AWS Config - Developer Guide

AWS Config

Developer Guide

AWS Config Developer Guide

AWS Config: Developer Guide

Copyright © 2023 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What Is AWS Config? .......... 1
    Features .......... 1
    Ways to Use AWS Config .......... 2
        Resource Administration .......... 2
        Auditing and Compliance .......... 2
        Managing and Troubleshooting Configuration Changes .......... 2
        Security Analysis .......... 2
    Region Support .......... 2
    Concepts .......... 3
        AWS Config .......... 3
        AWS Config Rules .......... 5
        Conformance Packs .......... 6
        Multi-Account Multi-Region Data Aggregation .......... 7
        Managing AWS Config .......... 8
        Control Access to AWS Config .......... 8
        Partner Solutions .......... 9
    How AWS Config Works .......... 9
        Deliver Configuration Items .......... 10
    Components of a Configuration Item .......... 11
    Region Support .......... 12
    Service Limits .......... 15

Getting Started .......... 18
    Features .......... 18
    Signing up for AWS .......... 18
        Sign up for an AWS account .......... 19
        Create an administrative user .......... 19
    Using AWS Config .......... 20
    Setting Up AWS Config (Console) .......... 20
        Features .......... 20
        Setting up .......... 21
        1-click setup .......... 21
        Manual setup .......... 23
    Setting Up AWS Config (AWS CLI) .......... 27
        Features .......... 27
        Setting up .......... 28
        Prerequisites .......... 28
        Starting AWS Config .......... 47
        Verifying that AWS Config is Started .......... 52
    Working with AWS SDKs .......... 53

Resource Management .......... 55
    AWS Config Dashboard .......... 55
        Compliance and Resource Inventory .......... 56
        AWS Config Usage and Success Metrics .......... 57
    Supported Resource Types .......... 58
        Amazon AppStream 2.0 .......... 59
        Amazon AppFlow .......... 59
        .......... 59
        Amazon API Gateway .......... 59
        Amazon Athena .......... 59
        Amazon CloudFront .......... 60
        Amazon CloudWatch .......... 60
        Amazon CodeGuru .......... 60
        Amazon Connect .......... 61
        Amazon Detective .......... 61

        Amazon DynamoDB .......... 61
        Amazon EC2 .......... 61
        Amazon ECR .......... 64
        Amazon ECR Public .......... 65
        Amazon ECS .......... 65
        Amazon EFS .......... 65
        Amazon EKS .......... 65
        Amazon EMR .......... 66
        Amazon EventBridge .......... 66
        Amazon Forecast .......... 66
        Amazon Fraud Detector .......... 66
        Amazon GuardDuty .......... 67
        Amazon Inspector .......... 67
        Amazon IVS .......... 67
        Amazon Keyspaces .......... 67
        Amazon OpenSearch Service .......... 67
        Amazon Personalize .......... 68
        Amazon Pinpoint .......... 68
        Amazon QLDB .......... 68
        Amazon Kendra .......... 69
        Amazon Kinesis .......... 69
        Amazon Lex .......... 69
        Amazon Lightsail .......... 69
        Amazon Lookout for Metrics .......... 70
        Amazon Lookout for Vision .......... 70
        Amazon Managed Service for Prometheus .......... 70
        Amazon MQ .......... 70
        Amazon MSK .......... 70
        Amazon Redshift .......... 71
        Amazon RDS .......... 71
        Amazon Route 53 .......... 72
        Amazon SageMaker .......... 73
        Amazon SES .......... 73
        Amazon SNS .......... 73
        Amazon SQS .......... 73
        Amazon S3 .......... 74
        Amazon WorkSpaces .......... 75
        AWS Amplify .......... 75
        AWS AppConfig .......... 75
        AWS App Runner .......... 75
        AWS App Mesh .......... 75
        AWS AppSync .......... 76
        AWS Audit Manager .......... 76
        AWS Auto Scaling .......... 76
        AWS Backup .......... 77
        AWS Batch .......... 77
        AWS Budgets .......... 77
        AWS Certificate Manager .......... 77
        AWS CloudFormation .......... 78
        AWS CloudTrail .......... 78
        AWS Cloud9 .......... 78
        AWS Cloud Map .......... 78
        AWS CodeArtifact .......... 78
        AWS CodeBuild .......... 79
        AWS CodeDeploy .......... 79
        AWS CodePipeline .......... 79
        AWS Config .......... 79

