AWS Cloud Operations Blog

Assess, Audit, and Evaluate AWS Resources Against AWS Sustainability Best Practices

At AWS, we are committed to running our business in the most environmentally friendly way possible. We also work to enable our customers to use the benefits of the cloud to better monitor and optimize their IT infrastructure. As reported in The Carbon Reduction Opportunity of Moving to Amazon Web Services, our infrastructure is 3.6 times more energy efficient than the median US enterprise data center, and moving to AWS can lower your workload’s carbon footprint by 88% for the same task.

Sustainability is a shared responsibility between AWS and our customers. AWS is responsible for the sustainability of the cloud: delivering efficient, shared infrastructure, water stewardship, and sourcing renewable power. Customers are responsible for sustainability in the cloud: optimizing workloads and resource utilization, and minimizing the total resources that must be deployed for their workloads.

To help customers achieve their sustainability goals, AWS offers a variety of tools, including the AWS Customer Carbon Footprint Tool to track and measure the carbon emissions generated from your AWS usage. AWS created the Well-Architected Framework Sustainability Pillar, which provides design principles, operational guidance, and best practices that can be used to achieve sustainability targets for your workloads. AWS also continues to launch services that enable sustainability improvements in architectures, such as AWS Graviton instances, which are designed to deliver the best performance per watt of energy use in Amazon EC2. Amazon EC2 Spot Instances allow you to benefit from significant cost savings while helping AWS improve data center utilization.

In this blog, we will discuss how customers can use AWS Config to assess, audit, and evaluate AWS resources at scale against the Sustainability Pillar best practices from the AWS Well-Architected Framework.

AWS Config

AWS Config provides managed rules and the ability to create custom rules, both allowing customers to evaluate the configurations of cloud resources, before and after provisioning. Further, Config conformance packs allow customers to package a collection of Config rules along with their remediation actions into a single unit. Conformance packs are also integrated with AWS Organizations. This allows customers to deploy conformance packs across an entire organization, providing a scalable and efficient way to ensure resource compliance across AWS accounts and workloads.

Assessing Sustainability Best Practices

The Sustainability Pillar of the AWS Well-Architected Framework provides guidance on best practices for sustainability in the cloud. These best practices help customers optimize their workloads, both by increasing the utilization of resources and by reducing the total number of resources required. By using the Sustainability Pillar, customers can identify targets for improvement and then implement the recommended best practices to achieve their sustainability goals.

For this example, we selected a few of the Sustainability Pillar best practices and will demonstrate how AWS Config rules allow customers to ensure these best practices are implemented across the organization. We intentionally chose best practices that are common to many architectures: data lifecycle management, code optimization, and network performance. These approaches can both reduce your resource consumption and provide opportunities for cost savings. The example best practices are:

  1. SUS04-BP03: Use policies to manage the lifecycle of your datasets
  2. SUS03-BP03: Optimize areas of code that consume the most time or resources
  3. SUS04-BP07: Minimize data movement across networks

AWS Config Rules for Sustainability

SUS04-BP03: Use policies to manage the lifecycle of your datasets

This best practice recommends automatic deletion of unused data to minimize overall storage usage. Across organizations, data retention needs may vary to meet business requirements, and taking a manual approach to removing data can quickly become impractical. AWS services, such as Amazon S3, allow for Lifecycle configurations to automate the transition of S3 objects to lower-cost storage and ultimately object deletion.

Within AWS Config, a rule can be used to ensure lifecycle configurations are applied across Amazon S3 buckets.

# Rule-intent: Rule checks that a lifecycle configuration exists for an Amazon S3 bucket
#
# Expectations:
# a) COMPLIANT when the S3 bucket has a lifecycle configuration
# b) NONCOMPLIANT when the S3 bucket has no lifecycle configuration
# c) NOTAPPLICABLE when there is no S3 bucket

# Lifecycle settings are reported under supplementaryConfiguration, not configuration,
# in the bucket's configuration item.
rule s3_bucket_lifecycle_configured {
  supplementaryConfiguration.BucketLifecycleConfiguration exists
  <<Amazon S3 bucket lifecycle is not configured.>>
}

SUS03-BP03: Optimize areas of code that consume the most time or resources

Use of efficient code minimizes resource usage and improves performance. Environments should be monitored to identify opportunities for improvement and to remove bugs and anti-patterns. For Amazon RDS, Performance Insights can be used to identify what is causing load on a database, so you can determine the impact of SQL queries and tune them for better performance. Performance Insights is offered with both free and paid tier options.

The AWS Config rule below checks that Performance Insights is enabled for RDS databases, so you can monitor your databases for continuous improvement.

# Rule-intent: Rule checks that Performance Insights is enabled
#
# Expectations:
# a) COMPLIANT when Performance Insights is enabled for an RDS DBCluster or RDS DBInstance
# b) NONCOMPLIANT when Performance Insights is not enabled for an RDS DBCluster or RDS DBInstance

# Check whether Performance Insights is enabled on the evaluated RDS resource.
rule rds_performance_insights_enabled {
  configuration.performanceInsightsEnabled == true
  <<Database does not have Performance Insights enabled.>>
}

SUS04-BP07: Minimize data movement across networks

By optimizing data movement across your network, you can reduce the total networking resources required for your workloads and lower their environmental impact. One way to implement this best practice is to enable compression for APIs, which reduces the data sent with each response and therefore the data moved across your network. (Note that while compression minimizes data movement, the trade-off is that more compute may be required to compress and decompress the data. Test the best practice recommendations in your own environment to compare network usage against compute overhead and identify which approach is most sustainably beneficial.)

This example rule checks that compression is enabled for Amazon API Gateway Rest APIs.

# Rule-intent: Rule checks that compression is enabled for a REST API
#
# Expectations:
# a) COMPLIANT when compression is enabled (minimumCompressionSize is set)
# b) NONCOMPLIANT when compression is not enabled

rule rest_api_compression_exists {
    configuration.minimumCompressionSize exists
    <<REST API does not have compression enabled.>>
}

Implementing Sustainability Rules at Scale

Customers can use conformance packs to deploy AWS Config rules, such as the examples above, across their organization to work towards their sustainability goals. To help accelerate the use of Config rules, we have created an example conformance pack. This pack includes the following nine Config rules, which support a number of Sustainability Pillar best practices, and it can be deployed through the AWS Config console or the AWS Command Line Interface.

| Service | Description of Config Rule | Sustainability Pillar Best Practice |
|---|---|---|
| API Gateway | Rule checks that compression is enabled for a REST API | SUS04-BP07 |
| CloudFront | Rule checks that compression is enabled (note: this rule must be deployed in us-east-1) | SUS04-BP07 |
| EBS | Rule checks that EBS delete-on-instance-termination is enabled | SUS02-BP03 |
| EC2 | Rule checks that EC2 security groups do not have port 22 open for SSH, so Session Manager is used instead | SUS05-BP03 |
| EFS | Rule checks that EFS Lifecycle Management is enabled | SUS04-BP03 |
| Lambda | Rule checks that Lambda functions are using AWS Graviton based processors | SUS05-BP01 |
| RDS | Rule checks that RDS instances are using AWS Graviton based processors | SUS05-BP02 |
| RDS | Rule checks that Performance Insights is enabled | SUS03-BP03 |
| S3 | Rule checks that a lifecycle configuration exists for Amazon S3 buckets | SUS04-BP03 |

* The Config rules above are included in a conformance pack that can be found here, along with instructions for implementing it.

Customers can expand on this set of example rules to evaluate their workloads against additional sustainability best practices aligned with their improvement goals. Customers can adapt these rules and create custom Config rules for the resources within their environment. The conformance pack can then be used to apply the new rules across the organization.
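As an added illustration of how the Guard rules above are packaged for deployment (this is a constructed template, not the blog's own conformance pack), the conformance pack template below wraps two of the page's rules as Config custom policy rules. The rule names, the Scope resource types, and the compression message are assumptions chosen here; each rule's Guard policy is embedded in PolicyText.

```yaml
# Constructed conformance pack template: AWS::Config::ConfigRule resources
# with Owner CUSTOM_POLICY evaluate an embedded Guard policy on each change.
Resources:
  S3BucketLifecycleConfigured:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-lifecycle-configured
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket          # rule only runs for S3 buckets
      Source:
        Owner: CUSTOM_POLICY
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
        CustomPolicyDetails:
          PolicyRuntime: guard-2.x.x
          EnableDebugLogOutput: false
          PolicyText: |-
            rule s3_bucket_lifecycle_configured {
              supplementaryConfiguration.BucketLifecycleConfiguration exists
              <<Amazon S3 bucket lifecycle is not configured.>>
            }
  RestApiCompressionEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rest-api-compression-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::RestApi # rule only runs for REST APIs
      Source:
        Owner: CUSTOM_POLICY
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
        CustomPolicyDetails:
          PolicyRuntime: guard-2.x.x
          EnableDebugLogOutput: false
          PolicyText: |-
            rule rest_api_compression_exists {
              configuration.minimumCompressionSize exists
              <<REST API does not have compression enabled.>>
            }
```

Saved as a file, the template is deployed to a single account with `aws configservice put-conformance-pack --conformance-pack-name sustainability-example --template-body file://template.yaml`; the organization-wide equivalent is `put-organization-conformance-pack` from the management or delegated administrator account.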

Conclusion

This blog demonstrates how to implement AWS Config rules aligned with the AWS Well-Architected Sustainability Pillar and includes a sample conformance pack to get you started. You can extend or adapt these rules in accordance with your company-specific sustainability policies and add more rules to help you achieve your sustainability goals. By implementing these rules via a conformance pack, you can evaluate resources efficiently and at scale.