Cloud Governance is the process of defining and creating policies to control costs, minimize security risks, and improve efficiency. On AWS, cloud security often starts with preventive and detective guardrails. We will be discussing cloud security using AWS Config here, otherwise known as detective guardrails.
What is AWS Config?
AWS Config is a service that records configuration changes to your AWS resources. This includes recording how resources are connected to one another, such as an EBS volume attached to an EC2 instance. Because changes are recorded, you can see how resources were configured in the past. For a full list of supported AWS resource types, see the AWS documentation.
What is an AWS Config Rule?
An AWS Config Rule is a representation of the desired state for your infrastructure. Config rules can be triggered by configuration changes or periodically. Config rules come in two varieties, AWS managed and custom. AWS managed rules are predefined, maintained by AWS, and usually define common best practices. Custom rules are coded in Guard or Lambda.
What does AWS Config Do?
AWS config allows you to monitor your infrastructure for violations of security policies and take action to resolve the policy violations. AWS Systems Manager is used to automate the remediation non-compliant resources. Config provides you a dashboard showing all of your compliant and non-compliant resources so that you may manually remediate the resources if no automated remediation is available.
Cloud Security using AWS Config
AWS Config provides more than 290 AWS managed rules. Most of these rules address a specific security concern for an AWS resource. For example, one of the rules that is hard to encapsulate as a preventive guardrail using SCPs is checking that access keys have been rotated, but AWS provides a managed rule to do this. Other AWS managed rules target SSL, backups, logging, and IAM security. If you can’t find exactly what you need in the AWS managed rules, you can write your own rule. If you are the only one using an AWS account and know your security backwards and forwards, cloud security using AWS Config may be overkill, but for the average multi-user AWS account provides automated checks for common security deficiencies.
AWS Config integrates with AWS Organizations and AWS Control Tower to help automate cloud security across multiple AWS accounts. Your security team can manage cloud security using AWS Config because it can be centralized.
A conformance pack is a collection of AWS Config rules that can be deployed as a single unit. A conformance pack is a good way to encapsulate broader policies into a single entity. For example, your organization may mandate that all connections are encrypted in transit. You can build a conformance pack to check each service for encryption in transit using multiple config rules.