AWS Cloud Operations Blog

Manage continuous compliance by using AWS Config Configuration Recorder resource type

AWS Config recently added support for configuration recorder as a resource type. The AWS::Config::ConfigurationRecorder resource is a configuration item (CI) for the configuration recorder that tracks changes to the state of the AWS Config configuration recorder (configuration recorder). You can use this CI to check whether the state of the configuration recorder has changed (drifted) from its intended state, allowing you to take immediate corrective action when AWS Config resource recording has been accidentally (or intentionally) turned off. In this post, I will show you how to use this resource type to detect any unintended changes to the state of the configuration recorder.

About AWS Config

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

Scenario

Let’s say you are a compliance engineer tasked with verifying that AWS Config is continuously monitoring and recording all “in scope” resources and their associated configurations to maintain continuous compliance. To do that, you need a way to monitor the state of all the AWS Config configuration recorders you have across your entire organization. In the next section, we will walk you through the steps to create and deploy an AWS Config custom CloudFormation Guard rule that uses the AWS Config configuration recorder CI to help track and monitor the state of your AWS Config configuration recorders.

Setup

In this post we are using a multi-account setup with AWS Organizations as depicted in Figure 1 below. We have also deployed an AWS Config aggregator in the Audit account to aggregate AWS Config data from all other child accounts and regions. Please note that AWS::Config::ConfigurationRecorder is a system resource type of AWS Config; recording of this resource type is enabled by default and comes at no additional charge.

Note: If you are using AWS Control Tower you may already have an AWS Config aggregator setup in your Audit account.

Screen capture showing AWS Organizations view of the account structure and hierarchy of the accounts. The Root OU (Organization unit) has Governance and Production child OUs. Governance OU has two accounts and Audit account is part of this OU. The production OU has accounts labeled Workload-1, Workload-2 and Workload-3

Figure 1: Organization structure referenced in the post

Step 1: Identify Accounts and Regions with AWS Config Recorders

In this step, we will use an AWS Config advanced query to identify accounts and regions with AWS Config configuration recorders. We will run the query against the AWS Config aggregator for our organization. The result will include the current state of all AWS Config configuration recorders across our organization.

  1. Log into the AWS Management Console of the Audit account and switch to AWS Config service.
  2. Select Advanced Queries from the navigation pane.
  3. Select New Query and enter the SQL command shown below
    SELECT
      resourceId,
      resourceName,
      resourceType,
      accountId,
      awsRegion,
      configuration.Recording,
      tags
    WHERE
      resourceType = 'AWS::Config::ConfigurationRecorder'
    
  4. This query will return a list of AWS Config configuration recorders and their current recording state. You may choose to add additional conditions to the WHERE clause (e.g., accountId with a list of accounts). For this post we will use the above query.
  5. Under Query Scope, select your AWS Config aggregator and then choose Save Query.
  6. Choose a name for this query and select Save.
  7. Select Run query and inspect the results to ensure that your recorders are enabled in all expected accounts and regions.
Screen capture showing the results of an advanced query run against the AWS Config aggregator to capture the state of configuration recorders across multiple accounts

Figure 2: Query results showing the configuration state of configuration recorders

Note: If you do not see a configuration recorder enabled in the region where you expected it, you can set up and/or enable it. See how to create an AWS Config configuration recorder. Please note that creating or enabling an AWS Config configuration recorder will result in additional charges depending on the AWS Config settings.

Step 2: Automate AWS Config Configuration Recorder Drift Detection

Now that you’ve identified which accounts and regions should have AWS Config configuration recording enabled, you need to monitor the recorders to detect any future drift. To detect drift (e.g., disabling of a recorder) in your environment, you will deploy an AWS Config custom Guard rule using AWS CloudFormation StackSets. The stack set deploys an AWS Config custom rule using Guard which checks whether recording is enabled for the AWS Config configuration recorder. If recording is disabled, the rule will report the resource as noncompliant. You will need to deploy the stack set from the organization management account or a delegated administrator for CloudFormation.

Note: you can also deploy AWS Config rules in an AWS Organization using AWS Config Organizational Rules.

  1. From the management account, open AWS CloudFormation StackSets.
  2. Copy the below CloudFormation template and save it in a file (e.g. config-guard-rule.yaml)
AWSTemplateFormatVersion: 2010-09-09
Description: Stack to deploy Guard Config Rule to Detect Recorder Drift

Resources:
  ConfigRecorderDrift: 
    Type: AWS::Config::ConfigRule
    Properties: 
      ConfigRuleName: ConfigRecorderDrift
      Scope: 
        ComplianceResourceTypes: 
          - "AWS::Config::ConfigurationRecorder"
      Source: 
        Owner: "CUSTOM_POLICY"
        CustomPolicyDetails: 
          EnableDebugLogDelivery: false
          PolicyRuntime: guard-2.x.x
          PolicyText: |
            rule check_config_recorder_compliance {
                configuration.Recording == true
            }

        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
  3. Select Create StackSet. Under the Specify template section, select Upload a template file and select the template you saved in the previous step, then select Next.
  4. In the Specify StackSet details screen, give the stack set a name and select Next. Leave StackSet options as default and select Next.
  5. In the Configure StackSet options screen, leave everything as default and select Next.
  6. In the Set deployment options screen, select the regions you’d like to deploy the stack set in. Leave everything else as default. Select Next and then Submit.
  7. Confirm that the status of the stack set operation is SUCCEEDED.
A capture of CloudFormation/StackSets screen showing successful deployment of the StackSet that deployed the target Config rule across multiple accounts. The status column shows the word “SUCCEEDED”

Figure 3: Successful deployment of CloudFormation script confirming that the rule has been deployed
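The check that the Guard rule above performs (configuration.Recording == true) can also be applied offline to the rows the Step 1 advanced query returns, which is useful when you want a scheduled report rather than a change-triggered evaluation. The following Python is an added example and is not code from the post or from AWS; it constructs sample rows in the JSON shape that the select_aggregate_resource_config API returns for the page's query, evaluates each recorder with the same test as the Guard rule, and goes one step further than the rule by reporting expected account/region pairs that have no recorder row at all (a missing configuration item is something a rule evaluated per configuration item cannot flag). The account IDs, the EXPECTED_RECORDERS baseline and the aggregator name are assumptions; the optional fetch_rows helper needs boto3 and AWS credentials and is not exercised offline.

```python
"""Offline drift check for AWS Config configuration recorders (added example)."""
import json

# The advanced query from Step 1 of the post.
QUERY = """
SELECT
  resourceId,
  resourceName,
  resourceType,
  accountId,
  awsRegion,
  configuration.Recording,
  tags
WHERE
  resourceType = 'AWS::Config::ConfigurationRecorder'
"""

# Constructed sample rows (account IDs are placeholders) in the shape of the
# JSON strings returned in the "Results" list of select_aggregate_resource_config.
SAMPLE_ROWS = [
    json.dumps({"resourceId": "default", "resourceName": "default",
                "resourceType": "AWS::Config::ConfigurationRecorder",
                "accountId": "111111111111", "awsRegion": "us-east-1",
                "configuration": {"Recording": True}, "tags": []}),
    json.dumps({"resourceId": "default", "resourceName": "default",
                "resourceType": "AWS::Config::ConfigurationRecorder",
                "accountId": "111111111111", "awsRegion": "us-west-2",
                "configuration": {"Recording": False}, "tags": []}),
    json.dumps({"resourceId": "default", "resourceName": "default",
                "resourceType": "AWS::Config::ConfigurationRecorder",
                "accountId": "222222222222", "awsRegion": "us-east-1",
                "configuration": {"Recording": True}, "tags": []}),
]

# Assumed baseline: the (account, region) pairs that Step 1 showed should have
# an enabled recorder. Note 222222222222/us-west-2 has no row in SAMPLE_ROWS.
EXPECTED_RECORDERS = {
    ("111111111111", "us-east-1"),
    ("111111111111", "us-west-2"),
    ("222222222222", "us-east-1"),
    ("222222222222", "us-west-2"),
}


def recorder_is_recording(row):
    """Same test as the Guard rule: configuration.Recording == true."""
    return row.get("configuration", {}).get("Recording") is True


def evaluate(rows, expected):
    """Return recorders that are present but stopped, and expected pairs with no recorder.

    rows: JSON strings (as returned by the API) or already-parsed dicts.
    expected: set of (accountId, awsRegion) pairs that must have a recording recorder.
    """
    noncompliant, seen = [], set()
    for raw in rows:
        row = json.loads(raw) if isinstance(raw, str) else raw
        if row.get("resourceType") != "AWS::Config::ConfigurationRecorder":
            continue
        key = (row["accountId"], row["awsRegion"])
        seen.add(key)
        if not recorder_is_recording(row):
            noncompliant.append(key)
    return {"noncompliant": sorted(noncompliant), "missing": sorted(expected - seen)}


def fetch_rows(aggregator_name, expression=QUERY):
    """Run the query against an aggregator, following pagination (requires boto3 + credentials)."""
    import boto3  # imported here so the offline check above needs no AWS SDK
    client = boto3.client("config")
    rows, token = [], None
    while True:
        kwargs = {"ConfigurationAggregatorName": aggregator_name, "Expression": expression}
        if token:
            kwargs["NextToken"] = token
        resp = client.select_aggregate_resource_config(**kwargs)
        rows.extend(resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


if __name__ == "__main__":
    # Offline run on the constructed rows; swap in fetch_rows("<aggregator-name>") for a live check.
    print(json.dumps(evaluate(SAMPLE_ROWS, EXPECTED_RECORDERS), indent=2))
```

Run against the constructed rows, the report lists 111111111111/us-west-2 as noncompliant (its recorder exists but recording is off) and 222222222222/us-west-2 as missing (no recorder row came back from the aggregator). Treating "missing" as seriously as "noncompliant" is the point of keeping the Step 1 baseline alongside the Guard rule.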

Step 3: Verify that the AWS Config custom rule has been deployed

Now that the stack set succeeded, we will verify the AWS Config rule exists in the AWS Config console in one of our workload accounts.

  1. Open the AWS Config console and navigate to Rules.
  2. In the Rules section, verify you see the rule you created (see Figure 4).
Screen capture of the AWS Config/Rules console screen. A newly created rule is listed among the other rules. Under the “Type” column, “Custom Policy” indicates that this is a custom rule

Figure 4: AWS Config newly created rule

Step 4: Validate the AWS Config Custom Rule is Working

Now that the rule is deployed, you can test it by disabling a recorder. To do this, you need to disable an AWS Config configuration recorder in one of the workload accounts. Once the AWS Config configuration recorder has been disabled, you’ll have to wait a few minutes before proceeding to the AWS Config console to confirm the rule shows as noncompliant.

  1. Open the AWS Config console in one of the workload accounts and select Settings.
  2. Select Edit and uncheck the Enable recording checkbox. Save your change.
Screen capture showing the “Enable recording” checkbox unselected under Edit Settings on the AWS Config Settings screen

Figure 5: AWS Config recording disabled

  3. (Optional) After disabling the recorder, you can log back into the Audit account and re-run the advanced query to get the state of all recorders. This time, instead of “true” in the “Recording” column, you will see “false” for this account/region, confirming that the recorder in this account/region has been disabled.
Screen capture showing results of the Advanced Query, with one of the configuration recorders shown as disabled, i.e., the configuration.Recording column shows “false” instead of “true” for that configuration recorder

Figure 6: Advanced query with AWS Config configuration recorder disabled

  4. Return to the Audit account and navigate to the AWS Config console. From the navigation pane select Rules. Confirm the rule shows as noncompliant (this may take up to 2 minutes).

Note: if you have an SNS topic, a message will be delivered there as well.

Screen capture showing the AWS Config Rules screen. In this screen, the rule created in the previous section is reporting noncompliant status, i.e., under the Detective compliance column the rule is listed as having a Noncompliant resource

Figure 7: Configuration rule reporting noncompliant status

Clean-up

So that you don’t keep getting charged for it, you can now delete the AWS Config rule deployed in Step 2 by deleting the stack set.

Conclusion

In this post, we showed you how to use the AWS Config configuration recorder resource type and an AWS Config custom Guard rule to monitor the state of AWS Config configuration recorders across all of your accounts and regions. This AWS Config rule is triggered if there’s a change to the AWS Config configuration recorder and reports a noncompliant status if the AWS Config configuration recorder is disabled.

About the authors

Faraz Rehman

Faraz Rehman is a Senior Solutions Architect at AWS based in the San Francisco Bay Area. For the past few years he has been focused on helping ISV customers build and operate business-critical, production-scale workloads on AWS. His expertise includes cloud operations, management and governance.

Avi Harari

Avi is a Technical Account Manager at AWS supporting Enterprise customers with the adoption and use of AWS services. He is part of the AWS Cloud Operations technical community, focusing on Configuration, Compliance and Auditing on AWS. Outside of work, he enjoys spending time with his family and mixology.