AWS Cloud Operations & Migrations Blog
AWS Config Rule Development Kit library: Build and operate rules at scale
AWS would like to introduce you to the RDKLib, an open source Python library you can use to build, develop, and deploy custom AWS Config rules at scale.
RDKLib works with the AWS Config Rule Development Kit. It is designed to work at the AWS Lambda layer, so you can use the library without needing to include it in your deployment package.
In this blog post, I show you how to use the RDK to build a custom AWS Config rule and then deploy it with the RDKLib.
Prerequisites
Before you follow along with the solution in this post:
- Follow the steps in Installing the AWS CLI.
- Follow the steps in Setting Up AWS Config with the Console. For information about the AWS Regions where AWS Config is supported, select your Region from the AWS Regional Services list.
- Install the RDK, using the recommended method with pip (
pip install rdk). - Install the RDKLib, using pip (
pip install rdklib). - To understand how to develop a custom AWS Config rule using RDK, see the RDK Workshop on GitHub.
Create a rule using the RDK
Use rdk create <rulename> –runtime <runtime> to create a local rule folder that contains your initial rule code, along with some helper code. To use RDKLib, the runtime of your RDK rule must be set to python3.6-lib.
- For a periodic trigger:
rdk create YOUR_RULE_NAME --runtime python3.6-lib --maximum-frequency TwentyFour_Hours- For a configuration change trigger (for example, an EC2 instance)
rdk create YOUR_RULE_NAME --runtime python3.6-lib --resource-types AWS::EC2::InstanceNote: When you build AWS RDK rules, the evaluation can report back on valid AWS resource types only (for example, AWS::EC2::Instance).
For examples and information about options available for each of the arguments, see the RDK GitHub repo.
Now, I show you how to create a rule to check whether AWS Security Hub is enabled for an AWS account. This is a periodic rule with a frequency of 24 hours. I have already created the code snippets you will need, you can download the files from this Github repository.
Download the Rule and Edit According to your environment
As shown below, the contents of the rule folder include parameters.json and SECURITYHUB_ENABLED.py
By default, the Lambda functions attempt to assume the AWSServiceRoleForConfig role, which is not allowed. If you are using the default service role with AWS Config, you must create a role with the AWS_ConfigRole managed policy. The role must have a trust relationship with AWS Config and all roles under the /rdk/ path to assume the role. (IAM roles for Lambda functions deployed through the RDK are created under this path.)
Here is the trust policy:
Now update the parameters.json file to add the input parameter for the execution role name and its value.
{
"Version": "1.0",
"Parameters": {
"RuleName": "SECURITYHUB_ENABLED",
"SourceRuntime": "python3.6-lib",
"CodeKey": "SECURITYHUB_ENABLED.zip",
"InputParameters": "{\"ExecutionRoleName\": \"YOUR_ROLE_NAME\"}",
"OptionalParameters": "{}",
"SourcePeriodic": "TwentyFour_Hours"
},
"Tags": "[]"
}
Install the RDKLib layer
You can use the console or the AWS CLI to install the RDKLib layer.
Install the RDKLib layer using the AWS Management Console.
- Open the AWS Lambda console.
- Select Create function.
3. On the Create function page, select Browse serverless app repository, and in the search field, enter rdklib.
- Review the function details and then deploy it.
- On the Layers page, copy the ARN of the Lambda layer. As shown in figure 6, you can see the Layer Name, Version, Version ARN and Runtimes on this page.
Install the RDKLib layer using the AWS CLI.
- Run the following command to create the changeset.
aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib --stack-name RDKlib-LayerIt returns the following output:
2. Execute the changeset.
Copy/paste the full change-set ARN to customize the following command (ChangeSetId from the output generated in the previous step)
aws cloudformation execute-change-set --change-set-name NAME_OF_THE_CHANGE_SET- Run the following command to return all the associated resources that are part of the stack deployed in the previous step.
aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-LayerIt returns the following output:
- Copy the ARN of the Lambda layer from the output generated in the previous step.
“PhysicalResourceId” key (that is, arn:aws:lambda:YOUR_REGION:YOUR_ACCOUNT:layer:rdklib-layer:1).
Deploy your rule with the RDKLib layer
Navigate to the directory where your rule folder is stored. It should look like this:
ls
SECURITYHUB_ENABLED
ls -ahR SECURITYHUB_ENABLED/
. .. SECURITYHUB_ENABLED.py parameters.json
Here is the command to deploy the rule with the RDKLib layer:
rdk deploy YOUR_RULE_NAME --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARNNow run the command to deploy the SECURITYHUB_ENABLED rule. It returns the following output:
The rule is now deployed. You can use the AWS Config Console to verify that the rule is working as expected.
Conclusion
The RDKLib helps you to build and operate custom AWS Config rules at scale. It can be used to:
- Reduce the maintenance effort by moving boilerplate code to an AWS Lambda layer.
- Reduces the level of effort for developing and deploying Config rules by integrating with AWS Config Rule Development Kit (RDK) and using the AWS Serverless Application Repository.
- Keep the RDK common functions in the same version, preventing the existence of multiple versions due to manual changes made by developers.