AWS Config Managed Rules – Managing Your Environment with AWS Config – SCS-C02 Study Guide

AWS Config Managed Rules

AWS provides lists of AWS managed rules. These are predefined yet customizable rules that the Config service can use to evaluate your resources and determine whether they comply with the standard best practices that the rule set lays out.

With a managed rule, you do not need to write a corresponding Lambda function to perform a remediation action; a rule backed by your own Lambda function would be a custom rule instead. At the time of writing, there were over 150 managed rules available for use, which can be filtered according to the following four categories:

  • List of managed rules by evaluation mode
  • List of managed rules by trigger type
  • List of managed rules by Region availability
  • Service-linked rules

Note

To see the complete list of rules, please visit the following URL: https://packt.link/HrWsk.

AWS Config Custom Rules

If you cannot find a rule that meets your needs, then you can create a custom rule in the AWS Config service. There are two methods available to do this. The first is to use an AWS Lambda function, and the second is to use Guard, which involves writing the rule in the Guard policy-as-code language.

Note

The ability to create a custom rule is not tested in the exam, nor is the syntax of Guard; hence, these topics will not be covered in detail. If you want to know more about Guard, visit its GitHub repository at https://packt.link/ic0RW.

The difference between an AWS Config custom rule and a managed rule is that you create a custom rule from scratch.

The following describes the process of setting up a managed rule for your AWS Config instance in the AWS Management Console. You must start the configuration recorder as in the previous exercise or manually via the AWS Management Console to successfully complete this exercise:

  1. Log in to the AWS Config service on the Management Console using the following URL: https://packt.link/s2AqI. (Make sure that you are in the Region where your resources are being recorded.)
  2. On the left-hand menu, click on the item named Rules.

Figure 5.4: Menu on the AWS Config service screen

  3. In the main window, click the orange Add rule button.
  4. Add an AWS managed rule. To do this, under the heading that says Select rule type, ensure that Add AWS Managed Rule is selected.
  5. In the section labeled AWS Managed Rules, type restricted-ssh into the search box. Once the restricted-ssh rule appears, select it and click the orange Next button.

Figure 5.5: AWS Managed Rules screen

  6. On the following page (labeled Configure Rule), scroll down to the bottom and click the orange Next button.
  7. On the Review and create page, scroll down and click the orange Add rule button to create the rule in your AWS Config instance.

After completing all these steps, you should be back at the main Rules page with your new rule listed. Now that you have a rule in your account, you can look at the process of evaluating rules.
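The console walkthrough above and the managed-versus-custom distinction from the previous section can both be expressed as the request body that the AWS Config PutConfigRule API expects. The following is an added example written for this guide, not code from the book or from AWS: it builds the same restricted-ssh managed rule the console creates (its AWS source identifier is INCOMING_SSH_DISABLED and it scopes to security groups), builds a Lambda-backed custom rule for comparison, and validates a rule before sending it. The helper names are this example's own, and the Lambda ARN and account ID used are placeholders.

```python
"""Build, validate and (optionally) apply AWS Config rule definitions.

Added example for this chapter. It reproduces the restricted-ssh managed
rule from the console walkthrough as a PutConfigRule request and contrasts
it with a custom rule backed by a Lambda function. Function names are the
example's own; the Lambda ARN below is a placeholder, not a real function.
"""
import json
from typing import Any, Dict, List, Optional

# The console's "restricted-ssh" managed rule maps to this AWS identifier.
MANAGED_RESTRICTED_SSH = "INCOMING_SSH_DISABLED"

# Source.Owner values AWS Config accepts: managed, Lambda-backed custom,
# and Guard (policy-as-code) custom rules respectively.
VALID_OWNERS = {"AWS", "CUSTOM_LAMBDA", "CUSTOM_POLICY"}


def managed_rule(name: str, source_identifier: str,
                 resource_types: Optional[List[str]] = None,
                 input_parameters: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Return a ConfigRule structure for an AWS managed rule.

    No Lambda is involved: AWS owns the evaluation logic, and the rule is
    selected purely by its SourceIdentifier.
    """
    rule: Dict[str, Any] = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
    }
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": resource_types}
    if input_parameters:
        # Config expects InputParameters as a JSON-encoded string.
        rule["InputParameters"] = json.dumps(input_parameters)
    return rule


def restricted_ssh_rule(name: str = "restricted-ssh") -> Dict[str, Any]:
    """The rule the console exercise creates: flags security groups that
    allow unrestricted inbound SSH (port 22 from 0.0.0.0/0)."""
    return managed_rule(name, MANAGED_RESTRICTED_SSH,
                        resource_types=["AWS::EC2::SecurityGroup"])


def custom_lambda_rule(name: str, lambda_arn: str,
                       resource_types: Optional[List[str]] = None) -> Dict[str, Any]:
    """Return a ConfigRule structure for a custom rule whose evaluation
    logic lives in your own Lambda function (Owner CUSTOM_LAMBDA)."""
    rule: Dict[str, Any] = {
        "ConfigRuleName": name,
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": lambda_arn,
            # Trigger the Lambda whenever a tracked resource's configuration changes.
            "SourceDetails": [{
                "EventSource": "aws.config",
                "MessageType": "ConfigurationItemChangeNotification",
            }],
        },
    }
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": resource_types}
    return rule


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return a list of problems with the rule (empty means it looks valid)."""
    errors: List[str] = []
    name = rule.get("ConfigRuleName", "")
    if not name or len(name) > 128:
        errors.append("ConfigRuleName must be 1-128 characters")
    source = rule.get("Source", {})
    owner = source.get("Owner")
    if owner not in VALID_OWNERS:
        errors.append(f"Source.Owner must be one of {sorted(VALID_OWNERS)}")
    if not source.get("SourceIdentifier"):
        errors.append("Source.SourceIdentifier is required")
    if owner == "CUSTOM_LAMBDA":
        if not str(source.get("SourceIdentifier", "")).startswith("arn:aws:lambda:"):
            errors.append("CUSTOM_LAMBDA rules need a Lambda function ARN as SourceIdentifier")
        if not source.get("SourceDetails"):
            errors.append("CUSTOM_LAMBDA rules need at least one SourceDetails entry")
    return errors


def apply_rule(rule: Dict[str, Any], client: Any = None) -> Dict[str, Any]:
    """Validate the rule, then send it with client.put_config_rule.

    With client=None this is a dry run that returns the request body, so the
    example runs offline; pass boto3.client("config") to apply it for real.
    """
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    request = {"ConfigRule": rule}
    if client is None:
        return request
    return client.put_config_rule(**request)


if __name__ == "__main__":
    # Dry run: print the exact request the console exercise would produce.
    print(json.dumps(apply_rule(restricted_ssh_rule()), indent=2))
    placeholder_arn = "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER"
    print(json.dumps(apply_rule(custom_lambda_rule("my-custom-check", placeholder_arn)), indent=2))
```

Running the script prints the two request bodies without touching AWS; the difference between them is exactly the one the text describes, since the managed rule carries only an AWS-owned identifier while the custom rule names the Lambda function that holds its evaluation logic. To apply a rule, pass a real client (`apply_rule(restricted_ssh_rule(), boto3.client("config"))`), which requires the configuration recorder to be running in that Region, as the exercise notes.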