- AWS Config
In this lab I will create a managed rule in AWS Config and then a custom rule for AWS Config. The custom rule uses a Lambda function that detects whether a security group allows incoming TCP traffic on the default RDP port (3389). I will practice investigating non-compliant resources and modifying configurations to bring them into compliance.
- Setting up a configuration recorder
- Use AWS Managed Rule to bring compliance
- Create a Lambda function for a custom Config rule
- AWS account
- A security group allowing RDP traffic on port 3389 and with no tags
- Set up AWS Config using the setup form. Create a new AWS Config role if you don’t have one. Create a bucket for the configuration history. Don’t add any rules at this time. Confirm the creation of AWS Config.
- Add new rules. Choose required-tags from Managed Rules.
In the Configure rule form, keep the default values for the Name, Description, and Scope of changes fields. For Resources, choose only AWS EC2 SecurityGroup. In the Parameters section at the bottom of the form, enter: tag1Key: Deployment, tag1Value: Blue, Green.
- In the lab environment there is one security group that is noncompliant. Adding the required tags makes it compliant with the rule.
- Add another rule, but this time a custom rule. This one will check whether RDP traffic over TCP is allowed. Go to the Lambda dashboard and create a function. Choose Node.js as the runtime. The Lambda function needs a role that allows it to describe security groups (ec2.describeSecurityGroups) and to put evaluations into AWS Config (config.putEvaluations). Copy the code from index.js. Change the Lambda function’s timeout to 30 seconds. Copy the Lambda function’s ARN and, back in the Config rule creator, paste it in.
For the trigger configuration use the following:
- After some time the AWS Config rule will evaluate the security groups and report that there is one noncompliant resource:
- Go to the noncompliant security group, choose Manage resource, then Edit inbound rules and delete the RDP rule from the security group. After some time the dissalow-rdp-ingress rule should report that all resources are compliant.
- lambda – the Lambda function (index.js) that describes security groups and reports evaluations to AWS Config