Managing Inventory, Change, and Compliance with AWS Config
BASIC INVENTORY MANAGEMENT
The Basics
About Me
DevOps@RajeshKumar.XYZ
Is This You?
Basic Inventory Management
- Problem overview
- Tool landscape
- AWS Config - the best answer
- Main features
- Setup
- Pricing
- Demo - basic usage
The Problem
Compliance
Tool Landscape
- Enterprise-focused
- Solarwinds
- Spiceworks
- Microsoft SCCM
- DevO ps-focused
- Puppet
- Chef
- Ansible
- Fully-integrated (AWS Config)
Enterprise-focused Tools
- All-in-one solution
- Expensive
- OS-specific
- Large organizations
- Small organizations
DevOps-focused Tools
- OS-agnostic
- Not all-in-one
- Integrating can be difficult
- Often open-source
- Highly automatable
- Benefits beyond inventory/compliance
Cloud-scale Issues
Fully-integrated Tools
- All-in-one solution
- Small or large organizations
- Highly automatable
- Trusted vendor
- Pay for what you use
- Made for the cloud
Main Features
- Track state of all AWS resources
- OS-level too
- Change Notification
- Validate against AWS Config Rules
- Continuously!
- Discover rogue resources
- Troubleshoot configuration issues
Create an S3 bucket
Create an SNS topic Activate!
What’s This Going to Cost Me?
- $0.003 USD / Configuration item recorded
- IE. Resource state at given time
- Limit resource types as needed
- $2 USD / Config Rule
- $0.10 / 1000 Rule evaluations
- 20k/rule for free
- Enable AWS Config
- SNS/S3 setup
- Resource view
- Correcting compliance problems
- History / Snapshotting
Globomantics
Summary
- Inventory / Compliance Problem
- Other Tools
- AWS Config
- Cheap
- Integrated
- Powerful
- Awesome
- Basic setup of AWS Config
- Current / historical resource state
Continuous Assessment
Overview
- Continuous Assessment?
- AWS Config Rules
- Built-in
- Third-party
- Custom
- Demo: Continuous Assessment at
- Globomantics
- AWS Lambda + Python
Momentary Assessment
Continuous Assessment
Assessment Types
|
Momentary
|
Continuous
|
AWS Config - Event Driven
AWS Config - Periodic
Sources of Rules
Shared Rule Properties
- Event-driven / Periodic
- Resource / Tag Scope
- Or all!
- Parameters
Built-in Rules
- Managed by AWS
- 100% working
- Expanded frequently
- Common needs
- Instance types
- Password policy
- Attached EIPs
- ...
Third-party Rules
- Community-supported
- https://github.com/awslabs/aws-config-rules
- Multiple Languages
- Good learning tool
- Very useful roles
- VPC flow logs
- Inactive users
- lAM MFA
- ...
Custom Rules
- Create a Lambda!
- Infinitely expandable
- Easy to implement
- Many examples
- Adding AWS Config Rules
- CIS for Globomantics
- Built-in
- Restricted ports (event-driven)
- Third-party
- VPC flow logs (event-driven)
- Custom
- Inactive users (periodic)
- Expect detailed code!
Summary
- Continuous Assessment
- AWS Config Rules
- Built-in
- Third-party
- Custom
- Implementation
- CIS rules: https://goo.gI/h7jblh
Continuous Compliance
Overview
- Continuous Compliance?
- Which Rules Fit?
- AWS Config Implementation
- Demo: Continuous Compliance at
- Globomantics
- AWS Lambda + Python
Manual Compliance
Continuous Compliance
Which Rules Fit?
- Automatable response
- AWS APIs / third party APIs
- Low-impact
- Low change scope = more trust
- Unless you’re confident!
- Failure Detectable
- Tell something if problem can’t be fixed!
Example Rules
|
Optimal
|
Non-optimal
|
How AWS Config Does it
How to React?
- Attempt to fix the issue (obviously!)
- Retry!
- Alternative fixes?
- Inform of results
- Failure more important than success
- Integrate with third-parties
- Trigger re-evaluation (periodic)
- “Healer” lambda
- Delete expired access/secret keys
- Close open ports
- Triggering external systems
- SES
- Simple implementation - semi-scalable
- Easy to expand!
- Expect detailed code!
Summary
- Continuous Compliance
- Rules that fit
- Automatable
- Low impact
- Failure detectable
- AWS Config Implementation
- How to React
- Demo - “healer” lambda
Questions?
