Throughout my career as a DevOps engineer, I have had the opportunity to work with a variety of large, medium and small enterprises. These are companies with amazing missions, ambitious goals and inevitable challenges. Despite their differences, there is one particular topic that unites the companies I’ve built cloud architectures for:
- How may we standardize our environments and enforce compliance of all of our existing or new cloud resources?
- And which security methods would be the best choice to meet our needs?
Regardless of the size of your organization, AWS has several offerings to meet the needs of your compliant cloud and hybrid infrastructure. Recently, we were asked by a Federal Bank client to come up with an automated solution for performing standardized audits. They also wanted to create other custom rules that meet their specific regulatory compliance needs. As we know, it is critical for a business to validate the adoption of specific policies and guarantee they are being enforced across its cloud infrastructure.
Often, customers lack the tooling to automate the auditing of their resources and generate findings based upon these audits. With a combination of AWS services and custom scripting, we were able to provide a solution to meet their needs.
AWS Config with AWS Lambda offered us a “best of both worlds” solution where we could design and implement a custom auditing process. Just like AWS Security Hub and Audit Manager, AWS Config offers pre-defined frameworks, or Conformance Packs (we’ll break those down shortly), to perform scans on your resources. AWS offers a lot of options for prebuilt frameworks for you to consume, but it’s completely understandable that available frameworks may not cover the needs of your business and custom processes may be required. This was the exact scenario we encountered working with this client.
So… what exactly is a Conformance Pack? In order to have a better grasp, we need to understand the components of AWS Config Rules. Rules are either predefined AWS policies (aka Managed Rules) or customer-managed policies (aka Custom Rules) that are used to evaluate your desired resources. There are a lot of components to each AWS Config Rule, but for the sake of simplicity, we’re only going to focus on the backbone of an AWS Config Rule.
Each Rule contains:
- Scope, which defines the Resource Types the Rule will target for compliance scans.
- Input Parameters, which are a set of Key/Value pairs that work with the code within the Evaluation Logic.
- Evaluation Logic, an AWS-managed or customer-managed AWS Lambda function with defined code that sends compliance results back to AWS Config.
- Trigger, a detected configuration change of a Resource that matches the defined Scope, or invoked via a cron-based schedule.
Circling back to Conformance Packs: a collection of these Rules is called a Conformance Pack, and it becomes a single deployable entity within a single AWS Account or an AWS Organization.
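To make the four Rule components concrete, here is an added example (not the client's code or anything from the original post) of the Evaluation Logic for a hypothetical custom Rule that requires certain tags. The `requiredTags` Input Parameter, the resource types in `SCOPE`, and the sample bucket are assumptions, and the code handles only the `ConfigurationItemChangeNotification` message type.

```python
import json

# Hypothetical rule: in-scope resources must carry every tag key named in the
# "requiredTags" Input Parameter (comma-separated). Names are assumptions.
# Scope is normally set on the Rule itself; this set is a second guard.
SCOPE = {"AWS::S3::Bucket", "AWS::EC2::Instance"}
GONE = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate(event):
    """Evaluation Logic: return one evaluation dict for the changed resource."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required = [t.strip() for t in params.get("requiredTags", "").split(",") if t.strip()]

    if (event.get("eventLeftScope") or item["configurationItemStatus"] in GONE
            or item["resourceType"] not in SCOPE):
        verdict, note = "NOT_APPLICABLE", "Resource deleted or outside rule scope"
    else:
        missing = sorted(set(required) - set(item.get("tags") or {}))
        if missing:
            verdict, note = "NON_COMPLIANT", "Missing tags: " + ", ".join(missing)
        else:
            verdict, note = "COMPLIANT", "All required tags present"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "Annotation": note[:256],  # AWS Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point AWS Config invokes on the Trigger; reports the result back."""
    import boto3  # imported here so evaluate() can be exercised offline
    result = evaluate(event)
    boto3.client("config").put_evaluations(
        Evaluations=[result], ResultToken=event["resultToken"])
    return result["ComplianceType"]


def sample_event(tags, status="OK", required="Owner,DataClassification"):
    """Constructed configuration-change event for a made-up bucket."""
    item = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "configurationItemStatus": status, "tags": tags,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps({"requiredTags": required}),
            "resultToken": "constructed-token", "eventLeftScope": False}
```

Because the required tag keys arrive through `ruleParameters`, changing the policy means editing the Rule's Input Parameter in the infrastructure-as-code definition rather than redeploying the function.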
We designed a custom solution that delivered a combination of AWS-managed Conformance Packs and custom Config Rules, all of which were deployed via custom pipelines that were already native to the client. Leveraging Terraform, we were able to automate the configuration and deployment of the CIS AWS Foundation v1.4, Operational Best Practices, and Security Best Practices Conformance Packs, as well as deliver a custom AWS Config Rule and associated AWS Lambda function for performing custom audit requirements. The AWS Config Custom Rule solution contained the following highlights:
After allowing the service time to scan resources and aggregate findings, we were able to view various metrics around the compliance of the scanned resources. Some of these metrics included compliance status by Rule or by resource, the inventory of the scanned resources, and more. We can also execute predefined or custom queries across these scanned resources to help generate JSON or YAML reports on demand. For example, if we wanted to view a count of compliant and noncompliant Rules within a Conformance Pack, we could use a predefined AWS Config query to aggregate those findings.
This is just scratching the surface of possibilities of this service. By using this layout, we can continue to build and deliver custom solutions to clients that meet their business requirements in a fast and efficient manner. Auditing existing resources is already a tedious task, and having tools in place to ease the burden of operational overhead adds significant value to your day-to-day security audits and compliance checks. Lastly, considering this tooling is designed as infrastructure-as-code, any updates to policy requirements will be as easy as modifying the Input Parameter that is used with the custom AWS Lambda.
Taking into account the vast possibilities that these services offer, feeling overwhelmed is completely understandable. Our team of engineers at Foghorn Consulting are experts at helping to automate and streamline your security and auditing processes. Through our deep experience with building compliant clouds, we can tap into unique methods with common tools to achieve success. If you have any additional questions around deploying Conformance Packs within your AWS Organizations, or would like to set up a time to discuss additional methods with our team, please shoot us a message.