AWS Cloud Operations & Migrations Blog
Best practices for AWS Config conformance packs
AWS Config conformance packs help you manage configuration compliance of your AWS resources at scale. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account or across an organization in AWS Organizations. This is particularly useful if you need to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way.
In this blog post, we share best practices to follow when you deploy AWS Config conformance packs across your enterprise.
Use custom rules in conformance packs
AWS Config provides predefined, customizable rules to evaluate whether your AWS resources comply with common best practices. You can also create your own custom rules backed by AWS Lambda functions, which contain the logic that evaluates whether your AWS resources comply with the rule. Because the logic is defined in the AWS Lambda function, you can implement any security control you like as long as you can put the logic into code. After you create your rule’s logic in an AWS Lambda function, you can create the custom rule in your conformance pack and deploy it across your organization. For an example, see the Manage custom AWS Config rules with remediations using conformance packs blog post.
Deploy custom rules in a central account
To deploy custom rules across the member accounts of your organization in AWS Organizations, it is a best practice to centralize the AWS Lambda functions in one administrator account, the account from which you deploy the conformance packs. After the Lambda functions are created in the administrator account, create cross-account IAM roles in the member accounts so that the custom rules can be evaluated successfully. The Lambda functions must be configured to assume those roles. For information about setting up the cross-account IAM roles and deploying the custom rule across member accounts, see the Manage custom AWS Config rules with remediations using conformance packs blog post.
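As an added example (not code from this post or from the linked blog post), here is a Python Lambda handler for a custom rule deployed from the central account: the rule logic and the PutEvaluations payload are plain functions, and the handler assumes a cross-account role in the member account that owns the resource before reporting the result. The role name ConfigCustomRuleEvaluationRole, the S3 tag check and the requiredTagKey rule parameter are assumptions made for the example.

```python
import json

# Name of the cross-account role created in every member account (assumption;
# the post does not name it). The central Lambda assumes it to report results.
MEMBER_ROLE_NAME = "ConfigCustomRuleEvaluationRole"

def evaluate_compliance(item, params):
    """Rule logic: an S3 bucket is COMPLIANT when it carries the required tag key."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource was deleted"
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule evaluates only S3 buckets"
    required = params.get("requiredTagKey", "Owner")
    if required in (item.get("tags") or {}):
        return "COMPLIANT", f"Bucket has tag '{required}'"
    return "NON_COMPLIANT", f"Bucket is missing tag '{required}'"

def build_evaluation(event):
    """Turn the AWS Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def member_role_arn(account_id, role_name=MEMBER_ROLE_NAME):
    """ARN of the role to assume in the member account that owns the evaluated resource."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def lambda_handler(event, context):
    import boto3  # imported here so the logic above can be unit-tested without AWS access
    evaluation = build_evaluation(event)
    # event["accountId"] is the member account; PutEvaluations must run with its credentials.
    creds = boto3.client("sts").assume_role(
        RoleArn=member_role_arn(event["accountId"]),
        RoleSessionName="conformance-pack-custom-rule",
    )["Credentials"]
    config = boto3.client("config", aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```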
Use remediation actions
AWS Config uses AWS Systems Manager Automation documents to apply remediation to noncompliant resources that are evaluated by AWS Config rules. These documents define the actions to be performed on noncompliant AWS resources. AWS Config provides a set of managed Automation documents with remediation actions. You can also create custom Automation documents for custom remediation and associate them with AWS Config rules. When you create your conformance pack, it is a best practice to set a remediation action for your rules. You can set up automatic remediation that takes place as soon as a resource becomes noncompliant, or a manual remediation that is performed by your security team. For information about setting up custom remediation and deploying it across accounts in your organization, see the Manage custom AWS Config rules with remediations using conformance packs blog post.
Enable tracking of IAM resources in one region only
Because AWS Identity and Access Management (IAM) is a global service, IAM users and roles are global entities. They are not tied to one AWS Region. Deploying controls (rules) to evaluate IAM in one AWS Region is sufficient to get the compliance state of IAM resources. For this reason, there is no need to deploy IAM controls in all AWS Regions. Doing so results in unnecessary costs and performance issues.
Customize conformance packs for your compliance needs
AWS created sample conformance pack templates that can help you verify your cloud infrastructure’s compliance with frameworks for configuration best practices such as the CIS Benchmarks, NIST 800-53 rev 4, HIPAA, and others. A sample conformance pack template is a YAML template that contains a list of AWS Config managed or custom rules and remediation actions. Each sample conformance pack template provides a basis to help you create security, operational, or cost-optimization governance checks to meet your specific compliance requirements.
There are two types of sample conformance packs. Operations best practices sample conformance packs can in most cases be consumed as is. Compliance frameworks sample conformance packs can be customized by adding or removing rules, input parameters, and remediation actions. To customize the templates, you can view and download each sample conformance pack template in this GitHub repository and add or remove AWS Config rules and remediations to meet your unique governance requirements. For more information about how to customize and deploy a sample conformance pack, see the Automate FedRAMP controls in your AWS environment using AWS Config conformance packs blog post.
Use AWS Organizations features, including delegated admin
AWS Config supports a delegated admin for deploying conformance packs across your organization in AWS Organizations. This allows you to register a delegated admin account, which can be your non-management account, that will be used to deploy and manage AWS Config resources across all accounts in your organization. You can use this feature to delegate your security account as the administrator for AWS Config conformance packs, to allow your security team to deploy rules across all member accounts. For more information, see the Deploy AWS Config Rules and conformance packs using a delegated admin blog post.
Use a CI/CD pipeline to automate the deployment and management of your conformance packs
To create a conformance pack, you author a YAML template that contains the list of AWS Config rules. The template format is similar to the AWS CloudFormation template format; it is essentially infrastructure as code. A best practice for managing infrastructure as code is to have an automated pipeline that includes continuous integration and continuous deployment (CI/CD). A CI/CD pipeline allows you to store your template in a source control platform, peer review code updates, and then validate, test, and deploy them automatically. For information about implementing a CI/CD pipeline with conformance pack templates, see the Using AWS CodePipeline to deploy AWS Config conformance packs created with the Rule Development Kit, Automated CloudFormation testing pipeline with TaskCat and CodePipeline, and DevSecOps for auto healing PCI DSS 3.2.1 violations in AWS using custom AWS Config conformance packs, AWS Systems Manager and AWS CodePipeline blog posts.
Use an aggregator to collect the compliance data produced by conformance packs
After you deploy a conformance pack across your AWS Organizations accounts, the accounts generate compliance data based on the AWS Config rules that were deployed in the conformance pack. It is a best practice to collect all the compliance data generated across the accounts into a centralized account. AWS Config supports multi-account, multi-region data aggregation using an aggregator. Multi-account, multi-region data aggregation is useful for central IT administrators because it offers them a view of resource compliance across the enterprise.
AWS Config recently announced support for a delegated administrator account for the AWS Config aggregator. You can now delegate an administrator account (for example, your security account) that will aggregate data from all the member accounts in an organization in AWS Organizations. For more information, see Setting Up an Aggregator Using the Console in the AWS Config Developer Guide.
Use Security Hub and conformance packs
Many customers use AWS Security Hub to oversee their compliance posture. AWS Config conformance packs can be used with Security Hub to provide more flexibility and customizability.
Security Hub provides controls for standards like PCI DSS and CIS, but if you require a security standard that is not currently included, you can customize the sample templates for conformance packs as appropriate for your compliance framework. When you use conformance packs, you can implement remediation actions using AWS Config and AWS Systems Manager.
Avoid duplication of rules
One sample conformance pack might contain the same rules as another sample conformance pack. For example, if you deploy the Operational Best Practices for AWS Well-Architected Framework Security Pillar, it will deploy an AWS Config rule named cloud-trail-cloud-watch-logs-enabled to detect if AWS CloudTrail is enabled. That same rule exists in many of the other sample conformance packs because it is a security baseline included in most frameworks. This is why it is important to customize your conformance packs and remove any duplicate rules. This duplication can also happen if you are using a security standard from Security Hub. For example, the PCI DSS standard enables a rule to check that CloudTrail is enabled [PCI.CloudTrail.2]. That control is present in many of the sample conformance pack templates. If Security Hub is already evaluating that control, you should remove it from the conformance pack.
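An added example, not from this post: a small Python check that takes several conformance pack templates (assumed already parsed from YAML into dicts, for instance with yaml.safe_load) and reports managed rules that more than one pack deploys, or that a Security Hub standard already covers. The two packs are constructed, abbreviated stand-ins for the sample templates, and SECURITY_HUB_COVERED is a placeholder set you fill from the Security Hub documentation for the standards you have enabled.

```python
def managed_rule(name, identifier, params=None):
    """Build an AWS::Config::ConfigRule resource as a loaded template holds it."""
    props = {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
    if params:
        props["InputParameters"] = params
    return {"Type": "AWS::Config::ConfigRule", "Properties": props}

# Constructed, abbreviated stand-ins for two sample packs; real templates hold many more rules.
PACKS = {
    "Security-Pillar": {"Resources": {
        "CloudTrailCloudWatchLogsEnabled": managed_rule(
            "cloud-trail-cloud-watch-logs-enabled", "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"),
        "RootAccountMfaEnabled": managed_rule(
            "root-account-mfa-enabled", "ROOT_ACCOUNT_MFA_ENABLED"),
    }},
    "PCI-DSS": {"Resources": {
        "CloudTrailCloudWatchLogsEnabled": managed_rule(
            "cloudtrail-cloudwatch-logs-enabled", "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"),
        "IamPasswordPolicy": managed_rule(
            "iam-password-policy", "IAM_PASSWORD_POLICY", {"MinimumPasswordLength": "14"}),
    }},
}

# Placeholder: identifiers a Security Hub standard already evaluates; fill from the Security Hub docs.
SECURITY_HUB_COVERED = {"CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"}

def rule_key(resource):
    """Identity for duplicate detection: owner, identifier and parameters, not the rule name."""
    props = resource["Properties"]
    params = tuple(sorted((props.get("InputParameters") or {}).items()))
    return (props["Source"]["Owner"], props["Source"]["SourceIdentifier"], params)

def index_rules(packs):
    """Map each rule identity to the (pack, ConfigRuleName) pairs that deploy it."""
    index = {}
    for pack_name, template in packs.items():
        for resource in template["Resources"].values():
            if resource.get("Type") != "AWS::Config::ConfigRule":
                continue  # skip AWS::Config::RemediationConfiguration and other resources
            index.setdefault(rule_key(resource), []).append(
                (pack_name, resource["Properties"]["ConfigRuleName"]))
    return index

def find_duplicates(packs):
    """Rules deployed by more than one pack, keyed by SourceIdentifier."""
    return {key[1]: where for key, where in index_rules(packs).items() if len(where) > 1}

def covered_elsewhere(packs, already_evaluated=SECURITY_HUB_COVERED):
    """Rules a pack deploys although another tool (here Security Hub) already evaluates them."""
    return {key[1]: where for key, where in index_rules(packs).items() if key[1] in already_evaluated}
```

Rules are matched on owner, identifier and input parameters rather than on ConfigRuleName, because the sample templates name the same managed rule differently.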
Include process check rules in your conformance pack template
AWS Config recently announced support for process check rules, a type of AWS Config rule that allows you to track your external and internal tasks that require verification as part of the conformance packs. Unlike other rules and remediation actions in AWS Config, which can be used to automatically evaluate the compliance of specific AWS resources, the compliance status of a process check rule is manually administered. You use the AWS Config console or the PutExternalEvaluation action to set the rule. You can further expand the conformance pack by adding new process checks that track processes and actions that require manual verification and tracking. For example, you can add a process check to track the PCI-DSS compliance requirement to store media backup at an offsite location. You manually evaluate the compliance of this according to PCI-DSS guidelines or according to your organization’s guidance. The conformance pack becomes the template that provides details about AWS configurations and manual processes for a compliance regime. You can find examples of process check rules in the CIS benchmarks Level 1 and Level 2 sample templates.
Conclusion
Now that you are familiar with the best practices, see Conformance Packs in the AWS Config Developer Guide to get started.
About the authors
Shaked Rotlevi is a Technical Program Manager on the AWS Config team. Shaked has worked with AWS Config in her previous role as a Solutions Architect and helped her customers adopt conformance packs as a tool for implementing governance and security controls across their enterprise. Shaked is based in San Diego, CA and in her spare time, she likes to travel and surf.
Andres Silva is a Principal Specialist Solutions Architect with the Cloud Management Services team at AWS. He focuses on helping AWS Customers with Configuration Compliance and Audit use cases. He works closely with customers to help them leverage services like AWS Config, AWS CloudTrail and AWS Systems Manager to simplify compliance at scale. When he is not building cloud automation, he enjoys skateboarding with his 2 kids and mountain biking in beautiful North Carolina.