AWS Cloud Operations Blog

Automating organizational policies with custom AWS Config Rules and evidence collection in AWS Audit Manager

AWS Config is a service that allows you to evaluate your AWS resources against a desired configuration state using AWS Config Rules. Two types of rules exist: managed rules, which are meant to be used out of the box, and custom rules, for which you define your desired configuration state in code. AWS Audit Manager can help you continuously audit your AWS usage and simplify how you collect evidence of IT risk and compliance aligned with industry regulations and standards. With AWS Config and AWS Audit Manager together, you can automate control implementation and evidence collection and reduce the manual effort involved.

In this blog post we will show you how you can use AWS Config and AWS Audit Manager together to enhance your continuous compliance solution. We will walk through creating a custom Config rule that ensures your Amazon Simple Storage Service (Amazon S3) buckets have versioning turned on. Once our rule is in place, we will demonstrate how you can use the evaluations of this rule as a data source for collecting evidence in Audit Manager. This highlights the art of the possible and provides a guide for implementing these customizations in your own compliance solution.

As a best practice, organizations should automate much of the manual effort of implementing compliance controls and collecting evidence. In some cases, an organization may be maintaining a specific industry compliance framework such as the Health Insurance Portability and Accountability Act (HIPAA). In other cases, an organization may need to maintain a quality standard such as ISO 9001 or an information security management system such as ISO 27001. When maintaining an ISO or ISO/IEC (International Electrotechnical Commission) standard, policies can be highly specific to each organization. This specificity can make it difficult to automate the implementation of these policies with out-of-the-box solutions. Once policies are implemented, automating evidence collection can be tricky, as many organizations rely on screenshots and custom scripts. By integrating AWS services you can automate not only the policies themselves, but also the collection of evidence that proves you are enforcing them.

Important: We strongly recommend that you never put sensitive identifying information into free-form fields such as Control details, Testing information, or Action plan.  If you create custom controls that contain sensitive information, you can’t share any of your custom frameworks that contain these controls.

Overview of solution

AWS Config has added the ability to create custom Config rules using the Guard domain-specific language (DSL). Guard custom policy makes it easier to create custom rules, because the rule is defined as policy-as-code in the Guard DSL. This reduces the burden of writing complex code in Python or Java to create custom Config rules. We will use this method to create our custom AWS Config rule, which implements our custom policy of enforcing versioning on our S3 buckets. Once our policy is enforced automatically, we will use Audit Manager custom controls to automate the evidence collection process for it. We will use the capability in Audit Manager to map a custom Config rule to our custom control as a data source, which collects the evidence of our S3 bucket evaluations. As we create or modify an S3 bucket, our Config rule evaluates the bucket versioning property and sends the result of that evaluation to Audit Manager for evidence collection and auditing.

Figure 1 – Example architecture of an AWS Config rule that evaluates resources and sends results to AWS Audit Manager as evidence

Walkthrough

We will now cover the steps needed in order to implement an organizational policy into our environment and then automate evidence collection for that policy.

  • Create AWS Config Custom Policy rule from the Config console.
  • Create AWS Audit Manager custom control.
  • Map our custom Config rule to our custom Audit Manager control as a data source.

Prerequisites

The following prerequisites need to be completed to deploy this solution:

Step 1: Create a Custom Rule using Guard Custom Policy

  1. Navigate to the AWS Config console to add a rule.
  2. In the Select rule type screen, select Create custom rule using Guard Custom Policy and choose Next.
    Figure 2 – Specifying rule type of custom rule using Guard from the Config console

  3. Enter a value for the Name field; we will use s3-bucket-versioning as the name of our custom rule. Optionally, if you would like to be able to debug this rule in troubleshooting scenarios, check Enable debug logs to send logs to an Amazon CloudWatch Logs log group.
    Figure 3 – Provide details for the custom rule

  4. In the Rule Content section, enter the Guard custom policy below.

    # Marks the bucket NON_COMPLIANT unless the versioning status recorded in
    # the configuration item's supplementaryConfiguration is "Enabled".
    rule check_bucketversioning {
      supplementaryConfiguration.BucketVersioningConfiguration.status == "Enabled" <<
        result: NON_COMPLIANT
        message: S3 Bucket Versioning is NOT enabled.
      >>
    }

  5. In the Evaluation mode section, leave the default of detective evaluation mode. Detective evaluation mode evaluates the resource after it is provisioned. See the docs to learn more about evaluation modes.
  6. Select Resources as the scope of change.
  7. Select Resource type and then choose AWS S3 Bucket.
  8. Leave the rest of the parameters as default and choose Next.
    Figure 4 – Configure which resources will cause the Config rule to evaluate and how

  9. Under the Review and create section, choose Add rule.

Step 2: Map the custom rule to the custom control

Start by specifying the details of your custom control by following the steps below.

  1. Open the AWS Audit Manager console.
  2. In the navigation pane, choose Control library, and then choose Create custom control.
    Figure 5 – Create a custom control from the Control library menu

  3. Under Control details, enter the name S3 Versioning Turned On and, for the description, add a description of your control like the one in the image below.
    Figure 6 – Provide details for the custom control from the Control details screen

    • In the Control details section you will see Testing information – Optional, which you can leave blank. In a real-world scenario, enter the recommended testing information: the steps that you would follow to test this control.
    • Further down in the Control details section you will also see tags, which you can leave blank as well. If we wanted to optimize for automation, for example, we would choose Add new tag to associate a tag with the control. You can specify a key for each tag that best describes the compliance framework this control supports, or define your organization's common control descriptions. The tag key is mandatory and can be used as a search criterion when you search for this control in the control library.
  4. Choose Next.
  5. Under Data source name, enter the name Custom Guard Rule.
  6. Choose Automated for the Evidence collection method.
  7. Select AWS Config as the data source type. This tells Audit Manager that we will be collecting evidence from one of our deployed Config rules.
  8. Select the custom rule s3-bucket-versioning that we created earlier.
    Figure 7 – Mapping our custom rule to the custom control for evidence collection

    Expand the Additional details section to reveal further options. We will leave all defaults for the purposes of this blog post, but in a real-world scenario you can add the following for your organization:

    • Data source description, where you can provide a detailed description for this data source mapping.
    • Troubleshooting description, where you can add the suggested actions to take if no evidence is collected from the data source.
  9. When you're finished, choose Next.
  10. Next, specify the actions to take if this control needs to be remediated.
  11. In the Title box, enter a descriptive title for the action plan. We will use Enable Versioning.
  12. We will now define the action plan instructions. Add the following description: Ensure that the remediation action has run to automatically enable versioning on our S3 bucket. We can investigate this via the Config console by looking at the resource timeline history, or we can look at the automations that have run recently in the Systems Manager console.
  13. Choose Next.
    Figure 8 – Action plan to provide instructions when compliance issues are identified

  14. Review the information for the control. To change the information for a step, choose Edit.
  15. When you're finished, choose Create custom control.
  16. Select the Data sources tab and you should see that your custom control is using your s3-bucket-versioning custom rule as a data source. Our policy to ensure S3 buckets have versioning turned on, which helps avoid data loss, is now automatically evaluating resources and sending evidence to our custom control for auditing or reporting.

Figure 9 – Custom rule mapped to custom control as a data source
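For teams that would rather deploy the same rule and control from code than click through the console, the following added example (not from the post) builds the boto3 request bodies for Step 1 and Step 2 above. It assumes a Config recorder and Audit Manager are already enabled in the account; only the run-as-script section at the bottom needs boto3 and AWS credentials.

```python
RULE_NAME = "s3-bucket-versioning"        # rule name chosen in Step 1
CONTROL_NAME = "S3 Versioning Turned On"  # control name chosen in Step 2
GUARD_POLICY = """\
rule check_bucketversioning {
  supplementaryConfiguration.BucketVersioningConfiguration.status == "Enabled" <<
    result: NON_COMPLIANT
    message: S3 Bucket Versioning is NOT enabled.
  >>
}
"""  # same policy text the post pastes into the console's Rule Content field

def build_config_rule(rule_name=RULE_NAME, debug_logs=False):
    """ConfigRule argument for config.put_config_rule(); Owner CUSTOM_POLICY is
    the API form of the console's "Create custom rule using Guard Custom Policy"."""
    return {
        "ConfigRuleName": rule_name,
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {
            "Owner": "CUSTOM_POLICY",
            # Re-evaluate whenever an in-scope bucket's configuration changes.
            "SourceDetails": [{"EventSource": "aws.config",
                               "MessageType": "ConfigurationItemChangeNotification"}],
            "CustomPolicyDetails": {
                "PolicyRuntime": "guard-2.x.x",
                "PolicyText": GUARD_POLICY,
                "EnableDebugLogDelivery": debug_logs,  # console's "Enable debug logs" box
            },
        },
        "EvaluationModes": [{"Mode": "DETECTIVE"}],
    }

def build_custom_control(rule_name=RULE_NAME):
    """Keyword arguments for auditmanager.create_control(); a custom Config rule is
    referenced as Custom_<rule name>, which distinguishes it from a managed rule."""
    return {
        "name": CONTROL_NAME,
        "actionPlanTitle": "Enable Versioning",
        "controlMappingSources": [{
            "sourceName": "Custom Guard Rule",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_Config",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": f"Custom_{rule_name}"},
        }],
    }

if __name__ == "__main__":  # deploys for real; needs boto3 and AWS credentials
    import boto3
    boto3.client("config").put_config_rule(ConfigRule=build_config_rule())
    boto3.client("auditmanager").create_control(**build_custom_control())
```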

Clean-up

Conclusion

In conclusion, using a custom AWS Config rule as a data source for a custom AWS Audit Manager control allows you to implement organizational compliance policies. This approach empowers businesses to define their own compliance rules and automatically capture evidence, enhancing their ability to monitor, manage, and rectify any compliance issues that arise with their AWS resources.

Throughout this blog post, we have walked you through the step-by-step process to achieve this, from creating and configuring the AWS Config rule to mapping it to an Audit Manager control. The practicality of this approach enables businesses to take full advantage of the flexibility and customizability provided by AWS, addressing specific compliance needs.

Overall, the integration of custom AWS Config rules with AWS Audit Manager controls not only simplifies compliance management but also promotes an automated compliance culture within organizations. This, in turn, can significantly reduce the risk of non-compliance, leading to increased operational efficiency, improved security, and ultimately, a greater peace of mind.

About the authors

Craig Edwards author photo

Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of Boston Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force Veteran and when he is not building cloud solutions, he enjoys being a Father and electric vehicles.

David Colon author photo

David Colon

David Colon is a 9-year USCG Veteran and has been with AWS for 5 years. He began on the Networking Infrastructure Team in the Data Center and has now been a Solutions Architect for 2.5 years. He has 2 kids, ages 4 and 2. David is based out of HQ2; if you're around, feel free to stop in.

Sitry Jordan author photo

Sitry Jordan

Sitry Jordan is a Digital Native Business Solutions Architect with AWS, where he helps customers to successfully implement cloud technologies into their business infrastructure. Sitry is a United States Air Force Veteran and is based out of Florida.