
Config Rules

Components of an AWS Config Rule

AWS Config rules evaluate whether the resource configurations recorded in your AWS environment meet conditions you define, and report each evaluated resource as compliant or non-compliant. There are two types of rules: AWS Config Managed Rules and AWS Config Custom Rules.

Types of AWS Config Rules:

  1. AWS Config Managed Rules:

    • Predefined rules written and maintained by AWS. Most accept input parameters so you can tune the threshold without writing code.

    • Example: the managed rule ACCESS_KEYS_ROTATED checks whether active IAM access keys have been rotated within the number of days given by its maxAccessKeyAge parameter.

  2. AWS Config Custom Rules:

    • Written by you, using one of two mechanisms:

      • AWS Lambda: a function you own receives the configuration item (or a scheduled trigger) and reports compliance back to AWS Config. These are Custom Lambda Rules.

      • Guard (AWS's policy-as-code language): a policy evaluated by AWS Config itself, with no Lambda function to deploy or maintain. These are Custom Policy Rules.

    • For Custom Lambda Rules, the AWS Config Rules Development Kit (RDK) scaffolds, tests and deploys the rule, and RDKlib supplies the Python base class and evaluator shown below.

Key Components of AWS Config Managed Rules:

  • defaultName: The default name of the rule.

  • description: A brief summary of the rule, including the non-compliant scenario.

  • scope: Defines the targeted resource types.

  • compulsoryInputParameterDetails: Required parameters for rule evaluation.

  • optionalInputParameterDetails: Optional parameters for evaluation.

  • supportedEvaluationModes: Specifies if resources are evaluated after deployment (DETECTIVE) or before deployment (PROACTIVE).

AWS Config Custom Rule Structure:

  • evaluate_parameters: Validates the rule's input parameters and returns the cleaned set that the other two methods receive as valid_rule_parameters; invalid input should raise an error rather than be silently accepted.

  • evaluate_change: Runs when a configuration change triggers the rule and receives the changed configuration item to judge.

  • evaluate_periodic: Runs on the rule's schedule; since no single configuration item is supplied, it must enumerate the resources itself (via the supplied client factory) and return one evaluation per resource.

Evaluation Modes:

  • DETECTIVE Mode: Evaluates resources that already exist, either when their configuration changes or on a schedule. This is the mode that surfaces drift and attacker-introduced changes after the fact.

  • PROACTIVE Mode: Evaluates a proposed resource configuration before it is deployed (for example from a pipeline), so a non-compliant change can be blocked instead of detected later. Not every rule or resource type supports proactive evaluation, so confirm support before relying on it.

Custom Rule Example (Python):

from rdklib import ConfigRule, Evaluator, Evaluation, ComplianceType, InvalidParametersError

# Resource types this rule evaluates. Replace the placeholder with a real
# type such as "AWS::EC2::SecurityGroup".
APPLICABLE_RESOURCES = ["AWS::Resource::Type"]

class CustomConfigRule(ConfigRule):
    def evaluate_parameters(self, rule_parameters):
        # Validate and normalise the input parameters here; raise
        # InvalidParametersError on bad input. Whatever is returned is passed
        # to the evaluate_* methods as valid_rule_parameters.
        return rule_parameters

    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        # Called on configuration-change triggers with the changed item.
        # Return a list of Evaluation objects; NOT_APPLICABLE is the safe
        # placeholder until real logic is added.
        return [Evaluation(ComplianceType.NOT_APPLICABLE)]

    def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
        # Called on scheduled triggers. Enumerate resources with, for example,
        # client_factory.build_client("ec2") and return one Evaluation per
        # resource, each carrying its resource id and type.
        return []

def lambda_handler(event, context):
    my_rule = CustomConfigRule()
    evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
    return evaluator.handle(event, context)

Key Concepts in Rule Creation:

  • APPLICABLE_RESOURCES: The resource types the rule targets. The Evaluator uses this list to decide which configuration items the rule should evaluate.

  • evaluate_parameters: Validates input parameters for type and range before any evaluation runs.

  • evaluate_change: The compliance logic for a single configuration item delivered by a change trigger.

  • evaluate_periodic: The compliance logic for scheduled runs, which must gather the resources to judge on its own.

Return Values for Evaluations:

  • COMPLIANT: The resource passes the compliance check.

  • NON_COMPLIANT: The resource fails the check. Attach an annotation saying which setting failed.

  • NOT_APPLICABLE: The rule does not apply to the evaluated resource (wrong type, out of scope, or deleted). Returning this for deleted resources keeps stale findings out of the dashboard.

  • INSUFFICIENT_DATA: Accepted by the underlying PutEvaluations API when the rule could not determine compliance, for example because a lookup failed.

Using Lambda with Config Rules:

  • lambda_handler: The entry point AWS Config invokes. The event carries the invoking event (the configuration item or the scheduled-trigger message), the rule parameters as a JSON string, and a result token; the handler runs the rule logic and reports the evaluations back to AWS Config with that token through the PutEvaluations API.

Best Practices:

  • Put an annotation on every NON_COMPLIANT evaluation stating which setting failed and why; it is what an analyst sees in the console and in the compliance-change event, and the API truncates annotations past 256 characters.

  • Validate and normalise input parameters up front (types, ranges, defaults) and fail the invocation on bad values rather than evaluating with them; a rule that mis-parses its threshold can report COMPLIANT for resources it should flag.

  • Return NOT_APPLICABLE for deleted or out-of-scope resources so findings do not linger after the resource is gone.

  • Use DETECTIVE mode to catch drift in deployed resources and PROACTIVE mode to block non-compliant configurations before deployment, after confirming the rule and resource type support proactive evaluation.

  • Treat compliance changes as detection signals: AWS Config publishes rule compliance-change events to EventBridge, which can feed the alerting or ticketing pipeline used for threat hunting.
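The following is an added example, not code from the CTHFM page or from the AWS RDK project. It implements the parameter validation, change evaluation, return values and annotation practices described above as a custom Lambda rule written against the raw AWS Config invocation format (invokingEvent, ruleParameters, resultToken, eventLeftScope) rather than rdklib, so it runs without that library installed. It flags EC2 security groups whose ingress rules expose a port to 0.0.0.0/0 or ::/0. The parameter name blockedPort, the security group id and the configuration item are constructed for the example; the item's shape is modelled on what AWS Config records for AWS::EC2::SecurityGroup. Only lambda_handler talks to AWS, and it imports boto3 lazily.

```python
import json

# Compliance values accepted by the AWS Config PutEvaluations API.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

APPLICABLE_RESOURCES = ["AWS::EC2::SecurityGroup"]
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


class InvalidParametersError(ValueError):
    """Raised when the rule's input parameters fail validation."""


def evaluate_parameters(rule_parameters):
    """Validate ruleParameters. blockedPort is a parameter name assumed for this
    example (hypothetical); it defaults to 22 (SSH)."""
    raw = rule_parameters.get("blockedPort", "22")
    try:
        port = int(raw)
    except (TypeError, ValueError):
        raise InvalidParametersError("blockedPort must be an integer")
    if not 0 <= port <= 65535:
        raise InvalidParametersError("blockedPort must be in the range 0-65535")
    return {"blockedPort": port}


def _permission_opens_port(perm, port):
    """True if one ipPermissions entry lets any IPv4 or IPv6 address reach port."""
    proto = perm.get("ipProtocol")
    if proto == "tcp":
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or not lo <= port <= hi:
            return False
    elif proto != "-1":  # "-1" means every protocol and every port
        return False
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    cidrs += perm.get("ipRanges", [])  # older shape: plain CIDR strings
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def evaluate_change(configuration_item, params):
    """Decide compliance for one configuration item; returns (compliance_type, annotation)."""
    if configuration_item.get("resourceType") not in APPLICABLE_RESOURCES:
        return NOT_APPLICABLE, "Resource type is out of scope for this rule"
    # A deleted resource must not stay NON_COMPLIANT in the dashboard.
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE, "Resource has been deleted"
    port = params["blockedPort"]
    for perm in configuration_item.get("configuration", {}).get("ipPermissions", []):
        if _permission_opens_port(perm, port):
            return NON_COMPLIANT, f"Ingress to port {port} is open to the internet"
    return COMPLIANT, f"No internet-open ingress to port {port}"


def build_evaluation(configuration_item, compliance, annotation):
    """Shape one result the way PutEvaluations expects it."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # the API caps annotations at 256 characters
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def evaluations_for_event(event):
    """Turn a raw Config custom-rule invocation into the list of evaluations to report."""
    invoking = json.loads(event["invokingEvent"])
    params = evaluate_parameters(json.loads(event.get("ruleParameters") or "{}"))
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        return []  # scheduled and oversized notifications need a Config API lookup, not shown here
    ci = invoking["configurationItem"]
    if event.get("eventLeftScope"):  # the resource no longer matches the rule's scope
        return [build_evaluation(ci, NOT_APPLICABLE, "Resource left the rule's scope")]
    compliance, note = evaluate_change(ci, params)
    return [build_evaluation(ci, compliance, note)]


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without the AWS SDK installed
    evaluations = evaluations_for_event(event)
    boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample (not real data): a security group with SSH open to the world.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
    ]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CI}),
    "ruleParameters": json.dumps({"blockedPort": "22"}),
    "resultToken": "constructed-token",
    "eventLeftScope": False,
}

if __name__ == "__main__":
    print(json.dumps(evaluations_for_event(SAMPLE_EVENT), indent=2))
```

Run stand-alone, the sample produces one NON_COMPLIANT evaluation with the annotation naming port 22; changing blockedPort to 443 yields COMPLIANT because that rule only admits 10.0.0.0/8. Keeping evaluate_change free of AWS calls is deliberate: the compliance logic can be unit-tested against captured configuration items, and the same function can be run offline over a Config snapshot when hunting for exposure across accounts.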

Last updated 8 months ago