        AWS DMS .......... 80
        AWS DataSync .......... 80
        AWS Device Farm .......... 81
        AWS Elastic Beanstalk .......... 81
        AWS FIS .......... 81
        AWS Global Accelerator .......... 82
        AWS Glue .......... 82
        AWS Ground Station .......... 82
        AWS HealthLake .......... 82
        AWS IAM .......... 82
        AWS IoT .......... 83
        AWS KMS .......... 84
        AWS Lambda .......... 84
        AWS Network Firewall .......... 85
        AWS Network Manager .......... 85
        AWS Panorama .......... 85
        AWS Private CA .......... 86
        AWS Resilience Hub .......... 86
        AWS Resource Explorer .......... 86
        AWS RoboMaker .......... 86
        AWS Signer .......... 86
        AWS Secrets Manager .......... 86
        AWS Service Catalog .......... 87
        AWS Shield .......... 87
        AWS Step Functions .......... 87
        AWS Systems Manager .......... 87
        AWS Transfer Family .......... 88
        AWS WAF .......... 88
        AWS X-Ray .......... 89
        Elastic Load Balancing .......... 89
        MediaConnect .......... 90
        MediaPackage .......... 90
        MediaTailor .......... 90
    Resource Coverage by Region Availability .......... 90
        North and South America .......... 90
        Europe .......... 106
        Asia Pacific .......... 120
        China .......... 141
        Africa and Middle East .......... 150
        GovCloud .......... 161
    Managing Recorded AWS Resources .......... 171
        Managing the Configuration Recorder .......... 171
        Managing the Delivery Channel .......... 173
        Updating the IAM Role .......... 176
        Selecting Which Resources are Recorded .......... 177
        Recording Software Configuration for Managed Instances .......... 187
    Viewing Recorded AWS Resources .......... 189
        Looking Up Discovered Resources .......... 189
        Viewing Configuration Details .......... 190
        Viewing Configuration Compliance .......... 195
        Viewing Compliance History .......... 197
        Delivering Configuration Snapshot .......... 199
    Recording Third-Party Resources .......... 204
        Step 1: Setup Your Development Environment .......... 204
        Step 2: Model Your Resource .......... 205
        Step 3: Generate Artifacts .......... 206
        Step 4: Register Your Resource .......... 206

        Step 5: Publish Resource Configuration .......... 206
        Record and Delete a Configuration State for Third-Party Resources Using AWS CLI .......... 207
        Managing a Configuration State for Third-Party Resources Type Using APIs .......... 209
    Tagging Your Resources .......... 209
        Restrictions Related to Tagging .......... 209
        Managing Tags with AWS Config API Actions .......... 210
    Example Notifications .......... 210
        Example Configuration Item Change Notifications .......... 211
        Example Configuration History Delivery Notification .......... 221
        Example Configuration Snapshot Delivery Started Notification .......... 221
        Example Configuration Snapshot Delivery Notification .......... 222
        Example Compliance Change Notification .......... 222
        Example Rules Evaluation Started Notification .......... 225
        Example Oversized Configuration Item Change Notification .......... 225
        Example Delivery Failed Notification .......... 226

