the configuration item (VersionId, time captured, etc.)
    • Common Attributes - (Resource Id, Tags, Resource Type, ARN, AZ)
    • Relationships - (EBS volume attached to EC2 instance)
    • Current Configuration - result of Describe/List calls - full copy
    • Related Events - AWS CloudTrail Event Id (if the change was due to an API call)


Configuration Rule
  • Desired configuration state for a resource
  • Pre-built rules from AWS available
    • Examples: EC2 must be in VPC, No orphaned EIPs, Unrestricted SSH, etc.
  • Custom rules
    • Invoke a Lambda function
  • Results available on the dashboard
  • Trigger
    • On resource change
    • On time (every 1/3/6/12/24h)
  • Evaluation
    • Result of evaluating a resource against a rule
    • Rule is compliant when all the resources applicable to the rule are compliant
  • Result: COMPLIANT or NON_COMPLIANT
  • Use case
    • Check whether a configuration change is OK (e.g. security compliance)
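
As an added illustration of a custom rule (not code from the original notes or from AWS): a Lambda function that evaluates an AWS::EC2::SecurityGroup configuration item for the "Unrestricted SSH" condition, reports NOT_APPLICABLE for deleted or out-of-scope resources, and returns the verdict to AWS Config with put_evaluations. The sample configuration item, the security group id and the function names are constructed for this example.

```python
import json

# Constructed sample configuration item (not from the page): a security group with SSH open to the world.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",          # constructed placeholder id
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2018-03-17T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]},
}

WORLD = {"0.0.0.0/0", "::/0"}   # "anywhere" CIDRs for IPv4 and IPv6

def ssh_open_to_world(permission: dict) -> bool:
    """True if this ingress rule admits TCP/22 from any source address."""
    proto = permission.get("ipProtocol")
    if proto not in ("tcp", "-1"):            # "-1" means all protocols
        return False
    lo = 0 if proto == "-1" else permission.get("fromPort", 0)
    hi = 65535 if proto == "-1" else permission.get("toPort", 65535)
    if not (lo <= 22 <= hi):
        return False
    cidrs = {r.get("cidrIp") for r in permission.get("ipv4Ranges", [])}
    cidrs |= set(permission.get("ipRanges", []))   # older string-list form
    cidrs |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])}
    return bool(cidrs & WORLD)

def evaluate_compliance(item: dict) -> str:
    """Return the ComplianceType AWS Config expects for one configuration item."""
    if (item.get("configurationItemStatus") == "ResourceDeleted"
            or item.get("resourceType") != "AWS::EC2::SecurityGroup"):
        return "NOT_APPLICABLE"   # deleted or out-of-scope resources are not judged
    perms = item.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if any(ssh_open_to_world(p) for p in perms) else "COMPLIANT"

def lambda_handler(event, context):
    """Entry point for a change-triggered custom Config rule."""
    import boto3   # deferred import so the module also runs offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": evaluate_compliance(item),
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
```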


Relationships
  • Bi-directional (symmetrical)
  • Maintained by AWS Config
  • Example: EC2 Instance <-> EBS Volume


