Search for and open Config.
Click Get Started.
Select the check box to Include globally recorded resource types.
Scroll down and click Next.
Type s3-default-encryption-kms. Select the rule and click Next.
Review the S3 bucket and click Confirm.
Go to Rules and ensure that the rule was created.
Go to Dashboard. Under Compliance status, ensure there is 1 noncompliant rule and 2 noncompliant resources. Click the S3 KMS rule (s3-default-encryption-kms) under Noncompliant rules.
Review the noncompliant bucket.
Search for and open S3.
Click the noncompliant bucket name.
Go to the Properties tab and scroll down to Default encryption. Click Edit.
Choose SSE-KMS and your AWS KMS keys. Select the S3 key. Scroll down and click Save changes.
Search for and open Config.
Click Dashboard and under Compliance status, click the Compliant resource.
Ensure that the config bucket is now compliant. Go to Rules.
Click Add rule.
Search for required-tags. Select the rule and click Next.
Review the details.
Scroll down and select Resources. Choose AWS Resources and select AWS EC2 instance.
Scroll down to Parameters. Fill in the key and value fields in order: key CostCenter (leave the value blank); key Environment with value Prod,QA,Dev,Staging; key AuditLevel with value PII,Normal,PCI; key Name (leave the value blank); key Owner. Scroll down and click Next.
Review the Parameters and click Save.
Go to Dashboard. Under Noncompliant rules, click the rule named required-tags.
Review the noncompliant instance.
Search for and open EC2.
Select Instances. Select the check box for the Web Server instance. Go to the Tags tab and click Manage tags.
Click Add new tag four times. Add the following keys: CostCenter, AuditLevel, Environment, Owner, and pair them with the following values, respectively: 1337, Normal, QA, Ryan. Click Save.
Return to the Config console and go to Rules and select the required-tags rule. Click Actions and Re-Evaluate.
Ensure that required-tags now shows as Compliant. Click Add rule.
Search for s3-bucket-versioning-enabled and select the rule. Click Next.
Review the details. Scroll down and click Next.
Click Save.
Go to Dashboard. Under Compliance status, click the Noncompliant rules.
Ensure that the rule we just created has 2 Noncompliant resources.
Return to the S3 console. Go to Buckets and click the config-bucket.
Go to the Properties tab and click Edit under Bucket Versioning.
Select Enable then click Save changes.
Return to the Config console and go to Rules. Ensure that we now only have 1 Noncompliant resource for the newly created bucket. Success!
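The required-tags steps above, modelled offline as an added example (not part of the original lab and not AWS's rule code): it builds the tagNKey/tagNValue parameter map from the values entered under Parameters and checks the Web Server instance's tags before and after the Manage tags step. The pre-existing Name tag value and the treatment of Owner as a key with a blank value are assumptions.

```python
import json

# Rule parameters from the required-tags step, as (key, allowed values) pairs.
# An empty string means any value is accepted for that key.
# Assumption: Owner, listed last with no value, is a key with a blank value.
REQUIRED = [
    ("CostCenter", ""),
    ("Environment", "Prod,QA,Dev,Staging"),
    ("AuditLevel", "PII,Normal,PCI"),
    ("Name", ""),
    ("Owner", ""),
]

def input_parameters(required):
    """Build the tagNKey/tagNValue map the managed rule takes as parameters."""
    params = {}
    for n, (key, values) in enumerate(required, start=1):
        params[f"tag{n}Key"] = key
        if values:  # blank value fields are omitted
            params[f"tag{n}Value"] = values
    return params

def evaluate(tags, required):
    """Simplified local model of the check: (compliance, list of findings)."""
    findings = []
    for key, values in required:
        allowed = [v.strip() for v in values.split(",") if v.strip()]
        if key not in tags:  # tag keys are case-sensitive
            findings.append(f"missing tag {key}")
        elif allowed and tags[key] not in allowed:
            findings.append(f"{key}={tags[key]} not in {allowed}")
    return ("COMPLIANT" if not findings else "NON_COMPLIANT", findings)

# Constructed sample: the Web Server instance before and after Manage tags.
# Assumption: the instance already carries a Name tag ("Web Server").
BEFORE = {"Name": "Web Server"}
AFTER = {**BEFORE, "CostCenter": "1337", "AuditLevel": "Normal",
         "Environment": "QA", "Owner": "Ryan"}

if __name__ == "__main__":
    print(json.dumps(input_parameters(REQUIRED), indent=2))
    for label, tags in (("before", BEFORE), ("after", AFTER)):
        status, findings = evaluate(tags, REQUIRED)
        print(label, status, findings)
```

Running the same check against a planned tag set before clicking Re-Evaluate shows which key or value would keep the instance noncompliant.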