Using AWS Config Rules to Manage Resource Tag Compliance

Amazon Web Services (AWS) introduced AWS Config in 2014 to help users of their services track changes to the configuration of EC2 instances and other AWS resources. This offering was further enhanced in following years with the introduction of AWS Config Rules. AWS Config Rules allow the user to configure and respond to configuration changes in an automated manner.

In this article, we’re going to take a quick look at both AWS Config and AWS Config Rules, and how to implement them. As a case study, we’re going to look at setting up a rule to manage compliance with required tagging standards. The ease with which an engineer can create, provision and update resources within the AWS environment is hugely beneficial, but can become a compliance management nightmare for those who are responsible for the AWS configuration management. Tagging standards compliance is just one example of how AWS Config Rules can be leveraged to support those responsible for governance.

[Learn More: AWS Config vs CloudTrail]

What is AWS Config and How Do I Enable It?

AWS Config is a service which provides the user with an inventory of AWS Resources in their account and a history of configuration changes to those resources. To enable AWS Config for your account, log in to your AWS Console and navigate to the Config Dashboard.

You configure the settings for AWS Config at the region level. The easiest way to set this up is to click on the Get started button. The initial configuration steps require you to select:

• The resources you would like to monitor
• An S3 bucket in which to store configuration history and snapshot files
• The checkbox if you would like to stream configuration changes to an SNS topic
• IAM Role to grant AWS Config read-only access to your resources.

I used the default settings for AWS Config in my account and then clicked Next to move on to the rules. Let’s look at what AWS Config Rules are and how they work before we look at configuring the rules.

How Do AWS Config Rules Work?

AWS Config Rules can be created or added to AWS Config to evaluate the configuration of your AWS resources. There are currently 25 rules which can be added to your AWS Config, ranging from validations that your ELB-enabled ASGs are using ELB health checks to validating whether you have activated Auto Scaling on your DynamoDB tables. We’ll be implementing a rule call required-tags. This rule allows the user to specify required tags for particular resource types. For our example, we’ll be looking for CostCenter, Team, and Application.

If the rule you would like to implement is not included in the collection of preconfigured rules, click on Skip to jump to the Review step. You can learn more about creating a custom AWS Config Rule in the AWS Documentation for Developing Custom Rules for AWS Config. The rule we’ll be implementing is required-tags, so type required-tags into the filter and hit Enter.

The required-tags rule allows you to specify:

• Which resources you would like to run the rule against
• Whether you want to execute the rule periodically, or each time a change is introduced.
• Rule parameters, which in this case are a list of required tags, and optional values.

I selected Configuration changes as my trigger, left the default list of Resources, and added Team and Application to the list of required tags. Click Save to add another rule, or to save the configuration and review your specifications before saving them.

Once you have reviewed your configuration and saved it, AWS will begin to index your resources. After a few minutes, your dashboard should look similar to the one shown below.

Responding to the Rule Violations and Staying Current On Changes

When you add a new AWS Config Rule and save the configuration, AWS automatically evaluates your environment based on the rule. From the list of Noncompliant rules, you can click on the rule and view a list of resources for which the rule failed. In our case, we’ll want to ensure that each of those resources has the required tags, and then click on Re-evaluate to recheck our environment.

Once you have everything compliant, you’ll want to ensure that resources remain in compliance. You may recall that we configured an SNS queue during the configuration of our Rules. Let’s set up an email subscription to the queue so we can be notified about configuration changes as they are introduced. Depending on the size of your environment, you may want to investigate different ways of consuming and responding to the queue so that you inundate your inbox with compliance-related emails.

Navigate to the SNS Dashboard in your account. If you click on the Topics section, you should see config-topic in the list of topics. Check the box next to config-topic and then click on the Actions drop-down and choose Subscribe to topic.

In the protocol input field, select Email and then enter your email address in the Endpoint field. You’ll receive an email to confirm the subscription, and then subsequent emails each time changes are introduced to the environment, and the rules are executed.

AWS Config Rules make it easier for you to manage compliance within your environment and stay up-to-date with configuration changes as they are introduced for AWS monitoring.

Click here to learn more about Sumo Logic's AWS Config Tools.