AWS Cloud Operations Blog
Category: AWS Config
AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack
Many of the customers I work with would like to be able to apply AWS Control Tower’s detective guardrails to an existing AWS account before moving them to Control Tower governance. Now that you can launch AWS Control Tower in an existing AWS Organization, customers want to evaluate their existing accounts for compliance with AWS […]
Understanding the differences between configuration history and configuration snapshot files in AWS Config
September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. When you run your applications on AWS, you often use AWS resources, which you must create and manage collectively. As the demand for your application keeps growing, so does your need to keep track of your AWS resources. AWS Config tracks […]
Continuous permissions rightsizing to ensure least privileges in AWS using CloudKnox and AWS Config
This blog post was contributed by Kanishk Mahajan, AWS and Maya Neelakandhan, CloudKnox As you migrate your workloads to the cloud or operate your existing workloads in the cloud it would be ideal if every application was deployed with the exact permissions that it required. In practice, however, the effort required to determine the precise […]
Best practices for creating and managing sandbox accounts in AWS
Organizations use multiple environments, each with different security and compliance controls, as part of their deployment pipeline. Following the principle of least privilege, production environments have the most restrictive security and compliance controls. They tightly limit who can access the environment and which actions each user (or principal) can perform. Development and test environments also […]
Visualizing AWS Config data using Amazon Athena and Amazon QuickSight
In this guest post, Henrik André Olsen, Solutions Architect, discusses how he visualized AWS Config data in Amazon QuickSight dashboards with a high value for the Danish insurance company Topdanmark. If you are an AWS Config user, you are probably already familiar with how to use the AWS Config console to access data, but it’s […]
View AWS Config rules across multiple accounts and Regions using AWS Systems Manager Explorer
AWS Systems Manager Explorer is a customizable operations dashboard that displays an aggregated view of operations data from across your AWS accounts and AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category. In this blog post, I explain how Explorer gathers the compliance status of AWS […]
Viewing permission issues with service-linked roles
Each AWS service requires explicit access to resources, endpoints, and objects that reside in the domain of another service. This is referred to as the permission boundary. Services like AWS Config, Amazon Macie, and AWS GuardDuty require an AWS Identity and Access Management (IAM) role that grants access to resources outside of its control. Understanding […]
DevSecOps for auto healing PCI DSS 3.2.1 violations in AWS using custom AWS Config conformance packs, AWS Systems Manager and AWS CodePipeline
If you migrate your workloads to the cloud to modernize your applications or secure infrastructure and operations, you’ll find these migrations are increasingly performed with a DevOps methodology that incorporates continuous development, integration, and testing. It is always a best practice to incorporate security as code in your DevOps workflows to uncover security issues when […]
AWS Management and Governance at Re:Invent 2020
AWS re:Invent is always an exciting time of the year to engage with our customers to learn, and share information about our services and features. Due to the current pandemic, re:Invent is pivoting to a free and virtual format presented across 3 weeks from November 30 to December 18 this year. Yes, you read that […]
AWS Config Rule Development Kit library: Build and operate rules at scale
AWS would like to introduce you to the RDKLib, an open source Python library you can use to build, develop, and deploy custom AWS Config rules at scale. RDKLib works with the AWS Config Rule Development Kit. It is designed to work at the AWS Lambda layer, so you can use the library without needing […]