I need to ensure policy compliance in AWS (e.g. Security Groups). I have done the same using the AWS Config service and a Lambda function. However, AWS Config is region-specific, so the rule will need to be defined in all regions. This makes it tedious to maintain. Any alternatives on how to handle this?

AWS Config is region specific. To stream the notifications directly from Config, you need an SNS topic in every region. If you are logging your CloudTrail logs to an S3 bucket, you can set up a notification when S3 logs are pushed and write Lambda scripts that will evaluate the logs and take actions on SG whose rules are not compliant. – krishna_mee2004 Jan 25 '18 at 12:16
3 Answers
AWS Config is region specific and you have to replicate your rules in other regions/accounts. However, you can have an aggregated view of all the rules in various source accounts in a Central Account. But that's just for viewing.

Take a look at our open source project - PacBot (Policy as Code Bot).
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. PacBot's auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features; it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration; it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain.

PacBot seems pretty cool, but also quite heavyweight in its own resource needs/use. It makes for quite the commitment, just to give it a try. – roens Mar 06 '20 at 23:59
Set up AWS Organizations in a master account, add all the other accounts as child accounts. Then you can use the CLI to put-organization-config-rule.
Those rules cannot have a remediation and cannot be edited in the child accounts. Still, it is an easier way to deploy the same Config rule to multiple accounts.
I'm not familiar with how it works across regions.
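Added example, not from the question or any of the answers: a CLI script that fans one Lambda-backed Config rule out to every enabled region of an account, which is the cross-region part the last answer leaves open. It assumes the AWS CLI is configured, a Config recorder is already on in each region, and the evaluation Lambda already exists in each region under the same function name (a custom rule can only invoke a Lambda in its own region); the rule and function names are placeholders.

```shell
# Fan one custom Config rule out to every enabled region of the account so it
# is not created by hand region by region. Assumptions (not from the page): the
# AWS CLI is configured, a Config recorder is on in each region, and the
# evaluation Lambda is already deployed in each region under the same name.

# Regions the account can use; opt-in regions that are not enabled are skipped.
list_regions() {
  aws ec2 describe-regions \
    --filters "Name=opt-in-status,Values=opt-in-not-required,opted-in" \
    --query 'Regions[].RegionName' --output text
}

# JSON for put-config-rule: a Lambda-backed rule scoped to security groups,
# evaluated whenever one of them changes. $1 = rule name, $2 = Lambda ARN.
rule_json() {
  cat <<EOF
{"ConfigRuleName": "$1",
 "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
 "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "$2",
  "SourceDetails": [{"EventSource": "aws.config",
                     "MessageType": "ConfigurationItemChangeNotification"}]}}
EOF
}

# One region: resolve the Lambda's ARN there, allow Config to invoke it, then
# create or update the rule. add-permission fails on re-runs because the
# statement already exists, so its failure is reported but not fatal.
deploy_rule_in_region() {
  region="$1" rule_name="$2" function_name="$3"
  lambda_arn=$(aws lambda get-function --region "$region" \
    --function-name "$function_name" \
    --query 'Configuration.FunctionArn' --output text)
  aws lambda add-permission --region "$region" \
    --function-name "$function_name" --statement-id "config-$rule_name" \
    --action lambda:InvokeFunction --principal config.amazonaws.com \
    >/dev/null 2>&1 || echo "add-permission skipped in $region" >&2
  aws configservice put-config-rule --region "$region" \
    --config-rule "$(rule_json "$rule_name" "$lambda_arn")"
}

# Every region; prints how many received the rule.
deploy_rule_everywhere() {
  count=0
  for r in $(list_regions); do
    deploy_rule_in_region "$r" "$1" "$2"
    count=$((count + 1))
  done
  echo "$count"
}

if [ $# -eq 2 ]; then deploy_rule_everywhere "$1" "$2"; fi
```

Run it as `sh deploy_rule.sh RULE_NAME FUNCTION_NAME`; for the multi-account case the same loop can wrap put-organization-config-rule from the management account instead.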