AWS Config Rules .......... 228
    Region Support .......... 229
    Components of a Rule .......... 232
        Rule metadata .......... 233
        Rule structure .......... 234
    Evaluation Mode .......... 246
        Trigger types .......... 246
        Evaluation modes .......... 247
        Rule evaluations .......... 249
    Managed Rules .......... 250
        Trigger Types .......... 250
        Evaluation modes .......... 251
        List of Managed Rules .......... 251
        List of Managed Rules by Evaluation Mode .......... 442
        List of Managed Rules by Trigger Type .......... 451
        List of Managed Rules by Region Availability .......... 461
        Service-Linked Rules .......... 666
        Creating Managed Rules With AWS CloudFormation Templates .......... 667
    Custom Rules .......... 668
        Custom Policy Rules .......... 668
        Custom Lambda Rules .......... 668
        Trigger types .......... 668
        Evaluation modes .......... 669
        Managing deleted resources .......... 669
        Creating Custom Policy Rules .......... 670
        Creating Custom Lambda Rules .......... 673
    Adding, Updating, and Deleting Rules .......... 693
        Using the console .......... 693
        Using the AWS CLI .......... 698
        Using the API Reference .......... 701
        Using Security Hub .......... 702
    Evaluating Resources with Rules .......... 702
    Deleting Evaluation Results .......... 705
        Deleting Evaluation Results (Console) .......... 705
        Deleting Evaluation Results (CLI) .......... 706
        Deleting Evaluation Results (API) .......... 706
    Managing Organizational Rules .......... 706
        Region Support .......... 707
    Remediation .......... 708
        Prerequisite .......... 709
        Setting Up Manual Remediation (Console) .......... 709
        Setting Up Auto Remediation (Console) .......... 710

        Delete Remediation Action (Console) .......... 710
        Managing Remediation (API) .......... 711
        Region Support .......... 711

