Managing Inventory, Change, and Compliance with AWS Config

BASIC INVENTORY MANAGEMENT

The Basics

By scmGalaxy.com

About Me

DevOps@RajeshKumar.XYZ

Is This You?


Basic Inventory Management

  • Problem overview
  • Tool landscape
  • AWS Config - the best answer
    • Main features
    • Setup
    • Pricing
  • Demo - basic usage

The Problem


Compliance


Tool Landscape

  • Enterprise-focused
    • Solarwinds
    • Spiceworks
    • Microsoft SCCM
  • DevOps-focused
    • Puppet
    • Chef
    • Ansible
  • Fully-integrated (AWS Config)

Enterprise-focused Tools

  • All-in-one solution
  • Expensive
  • OS-specific
  • Large organizations
  • Small organizations

DevOps-focused Tools

  • OS-agnostic
  • Not all-in-one
    • Integrating can be difficult
  • Often open-source
  • Highly automatable
  • Benefits beyond inventory/compliance

Cloud-scale Issues


Fully-integrated Tools

  • All-in-one solution
  • Small or large organizations
  • Highly automatable
  • Trusted vendor
  • Pay for what you use
  • Made for the cloud

Main Features

  • Track state of all AWS resources
    • OS-level too
  • Change Notification
  • Validate against AWS Config Rules
    • Continuously!
  • Discover rogue resources
  • Troubleshoot configuration issues

Setup

  • Create an S3 bucket
  • Create an SNS topic
  • Activate!
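The setup steps above (bucket, topic, activate) as one Python/boto3 script. This is an added example, not the deck's demo code. It assumes the bucket and SNS topic already exist and that you pass in your own bucket name, topic ARN, account id and region; boto3 is imported only inside enable_config so the policy and definition builders can be run and inspected offline. The security point worth noticing is the aws:SourceAccount condition on both the bucket and topic policies: without it, any account's recorder could write into your delivery bucket or publish to your topic.

```python
"""Enable AWS Config in one region with boto3: bucket policy for the S3
delivery bucket, topic policy for the SNS notification topic, the recorder
and the delivery channel. Added example, not the deck's demo code; the
bucket, topic and account values are placeholders you pass in."""
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"


def config_bucket_policy(bucket, account_id, prefix=None):
    """Bucket policy AWS Config needs on its delivery bucket.

    Both statements carry aws:SourceAccount so a recorder in some other
    account cannot read this bucket's ACL or drop objects into it.
    """
    base = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix}/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSConfigBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {"Service": CONFIG_PRINCIPAL},
                "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
                "Resource": base,
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
            {
                "Sid": "AWSConfigBucketDelivery",
                "Effect": "Allow",
                "Principal": {"Service": CONFIG_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"{base}/{key_prefix}AWSLogs/{account_id}/Config/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": account_id,
                    }
                },
            },
        ],
    }


def topic_policy(topic_arn, account_id):
    """Lets AWS Config publish change notifications to the topic, again pinned to this account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSConfigSNSPolicy",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_PRINCIPAL},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def recorder_definition(role_arn, resource_types=None, name="default"):
    """No resource_types = record every supported type, global ones (IAM) included.
    A list restricts recording, which is the pricing lever for configuration items."""
    if resource_types:
        group = {"allSupported": False, "includeGlobalResourceTypes": False,
                 "resourceTypes": list(resource_types)}
    else:
        group = {"allSupported": True, "includeGlobalResourceTypes": True}
    return {"name": name, "roleARN": role_arn, "recordingGroup": group}


def delivery_channel_definition(bucket, topic_arn, prefix=None, name="default"):
    channel = {"name": name, "s3BucketName": bucket, "snsTopicARN": topic_arn,
               "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}
    if prefix:
        channel["s3KeyPrefix"] = prefix
    return channel


def enable_config(bucket, topic_arn, account_id, region, prefix=None, resource_types=None):
    """Wire it all up. Assumes the bucket and topic already exist. Every call
    is a put, so re-running is safe."""
    import boto3  # imported here so the pure helpers above work without boto3 installed

    iam = boto3.client("iam")
    try:  # service-linked role Config assumes to read resources; exists after the first run
        iam.create_service_linked_role(AWSServiceName=CONFIG_PRINCIPAL)
    except iam.exceptions.InvalidInputException:
        pass
    role_arn = f"arn:aws:iam::{account_id}:role/aws-service-role/{CONFIG_PRINCIPAL}/AWSServiceRoleForConfig"

    boto3.client("s3", region_name=region).put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(config_bucket_policy(bucket, account_id, prefix)))
    boto3.client("sns", region_name=region).set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(topic_policy(topic_arn, account_id)))

    config = boto3.client("config", region_name=region)
    config.put_configuration_recorder(ConfigurationRecorder=recorder_definition(role_arn, resource_types))
    config.put_delivery_channel(DeliveryChannel=delivery_channel_definition(bucket, topic_arn, prefix))
    config.start_configuration_recorder(ConfigurationRecorderName="default")
```

Call enable_config("my-config-bucket", "arn:aws:sns:us-east-1:123456789012:config-changes", "123456789012", "us-east-1") from a session with Config, S3, SNS and IAM rights. Pass resource_types=["AWS::EC2::SecurityGroup", ...] when you want to hold down the per-item charge, but remember that global resources (IAM) are then not recorded, so IAM-based rules will have nothing to evaluate.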

What’s This Going to Cost Me?

  • $0.003 USD / configuration item recorded
    • i.e. resource state at a given time
    • Limit resource types as needed
  • $2 USD / Config Rule
  • $0.10 / 1000 rule evaluations
    • 20k/rule for free

Demo - Basic Usage

  • Enable AWS Config
    • SNS/S3 setup
  • Resource view
    • Correcting compliance problems
  • History / Snapshotting

Globomantics


Summary

  • Inventory / Compliance Problem
  • Other Tools
  • AWS Config
    • Cheap
    • Integrated
    • Powerful
    • Awesome
  • Basic setup of AWS Config
  • Current / historical resource state

Continuous Assessment

Overview

  • Continuous Assessment?
  • AWS Config Rules
    • Built-in
    • Third-party
    • Custom
  • Demo: Continuous Assessment at Globomantics
    • AWS Lambda + Python

Momentary Assessment


Continuous Assessment


Assessment Types

Momentary

  • Demand-driven
  • Long-running
  • Often outdated
  • Difficult to react to

Continuous

  • Event-driven / periodic
  • Quick-running
  • Most recent data
  • Easily reacted to

AWS Config - Event Driven


AWS Config - Periodic


Sources of Rules


Shared Rule Properties

  • Event-driven / Periodic
  • Resource / Tag Scope
    • Or all!
  • Parameters
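The three shared properties above map directly onto the ConfigRule structure that put_config_rule takes. The following builders, an added example rather than anything from the deck, show where trigger, scope and parameters live for a built-in rule (RESTRICTED_INCOMING_TRAFFIC on security groups) and for a custom periodic Lambda rule. The Lambda ARN, rule names and account id are placeholders; boto3 is imported only in put_rules so the builders can be tested offline.

```python
"""Rule definitions for put_config_rule showing the three properties every
rule shares: trigger (change-driven or periodic), scope (resource types, a
tag, or everything) and parameters. Added example, not the deck's demo code;
the Lambda ARN and rule names are placeholders."""
import json

PERIODIC_FREQUENCIES = ("One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours")


def _scope(resource_types=None, tag_key=None, tag_value=None):
    """Scope block; return None to evaluate every recorded resource ("Or all!")."""
    if resource_types and tag_key:
        raise ValueError("scope by resource types or by tag, not both")
    if resource_types:
        return {"ComplianceResourceTypes": list(resource_types)}
    if tag_key:
        return {"TagKey": tag_key, **({"TagValue": tag_value} if tag_value else {})}
    return None


def _parameters(parameters):
    """InputParameters is a JSON string (max 1024 chars); managed rules expect string values."""
    if not parameters:
        return None
    encoded = json.dumps({k: str(v) for k, v in parameters.items()})
    if len(encoded) > 1024:
        raise ValueError("InputParameters exceeds 1024 characters")
    return encoded


def _assemble(name, source, scope, parameters):
    rule = {"ConfigRuleName": name, "Source": source}
    if scope:
        rule["Scope"] = scope
    if parameters:
        rule["InputParameters"] = parameters
    return rule


def managed_rule(name, identifier, resource_types=None, tag_key=None, tag_value=None, parameters=None):
    """AWS-managed rule: AWS fixes the trigger type, so no SourceDetails are given."""
    return _assemble(name, {"Owner": "AWS", "SourceIdentifier": identifier},
                     _scope(resource_types, tag_key, tag_value), _parameters(parameters))


def custom_rule(name, lambda_arn, periodic=None, resource_types=None, tag_key=None, tag_value=None,
                parameters=None):
    """Custom Lambda rule. periodic=None means change-triggered; otherwise pass a frequency."""
    if periodic:
        if periodic not in PERIODIC_FREQUENCIES:
            raise ValueError(f"MaximumExecutionFrequency must be one of {PERIODIC_FREQUENCIES}")
        details = [{"EventSource": "aws.config", "MessageType": "ScheduledNotification",
                    "MaximumExecutionFrequency": periodic}]
    else:
        # Oversized items are not inlined in the event; the Lambda must fetch them
        # with get_resource_config_history, so subscribe to that message type too.
        details = [{"EventSource": "aws.config", "MessageType": m}
                   for m in ("ConfigurationItemChangeNotification",
                             "OversizedConfigurationItemChangeNotification")]
    source = {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": lambda_arn, "SourceDetails": details}
    return _assemble(name, source, _scope(resource_types, tag_key, tag_value), _parameters(parameters))


def globomantics_rules(inactive_users_lambda_arn):
    """Two of the deck's example rules: built-in restricted ports (change-driven,
    scoped to security groups) and a custom periodic inactive-users check."""
    return [
        managed_rule("restricted-common-ports", "RESTRICTED_INCOMING_TRAFFIC",
                     resource_types=["AWS::EC2::SecurityGroup"],
                     parameters={"blockedPort1": 22, "blockedPort2": 3389}),
        custom_rule("iam-inactive-users", inactive_users_lambda_arn,
                    periodic="TwentyFour_Hours", parameters={"maxIdleDays": 90}),
    ]


def put_rules(rules, account_id, region):
    """Create or update the rules. A custom rule fails unless AWS Config may invoke its Lambda."""
    import boto3  # imported here so the builders above run without boto3

    lam = boto3.client("lambda", region_name=region)
    config = boto3.client("config", region_name=region)
    for rule in rules:
        source = rule["Source"]
        if source["Owner"] == "CUSTOM_LAMBDA":
            try:
                lam.add_permission(FunctionName=source["SourceIdentifier"], StatementId="AWSConfigInvoke",
                                   Action="lambda:InvokeFunction", Principal="config.amazonaws.com",
                                   SourceAccount=account_id)
            except lam.exceptions.ResourceConflictException:
                pass  # permission statement already present
        config.put_config_rule(ConfigRule=rule)
```

The SourceAccount on the Lambda permission is the same idea as on the delivery bucket: AWS Config is a shared service principal, so scope its invoke right to your own account.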

Built-in Rules

  • Managed by AWS
    • 100% working
  • Expanded frequently
  • Common needs
    • Instance types
    • Password policy
    • Attached EIPs
    • ...

Third-party Rules

  • Community-supported
    • https://github.com/awslabs/aws-config-rules
  • Multiple Languages
  • Good learning tool
  • Very useful rules
    • VPC flow logs
    • Inactive users
    • IAM MFA
    • ...

Custom Rules

  • Create a Lambda!
  • Infinitely expandable
  • Easy to implement
    • Many examples

Demo - Adding AWS Config Rules

  • CIS for Globomantics
  • Built-in
    • Restricted ports (event-driven)
  • Third-party
    • VPC flow logs (event-driven)
  • Custom
    • Inactive users (periodic)
  • Expect detailed code!
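A custom periodic rule of the "inactive users" kind, written as a Python Lambda handler. This is an added example and not the deck's demo code. It assumes a rule parameter named maxIdleDays, an execution role with iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed and config:PutEvaluations, and that the rule is attached with a ScheduledNotification trigger. The evaluation logic is kept separate from the boto3 calls, and the sample users at the bottom are constructed so the logic can be exercised offline. Two details a periodic rule has to get right: the ordering timestamp should come from the invoking event, not the clock, and put_evaluations takes at most 100 evaluations per call.

```python
"""Periodic AWS Config custom rule (Python 3 Lambda) that marks IAM users
NON_COMPLIANT when neither their password nor any access key has been used
for maxIdleDays. Added example, not the deck's demo code. The sample data
at the bottom is constructed for offline testing."""
import json
from datetime import datetime, timedelta, timezone

RESOURCE_TYPE = "AWS::IAM::User"
DEFAULT_MAX_IDLE_DAYS = 90


def parse_parameters(event):
    """ruleParameters arrives as a JSON string; reject nonsense rather than default silently."""
    params = json.loads(event.get("ruleParameters") or "{}")
    days = int(params.get("maxIdleDays", DEFAULT_MAX_IDLE_DAYS))
    if days <= 0:
        raise ValueError("maxIdleDays must be a positive integer")
    return days


def last_activity(user):
    """Most recent of: console password use, any access key use, account creation.
    Creation counts so a brand-new user gets a grace period instead of an instant finding."""
    stamps = [user["CreateDate"], user.get("PasswordLastUsed"), *user.get("KeysLastUsed", [])]
    return max(s for s in stamps if s is not None)


def evaluate_users(users, now, max_idle_days, ordering_timestamp=None):
    """Return put_evaluations-ready entries, one per user."""
    cutoff = now - timedelta(days=max_idle_days)
    evaluations = []
    for user in users:
        seen = last_activity(user)
        idle_days = (now - seen).days
        note = f"{user['UserName']}: last activity {seen.date().isoformat()} ({idle_days} days ago, limit {max_idle_days})"
        evaluations.append({
            "ComplianceResourceType": RESOURCE_TYPE,
            "ComplianceResourceId": user["UserId"],
            "ComplianceType": "COMPLIANT" if seen >= cutoff else "NON_COMPLIANT",
            "Annotation": note[:256],  # annotation limit is 256 characters
            "OrderingTimestamp": ordering_timestamp or now,
        })
    return evaluations


def collect_users(iam):
    """Pull users and their key usage through boto3 (paginated)."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            keys_last_used = []
            for key in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                info = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
                if "LastUsedDate" in info:  # absent when the key has never been used
                    keys_last_used.append(info["LastUsedDate"])
            users.append({"UserId": u["UserId"], "UserName": u["UserName"], "CreateDate": u["CreateDate"],
                          "PasswordLastUsed": u.get("PasswordLastUsed"), "KeysLastUsed": keys_last_used})
    return users


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run without boto3

    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ScheduledNotification":
        raise ValueError("this rule is periodic; attach it with a ScheduledNotification trigger")
    ordering = datetime.fromisoformat(invoking["notificationCreationTime"].replace("Z", "+00:00"))
    max_idle = parse_parameters(event)

    evaluations = evaluate_users(collect_users(boto3.client("iam")),
                                 datetime.now(timezone.utc), max_idle, ordering)
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # put_evaluations accepts at most 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations),
            "non_compliant": sum(e["ComplianceType"] == "NON_COMPLIANT" for e in evaluations)}


# Constructed sample data for running and testing offline.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_users():
    def ago(days):
        return SAMPLE_NOW - timedelta(days=days)
    return [
        {"UserId": "AIDA0001", "UserName": "alice", "CreateDate": ago(400), "PasswordLastUsed": ago(3), "KeysLastUsed": []},
        {"UserId": "AIDA0002", "UserName": "bob", "CreateDate": ago(400), "PasswordLastUsed": ago(200), "KeysLastUsed": [ago(10)]},
        {"UserId": "AIDA0003", "UserName": "carol", "CreateDate": ago(400), "PasswordLastUsed": None, "KeysLastUsed": [ago(120)]},
        {"UserId": "AIDA0004", "UserName": "dave", "CreateDate": ago(5), "PasswordLastUsed": None, "KeysLastUsed": []},
    ]
```

With the default 90 days, carol is the only NON_COMPLIANT user: her last key use is 120 days old, bob's key was used 10 days ago, and dave's account is too new to judge. Tighten maxIdleDays to 7 and bob becomes a finding as well.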

Summary

  • Continuous Assessment
  • AWS Config Rules
    • Built-in
    • Third-party
    • Custom
  • Implementation
    • CIS rules: https://goo.gl/h7jblh

Continuous Compliance

Overview

  • Continuous Compliance?
  • Which Rules Fit?
  • AWS Config Implementation
  • Demo: Continuous Compliance at Globomantics
    • AWS Lambda + Python

Manual Compliance


Continuous Compliance


Which Rules Fit?

  • Automatable response
    • AWS APIs / third party APIs
  • Low-impact
    • Low change scope = more trust
    • Unless you’re confident!
  • Failure Detectable
    • Tell someone if the problem can’t be fixed!

Example Rules

Optimal

  • VPC flow logs enabled
  • Ports open to the Internet
  • Rotate access keys every 90 days (partially)
  • Password policy enforced

Non-optimal

  • Environment tag on all resources
  • MFA enabled for all users
  • EC2 instances use specific tenancy
  • All attached volumes encrypted

How AWS Config Does it


How to React?

  • Attempt to fix the issue (obviously!)
    • Retry!
  • Alternative fixes?
  • Inform of results
    • Failure more important than success
    • Integrate with third-parties
  • Trigger re-evaluation (periodic)

Demo - “Healer” Lambda

  • “Healer” lambda
    • Delete expired access/secret keys
    • Close open ports
  • Triggering external systems
    • SES
  • Simple implementation - semi-scalable
    • Easy to expand!
  • Expect detailed code!
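A "healer" for the close-open-ports case, following the reaction pattern above: fix, retry, report (failure first), re-evaluate. This is an added example, not the deck's demo code. It assumes an EventBridge rule forwarding AWS Config "Compliance Change" events to the Lambda, an execution role with ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ses:SendEmail and config:StartConfigRulesEvaluation, and two environment variables (HEALER_FROM, HEALER_TO) holding verified SES addresses; the sample security group at the bottom is constructed. The part worth studying is offending_permissions: EC2 revokes by exact match, so the healer must rebuild each rule with only the world-open ranges, otherwise it either fails to match or throws away the private CIDRs that share the port.

```python
"""Event-driven "healer" Lambda for the ports-open-to-the-Internet rule: an
EventBridge Config compliance-change event names a NON_COMPLIANT security
group; the handler revokes only the world-open ingress on restricted ports,
retries, mails the outcome through SES, and asks AWS Config to re-evaluate.
Added example, not the deck's demo; event shape and sample group are
constructed, addresses and rule names are placeholders."""
import json
import os
import time

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"
RESTRICTED_PORTS = (22, 3389)


def parse_compliance_event(event):
    """Pull the fields the healer needs from the EventBridge event; None if not actionable."""
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::EC2::SecurityGroup":
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return {"group_id": detail["resourceId"], "rule_name": detail["configRuleName"]}


def offending_permissions(ip_permissions, restricted_ports=RESTRICTED_PORTS):
    """Build the exact IpPermissions to revoke.

    Only the 0.0.0.0/0 and ::/0 ranges of each matching rule are included, so
    other CIDRs on the same port survive. An all-ports rule that covers a
    restricted port is revoked whole (narrowing it would need a separate
    authorize call for the remainder).
    """
    revoke = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue
        low, high = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        if not any(low <= p <= high for p in restricted_ports):
            continue
        open_v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
        if not open_v4 and not open_v6:
            continue
        entry = {"IpProtocol": proto}
        if proto != "-1":
            entry.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
        if open_v4:
            entry["IpRanges"] = [{"CidrIp": WORLD_V4}]
        if open_v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": WORLD_V6}]
        revoke.append(entry)
    return revoke


def heal(ec2, group_id, restricted_ports=RESTRICTED_PORTS, attempts=3):
    """Revoke and re-read; return what is still open so failure is detectable."""
    for attempt in range(1, attempts + 1):
        group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
        remaining = offending_permissions(group["IpPermissions"], restricted_ports)
        if not remaining:
            return []
        try:
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=remaining)
        except Exception:  # throttling or a concurrent edit: back off and retry
            if attempt == attempts:
                raise
            time.sleep(2 ** attempt)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    return offending_permissions(group["IpPermissions"], restricted_ports)


def report(ses, sender, recipient, subject, body):
    ses.send_email(Source=sender, Destination={"ToAddresses": [recipient]},
                   Message={"Subject": {"Data": subject}, "Body": {"Text": {"Data": body}}})


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run offline

    target = parse_compliance_event(event)
    if target is None:
        return {"action": "ignored"}
    ec2, ses, config = boto3.client("ec2"), boto3.client("ses"), boto3.client("config")
    sender, recipient = os.environ["HEALER_FROM"], os.environ["HEALER_TO"]  # assumed env vars
    try:
        remaining = heal(ec2, target["group_id"])
        status = "healed" if not remaining else "still_open"
    except Exception as exc:
        remaining, status = None, f"error: {exc}"
    # Failure is the message that matters; success gets the same short note for the audit trail.
    report(ses, sender, recipient, f"[healer] {target['group_id']} {status}",
           json.dumps({"group": target["group_id"], "status": status, "remaining": remaining}, default=str))
    try:  # ask Config to re-check now instead of waiting for the next change event
        config.start_config_rules_evaluation(ConfigRuleNames=[target["rule_name"]])
    except Exception:
        pass  # throttled if called again within a minute; the next change event re-evaluates anyway
    return {"action": status, "remaining": remaining}


def sample_group_permissions():
    """Constructed security group: SSH open to the world and a private range,
    HTTPS open to the world (allowed), RDP open over IPv6, all-ports from a private range."""
    return [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
    ]
```

Against the sample group the healer revokes exactly two entries (world-open SSH over IPv4 and world-open RDP over IPv6), leaves the 10.0.0.0/8 SSH rule and the public HTTPS rule alone, and ignores the all-ports private rule. The revoke list is what an auditor should see in the SES mail.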

Summary

  • Continuous Compliance
  • Rules that fit
    • Automatable
    • Low impact
    • Failure detectable
  • AWS Config Implementation
  • How to React
  • Demo - “healer” lambda

Questions?


Thanks for Watching!