Understanding AWS-Config Rules and Confuguration Changes

374 views Asked by At

I am currently using the aws-cdk and my task is to create config rules for 15 or so rules that we want to watch and receive notifications on. Here is my code for reference:

 const vpcFlowLoggingBucket = new s3.Bucket(this,'vpcFlowLoggingBucket', {
              accessControl:s3.BucketAccessControl.LOG_DELIVERY_WRITE
      
            });
            const generalConfigRole = new iam.Role(this,  'generalConfigRole',{
              assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
            });

            const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
              identifier: 'CLOUD_TRAIL_ENABLED'
            });
            const  iamPasswordPolicyRule = new ManagedRule(this, 'iamPasswordPolicyRule',{
              identifier: 'IAM_PASSWORD_POLICY'
            });
            const userGroupMembershipRule = new ManagedRule(this, 'userGroupMembershipRule',{
              identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK'
            });

            const userPolicyRule = new ManagedRule(this,'userPolicyRule',{
              identifier: 'IAM_USER_NO_POLICIES_CHECK'
            });
            const rootAccountMfaEnabledRule = new ManagedRule(this, 'rootAccountMfaEnabledRule',{
              identifier: 'ROOT_ACCOUNT_MFA_ENABLED'
            });
            const accessKeysRotatedRule = new ManagedRule(this, 'accessKeysRotatedRule',{
              identifier:'ACCESS_KEYS_ROTATED',
              inputParameters: {
                maxAccessKeyAge: 100, //rule triggers off of config change and keys must be rotated within 100 days
                configurationChanges: true
              }

              //TODO reference your custom lambda for this
              //Parameters need to be specified here for the amount of days to rotate
            });
            const cloudTrailEncryptionRule = new ManagedRule(this, 'cloudTrailEncryptionRule' ,{
              identifier:'CLOUD_TRAIL_ENCRYPTION_ENABLED'
            });
            const defaultSecurityGroupEniRule = new ManagedRule(this, 'defaultSecurityGroupEniRule',{
              identifier:'EC2_SECURITY_GROUP_ATTACHED_TO_ENI'
            });

            const ebsVolumeEncryption = new ManagedRule(this, 'ebsVolumeEncryption',{
              identifier:'EC2_EBS_ENCRYPTION_BY_DEFAULT'
            });
            const rdsStorageEncryptionRule = new ManagedRule(this, 'rdsStorageEncryptionRule',{
              identifier: 'RDS_STORAGE_ENCRYPTED'
              //This may need the arn of the kms key used for encryption
            });

            const s3BucketLoggingEnabledRule = new ManagedRule(this, 's3BucketLoggingEnabledRule',{
              identifier: 'S3_BUCKET_LOGGING_ENABLED'
              //@aroesec may be able to use a custom rule here for this one and my lambda
            // TODO add custom lambda to this for future purposes
            });
            const s3BucketServerSideEncryptionRule = new ManagedRule(this, 's3BucketServerSideEncryptionRule',{
              identifier:'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
              //@aroesec may be able to use a custom rule here for my lambda
            // TODO add custom lambda to this for future purposes
            });

            const vpcFlowLogsEnabledRule = new ManagedRule(this, 'vpcFlowLogsEnabledRule',{
              identifier:'VPC_FLOW_LOGS_ENABLED',
              inputParameters: {
                trafficType:'ALL', //vpcs must track all traffic (ALLOW and DENY) with this rule
                configurationChanges: true
              }
            });

            const vpcDefaultSecurityGroupRule = new ManagedRule(this, 'vpcDefaultSecurityGroupRule',{
              identifier:'VPC_DEFAULT_SECURITY_GROUP_CLOSED'
            });

            const mfaEnabledForConsoleAccessRule = new ManagedRule(this, 'mfaEnabledForConsoleAccessRule',{
              identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS'
            });

            const rdsMultiAvailZoneRule = new ManagedRule(this, 'rdsMultiAvailZoneRule',{
              identifier:'RDS_MULTI_AZ_SUPPORT'
            });
          }

        }

My issue is this, when I try to use the configurationChanges parameter and set it to True. I am looking for that config rule to scan that resource group when it notices a change there. The reason I want to do this and not use the "frequency" parameter is that our client does not want scans as frequent as 24 hours. They want them to be around 2 week scans for every rule. My question is, 1. can I make the config rules scan less frequently then 24 hours? for example, maybe weekly? 2. Can I make a lambda trigger the config rule to scan? For example have the lambda check for vpc flow logs and if they are not there trigger the config rule to return "incompliant". OR 3. Can I just set configurationChange to true for every config rule and let aws handle it from there? I ask this specific question because I have read something about config recorder but am not sure how to use it or if it's even necessary. Thank you all in advance!

1

There are 1 answers

0
Lee.Tan On BEST ANSWER
  1. The lowest frequency for config rule to scan is 24 hours, not slower than that if check the boto3 API.

  2. You would want the opposite, have config rule run periodically or when configuration changes.

  3. AWS doesn't know what to handle. If u go with configuration changes, you API or your code (through lambda) needs to know what to check for (ie. bucket is open to public), then when a public bucket is detected, lambda will catch it and report (PutEvaluationAP