Amazon AWS Certified Advanced Networking Specialty – Security, Risk & Compliance Part 2
3. AWS Config
Hi everyone and welcome back to the Knowledge Fold video series. Today we are going to talk about AWS Config. Before we go ahead and understand what AWS Config is, let's look into a scenario which will help us understand why we need Config in the first place. One thing that is universal across most organizations is that infrastructure keeps on changing. If you have an enterprise, it is quite possible that every week a new application comes in, and for that new application you might have to create new EC2 instances, new RDS databases, new SQS queues, et cetera. This is the same across most organizations. So let's look into a very simple example where you have a new enterprise with a new AWS account. In week one you have a couple of EC2 instances where your website is running, and suddenly you find there are a lot of users, a lot of hits, coming to your website.
So in week two you increase the number of EC2 instances, and you also add an Elastic Load Balancer. That is what you did in week two. Now the traffic keeps on increasing, so in week three you add various things more: many EC2 instances, an Elastic Load Balancer, an S3 bucket for maybe content delivery, and a relational database, RDS, within your Amazon account.
So every week, if you look, your infrastructure is changing a lot. Now let's assume your CFO or CEO comes and says, show me how the infrastructure looked a week back. You cannot just show him the CloudTrail logs. This is even more important for an auditor who wants to see what exactly changed from week one to week two to week three: just looking into logs and manually drawing diagrams of what changed is not very feasible. This is one of the reasons why AWS came up with the Config service.
What the Config service does is keep track of the inventory as well as the inventory changes. It will show you that on this date this was the inventory, and on the next day these were the changes that happened within your AWS account, so it becomes very easy for you to track the changes. So let's go to the AWS account and see what Config is. Let me open AWS Config and click on Get started. It is very simple to configure. By default it records all the resources supported in this region, but we also want to include global resources such as IAM, so I'll specify that. Now it is asking me for a bucket name, so let me put in a sample bucket name. What the bucket does is that AWS Config will keep the configuration snapshots within that S3 bucket, so if after one year you want to see the backdated data from a few months back, you can actually open the logs from the S3 bucket. The next thing you have to configure is the SNS topic, and this is the role. I'll click on Next. We'll talk about Config rules in the upcoming lectures, but for the time being, let's just configure AWS Config.
So it is setting up AWS Config. Generally it might take some time for AWS Config to set up, because once you configure it, it will take the whole inventory from your AWS account. In my case the AWS account is a test account where I hardly have anything, so it loaded up pretty quickly. Now, one thing that is important to remember is that AWS Config does not support all the resources. It only supports specific resources related to CloudTrail, EC2, Elastic Load Balancer, IAM, RDS and a few more, so not all the resources are supported within AWS Config. The second important thing to remember is that AWS Config is region-wise: it is tied to a specific region and it is not global. In my case my infrastructure is within the North Virginia region, so let me go to the North Virginia region so that we can see things in a much better way. So I'm in the North Virginia region. Let me select Security group over here and click on Look up.
Okay, so it is showing me all the security groups which are present in this particular region. You can also specify, let's say, Instance, and then click on Look up and it will show you all the data related to the EC2 instances and the security groups. So these are the EC2 instances and these are the security groups that are available. Let me open EC2 as well. Now I have one security group called OpenVPN Access Server. Let me click on the security group and take the security group ID. I'll take the security group ID, unselect Instance, and look up this particular security group ID. There is a column called Configuration timeline; let's click there. What this configuration timeline does is show you any changes which were made to this particular security group. Now, since we enabled Config just a few minutes back, it will not show you any configuration changes. But if you come down here, there are two very important fields to remember.
The first is Relationships. Relationship means which instances, or which resources, this security group is attached to. If I click over here it says that this security group is connected to this network interface, it is attached to this EC2 instance, and it is part of this particular VPC. So very important thing to remember. The second important field is Changes. Within this it shows configuration changes: if you modify some aspect of the security group, it will show what aspects were changed. Let me show you a practical example that will make things much clearer. Let me add a few rules over here, say an inbound rule for 91.116.75.0/16, and let me delete the port 22 rule, and I'll click on Save. So we changed some aspect of this security group, and these things will be reflected in the AWS Config console.
Let me do one more thing: let me attach that security group to another instance as well. I'll change the security group. Generally whenever you make changes they will not show up instantaneously; it will take a few minutes before they are reflected in AWS Config. So let me add the security group to one more instance over here. Okay, so what we did was we changed the security group, which is OpenVPN Access Server, and we also attached the security group to a different instance. These changes should be reflected back in the AWS Config console. Again it might take some time, I would say a few minutes, before it is reflected over here, so let's pause this video and I'll come back in a few minutes. Okay, so it has been around five minutes, so let me just refresh this page and see if the configuration has come up. Okay, if you see over here, it is showing me that there have been some changes made to this particular security group.
You can see there is a difference in the time. So let's look into what has changed. Let's go to the Changes section over here, and it is showing me what changes have been made to this particular security group: the exact details about what changed and what got removed. Along with that, if you remember, we had also attached this security group to a new EC2 instance, and this will come under the relationship data. It shows that this particular security group has been attached to one more network interface; remember that security groups are attached to network interfaces. This is shown in the relationship status: this is the EC2 network interface, and now we have two where earlier there was only one. So within the Changes section you get the security group related changes, and you can also see which network interface it got connected to. Now if you're wondering where it is getting the data from, it is actually getting the data from our old friend CloudTrail. If you remember, all API related activity, anything that you do within your AWS account, gets logged via CloudTrail. What Config does is pull the CloudTrail related data and interpret that data into an easier form for us to look into. It also shows you the time at which the events changed. So a very important thing to remember, and Config is something which is very important as far as enterprises or even medium scale organizations are concerned.
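What the console's Changes and Relationships views are doing under the hood is diffing two configuration items (CIs) of the same resource. The script below is an added example, not code from the lecture: it takes two constructed CIs for the OpenVPN security group (the field names follow the shape of an `AWS::EC2::SecurityGroup` configuration item as Config delivers it to S3; the ids are placeholders) and reports which ingress rules and relationships were added or removed, and generalises that to a whole timeline of CIs.

```python
"""Compute what the AWS Config console shows under "Changes" and
"Relationships" for a security group, from its configuration items (CIs).

Added example, not code from the lecture. BEFORE/AFTER are constructed
sample data: placeholder ids, field names shaped like an
AWS::EC2::SecurityGroup configuration item delivered to S3 by AWS Config.
"""
import json

_BASE = {"resourceType": "AWS::EC2::SecurityGroup",
         "resourceId": "sg-0123456789abcdef0",          # placeholder id
         "awsRegion": "us-east-1"}

# Week-one state: SSH and HTTPS open to the world, one instance attached.
BEFORE = dict(_BASE, configurationItemCaptureTime="2024-01-01T10:00:00.000Z",
    configuration={"groupName": "OpenVPN Access Server", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
    relationships=[
        {"resourceType": "AWS::EC2::NetworkInterface", "resourceId": "eni-0aaa", "name": "Is associated with NetworkInterface"},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0aaa", "name": "Is associated with Instance"},
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0aaa", "name": "Is contained in Vpc"}])

# After the edits made in the lecture: port 22 removed, a /16 rule added,
# and the group attached to a second instance (hence a second ENI).
AFTER = dict(_BASE, configurationItemCaptureTime="2024-01-01T10:07:00.000Z",
    configuration={"groupName": "OpenVPN Access Server", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "91.116.75.0/16"}]}]},
    relationships=BEFORE["relationships"] + [
        {"resourceType": "AWS::EC2::NetworkInterface", "resourceId": "eni-0bbb", "name": "Is associated with NetworkInterface"},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0bbb", "name": "Is associated with Instance"}])


def _cidrs(perm):
    # Config has written ipRanges both as plain strings and as {"cidrIp": ...}
    # objects over time, so accept either form.
    return [r["cidrIp"] if isinstance(r, dict) else r for r in perm.get("ipRanges", [])]


def ingress_rules(ci):
    """Flatten ipPermissions into hashable (protocol, from, to, cidr) tuples."""
    rules = set()
    for perm in ci["configuration"].get("ipPermissions", []):
        for cidr in _cidrs(perm):
            rules.add((perm["ipProtocol"], perm.get("fromPort"), perm.get("toPort"), cidr))
    return rules


def relationships(ci):
    return {(r["resourceType"], r["resourceId"]) for r in ci.get("relationships", [])}


def diff_configuration_items(before, after):
    """Rule and relationship changes between two CIs of the same resource."""
    if before["resourceId"] != after["resourceId"]:
        raise ValueError("configuration items describe different resources")
    rb, ra = ingress_rules(before), ingress_rules(after)
    lb, la = relationships(before), relationships(after)
    return {"resourceId": after["resourceId"],
            "from": before["configurationItemCaptureTime"],
            "to": after["configurationItemCaptureTime"],
            "rules_added": sorted(ra - rb),
            "rules_removed": sorted(rb - ra),
            "relationships_added": sorted(la - lb),
            "relationships_removed": sorted(lb - la)}


def configuration_timeline(cis):
    """Diff each CI against the previous one, oldest first (the console timeline)."""
    ordered = sorted(cis, key=lambda ci: ci["configurationItemCaptureTime"])
    return [diff_configuration_items(a, b) for a, b in zip(ordered, ordered[1:])]


if __name__ == "__main__":
    print(json.dumps(configuration_timeline([AFTER, BEFORE]), indent=2))
```

The same diff is what you would run over the history files Config writes to the S3 bucket when the CFO or an auditor asks what changed between two dates: each step in the timeline is one CI against the one before it.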
Coming back to the PowerPoint presentation, I hope you understood the basics of why AWS Config is required. Let's look into a few use cases where having AWS Config enabled might help you. One use case: let's say your infrastructure cost has spiked suddenly and your CFO wants to see what exactly has changed over the past three weeks. Instead of showing logs and all, you can directly open up Config and show him the details of what has changed, and he might actually get impressed as well.
The second use case: let's say you are a DevOps engineer at XYZ organization, and last night everything was working fine, but suddenly in the morning users are reporting that they are not able to access the website. You know there was some change related to the EC2 instance or the security group, so in this case you can use Config to see what exactly changed from yesterday night to this morning. So these are a few use cases in which you can use AWS Config. Now there are a lot more features which AWS Config provides which are really amazing, and we'll be talking about some of these features in the next video.
4. AWS Config – Part 02
Hey everyone and welcome to part two of AWS Config. In the previous lecture we looked into the basics of AWS Config and we also looked into how AWS Config can help us track infrastructure changes. Today we look into more features of AWS Config, and there is one very amazing feature called compliance checks, which Config provides. So let's understand what that means. Just monitoring infrastructure related changes is not enough; as a security specialist, we should be monitoring the security aspect as well. So there are various use cases related to security best practices, like: all the S3 buckets should have versioning enabled; root MFA should be enabled; security groups should not be open on port 22 or maybe on other ports like 3306, et cetera; CloudTrail must be enabled. One more rule is that no unused EIP should be present, and this can be part of the costing factor as well.
So these are five points related to security as well as cost optimization which are important. Now, how do you actually monitor all of these things? This is just a sample; there can be hundreds of different points. There should be some kind of centralized dashboard which can say that your account is compliant against all of these rules, and this is what AWS Config allows us to do. Based on the use cases that you configure, AWS Config can show you the compliance status. So this is the compliance status which you see now. Restricted SSH: you see it is compliant, so SSH is restricted, it's not open to 0.0.0.0/0. All the EIPs are attached, so that means there is no unused EIP. You have root MFA enabled, so that is compliant. However, there are certain resources which are non-compliant over here.
So directly by looking into the Config rules you can see whether your infrastructure is compliant or not, and generally if the auditor comes, you can directly show the auditor this page, provided you have all greens over here. This is what AWS Config allows us to do. So let's look into how we can configure these rules. Going back to AWS Config: this is the resource inventory, and if you look into the first tab over here, it says Rules. By default Amazon gives us a lot of rules that we can use within our infrastructure.
For the time being, there are 32 rules which come by default with Config. These rules basically check various things like IAM, EC2 instances, root MFA, S3 buckets, et cetera. So let's enable certain rules out here. Let me enable EC2 detailed monitoring. Okay, let me enable this particular rule, so it is evaluating. Let's add a few more rules over here. Let's go to the next page. Okay, S3 bucket logging enabled, S3 bucket versioning enabled. We want all the S3 buckets to have versioning enabled, so I'll click on Save and add this particular rule as well. I'll click on Add rule. Let's add a few more rules. Let's see: CloudTrail enabled. This is again a very important rule that should be there, so I'll add this rule. Let me add a few more rules so that our dashboard looks pretty nice. Let me go to the next page. EIP attached. Again, this is very important because, specifically for the free tier, if you have an EIP that is not attached to an EC2 instance, you will be charged for that EIP.
So, very important thing to remember: this should be present within your AWS free tier usage at least. A lot of people get charged because they have an EIP that is not attached to any EC2 instance. So just remember that your EIPs should be attached. I'll click on Save. So we have around four rules here and you see it is showing me the compliant as well as the non-compliant status. EC2 instance detailed monitoring: it is saying that it is non-compliant, and there are three resources which are not compliant. S3 bucket versioning enabled: again, there are two non-compliant resources. CloudTrail enabled: yes, we have CloudTrail enabled, so it is showing me compliant. And it will also report to me whether the EIPs are attached or not.
So this is one of the ways in which you can configure the rules of AWS Config. Now, again, as we discussed, there are around 32 default rules that come with it. What happens if you want to add more rules? Well, definitely you can add more rules: you can put those rules in Lambda and connect those rules with the Config service. So here you see there is one EIP which is not attached. This is dangerous because I will be charged for this particular unused EIP, so I should be removing the EIP, and you should also be removing any EIP you have which is not required. So there is one non-compliant resource: I have four EIPs, among which there is one EIP which is non-compliant. Let me go to this particular EIP. Okay, so this is the EIP.
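The "restricted SSH" check from the compliance list above and the custom Lambda rules just mentioned are really the same thing: a function that receives one configuration item and returns COMPLIANT or NON_COMPLIANT. The handler below is an added example, not code from the lecture or from AWS: it implements a configuration-change-triggered custom rule that flags security groups opening port 22 or 3306 (overridable through a hypothetical `blockedPorts` rule parameter) to 0.0.0.0/0. It follows the event shape Config passes to custom rules (`invokingEvent`, `ruleParameters`, `resultToken`) and reports through `config:PutEvaluations`; `SAMPLE_EVENT` is constructed data with placeholder ids and token, and `RecordingConfigClient` stands in for boto3 so it runs offline.

```python
"""A custom AWS Config rule, packaged as a Lambda handler, that flags
security groups exposing administrative ports (22 and 3306 unless the
blockedPorts rule parameter says otherwise) to 0.0.0.0/0.

Added example, not code from the lecture. SAMPLE_EVENT is constructed data;
ids and the result token are placeholders.
"""
import json
from datetime import datetime

ANY_IPV4 = "0.0.0.0/0"
DEFAULT_BLOCKED_PORTS = "22,3306"


def blocked_ports(rule_parameters):
    """Parse the optional (hypothetical) 'blockedPorts' rule parameter, e.g. "22,3306"."""
    raw = rule_parameters.get("blockedPorts", DEFAULT_BLOCKED_PORTS)
    return {int(p) for p in raw.split(",") if p.strip()}


def world_open_ports(configuration, ports):
    """Subset of `ports` reachable from 0.0.0.0/0 according to the group's ipPermissions."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        cidrs = {r["cidrIp"] if isinstance(r, dict) else r for r in perm.get("ipRanges", [])}
        if ANY_IPV4 not in cidrs:
            continue
        if perm.get("ipProtocol") == "-1":          # "all traffic" rule covers every port
            return set(ports)
        low, high = perm.get("fromPort"), perm.get("toPort")
        if low is None or high is None:
            continue
        exposed |= {p for p in ports if low <= p <= high}
    return exposed


def evaluate(configuration_item, rule_parameters):
    """Return (ComplianceType, annotation) for one configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource was deleted"
    exposed = world_open_ports(configuration_item["configuration"], blocked_ports(rule_parameters))
    if exposed:
        return "NON_COMPLIANT", f"ports {sorted(exposed)} open to {ANY_IPV4}"
    return "COMPLIANT", "no blocked port is open to the world"


def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; config_client is injectable for offline runs."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                 # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": datetime.fromisoformat(
            ci["configurationItemCaptureTime"].replace("Z", "+00:00")),
    }
    if config_client is None:
        import boto3                              # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


SAMPLE_CI = {                                     # constructed: SSH open to the world
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",         # placeholder id
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
    "configuration": {"groupName": "OpenVPN Access Server", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": ANY_IPV4}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": ANY_IPV4}]}]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_CI,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"blockedPorts": DEFAULT_BLOCKED_PORTS}),
    "resultToken": "result-token-placeholder",
}

if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(SAMPLE_EVENT, None, client))
```

The deleted-resource and wrong-resource-type branches matter in practice: Config still invokes the rule for those items, and returning NOT_APPLICABLE keeps a released security group from lingering as a red entry on the dashboard.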
Let me go to EC2, Elastic IPs, and paste the EIP, and you see this EIP is not attached to any of the instances. So why keep it? Just release it; you will save the cost also. I'll release this particular EIP. So this is the basics of AWS Config. Now, there is one more important thing that you should remember. We already discussed the CIS benchmark, and there is a very nice GitHub repository which contains a lot of AWS Config rules which you should have within your AWS account, specifically if you're running production servers and security is something which is important for you. If you go to the rules MD file over here, this file basically tells you what rules are present within this particular GitHub repository.
So you see there are a lot of rules present related to IAM password policy, key rotation, whether the IAM user has MFA enabled or not, whether VPC flow logs are enabled, and so many other things. There are around 34 rules present over here, and around 32 rules which AWS Config provides by default.
AWS keeps on updating this rule set, so as long as they keep on updating it, you can add the rules, or until they update it you can write your own rules within a Lambda function. So this is the basics of the Config service. I hope this has been useful for you, and again I really encourage you to practice this once. If you are managing the AWS infrastructure of an organization, I really recommend that you have some kind of dashboard which shows you, hopefully, compliant for all the resources. So this is it. I hope this has been useful for you and I'd like to thank you for viewing.