Config Rules

Components of an AWS Config Rule

AWS Config rules evaluate resource configurations in your AWS environment. There are two types of rules: AWS Config Managed Rules and AWS Config Custom Rules.

Types of AWS Config Rules:

1. AWS Config Managed Rules:

   • Predefined and customizable rules provided by AWS.

   • Example: Check if access keys have been rotated within a specific period.

2. AWS Config Custom Rules:

   • Created from scratch using:

     • AWS Lambda: Known as Custom Lambda Rules.

     • Guard (Policy-as-code language): Known as Custom Policy Rules.

   • Developers can use the Config Rules Development Kit (RDK) and RDKlib to build these rules.

Key Components of AWS Config Managed Rules:

• defaultName: The default name of the rule.

• description: A brief summary of the rule, including the non-compliant scenario.

• scope: Defines the targeted resource types.

• compulsoryInputParameterDetails: Required parameters for rule evaluation.

• optionalInputParameterDetails: Optional parameters for evaluation.

• supportedEvaluationModes: Specifies if resources are evaluated after deployment (DETECTIVE) or before deployment (PROACTIVE).

AWS Config Custom Rule Structure:

• evaluate_parameters: Validates the input parameters for the rule.

• evaluate_change: Evaluates configuration changes when triggered.

• evaluate_periodic: Runs evaluations at predefined intervals.

Evaluation Modes:

• DETECTIVE Mode: Evaluates already deployed resources.

• PROACTIVE Mode: Evaluates resources before deployment to check potential compliance issues.

Custom Rule Example (Python):

from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType

APPLICABLE_RESOURCES = ["AWS::Resource::Type"]

class CustomConfigRule(ConfigRule):
    def evaluate_parameters(self, rule_parameters):
        return rule_parameters

    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        # Add custom logic here
        pass

    def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
        # Add custom logic here
        pass

def lambda_handler(event, context):
    my_rule = CustomConfigRule()
    evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
    return evaluator.handle(event, context)

Key Concepts in Rule Creation:

• APPLICABLE_RESOURCES: Defines the resource types targeted by the rule.

• evaluate_parameters: Validates input parameters for correctness.

• evaluate_change: Logic for evaluating changes triggered by events.

• evaluate_periodic: Logic for periodic evaluations.

Return Values for Evaluations:

• COMPLIANT: The resource passes the compliance check.

• NON_COMPLIANT: The resource fails the check.

• NOT_APPLICABLE: The rule does not apply to the evaluated resource.

Using Lambda with Config Rules:

• lambda_handler: Processes events passed to the Lambda function. It executes the custom rule logic and returns evaluation results.

Best Practices:

• Use annotations for non-compliant evaluations to provide clear explanations.

• Follow best practices for parameter validation to ensure accurate evaluations.

• Utilize both DETECTIVE and PROACTIVE modes for comprehensive compliance management.