Amazon AWS Certified SysOps Administrator Associate – Monitoring, Auditing and Performance Part 8

16. [SAA] Config Overview

Okay, let’s have a look at AWS config. So Config is a service that allows you to get auditing and record compliance of your resources in AWS based on some rules that you’re going to set. You can also record configuration and their changes over time to quickly be able to roll back and to figure out what happened in your infrastructure if you need to.

So some questions that can be solved by Config are is there an and unrestricted SSH access to my security groups? Or do my buckets have any public apps sex? Or is there an ALB configuration that has changed over time? Then, based on these rules being compliant or not, you can receive alerts or SNS notifications for any changes. Config is a per region service. You need to configure it for all the regions if you need to, and you can aggregate the data across regions and accounts to centralize it into one place.

You can also store the configuration of all your resources into Amazon history to be later analyzed, for example, by serverless query engines such as Athena. So what types of rules go into config? Well, you can have AWS managed config rules, and there are over 75 rules that you can use. Or you can create your own config rules. In this case, you need to define that rule yourself. We’re using a lambda function. For example, you can evaluate if each EBS disk is going to be of type GP Two, or if each EC two instance in your development account is of type T two micro.

Some rules can be evaluated or triggered whenever a configuration is going to change. So whenever, for example, you have a new configuration of your EBS disk, please evaluate the type of your EBS disk. Or you can also have the rule to be evaluated at regular time intervals. For example, every 2 hours, please make sure that all my EBS disks have R of type GP two. Now, Config rules are just for compliance. They do not prevent actions from happening.

This is not a deny action on anything. It doesn’t replace security mechanisms such as im, okay? But what it does give you is an overview of your configuration and the compliance of your resources. Now, there’s no feature for config. It can be quite expensive. Very quickly, you’re going to pay 0. 3 cents per configuration item recorded per region and 0. 1 cents per configurable evaluation per region. Now, for the Config resource, you’re going to be able to view the compliance of a resource over time. For example, the security group has been non compliance. Then you can view the Config resource configuration over time, okay? You can see when they change and who changed and so on. And you can link it to Cloud Trail to view the API calls made for that resource.

So you can get a full picture of everything that’s happening. Now, although you cannot deny any action from happening from within the config. You can do remediations of your non compliant resources using an SSM automation document. So the idea is for example, you are monitoring whether or not your Im access keys have expired. For example, they are older than 90 days, in which case you want to mark them as non compliance. So this will not prevent them from not being compliant. But you can trigger, whenever a resource is not compliant, a remediation action. For example, there is an SSM document named revoke unused IAM user credentials.

Okay, maybe you want to use this one and then it’s going to be applied to whatever resource you have and in this instance it’s going to deactivate your Im access keys. So the idea is that either using a TOS managed documents or creating your own automation documents, you can have remediations of your non compliant resources and if you wanted to and go all the way through with the scripting, you could create a document that will invoke a lambda function and you’re free to do whatever you want. Then finally your remediation may have retry.

So in case the resource is still non compliant after an auto remediation, it may retry for example up to five times. So lastly, what about notifications? Well, we can use event bridge to trigger notifications whenever our resources are not compliant. So for example, we monitor our security group, it becomes not compliant. Then we can trigger an Event in Event bridge and then pass it on to whatever resource you want.

Or you can also pass on all the changes and all the compliance set notifications of your resources to SNS from config. So it’s one configuration item. And then if you wanted to just filter for only for some events, you could use an SNS filtering to have a filtered SNS topic and then you can send these notifications for example to an admin email or to a Slack channel and so on to get all these notifications in one place. So that’s it for come sake. I hope you liked it and I will see you in the next lecture for some hands on.

17. [SAA] Config Hands On

So let’s go into the conflict service and start to configure it. So we are in it and I’m going to click on Get Started to start recording some settings. So we’re going to record all the resources supported in this region. But if you wanted to, you can record only specific resource types in which case you can find resource categories and then resource types on the right hand side. But because I want to show you all all the resources I can record, I’m going to click on this and on top of it you can include global resources such as Im users, group roles and customer managed policies. Just be aware that again, config is not a part of the feed tier. So the more resources you record, the more money you’re going to pay. And so I’m doing this to show you everything to you.

