Find the most evaluated AWS Config rules using AWS CloudTrail Lake

In this post, I’ll show you how to find most evaluated AWS Config rules to dive deep into AWS Config charges on your invoice by using AWS CloudTrail Lake. The solution uses the new AWS CloudTrail feature, CloudTrail Lake, to analyze CloudTrail events.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against desired configurations. AWS Config provides you with pre-built rules for evaluating the provisioning and configuring of your AWS resources, as well as software within managed instances, including Amazon Elastic Compute Cloud (Amazon EC2) instances and servers running on-premises. Using AWS Config, you can assess your resource configurations and resource changes for compliance against the built-in or custom rules.

CloudTrail monitors and records account activity across your AWS infrastructure, thereby giving you control over storage, analysis, and remediation actions. CloudTrail Lake is a feature of CloudTrail, which is a managed audit and security lake, allowing customers to aggregate, immutably store, and query their activity logs for auditing, security investigation, and operational troubleshooting.

The solution will query CloudTrail Lake to identify the most evaluated AWS Config rules. If you’re using CloudTrail Lake for the first time, then follow these steps to create event data store.

Let’s see how the solution will work to find the most evaluated AWS Config rules.

Step 1: Log in to your AWS account, access CloudTrail, and select Lake on the left navigation.

Figure 1: Log in to your AWS account and access CloudTrail.

Step 2: Make sure that you’re in the same region where CloudTrail Lake was created. If you have created a Lake datastore in a different region than where you’re logged in, then you won’t see the datastore.

Figure 2: Lake datastore is available in the connected region

Step 3: In the editor pane, paste the following query and enter Event Data Store ID as shown in your console. Execute your query after replacing <Event_Data_Store> with your data store ID.

SELECT
count(*) as TotalEvents, date(eventTime) as datestamp, awsRegion, recipientAccountId, element_at(additionalEventData, ‘configRuleName’) as configRuleName, element_at(additionalEventData, ‘configRuleArn’) as configRuleArnFROM <Event_Data_Store>
WHERE
eventName=’PutEvaluations’
and eventTime > ‘2022-04-01 00:00:00’
AND eventTime < ‘2022-06-30 00:00:00’
group
by date(eventTime), awsRegion, recipientAccountId, additionalEventData
order by date(eventTime) desc, TotalEvents desc, recipientAccountId

Figure 3: Paste query in the query editor section

Step 4: In the bottom section of the screen, under Command output section, check for the query status. This section will show some other useful information, such as how many records matched, the amount of data scanned, and at what throughput.

Fig 4: Query output showing the status of query execution and response details

Step 5: The Output  tab in the bottom pane shows the query output. Here we can see which AWS Config rules were evaluated most, and this information can be used by the Operations team.

Fig 5: Output result shows the count of AWS Config rules evaluated during the time window

Conclusion

In this post, I’ve described  how to find which AWS Config rules are evaluated the most, and this information can be used by your te Operations team to analyze and optimize their AWS environment. This post also shows how easy it is to use the CloudTrail Lake feature to query CloudTrail events from all of the accounts in your organization across multiple regions. I recommend exploring CloudTrail Lake, and querying CloudTrail events during troubleshooting to find who did what before an incident occurred, in addition to many other scenarios.

About the author: