@stavxyz
Last active December 5, 2016 19:10
AWS Config Rules

AWS Managed Config Rules

AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.

You can enable and customize these rules in the AWS Config console; the steps are in the AWS Config developer guide under "To set up and activate an AWS managed rule (Console)".

...but of course we prefer to automate.

All config rules have a SourceIdentifier key/attribute. For AWS Managed config rules, the value is one of the identifiers from any of the supplied managed rules found in the table here. In the non-managed case, the SourceIdentifier value is set to the AWS Lambda function ARN where the rule's logic lives. Don't confuse this with ConfigRuleArn, which you do not need to supply when creating a rule (managed or not). This value is generated by AWS Config for new rules.

Example managed rule identifiers:

  • CLOUD_TRAIL_ENABLED
  • EIP_ATTACHED
  • ENCRYPTED_VOLUMES
  • INCOMING_SSH_DISABLED
  • INSTANCES_IN_VPC
  • REQUIRED_TAGS
  • RESTRICTED_INCOMING_TRAFFIC

We'll use the PutConfigRule call to create the rules. The ConfigRuleName attribute will be required (managed or not). If you are updating a rule that you have added previously, specify the rule's ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.

Objective

Automatically configure and enable all managed rules for all applicable regions where AWS Config is available.

Parameters

Source Details

Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.

Scope

Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.

Notes

As of 04/07/2016, the maximum number of rules that AWS Config supports is 25 per account.

Links

AWS Config Supported Regions
AWS Config Common Parameters
PutConfigRule

#! /usr/bin/env python
"""Puts managed config rules.

"SourceDetails": [
    {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
    }
]
"""
from __future__ import print_function
import json
import boto3
import slugify

# https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html


def cloud_trail_enabled(s3BucketName=None, snsTopicArn=None,
                        cloudWatchLogsLogGroupArn=None):
    """Return a json string of input parameters for CLOUD_TRAIL_ENABLED.

    Parameters left as None are dropped so that only values actually
    supplied reach PutConfigRule's InputParameters.
    """
    input_parameters = {
        's3BucketName': s3BucketName,
        'snsTopicArn': snsTopicArn,
        'cloudWatchLogsLogGroupArn': cloudWatchLogsLogGroupArn,
    }
    return json.dumps({k: v for k, v in input_parameters.items()
                       if v is not None})


# Managed rule identifier -> function returning its InputParameters json
# (None when the rule takes no parameters).
MANAGED_IDENTIFIERS = {
    'CLOUD_TRAIL_ENABLED': cloud_trail_enabled,
    'EIP_ATTACHED': None,
    'ENCRYPTED_VOLUMES': None,
    'INCOMING_SSH_DISABLED': None,
    'INSTANCES_IN_VPC': None,
    # 'REQUIRED_TAGS': None,
    'RESTRICTED_INCOMING_TRAFFIC': None,
}


def main(args):
    client = boto3.client('config')
    # Scope is not required
    for identifier, param_func in MANAGED_IDENTIFIERS.items():
        rule = {
            'ConfigRuleName': slugify.slugify(identifier.lower()),
            'Source': {
                'Owner': 'AWS',
                'SourceIdentifier': identifier,
            }
        }
        # Attach InputParameters only when the rule has some to pass.
        if param_func is not None:
            params = param_func()
            if params != '{}':
                rule['InputParameters'] = params
        client.put_config_rule(ConfigRule=rule)
        print('Created (or updated) aws managed config rule: {}'.format(identifier))


if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(prog='AWS Managed Config Rules Manager')
    args = parser.parse_args()
    main(args)
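The objective above asks for every managed rule in every region where AWS Config is available, and the notes warn about the per-account rule limit. The following is an added example, not the gist's own code: it separates building the PutConfigRule payload (pure, testable) from the region loop, and reports which rules were skipped because the account hit that limit. It assumes boto3 credentials are configured, and the Scope value and MaxNumberOfConfigRulesExceededException error code are taken from the PutConfigRule API documentation.

```python
import json

# Per-account limit quoted in the notes above (25 as of 04/07/2016).
MAX_RULES_PER_ACCOUNT = 25


def build_managed_rule(identifier, input_parameters=None, scope=None):
    """Return the ConfigRule dict for an AWS managed rule.

    Only non-None input parameters are serialised, because InputParameters
    must be a JSON string of real key/value pairs. ConfigRuleArn and
    ConfigRuleId are omitted on purpose: AWS Config generates them.
    """
    rule = {
        'ConfigRuleName': identifier.lower().replace('_', '-'),
        'Source': {'Owner': 'AWS', 'SourceIdentifier': identifier},
    }
    params = {k: v for k, v in (input_parameters or {}).items() if v is not None}
    if params:
        rule['InputParameters'] = json.dumps(params, sort_keys=True)
    if scope:
        # e.g. {'ComplianceResourceTypes': ['AWS::EC2::Volume']}
        rule['Scope'] = scope
    return rule


def put_rules_everywhere(rules, session=None):
    """Create or update each rule in every region that offers AWS Config.

    Returns {region: [identifiers skipped]} so the caller can see where the
    per-account rule cap, rather than a credentials problem, stopped rollout.
    """
    import boto3  # lazy import: the builder above needs no AWS dependencies
    from botocore.exceptions import ClientError

    session = session or boto3.session.Session()
    skipped = {}
    for region in session.get_available_regions('config'):
        client = session.client('config', region_name=region)
        for rule in rules:
            try:
                client.put_config_rule(ConfigRule=rule)
            except ClientError as err:
                code = err.response['Error']['Code']
                if code != 'MaxNumberOfConfigRulesExceededException':
                    raise
                skipped.setdefault(region, []).append(
                    rule['Source']['SourceIdentifier'])
    return skipped
```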