Trace Your Organization Compliance With AWS Config

Oguzhan
3 min read · Mar 15, 2023


Organization Compliance with AWS Config

AWS Config Conformance Packs

AWS Config is a service that records the configuration of your AWS resources. It lets you monitor changes, review current configurations, and keep a history of how each resource's configuration has changed over time.

One useful feature of AWS Config is Conformance Packs. These are pre-built sets of Config rules that help you check that your AWS resources comply with industry standards and best practices. You can deploy a pack to multiple AWS accounts and regions at once, which saves a lot of time.

Another feature of AWS Config is the ACM certificate expiration check (the managed rule acm-certificate-expiration-check). The SSL/TLS certificates that secure communication between your resources and the internet have an expiration date, and if they are not renewed in time they cause outages and security issues. AWS Config can keep track of your ACM certificates and flag any that are about to expire, so you can renew them before they become a problem.
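As an added example (not code from the original post or from AWS), the following Python builds a conformance pack template that enables the managed rule ACM_CERTIFICATE_EXPIRATION_CHECK and mirrors that rule's threshold test locally, so a candidate daysToExpiration value can be tried against an inventory of certificate expiry dates before the pack is deployed. The rule identifier and the daysToExpiration parameter name are those documented for the AWS managed rule; the logical resource name, the sample ARNs and dates, and the exact semantics of the local mirror are assumptions of this example.

```python
# Added example, not code from the original post or from AWS. It builds a
# conformance pack template that turns on the managed rule
# ACM_CERTIFICATE_EXPIRATION_CHECK and mirrors that rule's threshold test
# locally, so a candidate daysToExpiration value can be checked against an
# inventory of certificate expiry dates before the pack is deployed.
import json
from datetime import datetime, timedelta, timezone

# Rule identifier and parameter name follow the AWS managed rule; the logical
# resource name in the template is made up for this example.
RULE_IDENTIFIER = "ACM_CERTIFICATE_EXPIRATION_CHECK"
RULE_NAME = "acm-certificate-expiration-check"


def conformance_pack_template(days_to_expiration: int = 30) -> dict:
    """Return a conformance pack template as a dict.

    Serialised with json.dumps it is valid YAML, so it can be used as the
    template body for put-conformance-pack or put-organization-conformance-pack
    (assumption: the caller performs that API call).
    """
    if not isinstance(days_to_expiration, int) or days_to_expiration < 1:
        raise ValueError("daysToExpiration must be a positive integer")
    return {
        "Resources": {
            "AcmCertificateExpirationCheck": {
                "Type": "AWS::Config::ConfigRule",
                "Properties": {
                    "ConfigRuleName": RULE_NAME,
                    "Scope": {"ComplianceResourceTypes": ["AWS::ACM::Certificate"]},
                    "InputParameters": {"daysToExpiration": days_to_expiration},
                    "Source": {"Owner": "AWS", "SourceIdentifier": RULE_IDENTIFIER},
                },
            }
        }
    }


def evaluate_certificate(not_after: datetime, now: datetime, days_to_expiration: int) -> dict:
    """Local mirror of the managed rule's test (an assumption about its exact
    semantics): NON_COMPLIANT if the certificate has already expired or expires
    within days_to_expiration days of `now`, COMPLIANT otherwise."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return {"complianceType": "NON_COMPLIANT", "annotation": "certificate has already expired"}
    if remaining <= timedelta(days=days_to_expiration):
        return {"complianceType": "NON_COMPLIANT",
                "annotation": f"certificate expires in {remaining.days} days"}
    return {"complianceType": "COMPLIANT", "annotation": ""}


def evaluate_inventory(certs: dict, now: datetime, days_to_expiration: int) -> dict:
    """certs maps certificate ARN -> NotAfter datetime; returns ARN -> complianceType."""
    return {arn: evaluate_certificate(not_after, now, days_to_expiration)["complianceType"]
            for arn, not_after in certs.items()}


# Constructed sample inventory: ARNs and dates are made up, and 111122223333 is
# the usual documentation placeholder account ID.
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "arn:aws:acm:eu-west-1:111122223333:certificate/expired-0001": datetime(2023, 3, 1, tzinfo=timezone.utc),
    "arn:aws:acm:eu-west-1:111122223333:certificate/soon-0002": datetime(2023, 4, 10, tzinfo=timezone.utc),
    "arn:aws:acm:eu-west-1:111122223333:certificate/ok-0003": datetime(2024, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    print(json.dumps(conformance_pack_template(30), indent=2))
    for arn, status in evaluate_inventory(SAMPLE_CERTS, NOW, 30).items():
        print(f"{status:14} {arn}")
```

The boundary is inclusive in this mirror: a certificate that expires exactly daysToExpiration days from now is reported NON_COMPLIANT, which is the safer side to err on when the point of the rule is to leave time for renewal. The printed template can be saved to a file and passed with `--template-body file://...` to `aws configservice put-organization-conformance-pack` from the delegated administrator account.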

Finally, AWS Config also integrates with other services, such as Amazon SNS and PagerDuty. This lets you set up automatic notifications when any of your AWS resources is not compliant with your rules. For example, suppose you have a pack that requires a specific security setting and one of your resources doesn't meet that requirement. In that case, AWS Config can send a notification to SNS, which can then trigger an alert in PagerDuty, so you can take action to fix the issue.

Overall, AWS Config is a helpful tool for managing your AWS resources and ensuring they comply with your standards and requirements.

Troubleshooting

I tried to explain AWS Config and conformance packs above. Now I want to talk about some things that AWS Config does not cover well.

Here is the document that explains this, but I think it is not enough. What I wanted to do is not a big problem; I think it is a really basic problem. I just want to see my conformance packs in my aggregator, but when I try to check my accounts for compliance, I only allow the service I need, for example ACM. However, this is not possible if you have allowed only the AWS ACM service. You also need to allow AWS Config conformance packs for all accounts when you want to see them on your aggregator page.

The second problem is the alert mechanism. Conformance means how well something fits the organisation. When you enable the conformance pack for your organisation and also enable EventBridge for a compliance check, it only works in the account that triggered it, meaning your delegated account, not in every account that triggered it. I fixed this problem via EventBridge: I enabled EventBridge in the different accounts, triggering from all accounts.
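The two mechanisms above, the SNS/PagerDuty notification chain and the per-account EventBridge fix, as one added example in Python (not code from the original post or from AWS). It shows the EventBridge event pattern that catches AWS Config compliance changes, a handler that turns one such event into an alert payload of the kind you would hand to SNS or PagerDuty, and the two pieces a member account needs so that its events reach the delegated administrator's event bus instead of staying local. The event shape follows what AWS Config publishes to EventBridge; the sample event values, the account IDs, the alert payload fields and the small local matcher are assumptions of this example.

```python
# Added example, not code from the original post or from AWS. It covers the
# EventBridge pattern for AWS Config compliance changes, an alert builder for
# one such event, and what a member account needs in order to forward its
# events to the delegated administrator's event bus.
import copy
from typing import Optional


def compliance_change_pattern() -> dict:
    """EventBridge event pattern: only NON_COMPLIANT results from Config rules."""
    return {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "messageType": ["ComplianceChangeNotification"],
            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        },
    }


def matches(pattern: dict, event: dict) -> bool:
    """Minimal local matcher for equality-only patterns (assumption: a subset of
    EventBridge matching). Every pattern key must exist in the event, nested
    dicts recurse, and each leaf value must be one of the listed alternatives."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def build_alert(event: dict) -> Optional[dict]:
    """Alert payload for a non-compliant evaluation, or None when the event does
    not match. The payload fields are this example's choice, not an SNS or
    PagerDuty schema."""
    if not matches(compliance_change_pattern(), event):
        return None
    d = event["detail"]
    old = d.get("oldEvaluationResult", {}).get("complianceType")
    return {
        "summary": (f"{d['configRuleName']} NON_COMPLIANT: {d['resourceType']} "
                    f"{d['resourceId']} in {d['awsAccountId']}/{d['awsRegion']}"),
        # Stable key so the receiver can de-duplicate repeated evaluations of one resource.
        "dedup_key": f"{d['awsAccountId']}:{d['awsRegion']}:{d['configRuleName']}:{d['resourceId']}",
        # True only when the resource just went from COMPLIANT to NON_COMPLIANT.
        "newly_non_compliant": old == "COMPLIANT",
        "annotation": d["newEvaluationResult"].get("annotation", ""),
    }


def member_account_forwarding(member_account: str, central_account: str, region: str) -> dict:
    """What each member account needs so its Config events reach the delegated
    administrator's default event bus (assumption: the central bus is the
    default bus; account IDs and region are placeholders). The member rule's
    target is the central bus ARN, and the central bus needs a resource policy
    statement that allows events:PutEvents from the member account."""
    central_bus_arn = f"arn:aws:events:{region}:{central_account}:event-bus/default"
    return {
        "member_rule_event_pattern": compliance_change_pattern(),
        "member_rule_target_arn": central_bus_arn,
        "central_bus_policy_statement": {
            "Sid": f"AllowConfigEventsFrom{member_account}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{member_account}:root"},
            "Action": "events:PutEvents",
            "Resource": central_bus_arn,
        },
    }


# Constructed sample event in the shape AWS Config publishes to EventBridge;
# the ARN, annotation and account ID are made up.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "111122223333",
    "region": "eu-west-1",
    "detail": {
        "resourceId": "arn:aws:acm:eu-west-1:111122223333:certificate/soon-0002",
        "awsRegion": "eu-west-1",
        "awsAccountId": "111122223333",
        "configRuleName": "acm-certificate-expiration-check",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                "annotation": "certificate expires in 26 days"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        "resourceType": "AWS::ACM::Certificate",
    },
}


def sample_compliant_event() -> dict:
    """The same event after the certificate was renewed: must not raise an alert."""
    fixed = copy.deepcopy(SAMPLE_EVENT)
    fixed["detail"]["newEvaluationResult"] = {"complianceType": "COMPLIANT"}
    fixed["detail"]["oldEvaluationResult"] = {"complianceType": "NON_COMPLIANT"}
    return fixed


if __name__ == "__main__":
    print(build_alert(SAMPLE_EVENT))
    print(build_alert(sample_compliant_event()))
    print(member_account_forwarding("111122223333", "999999999999", "eu-west-1"))
```

The reason the fix in the text is needed is visible in the event itself: `detail.awsAccountId` names the account where the rule evaluated, and that is the only event bus the event is delivered to. A rule in the delegated administrator account therefore only sees its own evaluations until every member account has a rule whose target is the central bus and the central bus policy allows `events:PutEvents` from that account.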

Conclusion
AWS Config is a good solution for compliance checks. But it is not ready for conformity-status delivery.

Oguzhan

Solutions Architect, #AWS, food, chess, books and cheese lover. Philosophy 101.