Deploy Managed Config Rules using CloudFormation and CodePipeline

“AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.” (Source)

There are over 100 Managed Config Rules that AWS provides for all types of checks including Analytics, Compute, Database, Machine Learning, Security, Identity & Compliance, and Storage – to name a few. These managed rules evaluate whether your AWS resources comply with common best practices. The rules are developed and maintained by AWS in AWS Lambda functions and they are orchestrated by the AWS Config service. While you can write custom Config Rules, it is a good idea to check whether a managed rule already exists to meet your compliance needs.

Deploy Managed Config Rules using CloudFormation

AWS also provides and maintains CloudFormation templates for each of these Managed Config Rules to provision the rule in your AWS account(s). With this CloudFormation template, you get all the benefits of defining your compliance as code.

AWS now provides a common location and naming convention that you can use to launch each of these rules. The format looks like this:

https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/THE_RULE_IDENTIFIER.template

All you need to do is replace THE_RULE_IDENTIFIER with the unique name that AWS has defined for the rule you would like to run. For example, let’s imagine you want to run all of the Managed Config Rules that check for encryption. You would go to the list of Managed Config Rules and find the rules for encryption. At the time of this writing, there are eight managed rules for encryption available. They are:

• api-gw-cache-enabled-and-encrypted
• cloud-trail-encryption-enabled
• cloudwatch-log-group-encrypted
• dynamodb-table-encryption-enabled
• efs-encrypted-check
• encrypted-volumes
• rds-storage-encrypted
• s3-bucket-server-side-encryption-enabled

If you click on each one of the managed rules, the rule identifier is listed but there is no need to do this. This is because all managed rules follow a similar naming pattern, which is upper case with an underscore between words instead of hyphens. As a result, the above managed rules identifiers convert to:

• API_GW_CACHE_ENABLED_AND_ENCRYPTED
• CLOUD_TRAIL_ENCRYPTION_ENABLED
• CLOUDWATCH_LOG_GROUP_ENCRYPTED
• DYNAMODB_TABLE_ENCRYPTION_ENABLED
• EFS_ENCRYPTED_CHECK
• ENCRYPTED_VOLUMES
• RDS_STORAGE_ENCRYPTED
• S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

Therefore, if you want to run the cloud-trail-encryption-enabled Managed Config Rule, the command you would run from the command line would look like this:

aws cloudformation create-stack --stack-name cloud-trail-encryption-enabled --template-url https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/CLOUD_TRAIL_ENCRYPTION_ENABLED.template --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Creating a Pipeline to Deploy Managed Config Rules

Now that you are able to deploy a managed config rule through a managed CloudFormation template, you might want to deploy changes without needing to manually type these commands for each Config Rule every time AWS changes a template or you want to make a change to the rule configuration. You can do this by configuring a deployment pipeline in AWS CodePipeline. CodePipeline is a managed continuous delivery service to orchestrate your build, test, deploy, and release processes.

In this example, you will see how you can create a CloudFormation template that automatically provisions CodePipeline,  a CodeCommit private Git repository, a CodeBuild project to get the latest CloudFormation templates, and a CloudFormation deploy provider for CodePipeline to create CloudFormation stacks.

This way you can deploy changes to your Config Rules in code without needing to manually provision a new CloudFormation stack every time.

Deployment Steps

There are four main steps in launching this solution: preparing an AWS account, create and store source files, launch the CloudFormation stack, and testing the deployment. Each is described in more detail in this section. Please note that you are responsible for any fees incurred while creating and launching your solution.

Step 1. Prerequisites

This example assumes you have access to an AWS account and have established the necessary permissions. In order to show specific directory names, it also assumes you are using AWS Cloud9 for your IDE. If you are not, you should be able to simply modify the directory names accordingly.

Step 2. Create and Store Source Files

Next, you will create a few source files that will be stored in S3 and then uploaded to AWS CodeCommit when launching the CloudFormation stack. The names are listed below.

From your AWS Cloud9 terminal, type the following to setup your directory structure:

cd ~/environment/
aws s3 mb s3://ccoa-mcr-$(aws sts get-caller-identity --output text --query 'Account')
mkdir mcr
cd ~/environment/mcr

Create and save three empty source files:

touch buildspec.yml
touch README.md
touch managed-config-rules-pipeline.yml

buildspec.yml

Copy the contents below into the buildspec.yml and save the file. AWS CodeBuild will use this buildspec to download the latest CloudFormation template for the Managed Config Rules that AWS manages.

version: 0.2
phases:
  build:
    commands:
      - >-
        wget
        https://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/CLOUD_TRAIL_ENCRYPTION_ENABLED.template
  post_build:
    commands:
      - echo Build completed on `date`
artifacts:
  type: zip
  files:
    - CLOUD_TRAIL_ENCRYPTION_ENABLED.template

managed-config-rules-pipeline.yml

Copy the source contents from the managed-config-rules-pipeline.yml file and save it to your local file of the same name in your Cloud9 environment. The file is a 300-line CloudFormation template.

Sync the files with your S3 bucket

Here, you will zip and upload all of the source files to S3 so that they can be committed to the CodeCommit repository that is automatically provisioned by the stack generated by the managed-config-rules-pipeline.yml template.

From your AWS Cloud9 environment, type the following:

aws s3 mb s3://ccoa-mcr-$(aws sts get-caller-identity --output text --query 'Account')
cd ~/environment/mcr
zip ccoa-mcr-examples.zip *.*
aws s3 sync ~/environment/mcr s3://ccoa-mcr-$(aws sts get-caller-identity --output text --query 'Account')

Step 3. Launch the Stack

From your AWS Cloud9 environment, type the following:
aws cloudformation create-stack --stack-name managed-config-rules-pipeline --template-body file:///home/ec2-user/environment/aws-compliance-workshop/lesson0-setup/managed-config-rules/managed-config-rules-pipeline.yml --parameters ParameterKey=CodeCommitS3Bucket,ParameterValue=ccoa-mcr-$(aws sts get-caller-identity --output text --query 'Account') ParameterKey=CodeCommitS3Key,ParameterValue=ccoa-mcr-examples.zip --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Step 4. Test the Deployment

Verify the CloudFormation template has launched by going to the CloudFormation dashboard.

Once the stack is CREATE_COMPLETE, select it and click on the Outputs tab. Then, click on the PipelineUrl Output. This will launch the pipeline you automatically provisioned in CodePipeline.

Once it has successfully run through all the stages in the pipeline, you will verify the Config Rule has been deployed to AWS Config by doing the following:

1. Go to the Config console.
2. Click on Rules.
3. Look for the cloud-trail-encryption-enabled rule.

What’s Next?

In this post, you learned how to automate the provisioning of a pipeline that gets the latest CloudFormation template for managed Config Rules. The pipeline deploys these rules through CodePipeline’s CloudFormation deploy provider to the AWS Config service.

You can expand on this and deploy hundreds of Config Rules in a consistent manner using this general architecture. While there are several ways of implementing this, this is an approach you can use so that you do not need to deploy a new CloudFormation stack every time you want to make a change to a CloudFormation template that provisions a Config Rule. This makes maintenance much simpler.

Let us know how you choose to implement this by reaching out to us @stelligent or @mphasis.

Stelligent Amazon Pollycast