3.4 - PaulDuvall/aws-compliance-workshop GitHub Wiki
# 3.4 Run Managed Config Rules using CloudFormation

Review and ensure that you have set up your development environment before going through the steps below.
## Create a new template

- From AWS Cloud9, create a new file.

```sh
cd ~/environment/ccoa
touch ccoa-3-config-rules-s3.yml
```

- Open the file, paste the template configuration below and save.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy AWS Config Rules for S3
Resources:
  AWSConfigRuleForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
```
## Launch the CloudFormation stack from the CLI

```sh
aws cloudformation create-stack --stack-name ccoa-3-config-rules-s3 --capabilities CAPABILITY_NAMED_IAM --disable-rollback --template-body file:///home/ec2-user/environment/ccoa/ccoa-3-config-rules-s3.yml
```

## Check the status

From your Cloud9 terminal, type the following:

```sh
aws cloudformation describe-stacks --stack-name ccoa-3-config-rules-s3
```

Or, go to the CloudFormation console.
## View AWS Config Rules Dashboard

Go to the AWS Config Rules Dashboard and view the results.
## Running all AWS Managed Rules in CloudFormation

AWS provides CloudFormation templates for each of these Managed Config Rules to provision the rule in your AWS account(s). With this CloudFormation template, you get all the benefits of defining your compliance as code.

AWS now provides a common location and naming convention that you can use to launch each of these rules. The format looks like this:

```
https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/THE_RULE_IDENTIFIER.template
```

All you need to do is replace `THE_RULE_IDENTIFIER` with the unique name that AWS has defined for the rule you would like to run. For example, let's imagine you want to run all of the Managed Config Rules that check for encryption. You would go to the list of Managed Config Rules and find the rules for encryption. At the time of this writing, there are nine rules listed. They are:
- `encrypted-volumes`
- `dynamodb-table-encryption-enabled`
- `rds-storage-encrypted`
- `cloud-trail-encryption-enabled`
- `cloudwatch-log-group-encrypted`
- `api-gw-cache-enabled-and-encrypted`
- `efs-encrypted-check`
- `s3-bucket-server-side-encryption-enabled`
If you click on each one of the managed rules, the rule identifier is listed, but there is no need to do this because they all follow the same naming pattern: the rule name in upper case, with underscores instead of hyphens. Therefore, the managed rules above convert to these identifiers:
- `ENCRYPTED_VOLUMES`
- `DYNAMODB_TABLE_ENCRYPTION_ENABLED`
- `RDS_STORAGE_ENCRYPTED`
- `CLOUD_TRAIL_ENCRYPTION_ENABLED`
- `CLOUDWATCH_LOG_GROUP_ENCRYPTED`
- `API_GW_CACHE_ENABLED_AND_ENCRYPTED`
- `EFS_ENCRYPTED_CHECK`
- `S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED`
So, if you want to run the `elasticsearch-encrypted-at-rest` Managed Config Rule, the command to run from the command line looks like this:

```sh
aws cloudformation create-stack --stack-name elasticsearch-encrypted-at-rest --template-url https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/ELASTICSEARCH_ENCRYPTED_AT_REST.template --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```
You can apply the same heuristic to all 100+ Managed Config Rules.
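The two procedures on this page, writing a template with one `AWS::Config::ConfigRule` per rule and launching the AWS-provided per-rule templates by converting a rule name to its identifier, as one added shell script. This is example code, not the workshop's own: it assumes a configured AWS CLI, uses the template URL format quoted above, and the function names, stack names and the `template`/`deploy` sub-commands are my own choices. It goes beyond the single-rule template above by generating a template for any list of rules.

```sh
#!/bin/sh
# Added example, not part of the workshop: reusable functions for the managed
# rule naming heuristic, a generated multi-rule template, and a deploy loop.
# Assumes a configured AWS CLI; function and stack names are my own choices.
set -eu

# Location of the AWS-provided per-rule templates, exactly as quoted on this page.
TEMPLATE_BASE="https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules"

# Rule name (lower case, hyphens) -> rule identifier (upper case, underscores).
# encrypted-volumes -> ENCRYPTED_VOLUMES
rule_identifier() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# Template URL for one rule, following the THE_RULE_IDENTIFIER convention.
template_url() {
    printf '%s/%s.template' "$TEMPLATE_BASE" "$(rule_identifier "$1")"
}

# Emit one CloudFormation template containing every rule given as an argument,
# so a whole group (for example the encryption rules) is provisioned as one
# stack and reviewed as one piece of compliance code. Logical IDs may only
# contain letters and digits, so underscores are dropped when forming them.
# Note: a few managed rules require InputParameters; add them under
# Properties for those rules (none of the encryption rules listed above do).
generate_template() {
    printf "AWSTemplateFormatVersion: '2010-09-09'\n"
    printf 'Description: AWS Config managed rules (generated template)\n'
    printf 'Resources:\n'
    for rule in "$@"; do
        logical_id=$(rule_identifier "$rule" | tr -d '_')
        printf '  ConfigRule%s:\n' "$logical_id"
        printf '    Type: AWS::Config::ConfigRule\n'
        printf '    Properties:\n'
        printf '      ConfigRuleName: %s\n' "$rule"
        printf '      Source:\n'
        printf '        Owner: AWS\n'
        printf '        SourceIdentifier: %s\n' "$(rule_identifier "$rule")"
    done
}

# Launch one stack per rule from the AWS-provided template URL, wait for the
# stack, then print the rule's compliance state so the result is checked
# rather than assumed. Needs AWS credentials, so it only runs via "deploy".
deploy_rules() {
    for rule in "$@"; do
        aws cloudformation create-stack \
            --stack-name "$rule" \
            --template-url "$(template_url "$rule")" \
            --capabilities CAPABILITY_NAMED_IAM \
            --disable-rollback
        aws cloudformation wait stack-create-complete --stack-name "$rule"
        aws configservice describe-compliance-by-config-rule \
            --config-rule-names "$rule" \
            --query 'ComplianceByConfigRules[0].Compliance.ComplianceType' \
            --output text
    done
}

# Usage:
#   sh managed-rules.sh template encrypted-volumes rds-storage-encrypted > rules.yml
#   sh managed-rules.sh deploy encrypted-volumes rds-storage-encrypted
case "${1:-}" in
    template) shift; generate_template "$@" ;;
    deploy)   shift; deploy_rules "$@" ;;
esac
```

The `template` sub-command is the route to take when several rules belong together, since one stack is easier to review, version and remove than nine; `deploy` reproduces the per-rule `--template-url` launch shown above. The compliance state printed after each deploy reads `INSUFFICIENT_DATA` until the AWS Config recorder has evaluated resources in the region, so a fresh rule reporting that value is expected rather than a failure.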
## Additional Resources

- Creating AWS Config Managed Rules With AWS CloudFormation Templates
## Cleanup

Go to Cleanup to remove any resources you created in this sublesson.