tiero - Fotolia

Maintain compliance with AWS Config Rules

We use AWS Config to track resources, but we also need to meet compliance regulations. What configuration management tools should we use?

Compliance and security are concerns for many enterprises, especially those in highly regulated industries. Add...

to that the difficulty of tracking configuration changes among various public cloud workloads, and AWS admins have their work cut out for them. Two native AWS configuration management tools can simplify these tasks.

Administrators can use the AWS Config service to apply rules against resource configurations across an AWS account. It's also a valuable tool for users with various business units, enabling them to continuously inspect and track multiple resources. And businesses can use the service to enforce known resource configurations, ensure proper security postures, adhere to industry or regulatory compliance requirements and foster AWS cost awareness and management.

AWS Config Rules enables administrators to define the desired state or configuration for an AWS resource. AWS Config monitors a resource's configuration, and it compares what's detected against the desired rules assigned to it. If the current resource configuration violates any rules, AWS reports the resource as noncompliant through a dashboard, and pushes messages via Amazon Simple Notification Service. Noncompliance occurs if the resource is initially configured outside of the rules, or if future changes violate existing rules.

AWS Config Rules matches public cloud resource use with the enterprise's best practices and security policies. Quick alerts enable admins to respond quickly to ensure that resource use remains within approved business rules.

Admins can choose a predefined rule in AWS Config or customize their own. Rules assist businesses to meet regulatory compliance verification, such as the Payment Card Industry Data Security Standard or the Health Insurance Portability and Accountability Act, or other corporate governance concerns. Admins can apply up to 50 rules per AWS account.

Who does what in cloud data compliance?

In cloud environments, laws and regulations can increase the scrutiny around information security and data compliance issues, including where data is stored and processed by a cloud computing service. In this video, Mike Chapple, University of Notre Dame's senior IT director for service delivery, addresses four areas to consider to maintain cloud data compliance when you migrate workloads and assets to the cloud.

Beyond resources, rules are also applied against software configurations to ensure that software configurations and changes within AWS instances, as well as on-premises VMs, remain compliant with set business goals. For example, IT teams implement rules through AWS Config Rules that install specific applications or software components on certain instance types. If the instance does not receive those extra components, it is noncompliant, and an admin is notified.

Remember: Using AWS Config Rules does not prevent noncompliance. It evaluates rules after a resource configuration item has been created or updated within the AWS Config service -- not before. AWS Config cannot prevent an AWS user from creating or reconfiguring a resource in a noncompliant manner, nor can it revert or adjust resource configurations back into compliance. However, combining it with other AWS tools, such as AWS Identity and Access Management and AWS Service Catalog, can limit the resources and configurations that each user provisions.

Next Steps

Track app changes with AWS Config

Automate tag creation with AWS Config Rules

Keep a close eye on your AWS resources

Dig Deeper on AWS compliance, governance, privacy and regulations