Wednesday, March 21, 2018

Using aws config to monitor Stacks with Screenshots

Aws config can be used to monitor the instances, security group and other resources within you AWS Account. This is specially useful to monitor the compliance of the instances and to raisae alarm if someone creates an instance without the proper procedure like missing tags, changes in the security group, non compliant instance type etc.

Aws config will mark them as non-compliant under the config dashboard and can send a notification using the SNS service.It can easily be deployed using the cloudformation and helps in managing the resource effectively. This is specially recommended in case you have many users in your organization with the dashboard access who have privilege to create the instances.

Follow the procedure descripbed below to configure the aws config in your environment for the ec2 instances where you can define the instances which are compliant in your aws account any instance apart from them would be marked as non-compliant and you configure an alert for the same.

Start by selecting the Config service from the aws dashboard

If you haven't configured the Aws config start by clicking "Get Started"

You need to creat a bucket that would be used the config service and grant a role to the config service which would only be used to access the s3 bucket specified and the sns service if you want to send the push notification such as email etc.
You can select the different types of rules from your config from here, however in our case we are going to use the cloudformation for the config so we are just going to proceed to next as this rules is already specified in the cloudformation template

Review the details of the changes that you have provided and click Confirm so that s3 bucket and sns can be created to be used with the config service.

On the next screen you would see the config setup starts and it will take some time to create the configurations i.e. your s3 bucket and the iam rules for the s3 access and sns access used by the config service
Once done you should see a config service dashboard
Next we are going to navigate to the prebuild aws template for the cloudformation to be used by the config service creation. Open the following link  and select the desired-instance-type
This will show you the details of the config were you can specify the alert on the specified instance type so that any instance created apart from the specified once are marked as non-compliant and you can take action on the same. Click on view to see the json template details which the cloudformation will run for you.

Following is the json template which the cloudformation will run for you
Go back and click on the "Launch Stack" to run the template directly inside the cloudformation service.

Once done click next to proceed
Input all the instance type that you want to run that would be marked as compliant while if any other instance type is created in your account it would be marked as non-compliant.
You can enter the key value pairs, iam role etc. At this point click next to proceed further.
Review all the changes and click create.
Than the cloudformation will start creating the config service for you and would take some time during which you would see in progress against the stack
Once its completed it  should mark it as complete
At this point go back to the ec2 instance and create some instance if not already done. Create some compliant and non-compliant instance to verify. In our case t2.micro is compliant while t2.small is non-compliant.

Next go to the config service.

You should see the Dashboard as follows
Select the Rules in the Left column and it should show the desired rules settings
Once you select the rule and click on it , it will show the config details


Post a Comment