AWS Cloud Operations & Migrations Blog

Evaluate custom configurations using AWS Config Custom Policy rules and the open source sample repository

Does your organization have custom configuration requirements for your resources? Do you find it challenging to compare actual resource configuration settings against your configuration requirements? Today, you can leverage a new public repository of sample AWS Config custom rules using AWS CloudFormation Guard to help you address these challenges.

AWS Config allows you to evaluate the actual configuration settings of your resources against your desired configuration. AWS Config continuously tracks the configuration changes that occur to your resources and, through the use of rules, checks whether these changes comply with the conditions specified in your rules. There are two types of rules: managed rules and custom rules. AWS Config managed rules are predefined based on common best practices; some managed rules can be customized through the list of parameters the rule accepts. AWS Config custom rules extend this to let you create rules from scratch based on criteria or settings that are specific to your individual use case. There are two ways to create custom rules: with Lambda functions (AWS Config Custom Lambda Rules) or with Guard, a policy-as-code language (AWS Config Custom Policy Rules).

In this blog post, I will concentrate on getting started with AWS Config Custom Policy Rules by using the rules that are available in the sample repository.

The repository contains community-sourced sample rules vetted by AWS Subject Matter Experts (SMEs) that cover a wide range of use cases. It is designed to educate customers on how to implement custom policy rules in AWS Config and to provide sample code to help them get started. Of course, you can edit and customize the rules to further suit your individual needs. The rule samples vary in use case, from checking whether an Amazon CloudWatch alarm has actions defined to checking whether an Amazon VPC endpoint is in use.

Below is a sample rule from the repository that checks whether specific Amazon VPC subnets still have enough free IP addresses; it returns a non-compliant result when fewer than roughly 5% of a subnet's addresses are available. There is one rule per prefix length (/16 through /28), each guarded by a when clause that matches the subnet's CIDR block, and the threshold in each rule is a fixed count equal to about 5% of that subnet size.

# Rule-intent : Rule checks if subnets are running out of IP addresses - flag when approx 5% are left
#
# Expectations:
# a) COMPLIANT when there are enough free IPs
# b) NONCOMPLIANT when the number of free IPs is < 5% of the subnet size
# c) NOTAPPLICABLE when the subnet mask does not match any rule

rule checker16 when configuration.cidrBlock == /\/16/ {
    configuration.availableIpAddressCount >= 3276
}
rule checker17 when configuration.cidrBlock == /\/17/ {
    configuration.availableIpAddressCount >= 1638
}
rule checker18 when configuration.cidrBlock == /\/18/ {
    configuration.availableIpAddressCount >= 818
}
rule checker19 when configuration.cidrBlock == /\/19/ {
    configuration.availableIpAddressCount >= 409
}
rule checker20 when configuration.cidrBlock == /\/20/ {
    configuration.availableIpAddressCount >= 204
}
rule checker21 when configuration.cidrBlock == /\/21/ {
    configuration.availableIpAddressCount >= 102
}
rule checker22 when configuration.cidrBlock == /\/22/ {
    configuration.availableIpAddressCount >= 51
}
rule checker23 when configuration.cidrBlock == /\/23/ {
    configuration.availableIpAddressCount >= 26
}
rule checker24 when configuration.cidrBlock == /\/24/ {
    configuration.availableIpAddressCount >= 13
}
rule checker25 when configuration.cidrBlock == /\/25/ {
    configuration.availableIpAddressCount >= 6
}
rule checker26 when configuration.cidrBlock == /\/26/ {
    configuration.availableIpAddressCount >= 3
}
rule checker27 when configuration.cidrBlock == /\/27/ {
    configuration.availableIpAddressCount >= 2
}
rule checker28 when configuration.cidrBlock == /\/28/ {
    configuration.availableIpAddressCount >= 1
}

To have the rule return a non-compliant result at a different percentage, change the value X in each configuration.availableIpAddressCount >= X clause so that X is the chosen percentage of the total address count for that prefix length; the comparison is against an absolute count of free addresses, not a percentage, so each prefix length needs its own value.
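As an added example that is not code from the post or from the sample-rules repository, the following Python script generalizes the rule above: it derives the threshold for any percentage and prefix length, emits the equivalent Guard rule text, and evaluates constructed AWS::EC2::Subnet configuration items locally with the same COMPLIANT, NON_COMPLIANT and NOT_APPLICABLE outcomes the rule's comment describes. The function names (threshold, generate_guard_rule, evaluate, run_samples) and the sample items are the example's own. It assumes configuration items carry configuration.cidrBlock and configuration.availableIpAddressCount, and it computes each threshold as the floor of the percentage of the subnet size (with a minimum of one address), so a few values differ by one from the hand-picked numbers in the sample rule.

```python
"""Generalize the free-IP-address subnet rule: derive thresholds for any
percentage, emit the equivalent Guard rule text, and evaluate Config items.

Added example, not code from the sample-rules repository. Assumptions:
- configuration items carry `configuration.cidrBlock` and
  `configuration.availableIpAddressCount`, as AWS::EC2::Subnet items do;
- a threshold is floor(percent/100 * subnet size), at least 1, which may
  differ by one address from the hand-picked values in the original rule.
"""
import re
from typing import Iterable

DEFAULT_MASKS = range(16, 29)  # /16 through /28, as in the sample rule


def threshold(mask: int, percent: float) -> int:
    """Minimum free addresses a /mask subnet must keep to stay compliant."""
    size = 2 ** (32 - mask)
    return max(1, int(size * percent / 100))


def generate_guard_rule(percent: float = 5.0,
                        masks: Iterable[int] = DEFAULT_MASKS) -> str:
    """Emit one Guard rule per prefix length, mirroring the sample's layout."""
    lines = [
        f"# Rule-intent : flag subnets with fewer than {percent:g}% free IP addresses",
        "",
    ]
    for mask in masks:
        # The `when` guard is a regex match on the CIDR suffix, e.g. /\/24/
        lines.append(f"rule checker{mask} when configuration.cidrBlock == /\\/{mask}/ {{")
        lines.append(f"    configuration.availableIpAddressCount >= {threshold(mask, percent)}")
        lines.append("}")
    return "\n".join(lines)


def evaluate(item: dict, percent: float = 5.0,
             masks: Iterable[int] = DEFAULT_MASKS) -> str:
    """Local evaluation with the rule's semantics: NOT_APPLICABLE when no
    `when` guard matches, COMPLIANT when the clause holds, else NON_COMPLIANT."""
    applicable = set(masks)
    cfg = item["configuration"]
    m = re.search(r"/(\d+)$", cfg["cidrBlock"])
    if not m or int(m.group(1)) not in applicable:
        return "NOT_APPLICABLE"
    mask = int(m.group(1))
    if cfg["availableIpAddressCount"] >= threshold(mask, percent):
        return "COMPLIANT"
    return "NON_COMPLIANT"


# Constructed sample configuration items (not real resources).
SAMPLE_ITEMS = {
    "subnet-roomy-16": {"configuration": {"cidrBlock": "10.0.0.0/16",
                                          "availableIpAddressCount": 5000}},
    "subnet-tight-24": {"configuration": {"cidrBlock": "10.1.2.0/24",
                                          "availableIpAddressCount": 10}},
    "subnet-tiny-29": {"configuration": {"cidrBlock": "10.1.3.0/29",
                                         "availableIpAddressCount": 3}},
}


def run_samples(percent: float = 5.0) -> dict:
    """Evaluate every sample item and return {subnet id: result}."""
    return {sid: evaluate(item, percent) for sid, item in SAMPLE_ITEMS.items()}


if __name__ == "__main__":
    print(generate_guard_rule(5.0))
    for sid, result in run_samples().items():
        print(f"{sid}: {result}")
```

Running the script prints a complete Guard rule set for the requested percentage followed by the evaluation of the three constructed subnets: the /16 with 5000 free addresses is compliant, the /24 with 10 free addresses is non-compliant, and the /29 matches no when clause and is not applicable. Generating the rule text rather than editing thirteen thresholds by hand keeps the percentage in one place, which is the practical answer to the question of how to change the value the rule enforces.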

Conclusion

Previously, to create a custom policy rule, you would need to write one from scratch or leverage sample queries provided in AWS documentation. You can now also refer to the rule samples repository hosted on GitHub for additional help. We will continue to review and add new rules to this repository. To get started with AWS Config Custom Policy rules, refer to this documentation for guidance.

About the author:

Ania Develter

Ania Develter is a Senior Specialist Solutions Architect in the AWS Cloud Operations team. Ania works with customers from all industries and helps them with their observability, compliance and centralised operations management challenges. She loves talking about Observability, CloudOps and DevOps.