AWS Cloud Operations Blog
Introducing the AWS Config Rule Development Kit (RDK)
Recently, AWS Config released a Rule Development Kit (RDK) that greatly simplifies your custom rule authoring experience. The RDK is an open-source tool that helps you set up AWS Config, author rules, and then test them using a variety of AWS resource types. This allows you to focus on the development of the rule itself. The AWS Config RDK is now available for download from the aws-config-rdk GitHub repo. We follow semantic versioning, and are dedicated to maintaining backwards compatibility for each major version.
About AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. Rules enable you to automatically check the configuration of AWS resources recorded by AWS Config. There are 37 managed AWS Config rules by default and 34 custom rules maintained by the community in the aws-config-rules GitHub repo.
Getting started
You can get started with AWS Config RDK and create a rule named “Hello World” in just a few minutes.
- Prerequisites
- Enable AWS Config
- Create your first rule
- Test your rule
Prerequisites
The AWS Config RDK requires the latest version of the AWS CLI. You must also log in to an AWS account. Use the following command to install the AWS CLI (requires pip to be installed already):
Use the following command to configure the AWS CLI. For more information, see Configuring the AWS CLI.
Use the following command to clone the AWS Config RDK on macOS, Linux, or Windows platforms:
Choose your platform (MacLinux or Windows).
Enable AWS Config
To begin, enable AWS Config in your AWS account for the region configured in the AWS CLI. For example, on macOS or Linux, use the following command to configure your profile:
You see the following results:
On Windows, use the following command to configure your profile:
You see the following results:
In this example, AWS Config in the us-east-1 region has been enabled by RDK setup.
Create your first rule
Now you can create your first rule. Use the following command to create the EBS_OPTIMIZED_INSTANCE managed rule, which checks whether Amazon EBS optimization is enabled for your EC2 instances that can be EBS-optimized. Create the rule under the folder /aws-config-rdk/MacLinux/rules on macOS or Linux:
You see the following results:
On Windows, use the following command:
You see the following results:
The following resources were created:
- The parameter “APPLICABLE_RESOURCE_TYPES” has the same value as “APPLICABLE_RESOURCES” already defined in the rule code
- The AWS Lambda function named “hello_world”
- An AWS Config rule named “hello_world”, which was also associated with the Lambda function
The rule has started to evaluate EC2 instances for compliance with EBS optimization.
Now you can replace the default values with your own code. Make sure that resource types are consistent between the rule_code.py and createRule.cmd script parameters. Otherwise, your rule returns NOT_APPLICABLE. The rules/ruleCode/rule_util.py script handles the boring parts of a rule, and should not need to be modified.
Test your rule
The AWS Config RDK supports testing your rule by invoking the Lambda function with configuration items (used as test cases) from the /rules/testUtil/compliantCIs and /rules/testUtil/noncompliantCIs directories. The RDK checks that the Lambda function returns the corresponding result.
On macOS or Linux, use the following command:
You see the following results:
On Windows, use the following command:
You see the following results:
Besides, we have provided Configuration Item examples in “rules/testUtil/exampleCIs” to help you to write test cases by the modification to make them represent compliant or non-compliant resources.
Summary
The AWS Config RDK helps you build rules easily, including the following:
- Preparing the initial rule development environment, by enabling AWS Config with a variety of automatically created AWS resources.
- Creating Lambda functions, rules, and the association between them so that you don’t have to.
- Supporting multiple platforms: macOS, Linux, and Windows.
- Testing rules just by the code, with no more manual setup in complicated test environments.
We would love to hear your feedback. Feel free to leave comments or suggestions on the aws-config-rdk GitHub page.
About the Author
Henry Huang is a DevOps Consultant for the Professional Services Team at Amazon Web Services in China.