Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab. Click here to deploy this stack into your account:
The stack will create these resources for you:
Note: This link will take you to the us-east-1 AWS region. If you wish to use another region, you will need to adjust the region in the top right-hand corner of the console.
Note: Make sure to specify the same S3 bucket name in the Bucket parameter as is assigned to the CloudTrail trail from the Setup section.
In this step we will create a Config rule that evaluates whether each EC2 instance is managed by Systems Manager, that is, whether the SSM agent on the instance is running and has registered with the service.
In the Config console, add a rule and search for the AWS managed rule ec2-instance-managed-by-systems-manager, then click on the ec2-instance-managed-by-systems-manager rule to add it. You can create Config rules to monitor a number of items within your infrastructure. Besides using AWS managed Config rules, you can also create custom rules backed by AWS Lambda functions; sample custom Config rules that you can implement in Lambda are available on GitHub.
Next, let's deploy an EC2 instance to test our Config rule. Note that we are not assigning an IAM role to the instance - that comes later! Without an instance profile, the SSM agent that ships preinstalled on Amazon Linux 2 has no credentials with which to register with Systems Manager, which is exactly the condition the rule detects.
There are two ways to do this:
Using the EC2 console, launch a t3.small instance in the same region, with no key pair or IAM instance profile. The instance should use Amazon Linux 2 as the base image, and all default options should be sufficient for creating our lab instance.
Or you can run the following command from the AWS CLI. It looks up the current Amazon Linux 2 AMI ID from the public SSM parameter rather than hard-coding one, and tags the instance so you can find it later:
aws ec2 run-instances --image-id $(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].[Value]' --output text) --count 1 --instance-type t3.small --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=configruletest}]'
The instance should be up and running in approximately one minute.
Now return to the Config rule you created, click into the rule, and click Re-evaluate after the instance is up and running. You will have to wait a minute or two for the result, and then refresh the web page. After a few moments the instance we deployed should be flagged as non-compliant: Systems Manager has no managed-instance record for it, because the agent could not register without a role.
Next you will fix this non-compliant resource by adding a remediation action to the Config rule.
Go back to the Config console, and edit the ec2-instance-managed-by-systems-manager rule. We will set a remediation action that attaches the required IAM role. Select Actions and then, under Choose remediation action, do the following:
Select Manual remediation.
Choose the AWS-AttachIAMToInstance remediation action (a Systems Manager Automation document).
Set the Resource ID parameter to InstanceId, so that Config passes the non-compliant instance's ID to the document.
The CloudFormation stack created the IAM role to attach; its name is given in the stack as EC2RoleName. Enter this into the RoleName field.
Click Save.
With manual remediation nothing runs until you select the non-compliant resource and click Remediate. The Automation document then associates the role's instance profile with the instance, the SSM agent picks up credentials and registers, and the next evaluation reports the instance as compliant. The Automation execution itself needs permission to pass the role and to associate an instance profile (iam:PassRole and ec2:AssociateIamInstanceProfile); if the remediation fails, open the execution in the Systems Manager console to see which call was denied.
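The same three steps (create the rule, launch the test instance, configure and trigger the remediation) driven from the AWS CLI, as an added example that is not part of the original lab. It assumes AWS CLI v2 configured for the lab account and region, and three names I introduce here: ROLE_NAME (the EC2RoleName value from the stack), AUTOMATION_ROLE_ARN (a role Systems Manager Automation can assume, with iam:PassRole on the target role and ec2:AssociateIamInstanceProfile), and RUN_LAB, a guard so that nothing touches AWS until you opt in.

```shell
#!/bin/sh
# Added example, not part of the original lab page: the console steps above,
# done from the AWS CLI.
#
# Assumptions (not stated on the lab page):
#   - AWS CLI v2 is installed and configured for the lab account and region.
#   - ROLE_NAME is the IAM role created by the lab's CloudFormation stack
#     (the EC2RoleName value).
#   - AUTOMATION_ROLE_ARN is an IAM role that Systems Manager Automation may
#     assume; it needs iam:PassRole on ROLE_NAME and
#     ec2:AssociateIamInstanceProfile, otherwise the remediation fails.
# Nothing calls AWS unless RUN_LAB=1 is set, so the JSON helpers below can be
# inspected offline.
set -eu

RULE_NAME="ec2-instance-managed-by-systems-manager"
AMI_PARAM="/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

# Definition of the AWS managed rule. EC2_INSTANCE_MANAGED_BY_SSM is the
# managed-rule identifier behind ec2-instance-managed-by-systems-manager.
config_rule_json() {
  cat <<EOF
{"ConfigRuleName": "${RULE_NAME}",
 "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
 "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_INSTANCE_MANAGED_BY_SSM"}}
EOF
}

# Manual remediation through the AWS-AttachIAMToInstance Automation document.
# RESOURCE_ID makes Config pass the non-compliant instance's ID as InstanceId;
# RoleName and AutomationAssumeRole are static values.
# $1 = role name to attach, $2 = Automation assume-role ARN
remediation_json() {
  cat <<EOF
[{"ConfigRuleName": "${RULE_NAME}",
  "TargetType": "SSM_DOCUMENT",
  "TargetId": "AWS-AttachIAMToInstance",
  "ResourceType": "AWS::EC2::Instance",
  "Automatic": false,
  "Parameters": {
    "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    "RoleName": {"StaticValue": {"Values": ["$1"]}},
    "AutomationAssumeRole": {"StaticValue": {"Values": ["$2"]}}}}]
EOF
}

# Reads resource IDs (one per line) from stdin and keeps only EC2 instance
# IDs, so the NON_COMPLIANT list can be filtered without jq.
noncompliant_instances() {
  grep -E '^i-[0-9a-f]+$' || true
}

run_lab() {
  aws configservice put-config-rule --config-rule "$(config_rule_json)"

  # Same launch as the lab: no key pair, no instance profile.
  instance_id=$(aws ec2 run-instances \
    --image-id "$(aws ssm get-parameters --names "$AMI_PARAM" \
                  --query 'Parameters[0].Value' --output text)" \
    --count 1 --instance-type t3.small \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=configruletest}]' \
    --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$instance_id"

  # Without a role the agent cannot register, so SSM has no record of the
  # instance and this query returns nothing; that is what the rule flags.
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=${instance_id}" --output table

  aws configservice start-config-rules-evaluation --config-rule-names "$RULE_NAME"
  sleep 120
  aws configservice get-compliance-details-by-config-rule \
    --config-rule-name "$RULE_NAME" --compliance-types NON_COMPLIANT \
    --query 'EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId' \
    --output text | tr '\t' '\n' | noncompliant_instances

  aws configservice put-remediation-configurations \
    --remediation-configurations "$(remediation_json "$ROLE_NAME" "$AUTOMATION_ROLE_ARN")"
  # Manual remediation: the console's Remediate button, for the flagged instance.
  aws configservice start-remediation-execution --config-rule-name "$RULE_NAME" \
    --resource-keys "resourceType=AWS::EC2::Instance,resourceId=${instance_id}"
}

if [ "${RUN_LAB:-0}" = "1" ]; then
  run_lab
fi
```

Run it as `RUN_LAB=1 ROLE_NAME=<EC2RoleName value> AUTOMATION_ROLE_ARN=arn:aws:iam::<account>:role/<automation role> sh lab.sh`. After the remediation execution finishes, rerun the describe-instance-information query: the instance now appears with a PingStatus of Online, and the next evaluation of the rule moves it to COMPLIANT.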
For our next lab we will use an alternative approach to remediating a non-compliant resource. Click on Config rule with Lambda to explore a more customizable and extensible method of using Config.