I'm not sure when but AWS Config now supports using Guard rules to determine the compliance of resources. This is a pretty neat integration and one of the first I've seen from AWS on a side Open Source Project they have created.
Previously you would need to create and manage a Lambda to verify the compliance of resources which was a bit of a burden for operations teams.
I was alerted to this awesome addition via twitter, thanks, Ben! I'd recommend following him on Twitter.
How to
The following steps assume you have AWS Config all configured and up and running.
This is pretty easy via the UI, so just follow the prompted steps if you need to complete this first.
Once enabled your AWS Config Dasboard will look something like this.
Now we can create a custom rule backed by Guard. Select Rules in the AWS Config dashboard.
Then select Add Rule
You'll be prompted to select the rule type. Here you can see we have an additional option for Create custom rule using Guard.
After selecting this we give our rule a Name & Description. Pretty standard stuff.
Now we can add our Guard rule content. We are going to use the example code from the AWS Documentation to show the compliance status of point in time recovery (PITR) enabled on active Amazon DynamoDB tables
Here is the Guard Rule contents, its pretty simple to follow.
- Verify that
configuration.tableStatusisACTIVE - Verify that
supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatusisENABLED
# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']
rule tableisactive when
resourceType == "AWS::DynamoDB::Table" {
configuration.tableStatus == %status
}
rule checkcompliance when
resourceType == "AWS::DynamoDB::Table"
tableisactive {
let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
%pitr == "ENABLED"
}
Next we make sure our rule is targetted to the resource type we are validating, here this is AWS::DynamoDB::Table
Select Resources and AWS DynamoDB Table for the Resource Type.
Click Next and Add Rule and we have our rule created.
Testing our Guard Rule
To test our new rule I've created a simple Dynamodb Table via the UI. This has no point in time recovery set to it should trigger our Guard Rule.
Very promptly we can see that our rule has been triggered
If we take a closer look at the JSON Configuration of our resource via AWS Config we can see how our compliance item has been flagged.
The attribute pointInTimeRecoveryStatus is DISABLED
"supplementaryConfiguration": {
"ContinuousBackupsDescription": {
"continuousBackupsStatus": "ENABLED",
"pointInTimeRecoveryDescription": {
"pointInTimeRecoveryStatus": "DISABLED"
}
},
"Tags": []
}
What about Cloudformation Support?
I was excited at first to see a reference in the documentation for use with Cloudformation..
However, having played with cloudformation I can't get this to work as the CustomPolicyDetails doesn't seem to have been extended in Cloudformation to support the PolicyText payload.
I'll get this logged out with AWS Support to see if this is available and report back here.
Without this support, creating rules via the UI or AWS Cli really isn't feasible for us at the moment but I hope this is supported soon!
There is all sorts of policy as code validation that can be done with Guard so make sure you go check out the GitHub repo!
Hope this helps someone else!
Cheers
For more articles on AWS Config click here!](https://sjramblings.io/tag/config)