AWS Cloud Operations Blog

Create AWS Config rules efficiently with Generative AI

AWS Config enables businesses to assess, audit, and evaluate the configurations of their AWS resources by leveraging AWS Config rules that represent your ideal configuration settings. For example, a security group that allows ingress on port 22 should be marked as noncompliant. AWS Config provides predefined rules called managed rules to help you quickly get started in evaluating your resources, and AWS Config can be further leveraged to automate compliance at scale by using custom rules.

You can create Config custom rules that use AWS Lambda functions written in Node.js or in Python. However, writing AWS Config custom rules can be a challenge for those who are new to writing code, and this is where Amazon CodeWhisperer can help. Trained on billions of lines of code, Amazon CodeWhisperer is a general purpose, machine learning-powered code generator that provides you with code recommendations in real time. As you write code, CodeWhisperer automatically generates suggestions based on your existing code and comments. Whether you have experience writing AWS Config custom rules or you are just getting started, CodeWhisperer can help you generate the code needed to start evaluating your resources with AWS Config custom rules.

The AWS Config Rules Development Kit (RDK) helps developers set up, author and test AWS Config custom rules. The RDK is designed to support a Compliance-as-Code workflow that is intuitive and productive. It abstracts the undifferentiated heavy lifting associated with deploying AWS Config rules backed by custom lambda functions, and provides a streamlined develop-deploy-monitor iterative process. By using the RDK and CodeWhisperer together, an experienced or novice developer can efficiently create AWS Config custom rules and easily deploy them into their AWS environment.

In this blog post, you will learn how you can get started with Amazon CodeWhisperer in your Integrated Development Environment (IDE) and use it with the RDK to create an AWS Config custom rule. The solution deploys an AWS Config custom rule that evaluates Amazon Elastic Block Store (Amazon EBS) volumes that are not gp3 volumes. Amazon EBS volumes of type gp3 can provide savings of up to 20% over gp2 volumes. We will be using CodeWhisperer to create an AWS Config custom rule which will identify EBS volumes as noncompliant that are not taking advantage of this cost savings opportunity.

Overview of solution

The solution starts with an AWS Cloud9 instance as the IDE where you will author the code and install the RDK. The RDK will create the file and folder structure needed in order to start authoring an AWS Config custom rule to evaluate EBS volumes. Amazon CodeWhisperer will help you generate the code needed to create the AWS Config custom rule and use the code suggestions for the custom rule function logic. Once the rule function is complete, you will then use the RDK to deploy the rule into your AWS environment, which the RDK automates by leveraging AWS CloudFormation in the background. CloudFormation will then provision your AWS Config custom rule to allow you to evaluate the Amazon EBS volumes. If one of your EBS volumes is found to be noncompliant, you can then run an automation to update the volume type to gp3 by using AWS Systems Manager Automation. The diagram below highlights the data flow for this solution.


Figure 1 – Solution overview of custom AWS Config rule written using Amazon CodeWhisperer

Walkthrough

At a high level, you will complete the following steps throughout this blog post:

  • Install the AWS Rules Development Kit (RDK)
  • Create an AWS Config custom rule with the RDK
  • Generate function logic for AWS Config custom rule
  • Deploy AWS Config custom rule using the RDK
  • Clean up environment
  • (Optional) Remediate noncompliant resource(s)

Prerequisites

For this walkthrough, you should have the following prerequisites:

Install the RDK

Let's get started by installing the RDK in your existing Cloud9 environment.

  1. Navigate to your Cloud9 environment.
  2. In the terminal, run the command:

python3 -m venv env

  3. Activate the environment by running:

source env/bin/activate

  4. Install the RDK by running:

pip install rdk

  5. Verify that the RDK is properly installed by running:

rdk -h

  6. If properly installed, you will see information about RDK usage, positional arguments, and optional arguments. You will also see:
    “The RDK is a command-line utility for authoring, deploying, and testing custom AWS Config rules.”
  7. Run the following command to set up your AWS Config environment:

rdk init

Create AWS Config custom rule

  1. When you create the rule, specify that the runtime is python3.9, the resource type is an EBS volume, and the proper input parameters. In this example, the desired type is gp3 volumes.
  2. Enter the following command:
    rdk create ebs-volume_desired_type --runtime python3.9 --resource-types AWS::EC2::Volume --input-parameters '{"desiredvolumeType":"gp3"}'
  3. Your local Rule files are now created. Navigate to the parameters.json file. Make sure you have the proper parameters set up.
  4. Ensure that the key:value pair on line 10 is “SourceEvents”: “AWS::EC2::Volume”

By default, your parameters.json file may have “SourceEvents”: “AWS::EC2::Instance”. See figure 2:


Figure 2 – Parameters file created for you by the RDK

  5. Next, add the custom logic to mark any EBS volume as noncompliant if it is not the gp3 type.
  6. To do this, open the file named ebs-volume_desired_type.py.
  7. Navigate to line 50, where it says # Add your custom logic here. This is where you will add the function code that you generate with CodeWhisperer.

Generate function logic for AWS Config custom rule

  1. Make sure that the auto-suggestions are resumed
  2. Prompt CodeWhisperer with :
#check if AWS Config configuration item is for a desired volume type matching valid_rule_parameters for desiredvolumeType and return compliant else return non-compliant

The user actions to get code recommendations in Cloud9 on Windows and macOS are listed below. As you start typing, CodeWhisperer will start suggesting. To accept a suggestion, hit the TAB key.

To manually fetch a code suggestion:
MacOS: Option + C
Windows: Alt + C


Figure 3 – Generate the function code by prompting CodeWhisperer.

  3. Review the code suggestion provided. It evaluates whether the configuration item property volumeType equals the rule parameter desired_volume_type. Note that the rule parameter name needs to be updated to match the desiredvolumeType rule parameter you defined when creating the rule. The code should look like this:
if configuration_item["configuration"]["volumeType"] == valid_rule_parameters["desiredvolumeType"]:
    return "COMPLIANT"
else:
    return "NON_COMPLIANT"

Note: CodeWhisperer may provide a different code suggestion for you. If CodeWhisperer suggests a different code snippet, manually start to enter the code above until CodeWhisperer completes the code block, and use the TAB key to accept the suggestion.

You have now specified that the rule should be executed on EBS volumes. A resource is marked as compliant if its volume type matches the type passed in the rule parameters.
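The snippet above is the core comparison; the following is an added, stand-alone example (not the blog's or the RDK's own code) of what the complete evaluate_compliance logic for this rule can look like once it also validates the desiredvolumeType parameter and treats deleted volumes and non-volume items as NOT_APPLICABLE instead of reporting a spurious finding. The RDK skeleton's evaluate_compliance(event, configuration_item, valid_rule_parameters) signature is assumed, and the sample configuration items are constructed.

```python
# Added example, not the blog's or the RDK's own code: a stand-alone version of
# the evaluate_compliance logic for the ebs-volume_desired_type rule, with the
# parameter validation and edge cases a deployed rule should handle.
# The RDK skeleton's evaluate_compliance(event, configuration_item,
# valid_rule_parameters) signature is assumed; the sample items are constructed.

# EBS volume types accepted for desiredvolumeType (assumed list, used only for validation).
VALID_VOLUME_TYPES = {"gp2", "gp3", "io1", "io2", "st1", "sc1", "standard"}

# Configuration item statuses that mean the volume no longer exists.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_parameters(rule_parameters):
    """Reject a missing or unknown desiredvolumeType before evaluating anything."""
    desired = rule_parameters.get("desiredvolumeType")
    if not desired:
        raise ValueError("desiredvolumeType rule parameter is required")
    if desired not in VALID_VOLUME_TYPES:
        raise ValueError("desiredvolumeType %r is not a valid EBS volume type" % desired)
    return {"desiredvolumeType": desired}


def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item.
    A deleted volume, or an item that is not an EBS volume, is NOT_APPLICABLE."""
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    volume_type = configuration_item.get("configuration", {}).get("volumeType")
    if volume_type == valid_rule_parameters["desiredvolumeType"]:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def evaluate_volumes(rule_parameters, configuration_items):
    """Validate the parameters once, then map each resourceId to its compliance type."""
    params = evaluate_parameters(rule_parameters)
    return {ci["resourceId"]: evaluate_compliance({}, ci, params) for ci in configuration_items}


# Constructed sample items shaped like AWS::EC2::Volume configuration items (values are made up).
SAMPLE_ITEMS = [
    {"resourceId": "vol-gp3", "resourceType": "AWS::EC2::Volume", "configurationItemStatus": "OK", "configuration": {"volumeType": "gp3"}},
    {"resourceId": "vol-gp2", "resourceType": "AWS::EC2::Volume", "configurationItemStatus": "OK", "configuration": {"volumeType": "gp2"}},
    {"resourceId": "vol-gone", "resourceType": "AWS::EC2::Volume", "configurationItemStatus": "ResourceDeleted", "configuration": {}},
]
```

Running evaluate_volumes({"desiredvolumeType": "gp3"}, SAMPLE_ITEMS) returns COMPLIANT for vol-gp3, NON_COMPLIANT for vol-gp2 and NOT_APPLICABLE for the deleted volume.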

  4. Let’s save the rule by selecting File and Save.
  5. Test your rule by running the command:

rdk test-local ebs-volume_desired_type

After testing the rule locally, you will see an "ok" message, and then you can proceed to deploying.

Figure 4 – Results from testing our RDK rule

Deploy custom AWS Config rule using the RDK

  1. After you see “OK”, deploy the rule by running the command:

rdk deploy ebs-volume_desired_type

In the background, when deploying an AWS Config custom rule with the RDK, you are provisioning an AWS CloudFormation stack that deploys a Lambda function with the custom rule.

  2. After you see “Config deploy complete”, navigate to the AWS Config console.
  3. When you select Rules, you now see the ebs-volume_desired_type rule as shown in figure 5.

Figure 5 – Custom AWS Config rule deployed via the RDK

  4. Select the AWS Config custom rule to view the details.

Figure 6 – Rule details for the custom AWS Config rule deployed via the RDK

  5. Scroll to the bottom of the console and view the resources in scope. Once the rule evaluates, you will see any EBS volumes that are not of type gp3 marked as Noncompliant.

Note: It may take a few minutes for the rule to successfully evaluate the first time. Refresh the page if you do not see any non-gp3 EBS volumes marked as Noncompliant.


Figure 7 – Resources in scope of our custom AWS Config rule

Next steps

If you would like to take the solution further, you can add a remediation action to the rule that automatically modifies your EBS volumes to the desired type using the AWS Systems Manager AWSConfigRemediation-ModifyEBSVolumeType automation document. See the following documentation to add a remediation action to the Config custom rule that you created:

Cleaning up

To avoid incurring future charges, delete the resources you will no longer use.

  1. Navigate to the CloudFormation console.
  2. Delete the stack created by the RDK; its name should be similar to the rule that you created. For example, the stack is named ebs-volumedesiredtype.

Conclusion

In this blog post, you created an AWS Config custom rule to evaluate the EBS volumes in your AWS account for your desired volume type. Since gp3 volumes can be extremely cost effective, you want to make sure that you leverage these volume types wherever possible. By leveraging CodeWhisperer, you were able to create an AWS Config custom rule with minimal knowledge of Python or the RDK. CodeWhisperer can generate code recommendations that help you efficiently develop code no matter your coding experience.

About the authors


Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of Boston Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force Veteran and when he is not building cloud solutions, he enjoys being a Father and electric vehicles.


Diwakar Balakrishnan

Diwakar Balakrishnan is a Solutions Architect and a member of the technical field community for Cloud Operations focusing on configuration, compliance and auditing. When he is away from his laptop, he enjoys cooking and driving muscle cars.


Sanket Lokhande

Sanket Lokhande is an Associate Solutions Architect focused on building applications for Productivity Applications. He is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. In his free time, you can find him reading biographies, hiking, working out at a fitness studio, and geeking out on his personal rig at home.