Set up continuous compliance on AWS with Config managed rules
It’s difficult to meet cloud compliance demands with manual practices. Establish a continuous compliance posture with AWS Config managed rules and best practices.
Manual compliance practices can’t keep up with the speed and scale of the cloud, which is why admins need a combination of automation and orchestration to solidify their compliance posture on AWS.
AWS Config enables users to implement a continuous compliance cloud environment with preconfigured rules that set and monitor desired configuration settings. With AWS Config best practices in place, every action falls within guardrails established by the business, and variations can be reported and remediated.
Let’s take a closer look at the move from manual processes to managed compliance and how users can implement AWS continuous compliance with predefined AWS Config managed rules.
Replace manual compliance with managed services
Manual compliance processes can be a time-consuming, error-prone endeavor. This has driven the need for rules-based automation and orchestration to overcome the most common disadvantages of manual compliance, such as documentation and auditing at scale. When organizations shift their infrastructure to the cloud, they need to rethink their compliance strategy as well.
Enterprises that use cloud providers such as AWS rely on managed services to establish and enforce rules for the orchestration of common cloud actions. This includes the deployment of resources, building and testing code, releasing and deploying of code, and so on. These services work as guardrails to ensure that every action — such as creating a new EC2 instance — follows the same rules. With rules set in place, an organization can demonstrate its business governance and compliance posture to auditors.
There are multiple ways to integrate continuous compliance on AWS. You can use AWS Partner Network offerings such as HPE Continuous Compliance. You can also use Chef InSpec with AWS Systems Manager. One of the best ways to get started with AWS continuous compliance — and our focus here — is to use Config and its managed rules.
AWS Config 101
AWS Config is the principal tool for establishing continuous compliance on AWS. The managed service offers a detailed view of the resources — compute, storage, security groups, Amazon Virtual Private Clouds and more — across an AWS account. It outlines how the resources are related to each other and how those configurations change over time. AWS Config can also notify administrators when a resource is created, changed or removed. In effect, it’s the monitoring, logging and reporting component of AWS.
AWS Config rules are the centerpiece of continuous compliance with AWS Config. A “rule” is a desired configuration setting. Organizations can apply a configuration setting to a particular AWS resource or across their entire AWS account. AWS Config constantly checks each resource against that rule. If a resource is created or changed in violation of a rule, it becomes non-compliant and AWS Config notifies an administrator through the Amazon Simple Notification Service. AWS Config can also check resources at regular intervals.
Set up AWS Config managed rules
AWS Config managed rules establish a comprehensive set of predefined rules, which admins can customize to meet specific needs. AWS Config also enables you to customize these predefined rules, but don’t confuse these customized rules with AWS Config custom rules.
Access redefined AWS Config managed rules through the AWS management console. Administrators can search for specific rules or browse all of the available predefined rules that govern compute, management and governance, network and content delivery, security, identity, compliance and storage categories. At the time of publication, there are more than 100 predefined rules that can be applied.
For example, you can select the desired-instance-type rule, which checks whether selected EC2 instances are the required instance type. Thus, if an instance is created that is not the required type, a violation will be reported. There are also managed rules for Amazon S3, Redshift, Identity and Access Management and more. These AWS Config managed rules will get you started with AWS continuous compliance.
In a following article, we’ll go over how to customize and create your own rules with AWS CloudFormation and AWS Lambda.