AWS : Proactive compliance using AWS Config Rules

Ravi Intodia
Dec 15, 2022


AWS Config in Action

Most of us use AWS Config to periodically audit and evaluate the compliance of resources against our organization's policies. As the diagram above shows, AWS Config has until now been a "detective": it watches what is happening in the account and highlights the outliers based on the configured rules.

Starting with re:Invent 2022, AWS Config has gained a "proactive" capability: it can detect and highlight non-compliant configuration before provisioning. This saves a lot of the time otherwise spent fixing non-compliant resources after they have been provisioned.

As most of us follow the best practice of Infrastructure-as-Code, creating reusable templates for provisioning common resources efficiently, it is now possible to validate a common template for compliance without provisioning anything from it.

More good news: proactive rule evaluations are available at no additional charge for customers who already use AWS Config rules to monitor resources post-provisioning.

Now the important part: how to use the feature :) Please follow the steps below:

1. Go to AWS Config > Rules, and click on Add rule

Add Config Rule

2. Select Rule Type: Proactive evaluation is available for eligible rules of all three rule types. To keep our example simple, we will use an AWS managed rule.

Select Config Rule Type

3. Select AWS Managed Rule: For the purpose of this story we will select the commonly used rule rds-multi-az-support, as shown in the image below, and click on Next.

Select Config Rule

The rds-multi-az-support rule supports the "Proactive" evaluation mode, as shown above.

4. Go to Evaluation Mode: Proactive evaluation is disabled by default.

5. Turn on proactive evaluation.

6. Select the other parameters, such as scope of changes, resources and tags. Name and Description are pre-populated with default values based on the selected rule but can be changed as needed.

7. Click Next to navigate to the Review and create screen.

8. Review and click on Add rule.

9. Now you can use the rule in two ways:

a. Using the start-resource-evaluation CLI command with evaluation-mode set to PROACTIVE. The command needs the resource to evaluate passed in resource-details (its type, and its configuration as a JSON string in CloudFormation schema form), for example a single-AZ RDS instance:

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE --resource-details '{"ResourceId":"ReportsDb","ResourceType":"AWS::RDS::DBInstance","ResourceConfiguration":"{\"MultiAZ\":false}","ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'

The response contains a ResourceEvaluationId, which you pass to get-resource-evaluation-summary to read the compliance result (COMPLIANT or NON_COMPLIANT).

b. Create a custom hook that triggers AWS Config rules proactively as part of AWS CloudFormation deployments.
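To show what the "validate the template before provisioning" flow from the CLI step looks like as a pipeline gate, here is an added Python example (not code from the original post or from AWS). It walks the resources of a CloudFormation template, submits each one with EvaluationMode=PROACTIVE, polls for the summary, and lists the resources a rule flagged as NON_COMPLIANT. The AWS Config client is injected: with boto3 installed you would pass boto3.client("config"); the OfflineConfigStub class is an assumed stand-in that mimics rds-multi-az-support so the flow runs without AWS credentials, and the sample template is constructed for the example.

```python
"""Proactive AWS Config evaluation of CloudFormation resources before deployment."""
import json
import time
import uuid

# Constructed sample template: one single-AZ and one Multi-AZ RDS instance.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ReportsDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"DBInstanceClass": "db.t3.medium", "Engine": "postgres",
                           "AllocatedStorage": 20, "MultiAZ": False},
        },
        "OrdersDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"DBInstanceClass": "db.t3.medium", "Engine": "postgres",
                           "AllocatedStorage": 20, "MultiAZ": True},
        },
    }
}


class OfflineConfigStub:
    """Assumed stand-in for boto3's AWS Config client: it answers the same two
    calls the real client exposes and mimics the rds-multi-az-support rule."""

    def __init__(self):
        self._results = {}

    def start_resource_evaluation(self, **request):
        details = request["ResourceDetails"]
        props = json.loads(details["ResourceConfiguration"])
        if details["ResourceType"] == "AWS::RDS::DBInstance":
            compliance = "COMPLIANT" if props.get("MultiAZ") else "NON_COMPLIANT"
        else:
            compliance = "NOT_APPLICABLE"
        eval_id = request["ClientToken"]
        self._results[eval_id] = compliance
        return {"ResourceEvaluationId": eval_id}

    def get_resource_evaluation_summary(self, ResourceEvaluationId):
        return {"EvaluationStatus": {"Status": "SUCCEEDED"},
                "Compliance": self._results[ResourceEvaluationId]}


def build_evaluation_requests(template, timeout_seconds=60):
    """Turn each template resource into a StartResourceEvaluation request body."""
    requests = []
    for logical_id, resource in template.get("Resources", {}).items():
        requests.append({
            "ResourceDetails": {
                "ResourceId": logical_id,
                "ResourceType": resource["Type"],
                # Properties go in as a JSON string in CloudFormation schema form
                "ResourceConfiguration": json.dumps(resource.get("Properties", {})),
                "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
            },
            "EvaluationMode": "PROACTIVE",
            "EvaluationTimeout": timeout_seconds,
            # Idempotency token: a retried call must not start a second evaluation
            "ClientToken": str(uuid.uuid4()),
        })
    return requests


def wait_for_summary(config_client, evaluation_id, poll_seconds=2.0, max_polls=30):
    """Poll GetResourceEvaluationSummary until the evaluation leaves IN_PROGRESS."""
    for _ in range(max_polls):
        summary = config_client.get_resource_evaluation_summary(
            ResourceEvaluationId=evaluation_id)
        if summary["EvaluationStatus"]["Status"] != "IN_PROGRESS":
            return summary
        time.sleep(poll_seconds)
    raise TimeoutError(f"evaluation {evaluation_id} still in progress")


def evaluate_template(config_client, template, poll_seconds=2.0):
    """Submit every resource proactively; return {logical_id: compliance}."""
    results = {}
    for request in build_evaluation_requests(template):
        response = config_client.start_resource_evaluation(**request)
        summary = wait_for_summary(config_client, response["ResourceEvaluationId"],
                                   poll_seconds)
        # A failed or timed-out evaluation carries no Compliance field
        results[request["ResourceDetails"]["ResourceId"]] = summary.get(
            "Compliance", "INSUFFICIENT_DATA")
    return results


def non_compliant_resources(results):
    """Logical IDs a deployment gate should block on."""
    return sorted(rid for rid, c in results.items() if c == "NON_COMPLIANT")


if __name__ == "__main__":
    outcome = evaluate_template(OfflineConfigStub(), SAMPLE_TEMPLATE, poll_seconds=0)
    print(outcome)
    if non_compliant_resources(outcome):
        raise SystemExit(1)
```

The gate exits non-zero when any resource is NON_COMPLIANT, which is the behaviour you want in a CI job that runs before cloudformation deploy; treating INSUFFICIENT_DATA as a failure rather than a pass is a deliberate choice so that an evaluation that never finished cannot wave a template through.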

Conclusion: AWS Config "proactive" evaluation can be of great help in ensuring first-time-right provisioning of resources that comply with organization policies.



Ravi Intodia

Solution Architect working on designing and implementing AWS Cloud-based solutions.