Managing Your Environment with AWS Config – SCS-C02 Study Guide

Moving through the incident response domain, you have now come to the next critical service that you need to know about, one that helps to show you what has changed after an incident has occurred—AWS Config.

AWS Config and its configuration recorder can help you take a real-time inventory of most of the resources in a single account running in a single Region or can be configured to collate data across multiple Regions and even multiple accounts.

The service provides even greater functionality when it comes to security. For organizations that need to maintain a compliance security standard, AWS Config can evaluate your resources as soon as a change is recorded or on a fixed schedule and, with the help of Config rules, determine whether they are in or out of compliance. If they are found to be out of compliance, you can use a combination of Lambda and Systems Manager to automate remediations that either destroy items that do not meet the compliance standards or auto-remediate them to keep them compliant.
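To make the Config rule flow concrete, here is an added example (not code from the study guide or from AWS) of a change-triggered custom rule implemented as a Python Lambda function: it reads the configuration item Config passes in the invoking event, decides whether a security group exposes SSH or RDP to the whole Internet, and reports the verdict back with `put_evaluations`. The configuration item layout, the restricted-port policy and the sample event are assumptions constructed for this example.

```python
import json

RESTRICTED_PORTS = {22, 3389}  # never reachable from the Internet (policy assumed for this example)

def _cidrs(permission):
    """CIDRs of one ingress permission; accepts dict or plain-string range entries (layout assumed)."""
    ranges = permission.get("ipRanges", []) + permission.get("ipv6Ranges", [])
    return {r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")) for r in ranges}

def is_world_open(permission):
    """True if the permission exposes a restricted port (or all ports) to 0.0.0.0/0 or ::/0."""
    if not ({"0.0.0.0/0", "::/0"} & _cidrs(permission)):
        return False
    low, high = permission.get("fromPort"), permission.get("toPort")
    if low is None or high is None:  # ipProtocol -1 carries no ports: everything is open
        return True
    return any(low <= port <= high for port in RESTRICTED_PORTS)

def evaluate_compliance(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    offending = [p for p in item.get("configuration", {}).get("ipPermissions", []) if is_world_open(p)]
    if offending:
        return "NON_COMPLIANT", f"{len(offending)} ingress rule(s) expose a restricted port to the world"
    return "COMPLIANT", "no restricted port is open to the world"

def build_evaluation(event):
    """Parse the invoking event Config passes to a custom rule and build one evaluation record."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic stays testable without AWS access
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample of a change-triggered invocation (not a real captured event).
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
    "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Calling `build_evaluation(SAMPLE_EVENT)` returns a `NON_COMPLIANT` evaluation; in Lambda, `lambda_handler` then hands that record to Config, which is what later drives the automated remediation described in this chapter.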

The following main topics will be covered in this chapter:

  • Understanding the use and components of AWS Config
  • Using Config rules to enforce business and compliance standards
  • Using Config to help with audits
  • Using Lambda functions to remediate violated Config rules automatically
  • Aggregating multi-Region and multi-account data into AWS Config

Technical Requirements

You will require access to the AWS Management Console with an active account along with AWS CLI access. It is also helpful to have an understanding of coding concepts when you go through the remediation code presented in this chapter.

The Task of Internal Compliance and Audit Teams

Traditionally, security and compliance teams have spent a great deal of time manually managing system compliance information and taking steps to improve compliance. As a security architect or engineering team member, part of your responsibility is to prepare the working environment (in this case, the AWS cloud) so that, when an audit takes place, the necessary information is available. These tasks fall upon a small number of highly specialized individuals, which makes managing compliance manually a burdensome and time-consuming task that is much better automated with the use of specialized tools. After all, a manual process is not scalable in the cloud, especially as the number of accounts grows to tens or hundreds and the number of resources you need to keep track of scales exponentially with each account.

Preparing items for compliance and auditing is an annual event in a traditional IT environment. It usually becomes the priority of the organization and takes resources away from other duties.

AWS Config introduces the concept of continuous compliance. By maintaining constant recordings of the state of resources, AWS Config ensures that any time a change occurs to one of the compatible resources on your system, it is captured along with which entity made the change. You no longer need to wonder whether your resources are meeting the compliance requirements. With continuous compliance, you can apply complete transparency to everything running in your AWS environments. You can also audit and report compliance levels at any time, on demand.