Kanji
Cloud engineer, freelance. Born in 1993 in Ehime Prefecture, lives in Shibuya-ku, Tokyo. Five years of AWS experience.
AWS Config (hereafter Config) is a service that records the configuration of AWS resources and the changes made to it. It only sees what the AWS control plane exposes: it records the configuration of AWS resources, not the OS, application or database settings inside them, which need an OS-level tool.
Not every AWS resource type can be recorded by Config, so check the supported resource type list before relying on it. For example, AWS Organizations resources, everything in IAM Identity Center, Systems Manager Parameter Store parameters and Systems Manager documents could not be recorded at the time of writing.
Besides recording resource configuration, Config can evaluate the settings of AWS resources against AWS Config Rules (hereafter Config Rules).
In on-premises environments, configuration and change records are often kept in documents such as Excel and Word spreadsheets; where automation is further along, OS configuration may be managed with Ansible.
In AWS, configuration can be recorded by Config, but as noted above there are limits on what it can record. The major AWS resource types are covered, so the change-recording design has to account for the resources Config cannot record as well.
Conversely, Config Rules only evaluate resource types that Config is recording, so recording the target resources is a prerequisite for using them.
As a rule, enabling Config in every AWS account is recommended. Not introducing Config is an option only if you both "manage configuration and changes with another configuration management tool instead of Config" and "check for misconfigurations with another security check tool instead of Config Rules".
For "managing configuration and changes with another configuration management tool instead of Config", using an IaC tool is one option, but making IaC mandatory across an entire system is hard given the range of skill levels among developers and operators.
If another SaaS tool has been adopted company-wide, it is better to use that tool.
As a case of “checking for configuration deficiencies with another security check tool without using Config Rules”, the following options are available:
Config Rules are a managed service provided by AWS; they offer more flexibility and longer-term compatibility than third-party tools, and their use is generally recommended. The methods above can also detect misconfigurations, so choose according to company policy.
When using Config Rules as a security tool, the security rules the company must meet have to be made explicit first. Depending on what those rules are, it may be better to check for misconfigurations with another security check tool than with Config Rules.
Since designing Config Rules from scratch is hard, the efficient approach is to start from the conformance packs or Security Hub standards that correspond to the company's security rules and build the Config Rules from them.
If there are no specific security rules, start with the rules from the AWS Foundational Security Best Practices (FSBP) standard in Security Hub or from the AWS Well-Architected Framework conformance packs for Config.
Both FSBP and the Well-Architected Framework are best practices published by AWS, but FSBP selects rules that are more narrowly security-focused.
There are cases where AWS resources recorded by Config are excluded from recording in the following patterns:
When using Config Rules as guardrails, you have to choose which AWS resource types Config records. As cases 1 and 2 show, Config bills per configuration item recorded, so recording high-churn types indiscriminately drives cost; select the recorded types according to what is actually built in the AWS account.
In case 3, if preventive control through security checks in the CI/CD pipeline is possible, detective control by Config is not required and the resources need not be recorded. However, if deployed resources can be changed by hand during operation, recording them with Config should be considered.
Reference: Recording AWS Resources with AWS Config - AWS Config
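As an added example (not code from the article), the selection described above expressed as a Config recorder definition: everything Config supports is recorded except an explicit exclusion list, a second list is recorded daily instead of continuously, and a check reports which rules would stop evaluating because their scoped type is excluded (the prerequisite noted earlier). The excluded and daily type lists are illustrative, the role ARN is a placeholder, and boto3 is assumed only for the final apply step, so the builder functions run offline.

```python
"""Build an AWS Config recorder definition with resource-type exclusions and
per-type recording frequency, plus a coverage check against Config Rules.

Added example, not part of the original article. The type lists below are
constructed illustrations; measure your own configuration-item volume before
excluding anything. boto3 is imported only inside apply_recorder().
"""
from typing import Dict, Iterable, List

# Constructed example lists. Excluded types produce no configuration items at
# all; daily types are still recorded, but at most once a day per resource.
EXAMPLE_EXCLUDED_TYPES = ["AWS::EC2::NetworkInterface", "AWS::Config::ResourceCompliance"]
EXAMPLE_DAILY_TYPES = ["AWS::EC2::Volume"]


def build_recording_group(excluded_types: Iterable[str]) -> dict:
    """Record all supported types except `excluded_types`.

    With the EXCLUSION_BY_RESOURCE_TYPES strategy, allSupported must be False
    and the per-type include list is left empty. IAM types are global: record
    them in one home region and add them to the exclusion list everywhere
    else, or every region stores duplicate configuration items for them.
    """
    excluded = sorted(set(excluded_types))
    return {
        "allSupported": False,
        "exclusionByResourceTypes": {"resourceTypes": excluded},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    }


def build_recording_mode(daily_types: Iterable[str], excluded_types: Iterable[str] = ()) -> dict:
    """Continuous recording by default, DAILY for the listed types."""
    daily = sorted(set(daily_types))
    contradiction = set(daily) & set(excluded_types)
    if contradiction:
        # A type cannot be both excluded and recorded daily; catch it before the API call.
        raise ValueError(f"types both excluded and set to daily: {sorted(contradiction)}")
    mode = {"recordingFrequency": "CONTINUOUS"}
    if daily:
        mode["recordingModeOverrides"] = [{
            "description": "high-churn types recorded once a day (example override)",
            "resourceTypes": daily,
            "recordingFrequency": "DAILY",
        }]
    return mode


def uncovered_rules(rule_scopes: Dict[str, List[str]], excluded_types: Iterable[str]) -> List[str]:
    """Return rule names whose scoped resource types are all excluded.

    Such a rule never receives configuration items, so it silently evaluates
    nothing; either record the type or drop the rule from the guardrail set.
    """
    excluded = set(excluded_types)
    return sorted(name for name, scope in rule_scopes.items()
                  if scope and set(scope) <= excluded)


def apply_recorder(role_arn: str, recording_group: dict, recording_mode: dict,
                   name: str = "default") -> None:
    """Write the recorder and start it. Requires boto3 and AWS credentials."""
    import boto3  # assumed available at deploy time only
    client = boto3.client("config")
    client.put_configuration_recorder(ConfigurationRecorder={
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": recording_group,
        "recordingMode": recording_mode,
    })
    client.start_configuration_recorder(ConfigurationRecorderName=name)


if __name__ == "__main__":
    group = build_recording_group(EXAMPLE_EXCLUDED_TYPES)
    mode = build_recording_mode(EXAMPLE_DAILY_TYPES, EXAMPLE_EXCLUDED_TYPES)
    # Constructed rule scopes: the ENI rule would go dark with the exclusions above.
    scopes = {"eni-sg-check": ["AWS::EC2::NetworkInterface"], "s3-public-read": ["AWS::S3::Bucket"]}
    print("rules with no recorded scope:", uncovered_rules(scopes, EXAMPLE_EXCLUDED_TYPES))
    # apply_recorder("arn:aws:iam::123456789012:role/example-config-role", group, mode)  # placeholder ARN
```

Run the coverage check every time the exclusion list changes; an excluded type does not raise an error on the Config side, the rules scoped to it simply stop producing results.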
When Config is enabled through Control Tower, the solution described in the blog below can automatically apply the recording exclusions to Config whenever a new AWS account is issued.
After roughly deciding on security rules and frameworks in ② What Security Rules Must Be Met by the Company? , it is necessary to set more detailed rules.
Applying the Config conformance packs or Security Hub standards as they are also enables rules of little importance, so select only the rules that genuinely need to be addressed.
This rule selection is labour-intensive.
It is best to exclude rules whose concern is already covered by other controls: preventive controls such as SCPs and IAM access management, and other detective controls such as GuardDuty.
The selection process differs from company to company and is hard to illustrate with examples, so the explanation ends here.
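The selection itself is policy, but the mechanics of cutting a conformance pack down to the chosen rules can be shown. The following is an added example (not code from the article or an AWS tool): it takes a conformance pack template in its JSON layout, keeps the rules on an allowlist, drops the rules recorded as handled by another control together with the reason, flags any rule left undecided, removes remediation configurations that point at a dropped rule, and reports kept rules whose scope is not recorded by Config. The four-rule template, the keep/drop lists and the reasons are constructed illustrations; boto3 is assumed only for the deploy step.

```python
"""Trim a Config conformance pack template to the rules a company will enforce.

Added example, not part of the original article. SAMPLE_PACK is a constructed
fragment in the conformance pack template layout; real AWS-provided packs have
dozens of rules and Parameters. boto3 is imported only inside deploy().
"""
import json
from typing import Dict, Iterable, Tuple


def _rule(name: str, ident: str, scope=None) -> dict:
    props = {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": ident}}
    if scope:
        props["Scope"] = {"ComplianceResourceTypes": list(scope)}
    return {"Type": "AWS::Config::ConfigRule", "Properties": props}


SAMPLE_PACK = {  # constructed example template
    "Resources": {
        "S3BucketPublicReadProhibited": _rule("s3-bucket-public-read-prohibited",
                                              "S3_BUCKET_PUBLIC_READ_PROHIBITED", ["AWS::S3::Bucket"]),
        "RootAccountMfaEnabled": _rule("root-account-mfa-enabled", "ROOT_ACCOUNT_MFA_ENABLED"),
        "CloudTrailEnabled": _rule("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED"),
        "Ec2InstanceNoPublicIp": _rule("ec2-instance-no-public-ip",
                                       "EC2_INSTANCE_NO_PUBLIC_IP", ["AWS::EC2::Instance"]),
        "Ec2PublicIpRemediation": {  # remediation tied to the EC2 rule above
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {"ConfigRuleName": "ec2-instance-no-public-ip",
                           "TargetType": "SSM_DOCUMENT", "TargetId": "example-runbook"},
        },
    }
}

# Constructed policy decisions; the reasons are illustrative only.
KEEP = ["S3_BUCKET_PUBLIC_READ_PROHIBITED", "ROOT_ACCOUNT_MFA_ENABLED"]
HANDLED_ELSEWHERE = {
    "CLOUD_TRAIL_ENABLED": "organization trail; deletion blocked by SCP (preventive)",
    "EC2_INSTANCE_NO_PUBLIC_IP": "checked in the CI/CD pipeline before deploy (preventive)",
}


def select_rules(template: dict, keep: Iterable[str], handled_elsewhere: Dict[str, str],
                 excluded_types: Iterable[str] = ()) -> Tuple[dict, dict]:
    """Return (trimmed_template, report), deciding each rule by SourceIdentifier."""
    keep, handled, excluded = set(keep), dict(handled_elsewhere), set(excluded_types)
    both = keep & handled.keys()
    if both:
        raise ValueError(f"rules both kept and handled elsewhere: {sorted(both)}")
    out = {k: v for k, v in template.items() if k != "Resources"}
    out["Resources"] = {}
    report = {"kept": [], "dropped": {}, "undecided": [], "unrecorded_scope": []}
    dropped_rule_names = set()
    resources = template["Resources"]
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = res["Properties"]
        ident = props["Source"]["SourceIdentifier"]
        if ident in handled:
            report["dropped"][ident] = handled[ident]
            dropped_rule_names.add(props.get("ConfigRuleName", logical_id))
        elif ident in keep:
            out["Resources"][logical_id] = res
            report["kept"].append(ident)
            scope = props.get("Scope", {}).get("ComplianceResourceTypes", [])
            if scope and set(scope) <= excluded:
                report["unrecorded_scope"].append(ident)  # rule would never evaluate
        else:
            report["undecided"].append(ident)  # force an explicit decision
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::Config::ConfigRule":
            continue
        if (res.get("Type") == "AWS::Config::RemediationConfiguration"
                and res["Properties"].get("ConfigRuleName") in dropped_rule_names):
            continue  # a remediation for a removed rule would fail deployment
        out["Resources"][logical_id] = res
    return out, report


def deploy(pack_name: str, trimmed: dict, report: dict) -> None:
    """Deploy the trimmed pack. Refuses if any rule was left undecided."""
    if report["undecided"] or report["unrecorded_scope"]:
        raise RuntimeError(f"resolve before deploying: {report}")
    import boto3  # assumed available at deploy time only
    boto3.client("config").put_conformance_pack(ConformancePackName=pack_name,
                                                TemplateBody=json.dumps(trimmed))


if __name__ == "__main__":
    trimmed, report = select_rules(SAMPLE_PACK, KEEP, HANDLED_ELSEWHERE)
    print(json.dumps(report, indent=2))
    print(sorted(trimmed["Resources"]))
```

The `handled_elsewhere` map doubles as the audit record of why a rule is absent from the pack, which is the question an assessor asks first when a well-known rule is missing.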