Note – Managing Your Environment with AWS Config – SCS-C02 Study Guide

Note

Did you notice the StringLike and StringEquals operators in the policies contained in the condition statements? Knowing how to parse these out will be essential for deciphering the policies on the test. This will be covered in more detail in Chapter 14, Working with Access Policies.

  • Now create the IAM policy so you can attach it to the role. Name the policy cr-policy (where cr stands for configuration recorder):

aws iam create-policy --policy-name cr-policy --policy-document file://iam_config_policy.json

  • Now attach the policy to the role using the attach-role-policy command. You need the full ARN you used when you created the cr-policy policy to run this command:

aws iam attach-role-policy --role-name Packt-Config --policy-arn arn:aws:iam::182968331794:policy/cr-policy

  • Next, create a JSON file of the types of resources you want to capture. Only record the configurations of security groups and EBS volumes for this exercise. Open your text editor or IDE again to create a file named resources.json. It should look like the following file when you are done:

{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": [
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::Volume"
  ]
}

  • With the file of resources that you want, you can now create your configuration recorder. Use the following command to start the configuration recorder in your account. If you saved the resources.json file to a different path from where you currently are, be sure to provide the full path so the CLI can find the file. Use the IAM Config service role but be sure to switch out your account number in the part of the command that says {1234567890}:

aws configservice put-configuration-recorder --configuration-recorder name=packt,roleARN=arn:aws:iam::182968331794:role/Packt-Config --recording-group file://resources.json

  • Assuming the preceding command is successful, you can now create a delivery channel file. This is where you will tell Config about the S3 bucket and the SNS topic set up earlier. Open your text editor again and create a new file called delivery.json. Ensure it matches the following file, but make sure that you enter the values for your account. This includes changing the account number and the S3 bucket name, and checking the SNS topic:

{
  "name": "default",
  "s3BucketName": "packt-config",
  "snsTopicARN": "arn:aws:sns:us-east-1:1234567890:packt-config",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

  • Once your delivery.json file has been created and saved, move on to creating the delivery channel with the following command:

aws configservice put-delivery-channel --delivery-channel file://delivery.json

  • Now, with the delivery channel up and running, you can start the recording by running the following command:

aws configservice start-configuration-recorder --configuration-recorder-name packt

It will take a few minutes to capture the configuration items; however, you are finished setting up the configuration recorder.

With the setup of the configuration recorder complete, give the AWS Config service a little time to discover the items in the two services that we stood up previously.
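Both put-configuration-recorder and put-delivery-channel reject a malformed document only once the call reaches the API, so a local pre-flight check of resources.json and delivery.json saves a round of trial and error. The script below is an added example, not from the study guide or from AWS; it encodes the documented constraints on the two documents (allSupported cannot be combined with resourceTypes, includeGlobalResourceTypes needs allSupported, deliveryFrequency has a fixed set of values) and uses constructed sample documents with a 12-digit placeholder account ID.

```python
"""Pre-flight checks for the recording-group and delivery-channel JSON
documents built for `aws configservice put-configuration-recorder` and
`put-delivery-channel`. Example code, not part of the AWS CLI or SDK."""
import re

# Documented values for configSnapshotDeliveryProperties.deliveryFrequency.
DELIVERY_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                        "Twelve_Hours", "TwentyFour_Hours"}
RESOURCE_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")
# Assumes the standard "aws" partition; account IDs are always 12 digits.
SNS_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")

def check_recording_group(group):
    """Return a list of problems found in a recordingGroup document."""
    problems = []
    all_supported = bool(group.get("allSupported", False))
    types = group.get("resourceTypes", [])
    if all_supported and types:
        problems.append("allSupported=true cannot be combined with resourceTypes")
    if not all_supported and not types:
        problems.append("allSupported=false requires a non-empty resourceTypes list")
    if group.get("includeGlobalResourceTypes") and not all_supported:
        problems.append("includeGlobalResourceTypes=true requires allSupported=true")
    for t in types:
        if not RESOURCE_TYPE_RE.match(t):
            problems.append(f"malformed resource type: {t!r}")
    return problems

def check_delivery_channel(channel):
    """Return a list of problems found in a delivery-channel document."""
    problems = []
    if not channel.get("s3BucketName"):
        problems.append("s3BucketName is required")
    arn = channel.get("snsTopicARN")
    if arn and not SNS_ARN_RE.match(arn):
        problems.append(f"snsTopicARN is not a well-formed SNS topic ARN: {arn!r}")
    freq = channel.get("configSnapshotDeliveryProperties", {}).get("deliveryFrequency")
    if freq is not None and freq not in DELIVERY_FREQUENCIES:
        problems.append(f"deliveryFrequency {freq!r} is not one of {sorted(DELIVERY_FREQUENCIES)}")
    return problems

# Constructed samples mirroring the two files created in the steps above.
RESOURCES = {"allSupported": False, "includeGlobalResourceTypes": False,
             "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::EC2::Volume"]}
DELIVERY = {"name": "default", "s3BucketName": "packt-config",
            "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:packt-config",
            "configSnapshotDeliveryProperties": {"deliveryFrequency": "Twelve_Hours"}}

if __name__ == "__main__":
    print(check_recording_group(RESOURCES), check_delivery_channel(DELIVERY))
```

Run it against the files on disk with `json.load` before issuing the two CLI calls; an empty list from both functions means the documents pass the structural checks.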

AWS Config Dashboard

After you have the configuration recorder up and running, you can go to the AWS Management Console to see the AWS Config dashboard. You can jump there directly using the following URL: https://packt.link/U0bU9.

When you open the dashboard, you will be able to see the number of configuration items recorded:

Figure 5.2: AWS Config dashboard after the initial recorder run