Day 24 of 30 Days of AWS: Mastering AWS Config Service! 🚀

✍️ Introduction:

Hey there, fellow cloud enthusiasts! Welcome back to our exciting journey through the world of AWS. Today, on day 24 of our 30 Days of AWS series, we're diving deep into the AWS Config Service, a vital tool for maintaining control and visibility over your AWS environment. 🛡️

✍️ Understanding AWS Config Service:

AWS Config Service empowers you to monitor, audit, and assess your AWS resource configurations with ease. Let's break down its key components and functionalities:

➤ Configuration Recorder:

The configuration recorder is the backbone of AWS Config. It continuously tracks changes to your AWS resources and records their configurations. You can specify which AWS resources you want to monitor, ensuring you have visibility into the aspects of your infrastructure that matter most to you.

➤ Rules:

AWS Config allows you to define rules that evaluate your resource configurations against desired configurations. You can choose from a wide range of predefined rules covering best practices and compliance standards or create custom rules tailored to your specific requirements. These rules help you ensure that your AWS resources adhere to organizational policies, security standards, and regulatory requirements.

➤ Compliance Dashboard:

The compliance dashboard provides a centralized view of your AWS resources' compliance status. It highlights any resources that are non-compliant with your defined rules, making it easy for you to identify and address configuration drifts or violations promptly.

➤ Delivery Channel:

The delivery channel specifies where AWS Config sends configuration snapshots and change notifications. You can configure it to deliver configuration history snapshots to an Amazon S3 bucket, send notifications via Amazon SNS topics, or stream configuration changes to an AWS Config stream for real-time processing.

✍️ Let's Get Started:

Now that we have a basic understanding of AWS Config Service, let's walk through the steps to set it up and perform a hands-on demo:

1. Enable AWS Config:

  • Head to the AWS Management Console.

  • Navigate to the AWS Config service.

  • Click on "Get Started Now" or "Set up AWS Config."

  • Follow the prompts to enable AWS Config.

2. Configuration Recorder Setup:

  • Configure a recorder to capture configurations.

  • Select the AWS resources you want to monitor.

  • Specify the recording frequency and AWS Key Management Service (KMS) key if encryption is desired.

3. Rule Configuration:

  • Set up rules to evaluate resource configurations.

  • Choose from predefined rules or create custom ones.

  • Define the scope of the rules and configure their triggers and remediation actions as needed.

4. Delivery Channel Configuration:

  • Set up a delivery channel to define where AWS Config sends configuration snapshots and change notifications.

  • Choose options like Amazon S3, Amazon SNS, or AWS Config streams for delivery.

  • Configure delivery frequency and encryption settings if required.

✍️ Hands-on Demo: Tracking Resource Changes

Let's put our knowledge into action with a practical demo:

Scenario:

Alright, imagine this: We're about to embark on a journey where we'll set up two instances and keep a close eye on them, ensuring they're in line with our compliance standards. But wait, what exactly do we mean by compliant and non-compliant? Let me demystify that for you! 🕵️‍♂️

Picture this: If our instance's Monitoring Option is toggled on, it's a thumbs-up from Compliance Central! That means it's compliant, meeting all our monitoring requirements. 🎉 However, if that option is left unchecked, it's a red flag, signaling non-compliance. 😬

But here's where it gets exciting: We're not babysitting these instances manually. Oh no! We've got a Lambda function up our sleeves that's going to handle all of this for us, automatically sorting instances into their rightful categories. How cool is that? 😎

So, are you ready for this adventure? Let's dive in and make compliance monitoring a breeze! 🌟

➦ Launch an EC2 Instance:

➜ Navigate to the EC2 Dashboard.

➜ Launch a new instance with your preferred settings.

➜ I am launching two Ubuntu-flavour EC2 instances.

➜ Click on Launch Instance.

➜ Now fill in the name and select the AMI you want.

➜ Scroll down, select the key pair, and click Launch Instance.

➜ Now we have two instances named Config-Service-1 and Config-Service-2.

➦ Creating the Lambda function:

➜ Here's the plan: We're going to craft a Lambda function that's like our very own detective, always on the lookout for any changes in our EC2 instances. 🕵️‍♀️ Whenever an instance is created, deleted, modified, or updated, bam! Our Lambda function will spring into action, triggered automatically like clockwork.

➜ But wait, there's more! 🚨 We're not just stopping at detecting changes; we're taking it up a notch with the help of AWS Config Service. This powerful service will provide us with all the juicy details we need to determine whether each instance is compliant or non-compliant with our standards.

➜ Imagine it: Our Lambda detective receives a signal, swoops in to investigate, and with the magic of AWS Config, it swiftly categorizes the instance as either compliant 🌟 or non-compliant 😬. All of this happening seamlessly in the background, keeping our infrastructure in check without us lifting a finger!

Here is the Lambda function code:

import boto3
import json

def lambda_handler(event, context):
    ec2_client = boto3.client('ec2')

    # Assume compliant by default
    compliance_status = "COMPLIANT"
    annotation = "Detailed monitoring is enabled."

    # The invokingEvent is a JSON string; parse it to get the configuration item
    config = json.loads(event['invokingEvent'])

    configuration_item = config["configurationItem"]

    # The resourceId of an AWS::EC2::Instance item is the instance ID
    instance_id = configuration_item['resourceId']

    # A deleted instance can no longer be described, so report it as
    # NOT_APPLICABLE instead of letting DescribeInstances fail.
    if configuration_item['configurationItemStatus'] in ('ResourceDeleted', 'ResourceDeletedNotRecorded'):
        compliance_status = "NOT_APPLICABLE"
        annotation = "Instance has been deleted."
    else:
        # Get complete instance details
        instance = ec2_client.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]

        # Check whether detailed monitoring is enabled on this instance.
        if instance['Monitoring']['State'] != "enabled":
            compliance_status = "NON_COMPLIANT"
            annotation = "Detailed monitoring is not enabled."

    evaluation = {
        'ComplianceResourceType': 'AWS::EC2::Instance',
        'ComplianceResourceId': instance_id,
        'ComplianceType': compliance_status,
        'Annotation': annotation,
        'OrderingTimestamp': config['notificationCreationTime']
    }

    config_client = boto3.client('config')

    # Report the result back to AWS Config using the token from this invocation
    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken']
    )

    return response

➜ This is our Lambda function code.

➜ Now navigate to the AWS Lambda service.

➜ Click on Create Function.

➜ Configure this.

➜ Give the function name and runtime.

➜ Go to the Configuration section and select Permissions.

➜ Click on the role name; you will be redirected to the IAM role page.

➜ Now click on Add Permission.

➜ Give these four permissions to this role.

➜ Now come back to the function and change the default Lambda execution timeout from 3s to 10s.

➜ Everything on the Lambda side is done; now we will proceed to the AWS Config service.
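To see what the rule actually receives, here is an added example (not code from the original post) that builds a constructed AWS Config change event for an EC2 instance and evaluates it offline. It goes a little beyond the function above: it reads the monitoring state from the configuration item itself instead of calling DescribeInstances, and it reports a deleted instance as NOT_APPLICABLE; the instance ID, timestamps and result token are constructed values.

```python
import json

# Constructed sample of the event AWS Config passes to a custom Lambda rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",  # constructed instance id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"instanceId": "i-0123456789abcdef0",
                              "monitoring": {"state": "disabled"}},
        },
        "messageType": "ConfigurationItemChangeNotification",
        "notificationCreationTime": "2024-01-01T00:00:01.000Z",
    }),
    "resultToken": "constructed-result-token",
}

def configuration_item_from(event):
    """invokingEvent is a JSON string, not a dict; parse it and return the item."""
    return json.loads(event["invokingEvent"])["configurationItem"]

def evaluate(configuration_item):
    """Build the PutEvaluations entry for one configuration item.
    Reads the monitoring state from the item (no DescribeInstances call) and
    reports a deleted instance as NOT_APPLICABLE instead of failing a lookup."""
    evaluation = {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }
    if configuration_item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        evaluation["ComplianceType"] = "NOT_APPLICABLE"
        evaluation["Annotation"] = "Instance no longer exists."
    elif configuration_item["configuration"].get("monitoring", {}).get("state") == "enabled":
        evaluation["ComplianceType"] = "COMPLIANT"
    else:
        evaluation["ComplianceType"] = "NON_COMPLIANT"
        evaluation["Annotation"] = "Detailed monitoring is not enabled."
    return evaluation

def lambda_handler(event, context):
    import boto3  # imported here so evaluate() can be exercised without AWS access
    evaluation = evaluate(configuration_item_from(event))
    return boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
```

Note that an OversizedConfigurationItemChangeNotification does not carry the configuration item inline; a production rule has to fetch it with GetResourceConfigHistory before calling evaluate().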

➦ Configuring the AWS Config Service:

➜ First navigate to the AWS Config service.

➜ You will see this type of interface; now click on Get Started.

➜ Now, in the Settings section:

  • Recording Strategy > Specific Resource Type

  • Resource Type > EC2 instance

  • Frequency > Continuous

➜ Now you have to create the bucket for storing the data.

➜ Here we also configure SNS for notifications whenever anything happens, such as an update, create, or delete.

➜ Now click the Next button.

➜ Now click on Rules and Add rule.

➜ Now select the rule type as Custom Lambda Rule and click Next.

➜ In the Details section you have to provide the name and ARN of the Lambda function.

➜ In the Scope of changes, select EC2 Instance.

➜ Now click Next, then Review and Save.

➜ Our rule is created successfully.

➜ Now we will enable monitoring on one EC2 instance.

➜ Go to the AWS Management Console and navigate to your two running instances.

➜ In the Monitoring section, click on Manage detailed monitoring and enable it.

➜ Now one instance is compliant and one is non-compliant.

➜ Now we go to AWS Config to see the result it provides.

➜ Here we can see that one is compliant and one is non-compliant.

➜ Now we enable monitoring on the second instance and see what result AWS Config provides.

➜ Now both instances are in the compliant state.
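The console steps above, both the general setup in "Let's Get Started" and this demo's recorder, bucket, SNS topic and custom Lambda rule, done with boto3, as an added example that is not from the original post. The role ARN, bucket name, topic ARN and Lambda ARN are placeholders you supply; a bucket policy that lets AWS Config write to the bucket is assumed to exist already.

```python
def recorder_spec(name, role_arn):
    """Recorder limited to EC2 instances, recording every change (CONTINUOUS)."""
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                           "resourceTypes": ["AWS::EC2::Instance"]},
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }

def delivery_channel_spec(name, bucket, topic_arn):
    """Daily configuration snapshots to S3 plus change notifications to an SNS topic."""
    return {
        "name": name,
        "s3BucketName": bucket,
        "snsTopicARN": topic_arn,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"},
    }

def custom_lambda_rule_spec(rule_name, lambda_arn):
    """Custom Lambda rule scoped to EC2 instances and fired on each configuration change."""
    change = "ConfigurationItemChangeNotification"
    return {
        "ConfigRuleName": rule_name,
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": lambda_arn,
            # Oversized items arrive without the configuration item inline, so the
            # rule is subscribed to that message type as well.
            "SourceDetails": [{"EventSource": "aws.config", "MessageType": change},
                              {"EventSource": "aws.config", "MessageType": "Oversized" + change}],
        },
    }

def apply(recorder, channel, rule):
    """Create recorder, delivery channel and rule in the order AWS Config requires."""
    import boto3  # imported here so the spec builders can be tested offline
    config, lam = boto3.client("config"), boto3.client("lambda")
    config.put_configuration_recorder(ConfigurationRecorder=recorder)
    config.put_delivery_channel(DeliveryChannel=channel)  # needs a bucket policy for config.amazonaws.com
    # AWS Config must be allowed to invoke the rule's function, or put_config_rule is rejected.
    lam.add_permission(FunctionName=rule["Source"]["SourceIdentifier"], StatementId="AllowAwsConfigInvoke",
                       Action="lambda:InvokeFunction", Principal="config.amazonaws.com")
    config.put_config_rule(ConfigRule=rule)
    config.start_configuration_recorder(ConfigurationRecorderName=recorder["name"])
```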

➜ That is all from my side. If you have any confusion then let me know in the comment section.

✍️ Conclusion:

Fantastic job, AWS Explorer! 🎉 You've unlocked the power of AWS Config Service and learned how to wield it to maintain control, compliance, and security within your AWS environment.

As we near the end of our 30 Days of AWS journey, remember that AWS Config is your ally in the quest for cloud excellence. Keep exploring its features, experiment with different rules, and tailor it to suit your organization's unique requirements.

With AWS Config Service in your arsenal, you're well-equipped to navigate the complexities of cloud management and drive success in your AWS endeavours.

Stay tuned for more AWS adventures as we continue our journey through the cloud cosmos. Until then, happy configuring, and may your AWS environment always be compliant and secure! ☁️🔍

Stay curious, stay cloud-savvy, and keep rocking those AWS skills! 💪🚀
