3.2.1. AWS Config for Network Configuration Compliance
AWS Config continuously monitors and records AWS network resource configurations and their changes, enabling network specialists to assess compliance, detect "configuration drift," and ensure adherence to network security policies.
Scenario: You need to ensure that no Security Groups in your production VPC allow inbound SSH access from 0.0.0.0/0, and you want to track all changes to your VPC route tables for auditing.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. For network specialists, it's a powerful tool for ensuring network configurations (e.g., Security Groups, VPCs) adhere to security policies and compliance standards.
Key Features of AWS Config for Network Compliance:
- Continuous Monitoring: Tracks changes to network resource configurations over time (e.g., Security Group rules, VPC route tables, NACLs).
- Configuration History: Provides a timeline of configuration changes for each network resource, crucial for auditing and troubleshooting.
- Config Rules: Predefined or custom rules that continuously evaluate whether your AWS resource configurations comply with desired settings.
  - Managed Rules: Predefined by AWS for common best practices (e.g., restricted-ssh, which flags security groups that allow inbound SSH from 0.0.0.0/0 or ::/0).
  - Custom Rules: Defined using AWS Lambda functions for highly specific network compliance requirements.
- Compliance Assessment: Evaluates recorded network configurations against Config Rules and marks each resource COMPLIANT or NON_COMPLIANT; compliance-change events can be routed to Amazon EventBridge or SNS to notify you.
- Configuration Drift Detection: Because every change is recorded, you can identify when a resource's actual configuration deviates from the expected state (for example, a Security Group rule added by hand after the group was deployed from a CloudFormation template).
- Automated Remediation: Can trigger automated actions (e.g., via Systems Manager Automation documents) to correct non-compliant configurations, either automatically on detection or on demand.
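The Custom Rules item above says little about what such a Lambda function actually does. The following is an added example, not code from this page or from AWS: a hypothetical custom-rule handler for the scenario at the top of this section. It evaluates the Security Group configuration item that AWS Config passes in the invoking event and reports the result with PutEvaluations. It goes beyond the managed restricted-ssh check in two ways: it treats any TCP port range that spans 22, and "all traffic" (protocol -1) rules, as SSH exposure, and it covers ::/0 as well as 0.0.0.0/0. The field names (ipPermissions, ipRanges, cidrIp, ipv6Ranges, cidrIpv6, fromPort, toPort) are the ones AWS Config records for AWS::EC2::SecurityGroup; the sample configuration items, the group ID and the timestamp are constructed for local testing and do not come from a real account.

```python
"""Custom AWS Config rule: flag security groups that allow inbound SSH from anywhere.

Hypothetical Lambda handler (not AWS's own restricted-ssh implementation).
"""
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _permits_ssh(perm):
    """True if one ipPermissions entry admits TCP/22 (or all traffic)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":  # all protocols and ports, which includes TCP/22
        return True
    if proto.lower() != "tcp":
        return False
    # Config records a TCP rule as fromPort/toPort; treat a missing pair as all ports.
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)


def _world_sources(perm):
    """Return the unrestricted CIDRs (IPv4 and IPv6) on one ipPermissions entry."""
    ranges = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in ranges if c in (ANY_IPV4, ANY_IPV6)]


def evaluate_security_group(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule evaluates only AWS::EC2::SecurityGroup"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource has been deleted"
    config = item.get("configuration") or {}
    exposed = set()
    for perm in config.get("ipPermissions", []):
        if _permits_ssh(perm):
            exposed.update(_world_sources(perm))
    if exposed:
        return "NON_COMPLIANT", "Inbound SSH (TCP/22) open to " + ", ".join(sorted(exposed))
    return "COMPLIANT", "No unrestricted inbound SSH"


def build_evaluation(item):
    """Shape the result the way PutEvaluations expects."""
    compliance, annotation = evaluate_security_group(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on ConfigurationItemChangeNotification."""
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = build_evaluation(invoking_event["configurationItem"])
    import boto3  # imported here so the pure logic above runs without boto3 installed
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


def _sample(permissions):
    """Constructed configuration item (not data from a real account)."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": permissions},
    }


# SSH from 0.0.0.0/0: the case the managed restricted-ssh rule also catches.
SAMPLE_SSH_WORLD = _sample([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
# A 0-1024 range from ::/0 still exposes port 22.
SAMPLE_RANGE_IPV6 = _sample([{"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
                              "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
# SSH restricted to RFC 1918 space: compliant.
SAMPLE_PRIVATE = _sample([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}])

if __name__ == "__main__":
    for name, item in [("world", SAMPLE_SSH_WORLD), ("ipv6-range", SAMPLE_RANGE_IPV6),
                       ("private", SAMPLE_PRIVATE)]:
        print(name, evaluate_security_group(item))
```

To deploy it as a rule, the Lambda's execution role needs config:PutEvaluations, the function's resource policy must allow config.amazonaws.com to invoke it, and the rule is created with Source Owner CUSTOM_LAMBDA and the function ARN as SourceIdentifier, scoped to AWS::EC2::SecurityGroup. Note that the handler only covers ConfigurationItemChangeNotification; oversized items arrive without the configuration inline and must be fetched with GetResourceConfigHistory.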
Practical Implementation: Creating an AWS Config Rule for Restricted SSH
# 1. Create the managed rule restricted-ssh (SourceIdentifier INCOMING_SSH_DISABLED).
#    put-config-rule takes a single JSON document via --config-rule. A managed rule
#    needs no SourceDetails, and restricted-ssh accepts no input parameters: it flags
#    any security group with an inbound SSH rule whose source is 0.0.0.0/0 or ::/0.
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "restricted-ssh-security-group",
    "Description": "Checks if security groups allow unrestricted incoming SSH traffic.",
    "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
    "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"}
  }'

# 2. (Optional) Attach an automatic remediation action. TargetType must be SSM_DOCUMENT.
#    The AWS-managed document AWS-DisablePublicAccessForSecurityGroup removes the
#    inbound SSH (22) and RDP (3389) rules open to 0.0.0.0/0 from the group passed as
#    GroupId. Fixed values go in StaticValue/Values; RESOURCE_ID substitutes the ID of
#    the non-compliant resource. Automatic remediation also requires RetryAttemptSeconds.
aws configservice put-remediation-configurations \
  --remediation-configurations '[{
    "ConfigRuleName": "restricted-ssh-security-group",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
    "Parameters": {
      "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::123456789012:role/ConfigRemediationRole"]}},
      "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}}
    },
    "Automatic": true,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 60
  }]'

# 3. Trigger an evaluation and list the non-compliant security groups.
aws configservice start-config-rules-evaluation --config-rule-names restricted-ssh-security-group
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name restricted-ssh-security-group --compliance-types NON_COMPLIANT
⚠️ Common Pitfall: Not enabling the AWS Config configuration recorder for all relevant resource types (and in every Region you operate in), or not creating custom rules for specific, unique compliance requirements. Config Rules only evaluate resources the recorder is recording, so any gap in recording is a blind spot in your compliance posture.
Key Trade-Offs:
- Automated Enforcement vs. Manual Review: Automated remediation is faster and more consistent but requires careful testing to avoid unintended consequences (the remediation document above, for instance, also strips RDP rules, not just SSH). A sensible middle ground is to create the remediation configuration with "Automatic": false and run it manually against flagged resources until you trust the action. Manual review provides more control but is slower and prone to human error.
Reflection Question: How does AWS Config, by continuously monitoring and recording AWS network resource configurations and evaluating them against Config Rules, fundamentally enable you to assess compliance, detect "configuration drift," and ensure adherence to network security policies?