But if you don’t want to pay any money from this course, please do not follow on with this. Hands up. Okay, so we’re going to record all resources, we’re going to include global resources and then to record all the resource configuration we need to create a config service linked role. So we’re going to click on that. Then all this information is going to be delivered into an Amazon is for buckets. So we need to create a bucket and the bucket name is already entered for me so that’s perfect. And then we can have a prefix if we wanted to. And then finally this is where the data is going to be stored. And in terms of notification, we can stream all the configuration changes and notifications into an Amazon SNS topic if we wanted to. And again, remember, this is for everything into one topic. But I don’t want to do this so I will leave this unticked.

I click on Next and next we find some AWS managers. So we have a lot as you can see and I want to define them later. So I’m going to skip that part but you can have a look at them if you wanted to. So click on Next and we can review the configuration. So yes, we want to record all records, all resources, including global resources and we’re going to deliver this into an extra bucket. And currently we haven’t defined any rule so let’s click on Confirm.

Now the rule is being created, the bucket is created and then config is going to be started. Now it’s going to take a bit of time for config to have a look at everything within your account and look at the configuration. So I’m going to pause the video until this is done. Okay, so my resources are still being discovered but I can go on the left hand side to resources. And actually we will see that some resources have already been discovered in my accounts. As you can see, some root table, subnet, VPC and so on have been discovered.

So what I can do is that I can look at resource type and I can look for example for EC two security groups and find that yes, my security groups are here and currently they do not have a compliance status because we haven’t defined any kind of rule on top of them. So let’s have a look for example at one of these ECT security group and from within the group we can have a look at the rules applies to currently none and we can look at the configuration of the security group itself. Okay, we can also look at the resource timeline and the resource timeline will give you all the events related to that resource. So there is a configuration change which is the initial configuration right here there’s some Cloud Trail events also that were related to the security group.

For example, authorize security group ingress rules, create large configuration and create security group, this kind of thing and we can go to Cloud Trail to find these events. So what I want to do is to figure out whether or not my security groups are compliant or not. And so for this we’re going to go into Rules. And Rules is going to be able to give us the option to add a rule and we can either add an eight OS manage rule or create our own custom rule with a lambda function. So to keep it simple I’m going to add an aerospace rule and let’s have a look at rules that are accessible to us. So one that I like is for example approved AMI by ID. So this is to check whether running instances are in your account using the specified AMI. So if I click on it, for example and click on Next which is not related to security groups.

But I just want to show you one rule so this one will check whether or not your ECU running instances will be using the specified Amis. And so you can trigger this based on whenever a resource does change and then you can also specify all the EC two instances in here and we have to specify a parameter for that rule which is the list of all the AMI IDs that are approved within our accounts. And this is going to be used by the rules and inputs to figure out whether or not it’s easy to instance is compliant because we do not have many east wins yet, we’re not going to use that rule.

So instead we’re going to use a managed rule but this time for SSH and this is going to be applied to our security groups. So we want to make sure that we’re not allowing any incoming SSH traffic from anywhere. So we click on Next. This is called restricted SSH and the trigger is going to be on our resource whenever the configuration changes. Okay, but as we can see, if we define a different kind of role we could have it to be run periodically as well.

So whenever our security group resource will change, please evaluate that rule. This is applying only to alias EC Two security groups, and we have no parameters for that role. Click on Next and click on Add Rule. And now we have defined this first rule. So let’s have a look. So currently it’s not evaluated and we don’t have any remediation. So let’s wait a little bit until this is done. So I just refresh my page and as you can see, an evaluation was done automatically. And if you look at this rule, we have seven security groups, not six security groups right here, which are not compliance.

So if we go into our resources on the left hand side, and we’re going to filter again by EC Two security group and have a look at all our resources, as we can see, some of them are compliant and some of them are not compliant. So if we look at a compliance and a non compliant one, let’s see the difference. So this one is compliance, okay? And a rule was applied to it. As we can see, it says compliance. So if I go and manage a resource and look at the inbound rules right here, as we can see, we only have one inbound rule which doesn’t have a port. So there’s no port 22 in here.

So this is why this is working. But if I look at a non compliant resource, for example, this Launch Wizard Three, I believe, was not compliant, okay? And you click on Manage Resource, we are taking again straight into the console for security groups. And if we look at the Inbound rule, as we can see, port 22 on IPV Four from anywhere is being open. So this is a big problem. So what I can do instead is do delete this rule right here. And if I delete this rule, this will retrigger an evaluation of my resource, which should make it compliant again. So let’s delete it and save my rules. So now my security group has been modified. And so let me close this.

