AWS Config sandbox
What is it?
AWS Config records and stores the configuration of supported resources.
You can use these records to audit whether resources align with best practices or with org-specific patterns and rules. It also captures two-way relationships between resources. For example, an instance is related to a VPC, a subnet and a security group; that relationship shows up under relationships in both the instance record and the VPC record.
Resource Schema
https://github.com/awslabs/aws-config-resource-schema/tree/master
Advanced Query
Run a SQL-like query against the records in AWS Config. Some query types are not supported (see below).
If you run the query against an aggregator, you can query resources across multiple accounts, or even your entire organization.
This only works for current-state queries; it does not work for historical searches.
Not supported
- Advanced query limitations:
  - Wildcard matches that begin with a wildcard character, or whose literal character sequences are shorter than 3 characters, are unsupported:
    - configuration.publicDnsName like '%11-12-13-14%' will not work
    - configuration.publicDnsName like '11%' will not work
    - configuration.publicDnsName like 'ec2-11-12-13-14%' will work
- No way to kick off an on-demand evaluation of an organization config rule without doing it for each account individually
- CloudFormation drift detection is not supported for config recorders and delivery channels
Examples
List all tags of instances in a specific account
SELECT
resourceId,
awsRegion,
tags
WHERE
resourceType = 'AWS::EC2::Instance'
AND accountId = '12345678912'
List all instances with a specific private IP
Note: configuration.networkInterfaces is an array, so every element is searched; in the result, configuration.networkInterfaces.privateIpAddress is returned as an array of the IP addresses found.
SELECT
resourceId,
resourceType,
configuration.instanceType,
configuration.placement.tenancy,
configuration.networkInterfaces.privateIpAddress,
configuration.imageId,
availabilityZone
WHERE
resourceType = 'AWS::EC2::Instance'
AND configuration.networkInterfaces.privateIpAddress = '1.1.1.1'
Public IP (searched via the public hostname)
SELECT
resourceId,
resourceType,
configuration.instanceType,
configuration.placement.tenancy,
configuration.imageId,
availabilityZone
WHERE
configuration.ServerHostname = 'ec2-11-12-13-14.compute-1.amazonaws.com'
Search for instances with a specific tag
select
resourceId,
tags
where
resourceType = 'AWS::EC2::Instance'
and tags.key = 'Owner'
and tags.value = 'bruce.wayne'
Wildcard search for instances
select
resourceId,
tags.tag
where
resourceType = 'AWS::EC2::Instance'
and tags.tag like 'Owner=bruce%'
(tags.tag holds key=value pairs, so this matches e.g. Owner=bruce.wayne and Owner=bruce.willis)
Find all RDS instances not running with the rds-ca-rsa2048-g1 CA
SELECT
configuration.cACertificateIdentifier,
resourceId,
resourceName,
accountId,
awsRegion,
tags.tag
WHERE
resourceType = 'AWS::RDS::DBInstance'
and configuration.cACertificateIdentifier != 'rds-ca-rsa2048-g1'
Aggregator
Aggregates resource records from different accounts and regions. [[AWS Control Tower]] sets up a default aggregator if you don't want to set one up from scratch yourself.
Conformance Packs
Recorder
Delivery Channel
Rules
What is a rule?
Triggers
Custom rules
Implement custom rules in Lambda to validate the resource record.
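As an added example (not from these notes), a Lambda handler for a custom rule that checks the same field the RDS query above uses, configuration.cACertificateIdentifier. The rule parameter name expectedCa is an assumption; the default CA identifier is the one from the query. The config_client argument exists only so the handler can be exercised without AWS credentials.

```python
"""Custom AWS Config rule (Lambda): flag RDS instances not using the expected CA."""
import json

EXPECTED_CA = "rds-ca-rsa2048-g1"  # default; override with rule parameter "expectedCa" (assumed name)


def evaluate_compliance(configuration_item, expected_ca=EXPECTED_CA):
    """Return (compliance_type, annotation) for one configuration item.

    Reads configuration.cACertificateIdentifier on AWS::RDS::DBInstance records,
    the same schema field the advanced query above filters on."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource was deleted"
    if configuration_item.get("resourceType") != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE", "Rule only applies to RDS DB instances"
    actual = (configuration_item.get("configuration") or {}).get("cACertificateIdentifier")
    if actual == expected_ca:
        return "COMPLIANT", f"CA is {expected_ca}"
    return "NON_COMPLIANT", f"CA is {actual!r}, expected {expected_ca}"


def lambda_handler(event, context=None, config_client=None):
    """Entry point AWS Config invokes on a configuration-change trigger.

    config_client can be injected for offline testing; otherwise a boto3 client is created.
    Oversized change notifications (no configurationItem in invokingEvent) are not handled here."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    expected_ca = params.get("expectedCa", EXPECTED_CA)
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item, expected_ca)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when actually running inside Lambda
        config_client = boto3.client("config")
    # Report the result back to Config under the token it handed us
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```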
Managed rules
Use AWS managed rules to validate the resource record. The full list of managed rules is here.
Record software changes on EC2
You can use AWS Config to record software inventory changes on Amazon EC2 instances and on-premises servers:
- Turn on recording for the managed instance inventory resource type in AWS Config.
- Configure EC2 and on-premises servers as managed instances in AWS Systems Manager. A managed instance is a machine that has been configured for use with Systems Manager.
- Initiate collection of software inventory from your managed instances using the Systems Manager Inventory capability.