The Config Role – Managing Your Environment with AWS Config – SCS-C02 Study Guide

The Config Role

During the setup of the configuration recorder, you will create and specify the IAM role that the recorder assumes to gain read-only access to your resources so that it can record configuration items. The role also needs read and write permissions on the designated S3 bucket in order to publish the configuration snapshots. It also needs permission to use any KMS key that encrypts the snapshots and to publish notifications to the SNS topics.

As you create the IAM role in the steps of the Basic Setup of Configuration Recorder example, you will see all the permissions in a policy file.

Configuration Streams

When a change against a resource occurs in your environment, the result is that a new configuration item is created. When that new configuration item is created, it is automatically added to a configuration stream, which is essentially an SNS topic. As you will see, when you set up your configuration recorder to capture the resources and changes in your AWS environment, you can specify the SNS topic for your stream.

Declaring an SNS topic for your configuration stream, especially one you actively monitor, helps you identify unexpected changes and potential security incidents.

Basic Setup of the Configuration Recorder

For a hands-on example of the Config service, you will now set up the service using the CLI:

  1. Open your terminal and start by making a new S3 bucket to save your Config data and snapshots. You will need to use a globally unique name for your S3 bucket, since no two S3 buckets anywhere in AWS can share the same name:

aws s3 mb s3://packt-config --region us-east-2

  2. With your bucket created, make an SNS topic for the Config service. Do this with the following command line:

aws sns create-topic --name packt-config

If it was successful, you should get a response like the one that follows. You will need to save the ARN for when you later create your delivery channel:

-------------------------------------------------------------
|                        CreateTopic                        |
+----------+------------------------------------------------+
|  TopicArn|  arn:aws:sns:us-east-1:1234567890:packt-config |
+----------+------------------------------------------------+

  3. Next, create an IAM role for the Config service. Customize the baseline policy below, enter the bucket values and SNS topic, and then craft your policy in a text editor. Open a text editor in the terminal, such as vim, or use Notepad or your IDE to create a file named iam_config.json. When you are done, it should look like the following file. Note that AWS:SourceAccount needs to be changed to your AWS account ID once again:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "1234567890"
                }
            }
        }
    ]
}

  4. After you have created the iam_config.json file, create the IAM role using the following command:

aws iam create-role --role-name Packt-Config --assume-role-policy-document file://iam_config.json

  5. If this is successful, it should come back with the role ARN as part of the output, as shown in the following. Save your ARN for when you start up your configuration recorder:

arn:aws:iam::1234567890:role/Packt-Config

  6. Having created the role, you now need to create the policy that the role can use. Do this in the same manner by which you created the role, using a text editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfigS3PutPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::packt-config/*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "ConfigS3GetPolicy",
            "Effect": "Allow",
            "Action": [ "s3:GetBucketAcl" ],
            "Resource": "arn:aws:s3:::packt-config"
        },
        {
            "Sid": "ConfigSNSPolicy",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:182968331794:packt-config"
        },
        {
            "Sid": "DescribeResources",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
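As an added example (not the study guide's own code), here is a Python check you can run over the two policy files before calling create-role: it confirms that the trust policy carries the aws:SourceAccount condition for your account and that the permissions policy is scoped to the bucket and topic you created. The account number and the sample policy inside it are constructed.

```python
# Added example, not the study guide's code: sanity-check the Config role's
# trust and permissions policies before running `aws iam create-role`.
import json

CONFIG_SERVICE = "config.amazonaws.com"

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def check_trust_policy(doc: str, account_id: str) -> list:
    """Findings for the AssumeRole trust policy; an empty list means it passes."""
    findings = []
    for stmt in json.loads(doc).get("Statement", []):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if stmt.get("Principal", {}).get("Service") != CONFIG_SERVICE:
            findings.append("principal is not config.amazonaws.com")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition keys are case-insensitive, so compare them lower-cased
        source = {k.lower(): v for k, v in cond.items()}.get("aws:sourceaccount")
        if source is None:
            findings.append("missing aws:SourceAccount condition (confused deputy)")
        elif source != account_id:
            findings.append(f"aws:SourceAccount is {source}, expected {account_id}")
    return findings

def check_permissions_policy(doc: str, bucket: str, topic_arn: str) -> list:
    """Findings for the permissions policy against the bucket and topic you chose."""
    findings = []
    for stmt in json.loads(doc).get("Statement", []):
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "s3:PutObject" in actions:
            if resources != [f"arn:aws:s3:::{bucket}/*"]:
                findings.append("s3:PutObject is not scoped to the Config bucket's objects")
            acl = stmt.get("Condition", {}).get("StringLike", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append("s3:PutObject lacks the bucket-owner-full-control ACL condition")
        if "sns:Publish" in actions and resources != [topic_arn]:
            findings.append("sns:Publish is not scoped to the delivery channel topic")
    return findings

# Constructed sample (hypothetical account number): a trust policy that omits
# the SourceAccount condition, which is the confused-deputy case it guards against.
TRUST_NO_CONDITION = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
    "Action": "sts:AssumeRole"}]})
```

Run it against your own iam_config.json and permissions file with the account ID, bucket name and topic ARN from the steps above; any finding printed is a reason not to create the role yet.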