AWS Cloud Operations & Migrations Blog

Announcing AWS Config Compliance Scores for conformance pack

Back in November 2019, we announced AWS Config Conformance Packs. A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account and Region, or across an organization in AWS Organizations.

Conformance packs have helped AWS customers manage and enforce compliance of their AWS resource configurations, and of non-AWS resources, at scale.

AWS accounts can have hundreds of resources and be subject to numerous AWS Config rule checks. It can be a challenge for our customers’ compliance teams to validate and quantify the AWS resources’ compliance posture. Furthermore, reporting on the progress of remediation efforts can be time consuming.

To address this challenge, we’re excited to announce AWS Config compliance scores for conformance packs: a quantitative measure of compliance status that is also published as an Amazon CloudWatch metric. We also announced a price reduction of up to 58% for AWS Config conformance packs, depending on your usage levels.

In this post, we’ll walk through the Compliance Scores for Conformance pack feature.

Compliance score calculation

A compliance score is calculated from the number of rule-to-resource combinations that are compliant within the scope of a conformance pack. Here’s how it’s calculated:

                   Compliant rule-resource combinations
Compliance score = ------------------------------------------ x 100%
                   Total possible rule-resource combinations

where a rule-resource combination is one rule evaluated against one resource in its scope. The total number of combinations is therefore the sum, over all rules in the pack, of the number of resources applicable to each rule.

Example:

Let’s consider the following scenario:

Resources:

Let’s assume that our account has 3 Amazon Simple Storage Service (Amazon S3) Buckets and 4 Amazon Elastic Compute Cloud (Amazon EC2) instances.

Conformance Pack:

Let’s assume that our sample conformance pack consists of three rules: two that apply to EC2 instances (Rule 1 and Rule 2) and one that applies to S3 buckets (Rule 3).

Sample Conformance pack:

##################################################################################
#
# Conformance Pack:
#  Sample Conformance Pack
#
##################################################################################
Resources:
  EbsOptimizedInstance:
    Properties:
      ConfigRuleName: ebs-optimized-instance
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
    Type: AWS::Config::ConfigRule
  Ec2EbsEncryptionByDefault:
    Properties:
      ConfigRuleName: ec2-ebs-encryption-by-default
      Source:
        Owner: AWS
        SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
    Type: AWS::Config::ConfigRule
  S3BucketAclProhibited:
    Properties:
      ConfigRuleName: s3-bucket-acl-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_ACL_PROHIBITED
    Type: AWS::Config::ConfigRule

Evaluation:

Let’s assume that in our evaluation all three S3 buckets are compliant with Rule 3, all four EC2 instances are compliant with Rule 1, and two of the four EC2 instances aren’t compliant with Rule 2.

Compliant rule/resource evaluations

           Rule 1   Rule 2   Rule 3   Total
S3              0        0        3       3
EC2             4        2        0       6
Totals          4        2        3       9

All rule/resource evaluations

           Rule 1   Rule 2   Rule 3   Total
S3              0        0        3       3
EC2             4        4        0       8
Totals          4        4        3      11

Compliance score

9 / 11 x 100 ≈ 81.8%

The Compliance Score for each Conformance pack is calculated periodically, and it’s emitted to Amazon CloudWatch as a metric.

The compliance scores for AWS Config conformance packs can also be retrieved with the AWS CLI command aws configservice list-conformance-pack-compliance-scores, which returns a list of conformance pack compliance scores.
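The calculation above, carried out in code as an added example (this is not AWS Config’s implementation). It takes per-resource evaluation results in the shape of the ConformancePackRuleEvaluationResults list returned by aws configservice get-conformance-pack-compliance-details, counts rule-resource combinations, and reproduces the 9/11 result from the worked example; the sample results are constructed here. It also handles the edge case the formula leaves open: a pack with no in-scope resources has no combinations, so the score is undefined rather than 0%. Assumption: only COMPLIANT counts toward the numerator, and NOT_APPLICABLE results are excluded from both numerator and denominator.

```python
"""Compute a conformance pack compliance score from per-resource evaluation results.

Added example, not AWS Config's own code. Input mirrors the
ConformancePackRuleEvaluationResults list from get-conformance-pack-compliance-details;
the sample below is constructed to match the post's worked example.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


def evaluation(rule: str, resource_type: str, resource_id: str, compliance: str) -> dict:
    """Build one evaluation result in the API's shape (used only for the constructed sample)."""
    return {
        "ComplianceType": compliance,
        "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": rule,
                "ResourceType": resource_type,
                "ResourceId": resource_id,
            }
        },
    }


# Constructed sample: Rule 1 and Rule 2 evaluate four EC2 instances, Rule 3 evaluates
# three S3 buckets; two instances fail Rule 2, everything else is compliant.
SAMPLE_RESULTS = (
    [evaluation("ebs-optimized-instance", "AWS::EC2::Instance", f"i-0{n}", "COMPLIANT")
     for n in range(4)]
    + [evaluation("ec2-ebs-encryption-by-default", "AWS::EC2::Instance", f"i-0{n}",
                  "COMPLIANT" if n < 2 else "NON_COMPLIANT") for n in range(4)]
    + [evaluation("s3-bucket-acl-prohibited", "AWS::S3::Bucket", f"bucket-{n}", "COMPLIANT")
       for n in range(3)]
)


def rule_resource_counts(results: Iterable[dict]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Return {(resource_type, rule_name): (compliant, total)} rule-resource combinations.

    Each (rule, resource) evaluation is one combination. Assumption: NOT_APPLICABLE
    results are not combinations at all and are skipped.
    """
    counts: Dict[Tuple[str, str], list] = defaultdict(lambda: [0, 0])
    for r in results:
        compliance = r["ComplianceType"]
        if compliance == "NOT_APPLICABLE":
            continue
        q = r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        key = (q["ResourceType"], q["ConfigRuleName"])
        counts[key][1] += 1
        if compliance == "COMPLIANT":
            counts[key][0] += 1
    return {k: (v[0], v[1]) for k, v in counts.items()}


def compliance_score(results: Iterable[dict]) -> Optional[float]:
    """Compliance score = compliant combinations / total combinations x 100.

    Returns None when there are no combinations (no in-scope resources): the ratio
    is undefined, and reporting 0% would look like a total failure.
    """
    compliant = total = 0
    for c, t in rule_resource_counts(results).values():
        compliant += c
        total += t
    if total == 0:
        return None
    return compliant / total * 100


if __name__ == "__main__":
    for (rtype, rule), (c, t) in sorted(rule_resource_counts(SAMPLE_RESULTS).items()):
        print(f"{rtype:<20} {rule:<32} {c}/{t}")
    print(f"compliance score: {compliance_score(SAMPLE_RESULTS):.1f}%")  # 81.8%
```

For real data, feed the function the concatenated ConformancePackRuleEvaluationResults pages for one pack; the per-combination counts it returns are the same breakdown as the two tables above.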

How to view Compliance Score for Conformance pack

  1. If you don’t have AWS Config enabled, then follow the steps here to enable AWS Config.
  2. If you don’t have an AWS Config conformance pack deployed, then follow the steps here to deploy one.
  3. If AWS Config is already enabled and a conformance pack is deployed, navigate to the AWS Config console. The Dashboard page shows the compliance scores as in Figure 1.

Figure 1: Dashboard – Conformance Packs

Compliance scores for deployed conformance packs are also displayed as gauges on the AWS Config > Conformance packs page.

Figure 2: Conformance packs

  4. Choose View to open the detail page for that conformance pack (AWS Config > Conformance packs > NISTPack in Figure 3). It shows general details, the compliance score and when it was last updated, and the compliance score timeline.

Figure 3: Compliance Score View

  5. You can also add the compliance score timeline to a CloudWatch dashboard using the Add to dashboard button shown in Figure 3. This creates a widget for the compliance score under CloudWatch > Dashboards.

Sample use cases

Here are sample use cases for AWS Config compliance scores:

  1. Compliance scores for conformance packs let you see the impact of a change or deployment on your overall compliance posture. If a score fluctuates over time with peaks and troughs, that indicates ephemeral resources that may be out of compliance.
  2. Compliance scores can help you set overall compliance goals. Because they are also provided as Amazon CloudWatch metrics, you can track progress toward those goals over time.
  3. You can build Amazon CloudWatch dashboards on the compliance score metric to compare scores across Regions and across conformance packs.
  4. Because compliance scores are published to Amazon CloudWatch as metrics, you can set up Amazon CloudWatch alarms to notify the team when a compliance score drops below a threshold for an extended period.
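Use cases 1 and 4 interact: a transient dip from an ephemeral resource should not page anyone, while a sustained drop should. The added example below (not from the post or from AWS) models how a CloudWatch alarm with M-out-of-N datapoints would evaluate a compliance score series, and builds the put_metric_alarm parameters for boto3. The hourly scores are constructed. The metric namespace (AWS/Config), metric name (ComplianceScore) and ConformancePackName dimension are assumptions; confirm the exact names in the CloudWatch console for your account before deploying the alarm. The evaluation model is simplified: one datapoint per period and no missing data.

```python
"""Model a CloudWatch 'M out of N' alarm on a compliance score series and build the
put_metric_alarm parameters for it.

Added example, not AWS code. Metric namespace/name/dimension are assumptions;
the score series is constructed.
"""
from typing import Optional, Sequence

# Constructed hourly scores for one pack: a one-hour dip to 70% (an ephemeral
# non-compliant resource), recovery, then a sustained slide below 90%.
SAMPLE_SCORES = [95.0, 94.0, 96.0, 70.0, 95.0, 95.0, 88.0, 85.0, 84.0, 82.0]


def alarm_state(scores: Sequence[float], threshold: float,
                evaluation_periods: int, datapoints_to_alarm: int) -> str:
    """Alarm state after the latest datapoint, looking at the last `evaluation_periods` points.

    ALARM when at least `datapoints_to_alarm` of them are below `threshold`
    (ComparisonOperator LessThanThreshold); INSUFFICIENT_DATA until the window is full.
    """
    if not 1 <= datapoints_to_alarm <= evaluation_periods:
        raise ValueError("need 1 <= datapoints_to_alarm <= evaluation_periods")
    window = list(scores)[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for s in window if s < threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def first_alarm_index(scores: Sequence[float], threshold: float,
                      evaluation_periods: int, datapoints_to_alarm: int) -> Optional[int]:
    """Index of the datapoint at which the alarm first enters ALARM, or None if it never does."""
    for i in range(len(scores)):
        if alarm_state(scores[: i + 1], threshold, evaluation_periods, datapoints_to_alarm) == "ALARM":
            return i
    return None


def put_metric_alarm_params(pack_name: str, threshold: float, period_seconds: int,
                            evaluation_periods: int, datapoints_to_alarm: int,
                            sns_topic_arn: str) -> dict:
    """Keyword arguments for boto3: cloudwatch.put_metric_alarm(**params).

    Namespace, MetricName and the dimension name are assumptions (see docstring above).
    """
    return {
        "AlarmName": f"config-compliance-score-{pack_name}",
        "Namespace": "AWS/Config",            # assumed
        "MetricName": "ComplianceScore",      # assumed
        "Dimensions": [{"Name": "ConformancePackName", "Value": pack_name}],  # assumed
        "Statistic": "Average",
        "Period": period_seconds,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": threshold,
        "ComparisonOperator": "LessThanThreshold",
        # notBreaching: a newly deployed pack with no score yet should not page.
        # If you would rather treat "Config stopped publishing" as an incident, use "breaching".
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


if __name__ == "__main__":
    # A 1-of-1 alarm fires on the transient dip; a 3-of-3 alarm waits for the sustained drop.
    print("1 of 1 first ALARM at index", first_alarm_index(SAMPLE_SCORES, 90, 1, 1))  # 3
    print("3 of 3 first ALARM at index", first_alarm_index(SAMPLE_SCORES, 90, 3, 3))  # 8
    print(put_metric_alarm_params("NISTPack", 90, 3600, 3, 3,
                                  "arn:aws:sns:us-east-1:123456789012:compliance-alerts"))
```

With Period set to the interval at which the score is recalculated, EvaluationPeriods and DatapointsToAlarm together define the "extended time period" from use case 4; raising DatapointsToAlarm is what filters out the peaks and troughs described in use case 1.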

Cleanup

1. Follow the steps here to delete your Conformance pack.

Conclusion

In this post, we discussed the new enhancement to AWS Config Conformance pack called AWS Config compliance score for Conformance packs, as well as the use cases that it can support.

AWS Config compliance scores are available today at no additional charge. Compliance scores are part of conformance packs and are available in all AWS Regions where AWS Config conformance packs are available.

About the authors:

Snehal Nahar

Snehal Nahar is a Sr.Technical Account Manager (Security Specialist) with AWS in Charlotte, North Carolina. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.

Jegan Sundarapandian

Jegan Sundarapandian is a Sr. Technical Account Manager with AWS. He works with AWS Customers to implement AWS best practices and keep them operationally healthy.