In this lab, we show you how to build a fleet-wide enterprise compliance management and remediation system using AWS Config, AWS Systems Manager, and Amazon CloudWatch. In addition, we give compliance stakeholders visibility into the performance of the compliance system by using Amazon QuickSight and Amazon Athena for reporting.
We will also learn how AWS Config Conformance Packs can help you build a configuration compliance solution.
In this section, we will use AWS Systems Manager Inventory and AWS Config to catalog all applications installed on an EC2 instance and then blacklist one application that has been deemed insecure. Note: the application used here is only a common sample application; we are not making any statement regarding its security.
We will then click on Advanced Details and enter the following in User data.
<powershell>
# Make sure .NET negotiates TLS 1.2 for the download (older Windows PowerShell defaults to older protocols).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://javadl.oracle.com/webapps/download/AutoDL?BundleId=238698_478a62b7d4e34b78b671c754eaaf38ab"
$output = "C:\Windows\Temp\JavaSetup8u211.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)   # synchronous, so no sleep is needed before installing
# Run the installer silently and wait for it to exit before reporting success.
Start-Process -FilePath $output -ArgumentList "/s" -Wait
Write-Output "Java is installed"
</powershell>
Then, click on Next: Add Storage.
In the Add Storage page, we will go with the default settings and click Next: Add Tags.
In the Add Tags page, we will enter Name as the Key and Java as the Value.
Then click on Review and Launch.
On the Review Instance Launch page, click on Launch.
Then we will select Proceed without a key pair from the drop down and click Launch Instances.
AWS Systems Manager is the mechanism used to gather resource metadata, including custom metadata such as the location of a server rack for an on-premises managed instance. The example used in this lab is simply an example; the same concept can be applied to any resource inventory data.
When configuring remediation actions within AWS Config, you must provide a service role for Automation to assume during the remediation workflow. To get started quickly, we will use the Automation role created by Quick Setup (AmazonSSMRoleForAutomationAssumeQuickSetup). We will attach the AmazonSSMAutomationRole AWS managed IAM policy to ensure the role has the permissions the remediation action requires. Note that this managed policy grants far more than the few EC2 actions the AWS-StopEC2Instance document needs (stopping and describing the instance); for a production deployment, replace it with a policy scoped to the actions and instances the remediation actually touches. For more information on creating an Automation service role, see Getting started with Automation.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Copy the exact name of the Java application (i.e. Java 8 Update 211). We will use this when creating our Config Rules.
Note: If you do not see Java listed in the AWS:Application list, manually re-run the association. Navigate to the State Manager console, select the association for AWS-GatherSoftwareInventory and select Apply association now.
Go back to the Add AWS managed rule page.
We will configure the Scope of changes to All changes.
We will then fill in the Rule parameters. In the applicationNames key, enter the exact Java application name copied from the Inventory page (i.e. Java 8 Update 211); the rule compares this string against the AWS:Application inventory, so any difference in spelling or spacing means nothing will match. In the platformType key, enter Windows.
We will then set the Remediation action to AWS-StopEC2Instance.
Set the Auto remediation to Yes.
Set the Retries to 1 and Seconds to 25.
In the Resource ID parameter we will select InstanceID from the drop down.
Under Parameters, in AutomationAssumeRole, we will enter the ARN of the Automation service role created by Quick Setup (copy it from the role's summary page in the IAM console).
Then we will click on the Save button.
Once the rule is created, it will take some time for the evaluation to complete.
Once the evaluation is complete, we should see 1 noncompliant resource.
If we click on the rule name (ec2-managedinstance-applications-blacklisted) we will be able to see additional details, including the resource that is not compliant.
From the Rule details page, we will select the instance that needs remediation and click on the Remediate button.
At this point, we will see the remediation action being executed.
To ensure the action worked, we will go to the EC2 Console and check whether our instance is shut down or not.
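The rule and remediation configured above through the console can also be created programmatically. The following is an added example, not part of the lab, that builds the exact request payloads boto3's configservice put_config_rule and put_remediation_configurations calls expect (rule name, parameters, AWS-StopEC2Instance target, one retry after 25 seconds), and then applies the same blacklist comparison the managed rule performs to a constructed sample of AWS:Application inventory. The role ARN, instance IDs and inventory rows are invented for illustration; the version-suffix matching ("Name:version") follows the documented format of the applicationNames parameter.

```python
import json

RULE_NAME = "ec2-managedinstance-applications-blacklisted"


def build_config_rule(application_names, platform_type="Windows"):
    """Payload for boto3 configservice.put_config_rule(ConfigRule=...).

    The managed rule takes its parameters as a JSON string; applicationNames is a
    comma-separated list, each entry optionally suffixed with ':<version>'.
    """
    return {
        "ConfigRuleName": RULE_NAME,
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED",
        },
        "InputParameters": json.dumps({
            "applicationNames": ",".join(application_names),
            "platformType": platform_type,
        }),
        "Scope": {"ComplianceResourceTypes": ["AWS::SSM::ManagedInstanceInventory"]},
    }


def build_remediation(automation_role_arn, retries=1, retry_seconds=25):
    """One entry for configservice.put_remediation_configurations(RemediationConfigurations=[...]).

    InstanceId is filled from the non-compliant resource's ID at run time;
    AutomationAssumeRole is the static role ARN the Automation document assumes.
    """
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-StopEC2Instance",
        "Parameters": {
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": retries,
        "RetryAttemptSeconds": retry_seconds,
    }


def parse_blacklist(application_names):
    """'Name' matches any version of the app; 'Name:1.2.3' only that version."""
    entries = []
    for item in application_names.split(","):
        name, _, version = item.strip().partition(":")
        entries.append((name, version or None))
    return entries


def _is_listed(app, blacklist):
    return any(app["Name"] == name and (version is None or app["Version"] == version)
               for name, version in blacklist)


def find_noncompliant(inventory, application_names):
    """Mimic the rule's evaluation: an instance is NON_COMPLIANT if any row in its
    AWS:Application inventory matches the blacklist."""
    blacklist = parse_blacklist(application_names)
    return sorted(instance_id for instance_id, apps in inventory.items()
                  if any(_is_listed(app, blacklist) for app in apps))


# Constructed sample inventory (not real data): instance ID -> AWS:Application rows.
SAMPLE_INVENTORY = {
    "i-0aaa111": [{"Name": "Java 8 Update 211", "Version": "8.0.2110.12"}],
    "i-0bbb222": [{"Name": "Java 8 Update 231", "Version": "8.0.2310.11"}],
    "i-0ccc333": [{"Name": "Amazon SSM Agent", "Version": "3.0.0.0"},
                  {"Name": "Java 8 Update 211", "Version": "8.0.2110.12"}],
}

if __name__ == "__main__":
    # Hypothetical role ARN; substitute the Quick Setup role ARN from your own account.
    role_arn = "arn:aws:iam::012345678910:role/AmazonSSMRoleForAutomationAssumeQuickSetup"
    print(json.dumps(build_config_rule(["Java 8 Update 211"]), indent=2))
    print(json.dumps(build_remediation(role_arn), indent=2))
    print("non-compliant:", find_noncompliant(SAMPLE_INVENTORY, "Java 8 Update 211"))
```

Pass the first dictionary to put_config_rule and the second, wrapped in a list, to put_remediation_configurations; the rule must exist before the remediation configuration can reference it. Note that find_noncompliant shows why the exact inventory string matters: "Java 8 Update 231" on the second instance is not flagged.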
Another important aspect of configuration compliance is being notified of configuration changes. In this section, we will configure Amazon CloudWatch to send notification messages to Amazon Simple Notification Service (SNS).
In order to receive notifications, an SNS topic must be created for CloudWatch to publish to.
CloudWatch, specifically a CloudWatch Events rule that matches the compliance-change events AWS Config emits and has the SNS topic as its target, is what turns a detected compliance change into a notification. The topic's access policy must allow the CloudWatch Events service to publish to it, otherwise the rule fires but nothing is delivered.
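What the CloudWatch Events rule actually filters on is an event pattern. The block below is an added example, not the lab's own configuration: it holds the pattern for AWS Config compliance-change events that become NON_COMPLIANT, a simplified matcher that applies that pattern to constructed sample events (exact-value matching only; EventBridge content filters such as prefix or anything-but are not modelled), and a formatter for the SNS message body. The event IDs, timestamps and account values are made up, shaped like the documented Config compliance-change event.

```python
import json

# Event pattern for the CloudWatch Events rule: match only AWS Config compliance
# changes whose new result is NON_COMPLIANT, so the SNS topic is not flooded with
# every evaluation that merely stays compliant.
COMPLIANCE_CHANGE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Simplified EventBridge matching: every key in the pattern must be present in
    the event; a list in the pattern means 'the event value is one of these', a dict
    recurses. Content filters (prefix, anything-but, numeric) are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def should_notify(event):
    return matches(COMPLIANCE_CHANGE_PATTERN, event)


def sns_message(event):
    """Human-readable text for the SNS notification body."""
    d = event["detail"]
    return (f"AWS Config rule {d['configRuleName']} evaluated {d['resourceType']} "
            f"{d['resourceId']} as {d['newEvaluationResult']['complianceType']} "
            f"(was {d['oldEvaluationResult']['complianceType']}) in "
            f"{event['account']}/{event['region']} at {d['newEvaluationResult']['resultRecordedTime']}")


def _sample_event(source, detail_type, new_type, old_type="COMPLIANT"):
    # Constructed event in the shape of a Config compliance-change event; IDs and times are invented.
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": detail_type,
        "source": source,
        "account": "012345678910",
        "time": "2021-01-01T00:00:00Z",
        "region": "us-west-2",
        "resources": [],
        "detail": {
            "resourceId": "i-0aaa111",
            "resourceType": "AWS::SSM::ManagedInstanceInventory",
            "awsRegion": "us-west-2",
            "awsAccountId": "012345678910",
            "configRuleName": "ec2-managedinstance-applications-blacklisted",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": new_type, "resultRecordedTime": "2021-01-01T00:00:00Z"},
            "oldEvaluationResult": {"complianceType": old_type, "resultRecordedTime": "2020-12-31T00:00:00Z"},
        },
    }


SAMPLE_NONCOMPLIANT = _sample_event("aws.config", "Config Rules Compliance Change", "NON_COMPLIANT")
SAMPLE_COMPLIANT = _sample_event("aws.config", "Config Rules Compliance Change", "COMPLIANT", "NON_COMPLIANT")
SAMPLE_EC2 = _sample_event("aws.ec2", "EC2 Instance State-change Notification", "NON_COMPLIANT")

if __name__ == "__main__":
    # The pattern is what goes into events.put_rule(Name=..., EventPattern=json.dumps(COMPLIANCE_CHANGE_PATTERN));
    # the SNS topic ARN is then attached with events.put_targets(Rule=..., Targets=[{"Id": "sns", "Arn": topic_arn}]).
    print(json.dumps(COMPLIANCE_CHANGE_PATTERN, indent=2))
    for ev in (SAMPLE_NONCOMPLIANT, SAMPLE_COMPLIANT, SAMPLE_EC2):
        print(should_notify(ev), "-", sns_message(ev) if should_notify(ev) else "(no notification)")
```

If you also want to be told when a resource returns to COMPLIANT (for example after the stop remediation runs), add "COMPLIANT" to the complianceType list in the pattern; the resource's previous state is still available in oldEvaluationResult for the message text.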
The objective of this section is to show you how to identify any systems that are not following security compliance policies. By leveraging both desired state configuration and AWS Config with AWS Config Rules, we can set up a multi-layered approach to ensure our security policies are being followed. Although in this lab we used EC2 instances, because they are simple to manage and show the before and after clearly, the capabilities highlighted can be used with other services.
In order to use Athena and QuickSight, we need to complete some additional prerequisite steps: creating an S3 bucket and attaching a bucket policy that allows Systems Manager to write to it.
Then we will apply the following S3 bucket policy to allow Systems Manager to access the bucket. Note that, as written, the policy trusts the ssm.amazonaws.com service principal regardless of which AWS account it is acting for; adding an aws:SourceAccount condition with your account ID restricts it to resource data syncs created in your own account.
Important: Make sure you replace bucket-name with the S3 bucket name and replace 012345678910 with your AWS account ID in the policy. To get your account ID, click on the Support Center link; it will be displayed on the left hand side of the screen.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSMBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "SSMBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*/accountid=012345678910/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
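To see what the two statements above actually permit, and to avoid the copy-and-replace mistakes the Important note warns about, the following added example (not part of the lab) generates the policy from a bucket name and account ID, validates both inputs, and then runs a deliberately simplified, Allow-only evaluation of s3:PutObject requests against it. It adds one hardening the lab's policy lacks, an aws:SourceAccount condition on both statements, which is my addition; the sample object key follows the <inventory type>/accountid=.../region=.../resourcetype=... layout a resource data sync writes, and is constructed for the test.

```python
import fnmatch
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_sync_bucket_policy(bucket, account_id):
    """Return the lab's two-statement bucket policy with the placeholders filled in.

    Added hardening (not in the lab's policy): an aws:SourceAccount condition on
    both statements, so the ssm.amazonaws.com principal is only honoured when it is
    acting for this account rather than for any account's resource data sync.
    """
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    ssm_principal = {"Service": "ssm.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSMBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": ssm_principal,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            },
            {
                "Sid": "SSMBucketDelivery",
                "Effect": "Allow",
                "Principal": ssm_principal,
                "Action": "s3:PutObject",
                # The sync writes under <inventory type>/accountid=<id>/..., so this
                # key pattern pins deliveries to this account's own prefix.
                "Resource": f"arn:aws:s3:::{bucket}/*/accountid={account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": account_id,
                    }
                },
            },
        ],
    }


def put_allowed(policy, bucket, key, source_account, acl):
    """Simplified, Allow-only evaluation of one s3:PutObject from ssm.amazonaws.com:
    the object ARN must match a statement's Resource (IAM's '*' crosses '/', as
    fnmatch's does) and every StringEquals condition key must equal the request value."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    request_ctx = {"s3:x-amz-acl": acl, "aws:SourceAccount": source_account}
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch.fnmatchcase(object_arn, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_ctx.get(k) == v for k, v in conditions.items()):
            return True
    return False


# Constructed object key in the layout a resource data sync uses.
SAMPLE_KEY = ("AWS:ComplianceItem/accountid=012345678910/region=us-west-2/"
              "resourcetype=ManagedInstance/i-0aaa111.json")

if __name__ == "__main__":
    policy = build_sync_bucket_policy("dsc-demo-012345678910-us-west-2", "012345678910")
    print(json.dumps(policy, indent=2))
    print(put_allowed(policy, "dsc-demo-012345678910-us-west-2", SAMPLE_KEY,
                      "012345678910", "bucket-owner-full-control"))
```

The evaluation shows three independent ways a delivery is refused: a key outside the accountid=<your id> prefix, an upload that does not grant bucket-owner-full-control (which is what lets you, not the SSM service, read the objects later from Athena), and, with the added condition, a resource data sync created in some other account.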
Once the policy has been applied to the bucket, we will configure the inventory data sync.
We will use the S3 bucket created by the CloudFormation template, in this example dsc-demo-012345678910-us-west-2. Important: Your bucket name will include your account ID and the region where the CloudFormation template was launched.
In order to access the inventory data from S3, we must first create a schema using Athena. Once the schema is created, we will be able to use it to visualize the data using QuickSight.
We will then create a database for our compliance data.
CREATE DATABASE dsc
We will then create a table within the dsc database by running the following query. The columns correspond to the AWS:ComplianceItem inventory type; the openx JSON SerDe returns NULL for columns a record does not contain, so if the sync delivers other inventory types to the same bucket those records show up as mostly empty rows.
Important: Ensure you replace bucket-name with the name of your S3 bucket before executing.
CREATE EXTERNAL TABLE IF NOT EXISTS dsc.status (
`Status` string,
`InstalledTime` string,
`ExecutionType` string,
`PatchSeverity` string,
`Title` string,
`Severity` string,
`ExecutionTime` string,
`ComplianceType` string,
`Classification` string,
`Id` string,
`DocumentVersion` string,
`PatchState` string,
`PatchBaselineId` string,
`DocumentName` string,
`PatchGroup` string,
`ExecutionId` string,
`resourceId` string,
`captureTime` string,
`schemaVersion` string
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES (
'serialization.format' = '1'
) LOCATION 's3://bucket-name/'
TBLPROPERTIES ('has_encrypted_data'='false');
When that is complete, we will run the following query:
SELECT
status,resourceid,compliancetype,executiontime
FROM
dsc.status
WHERE
status = 'COMPLIANT' AND compliancetype = 'Association'
Note: For complete details on Inventory Data Sync, visit the Systems Manager documentation page: Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.
End of Lab Exercises
Thank you for using this lab.