Overview
In the days preceding Amazon Web Services’ 2019 re:Invent conference, AWS announced AWS Conformance Packs. Conformance Packs are a collection of AWS Config Rules grouped into a package to assist with managing resources at scale. If you work for a Managed Services Provider, as I do, or you manage multiple accounts, this announcement was sure to bring some rejoicing to the office. AWS Config allows you to bundle several config rules together to monitor your AWS assets from a compliance perspective. When violations occur, automated alerts trigger for escalation to an operations team for remediation. The ability to create your own rules using Lambda also provides greater flexibility for advanced users. Without Conformance Packs, provisioning these rules individually across multiple accounts is difficult and time-consuming, and the result lacks consistency. Conformance Packs provide the perfect solution to that.
Pre-requisites
For the most part, configuring and deploying conformance packs is a straightforward affair, but there are some minor hurdles. The first of these are the pre-requisites:
- Since Conformance Packs are AWS Config rules at the core, you will need the Config recorder enabled.
- Conformance Packs rely on their own Service Linked Roles. These roles are separate from the one that AWS Config leverages. They can be created from the CLI using the following command:
aws iam create-service-linked-role --aws-service-name config-conforms.amazonaws.com --description "my service linked role for config-conforms"
- Next, we need an S3 bucket to store our configuration data. Create a new S3 bucket with the appropriate permissions or add the policy to an existing bucket. This bucket can be local to the account, a cross-account bucket or an Organisation bucket. For simplicity, I’ve been using the same bucket as the Config rules.
Note: In the bucket policy, replace AccountId with your account ID and delivery-bucket-name with your bucket name.
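The three pre-requisites above, worked through as a POSIX shell script. This is an added example and not part of the original post: the policy statements are modelled on the AWS pre-requisites documentation linked below (and should be checked against it), the account ID and bucket name are constructed placeholders, and the AWS CLI is only called when the script is run with --apply. The rendering is kept separate from the CLI calls so the policy can be reviewed before it touches a bucket.

```shell
#!/bin/sh
# Conformance Pack prerequisites helper (added example, not from the original post).
# Pure rendering functions are kept apart from the AWS CLI calls so the policy can be
# read, diffed or reviewed before it is applied.

# Render the delivery-bucket policy for the config-conforms service-linked role.
# Usage: render_conforms_bucket_policy <account-id> <bucket-name>
# The three statements (GetBucketAcl on the bucket, PutObject and GetObject under
# AWSLogs/<account>/Config/) are modelled on the AWS prerequisites documentation.
# The principal is the service-linked role in *this* account, not the whole service,
# so a stranger's account cannot write into the bucket through the same service.
render_conforms_bucket_policy() {
  account_id="$1"
  bucket="$2"
  role_arn="arn:aws:iam::${account_id}:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigConformsBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "AWS": "${role_arn}" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "AWSConfigConformsBucketDelivery",
      "Effect": "Allow",
      "Principal": { "AWS": "${role_arn}" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/AWSLogs/${account_id}/Config/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    },
    {
      "Sid": "AWSConfigConformsBucketReadAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "${role_arn}" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/AWSLogs/${account_id}/Config/*"
    }
  ]
}
EOF
}

# Guard against shipping the documentation placeholders unchanged.
# Returns 0 when no "AccountId" / "delivery-bucket-name" placeholder remains in $1.
policy_has_no_placeholders() {
  ! printf '%s' "$1" | grep -Eq 'AccountId|delivery-bucket-name'
}

# The AWS CLI steps (only run with --apply; they need credentials and network access).
apply_prerequisites() {
  account_id="$1"
  bucket="$2"
  # 1. The Config recorder must be on; Conformance Packs are Config rules at heart.
  aws configservice describe-configuration-recorder-status \
    --query 'ConfigurationRecordersStatus[].recording' --output text
  # 2. Service-linked role for config-conforms (create only if it is missing).
  if ! aws iam get-role --role-name AWSServiceRoleForConfigConforms >/dev/null 2>&1; then
    aws iam create-service-linked-role \
      --aws-service-name config-conforms.amazonaws.com \
      --description "service linked role for config-conforms"
  fi
  # 3. Delivery bucket policy. put-bucket-policy REPLACES the existing policy, so if the
  #    bucket already has one (for example, your Config delivery bucket) stop and merge
  #    the statements by hand instead of silently breaking Config delivery.
  if aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text \
       > /tmp/existing-bucket-policy.json 2>/dev/null; then
    echo "bucket $bucket already has a policy (saved to /tmp/existing-bucket-policy.json); merge rather than overwrite" >&2
    return 1
  fi
  render_conforms_bucket_policy "$account_id" "$bucket" > /tmp/conforms-bucket-policy.json
  aws s3api put-bucket-policy --bucket "$bucket" --policy file:///tmp/conforms-bucket-policy.json
}

# Constructed sample values; replace with your own account ID and bucket.
SAMPLE_ACCOUNT_ID="123456789012"
SAMPLE_BUCKET="my-config-delivery-bucket"

if [ "${1:-}" = "--apply" ]; then
  apply_prerequisites "$SAMPLE_ACCOUNT_ID" "$SAMPLE_BUCKET"
else
  render_conforms_bucket_policy "$SAMPLE_ACCOUNT_ID" "$SAMPLE_BUCKET"
fi
```

Run without arguments to print the rendered policy for review; run with --apply to check the recorder, create the role and attach the policy. The apply step refuses to overwrite a bucket that already has a policy, which matters if you reuse the Config bucket as the post suggests: merge the three statements into that bucket's existing policy instead.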
For further pre-requisites documentation see the following link: https://docs.aws.amazon.com/config/latest/developerguide/cpack-prerequisites.html
Creating a Conformance Pack
Conformance Packs are a series of AWS Config rules specified in YAML format. AWS provides a set of sample templates that can be used as-is or can form the basis of custom conformance packs for your organisation.
A base template looks like:
The properties of a conformance pack consist of:
- ConfigRuleName – This represents the name of the rule that appears in the Config Rules list
- Description – Describes the function of the config rule
- Scope – An optional parameter that can limit the targeted resources for review
- Source – Specifies whether the rule is an AWS managed rule or a custom rule, via the Owner attribute
- SourceIdentifier – The identifier of the config rule that gets deployed.
There are several documentation resources to leverage when writing config rules. My first recommendation would be to check out the sample templates provided by AWS. The sample above came directly from the “Operational Best Practice for Amazon S3” sample.
For further sample templates, see the following link: https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html
Another resource I recommend is the AWS Config Managed Rules document, which describes the pre-defined Config Rules managed by AWS. For example, the entry for s3-bucket-public-read-prohibited reads:
s3-bucket-public-read-prohibited
Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).
The rule is compliant when both of the following are true:
- The Block Public Access setting restricts public policies or the bucket policy does not allow public read access.
- The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public read access.
The rule is noncompliant when either of the following is true:
- The Block Public Access setting does not restrict public policies, and AWS Config finds that the bucket policy allows public read access.
- The Block Public Access setting does not restrict public bucket ACLs, and AWS Config finds that the bucket ACL allows public read access.
Identifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
Trigger type: Configuration changes
AWS Region: All supported AWS regions
Parameters: None
Using this information, you can identify the Description and the SourceIdentifier (the Identifier shown above; the hyphenated rule name serves as the ConfigRuleName), which is enough to create a rule for the Conformance Pack.
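Putting the template properties and the managed-rule entry together, here is a script that renders a small S3 conformance pack template. It is an added example, not the post's sample or an AWS sample: it uses the rule documented above plus two other S3 managed rules (s3-bucket-ssl-requests-only and s3-bucket-logging-enabled, with their descriptions paraphrased), and adds a Parameters section so the logging rule's target bucket is supplied at deploy time rather than hard-coded. The default bucket name is a constructed placeholder.

```shell
#!/bin/sh
# Render a Conformance Pack template (added example, not from the original post).
# Each Resource is an AWS::Config::ConfigRule with the properties listed above:
# ConfigRuleName, Description, optional Scope, and Source with Owner/SourceIdentifier.

# Usage: render_s3_conformance_pack [default-log-bucket]
render_s3_conformance_pack() {
  default_log_bucket="${1:-my-access-log-bucket}"   # constructed placeholder default
  cat <<EOF
Parameters:
  S3BucketLoggingTargetBucket:
    Type: String
    Default: ${default_log_bucket}
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Description: Checks that your Amazon S3 buckets do not allow public read access.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  S3BucketSslRequestsOnly:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-ssl-requests-only
      Description: Checks whether S3 bucket policies require requests to use SSL.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
  S3BucketLoggingEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-logging-enabled
      Description: Checks whether server access logging is enabled for your S3 buckets.
      InputParameters:
        targetBucket:
          Ref: S3BucketLoggingTargetBucket
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
EOF
}

# Count the Config rules in a rendered template; a quick sanity check before upload.
count_config_rules() {
  printf '%s\n' "$1" | grep -c 'Type: AWS::Config::ConfigRule'
}

# List the managed-rule identifiers a template would deploy, one per line, so the
# set can be compared with the managed-rules reference before anything is deployed.
list_source_identifiers() {
  printf '%s\n' "$1" | sed -n 's/^ *SourceIdentifier: *//p'
}

# Stand-alone run: write the template to a file and summarise it.
TEMPLATE_FILE="/tmp/s3-conformance-pack.yaml"
render_s3_conformance_pack > "$TEMPLATE_FILE"
echo "wrote $TEMPLATE_FILE with $(count_config_rules "$(cat "$TEMPLATE_FILE")") config rules:"
list_source_identifiers "$(cat "$TEMPLATE_FILE")"
```

The file it writes can be uploaded through the console's Template is ready option described below, and the S3BucketLoggingTargetBucket parameter then appears on the parameters step. Keeping the target bucket as a parameter rather than a literal is what lets the same pack be deployed unchanged across accounts that each have their own logging bucket.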
For a list of managed config rules, see the following link: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
You also have the option to configure the rule you want within AWS Config to find the details and parameters required to create the Conformance Pack.
You can browse the rule repository in the AWS Config console or use the search facility with the rule name. Then select the rule to view its details:
Again, you can retrieve the Description and SourceIdentifier (along with the hyphenated rule name), but this method provides more information about the triggers associated with the config rule.
Deployment
Once you have the YAML file constructed, or if you are going to use a sample rule, deploying is relatively easy. Select Conformance packs from the AWS Config console:
Then select Deploy conformance pack.
If you want to use a pre-defined sample template, select that from the dropdown:
Otherwise, if you want to use your own, choose Template is ready, then Upload a template file, click the Choose file button to select your YAML file and then hit Next.
The next screen requires you to enter a name for your Conformance Pack and to select the bucket where the output of the conformance pack will be delivered.
If you choose an existing bucket, you don’t need to add the default Config logs prefix of AWSLogs/AccountId/Config/. If you have any input parameters, this is where they are entered.
Finally, you are presented with the preview screen, where the details of your YAML file name, region, pack name and bucket are displayed. If the review details are all correct, hit Deploy conformance pack and sit back. It does take a little while to deploy.
Updating
To modify a config rule, simply update the YAML file and redeploy. This process differs from CloudFormation, where stacks are “Updated”; with Conformance Packs you use the “Edit” functionality instead.
All other aspects resemble the operation of CloudFormation stacks. You specify a name for the new template and the other options are pre-populated. Parameters, however, come back blank even if they were set previously, unless they have been hard-coded within the template.
Troubleshooting
If you have issues with the deployment of your template and expect to find meaningful logs in the Conformance Pack console or from the Conformance Pack APIs, you will be very disappointed. However, under the hood, Conformance Packs are deployed via CloudFormation. You can use the following command to find the stack ARN:
aws configservice describe-conformance-pack-status
The alternative is to navigate to the CloudFormation console.
Stacks relating to AWS Conformance Packs are prefixed “awsconfigconforms”. The stack events from the failed stack will assist in troubleshooting and rectifying your deployment.
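The CLI route through deployment and troubleshooting, as an added example that is not part of the original post: put-conformance-pack creates or updates the pack (which covers the "Updating" case as well), describe-conformance-pack-status is polled for the state and the StackArn field, and on failure the CloudFormation stack events are pulled by that ARN. The status JSON below is a constructed sample, used so the parsing helpers run offline; the pack name, region, account ID and stack ID in it are placeholders.

```shell
#!/bin/sh
# Deploy a Conformance Pack from the CLI, wait for it, and on failure pull the
# CloudFormation stack events (added example, not from the original post).

# Extract the StackArn from describe-conformance-pack-status JSON read on stdin.
# Plain sed so it works without jq; online, the CLI's --query option does the same.
stack_arn_from_status_json() {
  sed -n 's/.*"StackArn": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Pull the ConformancePackState field the same way.
state_from_status_json() {
  sed -n 's/.*"ConformancePackState": *"\([^"]*\)".*/\1/p' | head -n 1
}

# The stack name sits between "stack/" and the next "/" in a CloudFormation ARN.
stack_name_from_arn() {
  printf '%s' "$1" | sed -n 's|.*:stack/\([^/]*\)/.*|\1|p'
}

# Conformance Pack stacks carry the "awsconfigconforms" prefix mentioned above.
is_conforms_stack() {
  case "$1" in awsconfigconforms*) return 0 ;; *) return 1 ;; esac
}

# Create or update a pack. Usage:
#   deploy_conformance_pack <pack-name> <template-file> <delivery-bucket> [ParameterName=..,ParameterValue=..]
deploy_conformance_pack() {
  if [ -n "${4:-}" ]; then
    aws configservice put-conformance-pack --conformance-pack-name "$1" \
      --template-body "file://$2" --delivery-s3-bucket "$3" \
      --conformance-pack-input-parameters "$4"
  else
    aws configservice put-conformance-pack --conformance-pack-name "$1" \
      --template-body "file://$2" --delivery-s3-bucket "$3"
  fi
}

# Poll until the pack leaves its IN_PROGRESS state; on anything other than
# CREATE_COMPLETE, print the FAILED events from the underlying stack and return 1.
wait_for_conformance_pack() {  # <pack-name>
  while :; do
    status_json="$(aws configservice describe-conformance-pack-status --conformance-pack-names "$1")"
    state="$(printf '%s' "$status_json" | state_from_status_json)"
    case "$state" in
      *IN_PROGRESS) sleep 15 ;;
      CREATE_COMPLETE) echo "$1: $state"; return 0 ;;
      *)
        echo "$1: $state" >&2
        arn="$(printf '%s' "$status_json" | stack_arn_from_status_json)"
        aws cloudformation describe-stack-events --stack-name "$arn" \
          --query "StackEvents[?ends_with(ResourceStatus, 'FAILED')].[LogicalResourceId,ResourceStatus,ResourceStatusReason]" \
          --output table
        return 1 ;;
    esac
  done
}

# Constructed sample of describe-conformance-pack-status output for a failed deployment.
SAMPLE_STATUS_JSON='{
    "ConformancePackStatusDetails": [
        {
            "ConformancePackName": "s3-baseline",
            "ConformancePackId": "s3-baseline-EXAMPLEID",
            "ConformancePackArn": "arn:aws:config:ap-southeast-2:123456789012:conformance-pack/s3-baseline/conformance-pack-EXAMPLEID",
            "ConformancePackState": "CREATE_FAILED",
            "StackArn": "arn:aws:cloudformation:ap-southeast-2:123456789012:stack/awsconfigconforms-s3-baseline-EXAMPLEID/0f0e0d0c-EXAMPLE",
            "ConformancePackStatusReason": "Constructed sample: one of the resources failed to create"
        }
    ]
}'

# Stand-alone run: show what the helpers pull out of the sample. To deploy for real:
#   deploy_conformance_pack s3-baseline ./pack.yaml my-config-delivery-bucket && wait_for_conformance_pack s3-baseline
sample_arn="$(printf '%s' "$SAMPLE_STATUS_JSON" | stack_arn_from_status_json)"
echo "state: $(printf '%s' "$SAMPLE_STATUS_JSON" | state_from_status_json)"
echo "stack: $(stack_name_from_arn "$sample_arn")"
```

The stack-events query filters on statuses ending in FAILED, which is usually the one line (a rule name CloudFormation rejected, a missing parameter, a rule already present in the account under the same ConfigRuleName) that the Conformance Pack console never shows you.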
Summary
In short, Conformance Packs are a great way to gain consistency across multiple accounts that you might manage, or even if you manage only one. There are several other options for Conformance Packs that I haven’t covered here. You can use Conformance Packs across an Organisation, you can configure remediation rules within the Conformance Pack, and you can use custom Config Rules (functionality backed by Lambda).
For further information, see the official conformance pack documentation: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
If conformance packs are an area of interest to you or your organisation, please check out my presentation on Conformance Packs at the Melbourne AWS User Group. The recording is available on YouTube at https://youtu.be/SVvnTDCImaM?t=4904.
Note: This was an impromptu presentation to cover for a presenter who dropped out in the hours preceding the meetup, so please forgive the lack of polish.