AWScloud~30 mins

AWS Config for compliance - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

AWS Config for compliance

📖 Scenario: You are working as a cloud engineer for a company that needs to ensure its AWS resources comply with internal security policies. You will create an AWS Config setup to track compliance of EC2 instances and S3 buckets.

🎯 Goal: Build an AWS Config setup that records configuration changes for EC2 instances and S3 buckets, and creates a compliance rule to check if S3 buckets have versioning enabled.

📋 What You'll Learn

Create an AWS Config recorder that records EC2 instances and S3 buckets

Create an S3 bucket to store AWS Config logs

Create an AWS Config delivery channel to deliver configuration snapshots and notifications

Create an AWS Config managed rule to check S3 bucket versioning compliance

💡 Why This Matters

🌍 Real World

AWS Config helps organizations continuously monitor and record their AWS resource configurations to ensure compliance with security and operational policies.

💼 Career

Cloud engineers and security professionals use AWS Config to automate compliance auditing and improve cloud governance.

Progress0 / 4 steps

Create the AWS Config recorder

Create an AWS Config recorder named configRecorder that records the resource types AWS::EC2::Instance and AWS::S3::Bucket.

AWS

# Create AWS Config recorder named configRecorder
# Your code here

Need a hint?

Remember to create an IAM role with a trust policy for AWS Config service and attach the AWS managed policy AWSConfigRole.

Create the S3 bucket for AWS Config logs

Create an S3 bucket named config-logs-bucket to store AWS Config logs. Enable versioning on this bucket.

AWS

resource "aws_config_configuration_recorder" "configRecorder" {
  name     = "configRecorder"
  role_arn = aws_iam_role.config_role.arn

  recording_group {
    all_supported = false
    resource_types = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
  }
}

resource "aws_iam_role" "config_role" {
  name = "config_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action = "sts:AssumeRole",
      Effect = "Allow",
      Principal = {
        Service = "config.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config_role_attach" {
  role       = aws_iam_role.config_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

# Create S3 bucket named config-logs-bucket with versioning enabled
# Your code here

Need a hint?

Enable versioning on the S3 bucket to keep track of changes to the logs.

Create the AWS Config delivery channel

Create an AWS Config delivery channel named configDeliveryChannel that delivers configuration snapshots and notifications to the S3 bucket config-logs-bucket.

AWS

resource "aws_config_configuration_recorder" "configRecorder" {
  name     = "configRecorder"
  role_arn = aws_iam_role.config_role.arn

  recording_group {
    all_supported = false
    resource_types = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
  }
}

resource "aws_iam_role" "config_role" {
  name = "config_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action = "sts:AssumeRole",
      Effect = "Allow",
      Principal = {
        Service = "config.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config_role_attach" {
  role       = aws_iam_role.config_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

resource "aws_s3_bucket" "config_logs_bucket" {
  bucket = "config-logs-bucket"

  versioning {
    enabled = true
  }
}

# Create AWS Config delivery channel named configDeliveryChannel
# Your code here

Need a hint?

The delivery channel sends configuration snapshots to the S3 bucket you created.

Create AWS Config rule for S3 bucket versioning compliance

Create an AWS Config managed rule named s3-bucket-versioning-enabled that checks if S3 buckets have versioning enabled.

AWS

resource "aws_config_configuration_recorder" "configRecorder" {
  name     = "configRecorder"
  role_arn = aws_iam_role.config_role.arn

  recording_group {
    all_supported = false
    resource_types = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
  }
}

resource "aws_iam_role" "config_role" {
  name = "config_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action = "sts:AssumeRole",
      Effect = "Allow",
      Principal = {
        Service = "config.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config_role_attach" {
  role       = aws_iam_role.config_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

resource "aws_s3_bucket" "config_logs_bucket" {
  bucket = "config-logs-bucket"

  versioning {
    enabled = true
  }
}

resource "aws_config_delivery_channel" "configDeliveryChannel" {
  name           = "configDeliveryChannel"
  s3_bucket_name = aws_s3_bucket.config_logs_bucket.bucket
}

# Create AWS Config managed rule s3-bucket-versioning-enabled
# Your code here

Need a hint?

Use the AWS managed rule identifier S3_BUCKET_VERSIONING_ENABLED to check bucket versioning compliance.