So this is my non compliant security group, and I can go into resource timeline to have a look. And so within the resource timeline, as you can see, the configuration change happens. And then the rule was run and it was not compliant. Now, I did change yet again the configuration. So we’re going to have to wait a little bit of time for the configuration change to happen right here, which should trigger a rule compliance. And then hopefully now my resource will be compliant. So let me pause a little bit and get back to you.

So I have just refreshed my page, and as we can see in here, on July 12, we have after the rule compliance, a cloud trail event that happened because I did revoke a security group ingress row, because I deleted an ingress role. That’s true. Then it recorded as well a configuration change saying hey, this rule that had port 22 in it get deleted. So from and to is empty because it got deleted.

And then Config did run my rule again named restricted SSH and now my resource is compliant. And so that means that, yes, I have fixed the compliance of my resource. So I can go back into here and we can have a look at another security group, for example, this one. And under the rule here, you can do action and then manage remediation. So this is to remediate this for this role.

So if we look at this rule, we have managed remediation and we can have manual remediation or automatic remediation, in which case you can specify a number of retries and a number of seconds for the retries to happen. Okay? So we can select a manual remediation, for example, and then you need to choose a remediation action.

So these are SSM automation documents that we can select. So these are defined by AWS, but we can also create our own. And for example, well, we could delete a snapshot to delete an image if it’s not compliant to whatever we want it. So it’s really up to you to define the action you want. So for example, you could say, hey, attach EBS volume and here is the rate limits based on the noncompliant resources, the resource ID parameters if you need them to be given to the remediation and so on. Now this doesn’t make any sense, this remediation action, right?

We need to define a remediation action that makes sense for our rule. But as you can see, we can set up automatic or manual remediation and configure it and so on, and also pass in some parameters around the document itself. Okay, so that’s it for Config. I hope you liked it. And then Aggregators is to aggregate across multiple accounts. Okay? And then under Settings, you can have a look at the settings we defined from before, including, for example, sending all the data into an SNS topic. Or you can set up Amazon Cloud Watch event rules from the cloud Watch consoles or from the event bridge console to intercept only specific non compliance events for some specific rules. So that’s it for this lecture. I hope you liked it and I will see you in the next lecture.

18. [SAA] CloudWatch vs CloudTrail vs Config

So one very popular exam questions is to make the distinction between Cloud Watch, Cloud trial and Config. Now, thankfully, thanks to the hands-on, hopefully you know exactly what the differences are. It’s pretty obvious in my opinion, but it’s never too bad to go through an example and see them. So Cloud Watch is for performance metrics, metrics CPU network and to create dashboards. You can also get events and alerts. And finally we have a log aggregation and an analysis tool if you wanted to. So Cloud Watch, I think we’re all pretty familiar with it, is already.

Now, Cloud Trail could be new to you, but basically it’s to record API calls made within your account by everyone and everything, and you can define some trails for specific resources so you can get more information on EC two only and it’s a global service. Now finally, Config is to record configuration changes and to evaluate resources configuration against compliance rules. Finally, you’re going to get a timeline of changes in compliance with this nice UI.

So I think they’re a very distinctive service. I don’t think there’s any confusion, but let’s go through an elastic load balancer to see how each of these services can help you understand what is happening to your ELB. So Cloud Watch can monitor the number of incoming connections, can visualize the number of error codes as a percentage over time, and maybe we can have a dashboard to get an idea of the load balancer performance. Maybe we can even make it a global dashboard if you have multiple load balancers for a global application. Now, config. What would you use config on the ELB? Well, maybe you want to track the security group rules for the load balancer, making sure no one does anything fishy or changes anything.

Maybe you want to also track the configuration changes for the load balancer itself to see if anyone modifies the SSL certificates or et cetera, et cetera. We also maybe have a rule to say there always should be an SSL certificate assigned to the load balancer and maybe we should never allow nonencrypted traffic into the load balancer. That could be two different compliance rules that you put into Config.

Finally, Cloud Trail will be to track who made any changes to the load balancer with API calls. So in case some someone changes the security group rules or someone changes the SSL certificate or removes it or whatever, then Cloud Trail will be how we know who made these changes. So all these tools are pretty complementary when you think about it and when you understand that how they’re used for load balancer, which I think is a great example, then you are going to rock any questions asked for you at the exam. So I hope that makes sense and I will see you in the next.

• Category: Uncategorized