In this lab I will create a managed rule in AWS Config, then a custom rule for AWS Config. The custom rule uses a Lambda function that detects compliance breaches.

Services Covered

  • AWS Config
  • Lambda

Lab description

In this lab I will create a managed rule in AWS Config, then a custom rule for AWS Config. The custom rule uses a Lambda function that detects whether a security group allows incoming TCP traffic on the default RDP port. I will practice investigating non-compliant resources and modifying configurations to bring them into compliance.


Learning Objectives

  • Set up a configuration recorder
  • Use an AWS managed rule to enforce compliance
  • Create a Lambda function for a custom Config rule

Lab date

17-11-2021


Prerequisites

  • AWS account
  • A security group that allows RDP traffic on port 3389 and has no tags

Lab steps

  1. Set up AWS Config using the setup form. Create a new AWS Config role if you don’t have one. Create a bucket. Don’t add any rules at this time. Confirm the creation of AWS Config.
  2. Add a new rule. Choose required-tags from the managed rules.
    (screenshot: lab44_config_rules)
    In the Configure rule form, keep the default values for the Name, Description, and Scope of changes fields. Under Resources, choose only AWS EC2 SecurityGroup. In the Parameters section at the bottom of the form, enter: tag1Key: Deployment, tag1Value: Blue, Green.
    (screenshot: lab44_config_keys)
    Add the rule.
  3. In the lab environment there is one security group that is noncompliant. Adding the required tags makes it compliant with the rule.
  4. Add another rule, this time a custom rule. This one checks whether inbound RDP traffic over TCP is allowed. Go to the Lambda dashboard and create a function. Choose Node.js as the runtime. The Lambda function needs an execution role that allows it to describe security groups (ec2.describeSecurityGroups) and to put evaluations into AWS Config (config.putEvaluations). Copy the code from index.js. Change the function’s timeout to 30 seconds. Copy the function’s ARN and, back in the Config rule creator, paste it.
    (screenshot: lab44_config_custom_rule)

    For the trigger configuration use the following:
    (screenshot: lab44_config_custom_rule_trigger)

  5. After some time the AWS Config rule will evaluate and report that there is one noncompliant resource:
    (screenshot: lab44_noncompliantrule)
  6. Go to the noncompliant security group, choose Manage resource, then Edit inbound rules and delete the RDP rule from the security group. After some time the disallow-rdp-ingress rule should report that all resources are compliant.
    (screenshot: lab44_compliantrule)
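The following is an added example of the kind of Lambda function step 4 describes; it is not the lab’s own index.js. It assumes the custom rule is triggered by configuration changes and scoped to AWS::EC2::SecurityGroup, so the invoking event carries the changed security group as its configurationItem. It uses the AWS SDK v2 call names the lab refers to (ec2.describeSecurityGroups, config.putEvaluations); the sample security-group responses at the bottom are constructed for offline testing and do not come from the lab.

```javascript
// Added example (not the lab's index.js): Lambda handler for an AWS Config
// custom rule that reports a security group NON_COMPLIANT when any inbound
// rule admits TCP traffic on the default RDP port (3389).
const RDP_PORT = 3389;

// Does one IpPermissions entry (shape returned by ec2.describeSecurityGroups)
// cover TCP/3389? IpProtocol "-1" means every protocol on every port.
function permissionCoversRdp(perm) {
  const proto = String(perm.IpProtocol);
  if (proto === "-1") return true;
  if (proto !== "tcp" && proto !== "6") return false;
  // Defensive: a TCP entry with no port range is treated as all ports.
  if (perm.FromPort == null || perm.ToPort == null) return true;
  return perm.FromPort <= RDP_PORT && RDP_PORT <= perm.ToPort;
}

// Verdict for one security group object; source-agnostic, like the lab's
// description (narrow to 0.0.0.0/0 if only internet exposure should count).
function evaluateSecurityGroup(group) {
  const ingress = group.IpPermissions || [];
  return ingress.some(permissionCoversRdp) ? "NON_COMPLIANT" : "COMPLIANT";
}

// Only live security groups get a real verdict; anything else is NOT_APPLICABLE.
function isEvaluable(ci) {
  return ci.resourceType === "AWS::EC2::SecurityGroup" &&
         ci.configurationItemStatus !== "ResourceDeleted";
}

// Evaluation record in the shape config.putEvaluations expects.
function buildEvaluation(ci, complianceType, annotation) {
  return {
    ComplianceResourceType: ci.resourceType,
    ComplianceResourceId: ci.resourceId,
    ComplianceType: complianceType,
    Annotation: annotation,
    OrderingTimestamp: ci.configurationItemCaptureTime,
  };
}

// Pure decision step: configuration item + describeSecurityGroups response in,
// evaluation out. Kept free of SDK calls so it can be unit-tested offline.
function decide(ci, describeResponse) {
  if (!isEvaluable(ci)) {
    return buildEvaluation(ci, "NOT_APPLICABLE", "Only existing security groups are evaluated");
  }
  const group = (describeResponse.SecurityGroups || [])[0];
  if (!group) {
    return buildEvaluation(ci, "NOT_APPLICABLE", "Security group not found");
  }
  const verdict = evaluateSecurityGroup(group);
  const note = verdict === "COMPLIANT"
    ? "No inbound rule allows TCP/3389"
    : "An inbound rule allows TCP/3389 (RDP)";
  return buildEvaluation(ci, verdict, note);
}

// Lambda entry point. aws-sdk v2 is required lazily so the pure functions
// above load without it (Node.js 18+ runtimes no longer bundle v2).
async function handler(event) {
  const AWS = require("aws-sdk");
  const ec2 = new AWS.EC2();
  const config = new AWS.ConfigService();

  const ci = JSON.parse(event.invokingEvent).configurationItem;
  let describeResponse = { SecurityGroups: [] };
  if (isEvaluable(ci)) {
    describeResponse = await ec2
      .describeSecurityGroups({ GroupIds: [ci.resourceId] })
      .promise();
  }

  const evaluation = decide(ci, describeResponse);
  await config
    .putEvaluations({ Evaluations: [evaluation], ResultToken: event.resultToken })
    .promise();
  return evaluation;
}

// Constructed sample data (not from the lab) for offline checks.
const SAMPLE_CI = {
  resourceType: "AWS::EC2::SecurityGroup",
  resourceId: "sg-0123456789abcdef0",
  configurationItemStatus: "OK",
  configurationItemCaptureTime: "2021-11-17T10:00:00.000Z",
};
const SAMPLE_OPEN_RDP = { SecurityGroups: [{ GroupId: SAMPLE_CI.resourceId, IpPermissions: [
  { IpProtocol: "tcp", FromPort: 3389, ToPort: 3389, IpRanges: [{ CidrIp: "0.0.0.0/0" }] },
] }] };
const SAMPLE_HTTPS_ONLY = { SecurityGroups: [{ GroupId: SAMPLE_CI.resourceId, IpPermissions: [
  { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }] },
] }] };

if (typeof module !== "undefined") {
  module.exports = { handler, decide, evaluateSecurityGroup, buildEvaluation };
}
```

The execution role for this function needs exactly the two permissions the lab names: describing security groups and putting evaluations into AWS Config. The decision is split out of the handler so the port-range and protocol edge cases (a wide TCP range that happens to include 3389, or an all-protocols rule) can be checked without touching AWS.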

Lab files

  • lambda – Lambda function that describes security groups and reports their compliance
