4.3 - PaulDuvall/aws-compliance-workshop GitHub Wiki

4.3 Setup Custom Config Rules using the Rules Development Kit (RDK)

Review and ensure that you have setup your development environment before going through the steps below.

AWS Rules Development Kit (RDK)

"The AWS Config Rules Development Kit helps developers set up, author and test custom Config rules. It contains scripts to enable AWS Config, create a Config rule and test it with sample ConfigurationItems." Source

Install the RDK

Use the following commands to install the AWS Config RDK on AWS Cloud9 and initialise it (rdk init enables AWS Config in the account and region if it is not already on):

cd ~/environment/ccoa
pip install rdk --user
rdk init

Create your first rule

In your working directory, use the create command to start creating a new custom rule. You must specify the runtime for the Lambda function that will back the custom config rule, and you can also specify a resource type (or comma-separated list of types) that the rule will evaluate or a maximum frequency for a periodic rule. This will add a new directory for the rule and populate it with several files, including a skeleton of your Lambda code.

cd ~/environment/ccoa
rdk create DesiredInstanceRule --runtime python3.7 --resource-types AWS::EC2::Instance --input-parameters '{"desiredInstanceType":"t2.micro"}'

Deploy Rule

cd ~/environment/ccoa
rdk deploy DesiredInstanceRule

You'll see something like the following display in the terminal:

Running deploy!
Found Custom Rule.
Zipping DesiredInstanceRule
Uploading DesiredInstanceRule
Upload complete.
Creating CloudFormation Stack for DesiredInstanceRule
Waiting for CloudFormation stack operation to complete...
...
CloudFormation stack operation complete.
Config deploy complete.

View Logs For Deployed Rule

Once the custom config rule has been deployed to AWS, you can view the CloudWatch logs for your Lambda function using the rdk logs command as shown below (-n limits the output to the most recent five log events).

rdk logs DesiredInstanceRule -n 5

Go to the Config Rules Console

Go to AWS Config Rules dashboard and view the new rule you created.

View the Code for the Custom Rule

Go to the DesiredInstanceRule directory in your Cloud9 environment. You should see the following three files:

DesiredInstanceRule.py
DesiredInstanceRule_test.py
parameters.json

You can make modifications to the Python code or the parameters to customize the rule behavior.
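The generated DesiredInstanceRule.py leaves the evaluation logic for you to write. The block below is an added, self-contained example (not the RDK-generated file and not from the workshop repository) of what that logic can look like for this rule: it validates the desiredInstanceType input parameter, compares it with the instanceType in a Configuration Item, and returns one of the three compliance values AWS Config understands. It goes slightly beyond the page by also accepting a comma-separated list of instance types. The SAMPLE_CI dictionary and build_event helper are constructed for local testing and mimic the shape of the event AWS Config passes to the Lambda function; the resource and image ids in it are placeholders.

```python
import json

# Constructed sample Configuration Item, trimmed to the fields this rule needs.
# Shaped like the output of `rdk sample-ci AWS::EC2::Instance`; ids are placeholders.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configuration": {
        "instanceType": "t2.micro",
        "imageId": "ami-00000000",
    },
}


def evaluate_parameters(rule_parameters):
    """Validate and normalise the rule's input parameters.

    A missing or empty desiredInstanceType raises ValueError so a misconfigured
    rule fails loudly instead of silently marking every instance COMPLIANT.
    A comma-separated list ("t2.micro,t3.micro") is accepted as well.
    """
    raw = rule_parameters.get("desiredInstanceType", "")
    allowed = {t.strip() for t in raw.split(",") if t.strip()}
    if not allowed:
        raise ValueError(
            "desiredInstanceType must be a non-empty instance type "
            "or a comma-separated list of instance types"
        )
    return {"desiredInstanceTypes": allowed}


def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one Configuration Item.

    Uses the same signature as the function RDK generates, but this body is an
    illustrative re-implementation written for this example.
    """
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    # A deleted resource has no current configuration to judge.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    actual = configuration_item.get("configuration", {}).get("instanceType")
    if actual in valid_rule_parameters["desiredInstanceTypes"]:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def evaluate_event(event):
    """Handler-style glue: parse the Config event payload and evaluate the CI.

    AWS Config delivers invokingEvent and ruleParameters as JSON strings, so
    both are decoded before use.
    """
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters", "{}"))
    params = evaluate_parameters(rule_parameters)
    ci = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(event, ci, params),
    }


def build_event(configuration_item, rule_parameters):
    """Construct a change-notification style event for local testing."""
    return {
        "invokingEvent": json.dumps({
            "configurationItem": configuration_item,
            "messageType": "ConfigurationItemChangeNotification",
        }),
        "ruleParameters": json.dumps(rule_parameters),
    }


if __name__ == "__main__":
    print(evaluate_event(build_event(SAMPLE_CI, {"desiredInstanceType": "t2.micro"})))
    oversized = dict(SAMPLE_CI, configuration={"instanceType": "m5.24xlarge"})
    print(evaluate_event(build_event(oversized, {"desiredInstanceType": "t2.micro"})))
```

Returning NOT_APPLICABLE for resource types the rule was not written for, and for deleted resources, keeps the rule from producing misleading findings when its resource-type scope is widened later; failing on an empty parameter makes a deployment mistake visible in the Lambda logs (rdk logs) rather than in a dashboard that looks clean.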

Additional RDK Features

  1. If you want to see what the JSON structure of a Configuration Item (CI) looks like for creating your logic, here's an example:
rdk sample-ci AWS::EC2::Instance
rdk sample-ci AWS::S3::Bucket
  2. If you want to run a local test of your rule, type:
rdk test-local DesiredInstanceRule
  3. If you want to deploy a Managed Config Rule, here is an example (-r is the short form of --resource-types):
rdk create rdk-s3-versioning-rule --source-identifier S3_BUCKET_VERSIONING_ENABLED -r AWS::S3::Bucket
  4. Other examples:
rdk create rdk-cloudtrail-file-rule --source-identifier CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED -r AWS::CloudTrail::Trail

rdk create rdk-vpc-flow-logs-rule --source-identifier VPC_FLOW_LOGS_ENABLED -r AWS::EC2::VPC --input-parameters '{"trafficType":"ALL"}'

rdk create rdk-s3-logging-rule --source-identifier S3_BUCKET_LOGGING_ENABLED -r AWS::S3::Bucket --input-parameters '{"targetBucket": "ccoa-n8hc"}'

Additional Resources

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.