AllCode has established a mature process for policy as code, utilizing AWS Config to monitor and ensure the compliance status of AWS resources. We set up AWS Config rules for automatic remediation of violations, such as unencrypted S3 buckets or unrestricted remote access. Configuration snapshots are sent to a central log archive account for further analysis, allowing the account owner to review and address any configuration violations.
Additionally, we use Landing Zone/Control Tower to deploy AWS Config and CloudTrail across all accounts, employing Service Control Policies (SCPs) to prevent these settings from being altered or disabled.
If AWS Config is not used, below are our documented processes on how to conduct AWS resource inventory, maintain configuration history, and send configuration change notifications to ensure security and governance.
AWS Resource Inventory:
- Scripts and Automation Tools: We use custom scripts and automation tools like Ansible or Terraform to regularly inventory AWS resources. These tools can query AWS APIs to list resources and their configurations.
- Third-Party Tools: Tools such as CloudHealth or CloudCheckr can provide comprehensive resource inventory and management capabilities.
Configuration History:
- Version Control Systems: We use version control systems like Git to track changes in infrastructure as code (IaC) templates. This allows us to maintain a history of configuration changes.
- Logging Services: AWS CloudTrail can be configured to log API calls and changes to resources, providing a historical record of configuration changes.
Configuration Change Notifications:
- Event-Driven Automation: We use AWS Lambda functions triggered by CloudWatch Events to detect and respond to configuration changes. These functions can send notifications via Amazon SNS or other messaging services.
- Monitoring and Alerting Tools: Tools like Datadog or Splunk can be used to monitor configuration changes and send alerts based on predefined rules.
Security and Governance:
- Policy as Code: We implement policy as code using tools like Open Policy Agent (OPA) or HashiCorp Sentinel to enforce compliance and governance policies.
Automated Remediation: Scripts and automation tools are used to automatically remediate non-compliant configurations, ensuring continuous compliance.
Here are our best practices on setting up and using AWS Config with our clients.
Recent Comments