5 Must-Have AWS Managed Config Rules

Yesterday while working with AWS Config, I came across some cool managed AWS Config rules and decided to share.

Firstly, what is this AWS Config?

AWS Config is a service that assesses, audits and evaluates the configurations of your AWS resources. It records configuration changes continuously, so you get a configuration history for every supported resource, and it evaluates those configurations against rules you define.

From a resource's configuration timeline you can see what changed and when, how the change affected related resources and, through the CloudTrail events linked to the timeline, who made the change and from which IP address.

5 Good-to-Have Managed Config Rules

Here are five managed rules to add to the rules you already have:

cloudtrail-enabled (CLOUD_TRAIL_ENABLED): CloudTrail should always be enabled. CloudTrail is the AWS service that records the actions taken by users, roles or other AWS services as events; a trail delivers those events as log files to an S3 bucket. This rule checks that a trail is enabled in the account, and can optionally check that the trail delivers to a specific S3 bucket, SNS topic or CloudWatch Logs log group.

iam-user-mfa-enabled (IAM_USER_MFA_ENABLED): Checks whether your IAM users have multi-factor authentication (MFA) enabled. An IAM user without an MFA device is NON_COMPLIANT.

ec2-ebs-encryption-by-default (EC2_EBS_ENCRYPTION_BY_DEFAULT): Checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default in the account for that region. This is an account-level setting that only affects volumes created after it is turned on, so pair it with the encrypted-volumes rule to catch existing unencrypted volumes.

iam-root-access-key-check (IAM_ROOT_ACCESS_KEY_CHECK): Checks whether the root user has an access key. The rule is COMPLIANT only when no root access key exists. The root user should never have long-term credentials, because it is not restricted by IAM policies and a leaked root key gives full control of the account.

rds-instance-deletion-protection-enabled (RDS_INSTANCE_DELETION_PROTECTION_ENABLED): Checks whether your RDS DB instances have deletion protection enabled, so an instance cannot be deleted until someone explicitly clears the flag first.

Bonus:

cloud-trail-log-file-validation-enabled (CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED): Checks whether CloudTrail log file validation is turned on, i.e. whether CloudTrail writes a signed digest file alongside its log files. The rule is NON_COMPLIANT if validation is not enabled on a trail. With validation on, you can prove after the fact whether a log file was modified, deleted or left untouched since CloudTrail delivered it. Note that it detects tampering rather than preventing it, so you still want a tight bucket policy on the log bucket. By the way, this is one of my coolest rules.
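To put these six rules in place without clicking through the console, here is an added example of my own (not code from the original post) that deploys them with boto3 and reads back their compliance state. The SourceIdentifier values are AWS's published identifiers for these managed rules, and the periodic versus change-triggered setting per rule matches how AWS evaluates them; the rule names, the bucket name my-cloudtrail-logs and the offline FakeConfigClient are assumptions made here for illustration.

```python
"""Deploy the AWS Config managed rules from this post and summarise their
compliance. Added example, not part of the original post: the
SourceIdentifier values are the real AWS managed-rule identifiers; the
rule names, the bucket name and FakeConfigClient are assumptions."""
import json

# AWS evaluates some managed rules on a schedule (periodic) and others
# whenever a matching resource changes. Periodic rules take a
# MaximumExecutionFrequency; change-triggered rules should not set one.
PERIODIC = "periodic"
ON_CHANGE = "change"

# (rule name, AWS managed-rule identifier, trigger, input parameters)
MANAGED_RULES = [
    ("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED", PERIODIC,
     {"s3BucketName": "my-cloudtrail-logs"}),  # assumed bucket name
    ("iam-user-mfa-enabled", "IAM_USER_MFA_ENABLED", PERIODIC, None),
    ("ec2-ebs-encryption-by-default", "EC2_EBS_ENCRYPTION_BY_DEFAULT",
     PERIODIC, None),
    ("iam-root-access-key-check", "IAM_ROOT_ACCESS_KEY_CHECK",
     PERIODIC, None),
    ("rds-instance-deletion-protection-enabled",
     "RDS_INSTANCE_DELETION_PROTECTION_ENABLED", ON_CHANGE, None),
    # Bonus rule from the post.
    ("cloud-trail-log-file-validation-enabled",
     "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED", PERIODIC, None),
]


def build_config_rule(name, identifier, trigger, params=None,
                      frequency="TwentyFour_Hours"):
    """Return the ConfigRule structure expected by PutConfigRule."""
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": identifier},
    }
    if trigger == PERIODIC:
        rule["MaximumExecutionFrequency"] = frequency
    if params:
        # The API takes InputParameters as a JSON-encoded string.
        rule["InputParameters"] = json.dumps(params)
    return rule


def deploy_rules(client, rules=MANAGED_RULES):
    """Create or update every rule; returns the names that were submitted."""
    deployed = []
    for name, identifier, trigger, params in rules:
        client.put_config_rule(
            ConfigRule=build_config_rule(name, identifier, trigger, params))
        deployed.append(name)
    return deployed


def compliance_summary(client, rule_names):
    """Map each rule name to its ComplianceType (COMPLIANT, NON_COMPLIANT,
    NOT_APPLICABLE or INSUFFICIENT_DATA)."""
    resp = client.describe_compliance_by_config_rule(
        ConfigRuleNames=list(rule_names))
    return {item["ConfigRuleName"]: item["Compliance"]["ComplianceType"]
            for item in resp.get("ComplianceByConfigRules", [])}


def non_compliant(summary):
    """Rules needing attention: anything that is not COMPLIANT, including
    INSUFFICIENT_DATA, which usually means the rule never evaluated."""
    return sorted(n for n, state in summary.items() if state != "COMPLIANT")


class FakeConfigClient:
    """Offline stand-in for boto3.client('config'): records submitted rules
    and answers with a constructed compliance response."""

    def __init__(self, states):
        self.rules = {}
        self.states = states  # rule name -> ComplianceType override

    def put_config_rule(self, ConfigRule):
        self.rules[ConfigRule["ConfigRuleName"]] = ConfigRule
        return {}

    def describe_compliance_by_config_rule(self, ConfigRuleNames, **_):
        return {"ComplianceByConfigRules": [
            {"ConfigRuleName": n,
             "Compliance": {"ComplianceType": self.states.get(n, "COMPLIANT")}}
            for n in ConfigRuleNames]}


if __name__ == "__main__":
    # Against a real account: client = boto3.client("config", region_name=...)
    client = FakeConfigClient({"iam-root-access-key-check": "NON_COMPLIANT"})
    names = deploy_rules(client)
    print(non_compliant(compliance_summary(client, names)))
```

To run it for real, swap FakeConfigClient for boto3.client("config"); the caller needs config:PutConfigRule and config:DescribeComplianceByConfigRule, and a configuration recorder must already exist in the region, otherwise PutConfigRule fails with NoAvailableConfigurationRecorderException. Config rules are regional, so repeat per region (or use organization rules or a conformance pack across many accounts).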

Long story short, if you are looking for ways to strengthen the security posture of your cloud infrastructure, AWS Config should be one of the first services you enable in every account and region.