Important: this lab builds on the components deployed in Config rule with remediation. You will need to deploy the stack from that lab to continue below.
In this step we will create a Config rule from the AWS managed rule cloudtrail-enabled, which evaluates whether CloudTrail is enabled in your AWS account.
cloudtrail-enabled, and then click on the cloudtrail-enabled rule.
management-tools-weeklog group. The ARN will be on the top-left side of the console. Copy this, and paste it into the
When this rule evaluates, it should mark your AWS account as compliant (the trail from the first lab is enabled and delivering to that log group).
Now we will create the trigger for the Lambda function deployed by our CloudFormation template. This function will execute as soon as we make our CloudTrail configuration non-compliant.
This demonstrates that, while we certainly can use Config itself to perform remediations, other tools can do so as well. In this case a CloudWatch Events rule will capture the compliance change notification from Config and trigger a Lambda execution that performs the remediation for us.
Go to the CloudWatch console and, under Events in the left-hand menu, click Rules.
ConfigSSMLab-EnforceCloudTrailFunctionLambda function, which is the function deployed by our CloudFormation stack. Feel free to take a look at the function code in Lambda.
Click Configure details
CloudTrailChange as the rule name, leave the state Enabled, and then click Create rule.
Now that we have an event rule configured to remediate a broken CloudTrail configuration, let's force it to execute.
In CloudTrail, go to the trail we created in the first lab and remove the CloudWatch Logs configuration: click on the trail, click Edit next to CloudWatch Logs, deselect the Enabled box and save your changes.
Navigate to the Config rule for CloudTrail and re-evaluate it. Refresh the screen after a minute and confirm that it now shows as noncompliant.
Go back to CloudTrail. Did the CloudWatch Logs configuration return? Did you get an e-mail?
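The steps above wire Config to Lambda entirely through the console, so the two pieces that actually do the work never appear on the page: the event pattern the CloudWatch Events rule stores, and what the target function does with the notification. The following is an added example written for this page; it is not the lab's CloudFormation template or the ConfigSSMLab-EnforceCloudTrailFunctionLambda code. The `source` and `detail-type` values are the ones Config emits for compliance changes; the sample event is a constructed, abbreviated notification, and the trail name, log group ARN and role ARN in the usage block are hypothetical placeholders for the ones you created in the first lab. The CloudTrail client is injected (a recording stand-in is used here) so the whole thing runs without AWS credentials.

```python
"""Added example (not the lab's own CloudFormation or Lambda code): the event
pattern for the CloudWatch Events rule that wires AWS Config to Lambda, and the
remediation a target function could perform, with the CloudTrail client
injected so everything here runs offline."""

# Name of the AWS managed rule created earlier in this lab.
CONFIG_RULE_NAME = "cloudtrail-enabled"

# Event pattern for the CloudWatch Events rule. "aws.config" and
# "Config Rules Compliance Change" are the source and detail-type Config emits;
# narrowing to our rule name and NON_COMPLIANT keeps the function from firing
# on every evaluation of every rule in the account.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Minimal CloudWatch Events-style matcher: every key in the pattern must
    be present in the event, a list is the set of acceptable values, and a
    nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


class RecordingCloudTrail:
    """Stand-in for boto3.client("cloudtrail") that records the calls made,
    so the handler can be exercised without AWS credentials."""

    def __init__(self):
        self.calls = []

    def update_trail(self, **kwargs):
        self.calls.append(("update_trail", kwargs))
        return kwargs

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        return kwargs


def handler(event, client, trail_name, log_group_arn, role_arn):
    """Remediation logic for the Lambda target. The event rule already filters,
    but the handler re-checks the event because anyone allowed to invoke the
    function directly could hand it an arbitrary payload. On a NON_COMPLIANT
    result it re-attaches CloudWatch Logs delivery (the setting this lab
    removes) and makes sure the trail is logging."""
    if not matches(EVENT_PATTERN, event):
        return {"remediated": False}
    client.update_trail(
        Name=trail_name,
        CloudWatchLogsLogGroupArn=log_group_arn,
        CloudWatchLogsRoleArn=role_arn,
    )
    client.start_logging(Name=trail_name)
    return {"remediated": True, "trail": trail_name}


def sample_event(rule_name, compliance):
    """Constructed, abbreviated compliance-change notification of the shape
    Config publishes; the account ID is a placeholder."""
    return {
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "resourceId": "111122223333",
            "resourceType": "AWS::::Account",
            "configRuleName": rule_name,
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


if __name__ == "__main__":
    trail = RecordingCloudTrail()
    # Hypothetical trail name and ARNs; substitute the ones from the first lab.
    result = handler(
        sample_event(CONFIG_RULE_NAME, "NON_COMPLIANT"), trail,
        "management-tools-trail",
        "arn:aws:logs:us-east-1:111122223333:log-group:management-tools-weeklog:*",
        "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role",
    )
    print(result, [name for name, _ in trail.calls])
```

`EVENT_PATTERN` is what you would paste into the rule's Event Pattern box instead of picking "Config Rules Compliance Change" from the drop-down; the narrower pattern means a COMPLIANT evaluation, or a different rule going noncompliant, never invokes the function. In a real deployment the trail name and ARNs would come from Lambda environment variables and `client` would be `boto3.client("cloudtrail")`, whose `update_trail` and `start_logging` calls take exactly the keyword arguments used here; the function's execution role then needs only `cloudtrail:UpdateTrail`, `cloudtrail:StartLogging` and `iam:PassRole` for the CloudWatch Logs role.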
In the next lab we will explore some of the data produced by Config by viewing compliance timelines, data in CloudWatch logs, as well as deploying the Systems Manager agent automatically. Click on Systems Manager and CloudWatch to proceed.