What is it?#
AWS Config records and saves configuration of supported resources.
You can use these records to audit whether resources align with best practices or org-specific patterns/rules. It also records two-way relationships between resources. For example, an instance is related to a VPC, a subnet, and a security group; that relation shows up under relationships in both the instance record and the VPC record.
Resource Schema#
https://github.com/awslabs/aws-config-resource-schema/tree/master
Advanced Query#
Run a SQL-like query against the records in AWS Config. Some query types are not supported (see below).
If you run the query against an aggregator you can query for resources across multiple accounts, even your entire organization.
This only works for current-state queries; it does not work for historical search.
Not supported#
- advanced query limitations
- wildcard matches beginning with a wildcard character, or having literal character sequences shorter than 3 characters, are unsupported
  - configuration.publicDnsName like '%11-12-13-14%' will not work
  - configuration.publicDnsName like '11%' will not work
  - configuration.publicDnsName like 'ec2-11-12-13-14%' will work
- No way to kick off an on-demand evaluation of an organization config rule without doing this for each account individually
- CloudFormation drift detection is not supported for config recorders and delivery channels
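Added example (not from the original notes): a small Python runner for the advanced queries described above. It pages through results with NextToken, decodes the JSON strings the service returns, switches to the aggregator API when an aggregator name is given, and rejects LIKE patterns that fall under the wildcard limitation just listed. `like_pattern_supported`, `run_query`, `FakeConfigClient`, the sample rows and the aggregator name `org-aggregator` are this example's own assumptions; the two boto3 calls (`select_resource_config` and `select_aggregate_resource_config`) are real, and the fake client only replays constructed rows with the same pagination contract so the example runs offline.

```python
import json
import re
from typing import Optional

# Assumed names: like_pattern_supported, run_query and FakeConfigClient are
# this example's own helpers, not part of boto3 or AWS Config.


def like_pattern_supported(pattern: str) -> bool:
    """Pre-check a LIKE pattern against the limitation listed above.

    Our reading of the rule: the pattern must not begin with '%', and every
    literal run between '%' wildcards must be at least 3 characters long.
    A pattern without any wildcard is left to the service to evaluate.
    """
    if "%" not in pattern:
        return True
    if pattern.startswith("%"):
        return False
    literal_runs = [run for run in pattern.split("%") if run]
    return all(len(run) >= 3 for run in literal_runs)


def run_query(config_client, expression: str, aggregator: Optional[str] = None,
              page_size: int = 100) -> list:
    """Run an advanced query and return every row as a parsed dict.

    Each entry in the response's Results list is a JSON string, so it is
    decoded here; NextToken is followed until the service stops returning one.
    Passing an aggregator name switches to select_aggregate_resource_config,
    which spans every account and region the aggregator covers.
    """
    for match in re.finditer(r"\blike\s+'([^']*)'", expression, flags=re.IGNORECASE):
        if not like_pattern_supported(match.group(1)):
            raise ValueError(f"unsupported LIKE pattern: {match.group(1)!r}")

    kwargs = {"Expression": expression, "Limit": page_size}
    if aggregator:
        kwargs["ConfigurationAggregatorName"] = aggregator
    rows = []
    while True:
        if aggregator:
            response = config_client.select_aggregate_resource_config(**kwargs)
        else:
            response = config_client.select_resource_config(**kwargs)
        rows.extend(json.loads(item) for item in response.get("Results", []))
        token = response.get("NextToken")
        if not token:
            return rows
        kwargs["NextToken"] = token


# Constructed sample rows in the shape the service returns for the query
# below; the fake client serves them in pages of two so pagination is exercised.
SAMPLE_QUERY = (
    "SELECT resourceId, tags.tag "
    "WHERE resourceType = 'AWS::EC2::Instance' AND tags.tag LIKE 'Owner=bruce%'"
)
SAMPLE_ROWS = [
    {"resourceId": "i-0000000000000001", "tags": [{"tag": "Owner=bruce.wayne"}]},
    {"resourceId": "i-0000000000000002", "tags": [{"tag": "Owner=bruce.willis"}]},
    {"resourceId": "i-0000000000000003", "tags": [{"tag": "Owner=bruce.banner"}]},
]


class FakeConfigClient:
    """Offline stand-in for boto3.client('config'). It does not evaluate the
    expression; it only replays its rows with the real NextToken contract."""

    def __init__(self, rows: list, page_size: int = 2) -> None:
        self._pages = [rows[i:i + page_size] for i in range(0, len(rows), page_size)] or [[]]

    def _serve(self, kwargs: dict) -> dict:
        index = int(kwargs.get("NextToken", 0))
        response = {"Results": [json.dumps(row) for row in self._pages[index]]}
        if index + 1 < len(self._pages):
            response["NextToken"] = str(index + 1)
        return response

    def select_resource_config(self, **kwargs) -> dict:
        return self._serve(kwargs)

    def select_aggregate_resource_config(self, **kwargs) -> dict:
        if "ConfigurationAggregatorName" not in kwargs:
            raise ValueError("aggregate queries need ConfigurationAggregatorName")
        return self._serve(kwargs)


if __name__ == "__main__":
    # Real use: client = boto3.client("config") and your own aggregator name.
    client = FakeConfigClient(SAMPLE_ROWS)
    for row in run_query(client, SAMPLE_QUERY, aggregator="org-aggregator"):
        print(row["resourceId"], row["tags"][0]["tag"])
```

The pre-check fails fast on the client side instead of waiting for the service to reject the expression, and the loop is the same whether you query one account or the whole organization through an aggregator.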
Examples#
List instances in an account#
SELECT
resourceId,
awsRegion,
tags
WHERE
resourceType = 'AWS::EC2::Instance'
AND accountId = '123456789012'
List all instances with a specific private IP#
Note: configuration.networkInterfaces is an array, so all elements are searched, and configuration.networkInterfaces.privateIpAddress is returned as an array of the IP addresses found.
SELECT
resourceId,
resourceType,
configuration.instanceType,
configuration.placement.tenancy,
configuration.networkInterfaces.privateIpAddress,
configuration.imageId,
availabilityZone
WHERE
resourceType = 'AWS::EC2::Instance'
AND configuration.networkInterfaces.privateIpAddress = '1.1.1.1'
Public IP (by public DNS name)#
SELECT
resourceId,
resourceType,
configuration.instanceType,
configuration.placement.tenancy,
configuration.imageId,
availabilityZone
WHERE
resourceType = 'AWS::EC2::Instance'
AND configuration.publicDnsName = 'ec2-11-12-13-14.compute-1.amazonaws.com'
Search for instances with a specific tag#
select
resourceId,
tags
where
resourceType = 'AWS::EC2::Instance'
and tags.key = 'Owner'
and tags.value = 'bruce.wayne'
Wildcard search for instances#
select
resourceId,
tags.tag
where
resourceType = 'AWS::EC2::Instance'
and tags.tag like 'Owner=bruce%' -- matches bruce.wayne, bruce.willis
Find all RDS instances not running with the rds-ca-rsa2048-g1 CA#
SELECT
configuration.cACertificateIdentifier,
resourceId,
resourceName,
accountId,
awsRegion,
tags.tag
WHERE
resourceType = 'AWS::RDS::DBInstance'
and configuration.cACertificateIdentifier != 'rds-ca-rsa2048-g1'
Find all resources created in an account between specific dates#
select
resourceType,
count(*)
where
accountId = '123456789000'
and configurationItemCaptureTime between '2024-01-01T00:00:00.000Z'
and '2024-02-01T00:00:00.000Z'
GROUP BY
resourceType
Find all buckets in 2 accounts#
select
resourceId
where
accountId in ('123456789001', '123456789002')
and resourceType = 'AWS::S3::Bucket'
Find all security groups which contain a particular cidr range#
Note: CIDR notation is converted to IP ranges for search. This means that '=' and 'BETWEEN' search for any range that includes the provided IP, instead of for an exact one. To search for an exact IP range, you need to add additional conditions to exclude IPs outside of the range.
SELECT * WHERE resourceType = 'AWS::EC2::SecurityGroup'
AND configuration.ipPermissions.ipRanges BETWEEN '10.0.0.0'
AND '10.0.0.255'
AND NOT configuration.ipPermissions.ipRanges < '10.0.0.0'
AND NOT configuration.ipPermissions.ipRanges > '10.0.0.255'
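Added example (not from the original notes): a client-side post-filter that makes the two semantics from the note explicit. `exact=False` keeps every rule whose range includes all of the target CIDR, which is what the plain BETWEEN matches (so 0.0.0.0/0 shows up); `exact=True` keeps only rules whose range is precisely the target, which is what the extra NOT < / NOT > conditions achieve in the query. `rules_matching` and `SAMPLE_GROUPS` are this example's own; the rows are constructed to mirror the `configuration.ipPermissions.ipRanges` shape the query above projects.

```python
import ipaddress
from typing import List, Tuple

# Assumed names: rules_matching and SAMPLE_GROUPS are this example's own; the
# row shape mirrors the fields the security-group query above returns.

Hit = Tuple[str, object, object, str]  # (resourceId, fromPort, toPort, range)


def rules_matching(rows: List[dict], cidr: str, exact: bool = False) -> List[Hit]:
    """Post-filter security-group rows for rules touching `cidr`.

    exact=False reproduces the BETWEEN behaviour from the note: any rule whose
    range contains every address of `cidr` matches, so a 0.0.0.0/0 rule counts.
    exact=True keeps only rules whose range equals `cidr`.
    """
    target = ipaddress.ip_network(cidr, strict=False)
    hits: List[Hit] = []
    for row in rows:
        for perm in row.get("configuration", {}).get("ipPermissions", []):
            for rng in perm.get("ipRanges", []):
                net = ipaddress.ip_network(rng, strict=False)
                if net.version != target.version:
                    continue  # an IPv6 range can never contain an IPv4 target
                if exact:
                    matched = net == target
                else:
                    matched = (net.network_address <= target.network_address
                               and target.broadcast_address <= net.broadcast_address)
                if matched:
                    hits.append((row["resourceId"], perm.get("fromPort"), perm.get("toPort"), rng))
    return hits


# Constructed sample rows: an exact /24 rule, a world-open rule, a narrower
# /25 rule and an unrelated /24, covering the cases the note distinguishes.
SAMPLE_GROUPS = [
    {"resourceId": "sg-aaaa0001", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/24"]}]}},
    {"resourceId": "sg-aaaa0002", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0", "::/0"]}]}},
    {"resourceId": "sg-aaaa0003", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/25"]}]}},
    {"resourceId": "sg-aaaa0004", "configuration": {"ipPermissions": [
        {"ipProtocol": "-1", "fromPort": None, "toPort": None, "ipRanges": ["10.0.1.0/24"]}]}},
]


if __name__ == "__main__":
    # In practice `rows` would be the parsed results of the query above.
    print("includes 10.0.0.0/24:", rules_matching(SAMPLE_GROUPS, "10.0.0.0/24"))
    print("exactly 10.0.0.0/24:", rules_matching(SAMPLE_GROUPS, "10.0.0.0/24", exact=True))
    print("open to the world:", rules_matching(SAMPLE_GROUPS, "0.0.0.0/0", exact=True))
```

Calling `rules_matching(rows, "0.0.0.0/0", exact=True)` is a quick way to list rules open to the whole internet, with the port range attached so the finding can be triaged.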
Aggregator#
Aggregates resource records from different accounts and regions. A default set up is done by [[AWS Control Tower]], if you don’t want to set it up from scratch yourself.
Recorder#
Delivery Channel#
Rules#
What is a rule?#
Triggers#
Custom rules#
Implement custom rules in Lambda to validate the resource record.
Managed rules#
Use AWS managed rules to validate the resource record. Full list of managed rules is here.
Record software changes on EC2#
You can use AWS Config to record software inventory changes on Amazon EC2 instances and on-premises servers.
- Turn on recording for the managed instance inventory resource type in AWS Config.
- Configure EC2 and on-premises servers as managed instances in AWS Systems Manager. A managed instance is a machine that has been configured for use with Systems Manager.
- Initiate collection of software inventory from your managed instances using the Systems Manager Inventory capability.
References#