Conformance Packs .......... 714
    Prerequisites .......... 714
        Start AWS Config Recording .......... 714
        Prerequisites for Using a Conformance Pack With Remediation .......... 714
        Prerequisites for Using a Conformance Pack With One or More AWS Config Rules .......... 715
        Prerequisites for Organization Conformance Packs .......... 717
    Region Support .......... 718
    Process Checks .......... 720
        Sample Conformance Pack Template for Creating Process Checks .......... 721
        Include Process Checks Within a Conformance Pack .......... 721
        Change Compliance Status of a Process Check .......... 722
        View and Edit the Process Check (Console) .......... 723
    Conformance Pack Sample Templates .......... 723
        AWS Control Tower Detective Guardrails Conformance Pack .......... 725
        Operational Best Practices for ABS CCIG 2.0 Material Workloads .......... 726
        Operational Best Practices for ABS CCIG 2.0 Standard Workloads .......... 835
        Operational Best Practices for ACSC Essential 8 .......... 916
        Operational Best Practices for ACSC ISM .......... 930
        Operational Best Practices for AI and ML .......... 997
        Operational Best Practices for Amazon API Gateway .......... 997
        Operational Best Practices for Amazon CloudWatch .......... 997
        Operational Best Practices for Amazon DynamoDB .......... 997
        Operational Best Practices for Amazon S3 .......... 998
        Operational Best Practices for APRA CPG 234 .......... 998
        Operational Best Practices for Asset Management .......... 1113
        Operational Best Practices for AWS Backup .......... 1113
        Operational Best Practices for AWS Identity And Access Management .......... 1113
        Operational Best Practices for AWS Well-Architected Framework Reliability Pillar .......... 1114
        Operational Best Practices for AWS Well-Architected Framework Security Pillar .......... 1145
        Operational Best Practices for BCP and DR .......... 1240
        Operational Best Practices for BNM RMiT .......... 1240
        Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile .......... 1400
        Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 .......... 2109
        Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 .......... 2129
        Operational Best Practices for CIS Critical Security Controls v8 IG1 .......... 2154
        Operational Best Practices for CIS Critical Security Controls v8 IG2 .......... 2199
        Operational Best Practices for CIS Critical Security Controls v8 IG3 .......... 2276
        Operational Best Practices for CIS Top 20 .......... 2359
        Operational Best Practices for CISA Cyber Essentials .......... 2398
        Operational Best Practices for Criminal Justice Information Services (CJIS) .......... 2490
        Operational Best Practices for CMMC Level 1 .......... 2552
        Operational Best Practices for CMMC Level 2 .......... 2610
        Operational Best Practices for CMMC Level 3 .......... 2751
        Operational Best Practices for CMMC Level 4 .......... 2960
        Operational Best Practices for CMMC Level 5 .......... 3185
        Operational Best Practices for CMMC 2.0 Level 1 .......... 3441
        Operational Best Practices for CMMC 2.0 Level 2 .......... 3499
        Operational Best Practices for Compute Services .......... 3693
        Operational Best Practices for Data Resiliency .......... 3693
        Operational Best Practices for Databases Services .......... 3693
        Operational Best Practices for Data Lakes and Analytics Services .......... 3694
        Operational Best Practices for DevOps .......... 3694
        Operational Best Practices for EC2 .......... 3694
        Operational Best Practices for Encryption and Key Management .......... 3694
        Operational Best Practices for ENISA Cybersecurity guide for SMEs .......... 3694
        Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low .......... 3766
        Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium .......... 3819
        Operational Best Practices for Esquema Nacional de Seguridad (ENS) High .......... 3878
        Operational Best Practices for FDA Title 21 CFR Part 11 .......... 3944
        Operational Best Practices for FedRAMP (Low) .......... 4152
        Operational Best Practices for FedRAMP (Moderate) .......... 4277
        Operational Best Practices for FFIEC .......... 4560
        Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) .......... 4662
        Operational Best Practices for Gramm Leach Bliley Act (GLBA) .......... 4707
        Operational Best Practices for GxP EU Annex 11 .......... 4733
        Operational Best Practices for HIPAA Security .......... 4806
        Operational Best Practices for IRS 1075 .......... 5044
        Operational Best Practices for K-ISMS .......... 5148
        Operational Best Practices for Load Balancing .......... 5189
        Operational Best Practices for Logging .......... 5189
        Operational Best Practices for Management and Governance Services .......... 5190
        Operational Best Practices for MAS Notice 655 .......... 5190
        Operational Best Practices for MAS TRMG .......... 5211
        Operational Best Practices for Monitoring .......... 5321
        Operational Best Practices for NBC TRMG .......... 5321
        Operational Best Practices for NERC CIP BCSI .......... 5634
        Operational Best Practices for NCSC Cloud Security Principles .......... 5664
        Operational Best Practices for NCSC Cyber Assessment Framework .......... 5715
        Operational Best Practices for Networking and Content Delivery Services .......... 5801
        Operational Best Practices for NIST 800-53 rev 4 .......... 5801
        Operational Best Practices for NIST 800-53 rev 5 .......... 5964
        Operational Best Practices for NIST 800 171 .......... 6328
        Operational Best Practices for NIST 800 172 .......... 6491
        Operational Best Practices for NIST 800 181 .......... 6525
        Operational Best Practices for NIST 1800 25 .......... 6771
        Operational Best Practices for NIST CSF .......... 6850
        Operational Best Practices for NIST Privacy Framework v1.0 .......... 7022
        Operational Best Practices for NYDFS 23 .......... 7137
        Operational Best Practices for NZISM .......... 7229
        Operational Best Practices for PCI DSS 3.2.1 .......... 7270
        Operational Best Practices for Publicly Accessible Resources .......... 7472
        Operational Best Practices for RBI Cyber Security Framework for UCBs .......... 7473
        Operational Best Practices for RBI MD-ITF .......... 7497
        Operational Best Practices for Security, Identity, and Compliance Services .......... 7568
        Operational Best Practices for Serverless .......... 7568
        Operational Best Practices for Storage Services .......... 7569
        Operational Best Practices for SWIFT CSP .......... 7569
        Security Best Practices for Amazon Elastic Container Service (Amazon ECS) .......... 7585
        Security Best Practices for Amazon Elastic File System (Amazon EFS) .......... 7586
        Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) .......... 7586
        Security Best Practices for Amazon CloudFront .......... 7586
        Security Best Practices for Amazon OpenSearch Service .......... 7586
        Security Best Practices for Amazon Redshift .......... 7586
        Security Best Practices for Amazon Relational Database Service (Amazon RDS) .......... 7587
        Security Best Practices for AWS Auto Scaling .......... 7587
        Security Best Practices for AWS CloudTrail .......... 7587
        Security Best Practices for AWS CodeBuild .......... 7587
        Security Best Practices for Amazon ECR .......... 7587
        Security Best Practices for AWS Lambda .......... 7588
        Security Best Practices for AWS Network Firewall .......... 7588