Real-Life Example of Using Automated Remediations – Managing Your Environment with AWS Config – SCS-C02 Study Guide

Real-Life Example of Using Automated Remediations

Suppose you are part of a company that has developed an organization-wide policy that no EBS volume can be created without encryption. This would be the perfect opportunity for automatic remediation. First, you would create a rule that checks whether a volume is encrypted and that is triggered when the resource is created. If the resource failed to meet this standard, you could create a custom Systems Manager Automation runbook that would instantly destroy that EBS volume before it even had the chance to be attached to an instance and have any data placed on it.

If you didn’t want to delete the volume, you could instead choose the predefined AWS EBS DetachVolume automation. Whenever someone tried to attach that volume, it would instantly be detached from the instance and thus become unavailable. In the latter case, the volume would still be an active resource and would continue to incur charges for the account.
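As an added example that is not part of the study guide, the rule-plus-remediation setup described above expressed as a CloudFormation template: the managed ENCRYPTED_VOLUMES rule scoped to AWS::EC2::Volume, a custom Systems Manager Automation runbook that deletes the offending volume, and a remediation configuration that wires the two together. The logical resource names, the rule name and the AutomationRoleArn parameter are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AutomationRoleArn:
    Type: String
    Description: Placeholder ARN of the IAM role the runbook assumes (needs ec2:DeleteVolume)
Resources:
  # Managed rule ENCRYPTED_VOLUMES evaluates AWS::EC2::Volume on configuration change,
  # so a newly created volume is checked as soon as Config records it.
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ebs-volumes-must-be-encrypted
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
  # Custom Automation runbook (assumed name) that deletes the volume Config hands it.
  # DeleteVolume only succeeds while the volume is still unattached, which is the
  # window the text describes.
  DeleteUnencryptedVolumeRunbook:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      DocumentFormat: YAML
      Content:
        schemaVersion: "0.3"
        assumeRole: "{{ AutomationAssumeRole }}"
        parameters:
          VolumeId: { type: String }
          AutomationAssumeRole: { type: String }
        mainSteps:
          - name: deleteVolume
            action: aws:executeAwsApi
            inputs:
              Service: ec2
              Api: DeleteVolume
              VolumeId: "{{ VolumeId }}"
  # Automatic remediation: RESOURCE_ID resolves to the ID of the NON_COMPLIANT volume.
  DeleteVolumeRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EncryptedVolumesRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref DeleteUnencryptedVolumeRunbook
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        VolumeId: { ResourceValue: { Value: RESOURCE_ID } }
        AutomationAssumeRole: { StaticValue: { Values: [!Ref AutomationRoleArn] } }
```

For the non-destructive variant, point TargetId at the AWS-managed AWS-DetachEBSVolume document instead and drop the custom runbook resource; the volume then stays an active, billable resource, as the text notes.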

Having reviewed how to remediate non-compliant resources in your account with AWS Config, you can now learn how to use Config across multiple Regions and multiple accounts.

Multi-Account and Multi-Region Data Aggregation with AWS Config

Many companies and organizations have moved past a single account structure and have multiple accounts and organizational units powered by AWS Organizations. You can collect all the compliance data and account configurations using an aggregator.

An aggregator in AWS Config is a type of resource that allows you to collect compliance data and configurations in any of the following scenarios:

  • If you have only a single account but need a multi-Region setup, then you need to use an aggregator to collect the data in all Regions and present a unified view.
  • If you have multiple accounts and multiple Regions and you want to present the findings in a unified view, then an aggregator can collect the information from all the accounts and store it in a single location.
  • If you are running your accounts via AWS Organizations and you want to assemble all the data, then using an aggregator makes it much simpler to find trends across accounts.

You can see from Figure 5.6 how the data would flow from either a separate Region or a separate account and then be presented in the aggregated view.

Figure 5.6: Flow of AWS Config data into the aggregator

Once the aggregator has collected the data, a dashboard on the Aggregators page displays all the configuration data, an overview of your rules, and your compliance packs, along with their compliance status.

The Aggregators dashboard also provides a combined count of all the resources and source accounts, ranked from the highest resource count downwards.

Takeaways for the Certification Exam

Now that you have reviewed the functionality of the AWS Config service, a solid understanding of the following concepts will be relevant when you take your AWS Certified Security Specialty exam:

  • AWS Config records WHAT changes have taken place and WHEN.
  • Once the configuration recorder has been turned on, it will discover all the supported resources in an account and then create a configuration file for each one in that Region, unless the aggregator has been used. This is essentially a service that provides a real-time running inventory for you or an auditor.
  • AWS Config keeps a running count of resources that are both in and out of compliance.
  • AWS Config can remediate items found to be out of compliance with the help of other services such as AWS Lambda and Systems Manager.