How to Deploy AWS Config Conformance Packs Using Terraform
AWS Config provides configuration, compliance, and auditing features required for governing your resources and providing security posture assessment at scale. This service lets you create managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.
An AWS Config conformance pack is a collection of AWS Config rules and remediation actions defined as YAML templates. Conformance Packs can be easily deployed as a single entity in an account and a Region or across an organization within AWS Organizations. AWS provides sample Conformance Pack templates for various compliance standards and industry benchmarks. You can download every conformance pack template from GitHub. This blog will work with the Conformance pack around Operational Best Practices for Amazon Simple Storage Service (S3). Note that you can utilize this mechanism for other sample conformance packs or for your own.
Terraform is a on open-source, infrastructure as code (IaC) software tool, similar to AWS CloudFormation, the AWS native IaC solution. Infrastructure as code (IaC) is the process of provisioning and managing your cloud resources by writing a template file that is both human readable and machine consumable. In February 2021, HashiCorp Terraform announced support for AWS Config Conformance pack as part of its AWS provider version 3.28.0. If you plan to use Terraform to manage your AWS environment, this post demonstrates how to deploy AWS Config and Conformance packs by using Terraform.
As shown in the following picture, you use a Terraform configuration to create a Conformance pack in your AWS account. This Conformance pack will deploy rules around operational best practices for Amazon S3:
Figure 1: Architecture shows interaction between User, Terraform, AWS Config and Conformance Pack
To complete the steps in this blog, you will need the following:
• An AWS account with permissions to AWS Config, Amazon S3, and CloudFormation. Make sure to check the prerequisites for using AWS Config.
• Download and set up Terraform. You can see these instructions to get started with Terraform on AWS.
• Make sure you have installed the AWS Command Line Interface (AWS CLI) and configured access to the AWS account you would like to deploy to. You can also utilize AWS CloudShell and deploy the solution.
In this blog, we highlight two different methods you can follow to set up Conformance Packs with Operational Best Practices for S3. The first method assumes you are using AWS Config for the first time and have not yet enabled it in your AWS account. In the Terraform script, you will enable Config and deploy the Conformance pack.
In the second method, we assume you have already enabled Config, and show you how to use Terraform to deploy the Conformance Pack. In both methods, follow the same instructions until it is time to update your Terraform script, or the main.tf file.
- Ensure that your AWS CLI is configured in your terminal. You will need to input your AWS Access Key ID and Secret Access Key.
$ aws configure
- Next, write your Terraform configuration. The configuration is a set of files that describe infrastructure in Terraform:
$ mkdir learn-terraform-conformance-packs
- Change into this directory:
$ cd learn-terraform-conformance-packs
- You will now create a file entitled “main.tf” to define your infrastructure:
$ touch main.tf
- Open main.tf in your text editor, paste in the following Terraform configuration file, and save the file.
Terraform Configuration to enable AWS Config and deploy a conformance pack
If you have already enabled Config, scroll to use “Terraform Configuration to just deploy the conformance pack” section.
Terraform Configuration to just deploy conformance pack (if AWS Config is already enabled)
In this conformance pack, you are creating six immutable Config rules that help optimize your S3 buckets. These rules include S3BucketPublicReadProhibited, S3BucketPublicWriteProhibited, S3BucketReplicationEnabled, S3BucketSSLRequestsOnly, ServerSideEncryptionEnabled, and S3BucketLoggingEnabled.
Note that you can leverage other sample conformance packs for operational best practices or for compliance purposes. This strategy is particularly useful if you need to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way. AWS builders are also empowered to build their own conformance packs that meet specific business or industry needs.
- Now that you have added the script with your conformance pack, you can initialize the directory. Initializing a configuration directory downloads and installs the AWS provider, which is defined in the configuration:
$ terraform init
You should see a message that says
“Terraform has been successfully initialized!"
This command prints out the version of the provider that was installed.
- You must format and validate your configuration. The
terraform fmtcommand automatically updates configurations in the current directory for readability and consistency. You can also ensure your configuration is syntactically valid and consistent with the
$ terraform fmt
$ terraform validate
You should now see a success message, which confirms that your template configuration is valid.
- You will now apply the configuration to create the infrastructure:
$ terraform apply
Before applying any changes, Terraform prints out the execution plan to describe the actions Terraform will take to update your infrastructure. If you are using the template to simply deploy a conformance pack, enter the Region to deploy the conformance pack when prompted.
The region where AWS operations will take place. Examples
are us-east-1, us-west-2, etc.
Enter a value: us-east-1
- Once prompted, you will need to type “yes” in order to confirm that the plan can be run:
Enter a value: yes
After the successful deployment of the conformance pack, you will see Terraform output similar to the following messages:
Congratulations, you have now deployed the Conformance Pack using Terraform! To confirm that your conformance pack has been deployed, navigate to conformance packs from the AWS Config console. You should now see that the S3conformancepack has been successfully deployed:
Figure 2: Screenshot of AWS Config Console showing the Conformance Pack deployed
To undeploy the conformance pack and disable AWS Config run the following terraform command.
$ terraform destroy
Before destroying all your managed resources, Terraform prints out the execution plan to describe the actions Terraform will take to update your infrastructure.
Once prompted, you will need to type “yes” in order to confirm that the plan can be run:
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
If you used the Terraform Configuration to enable AWS Config and deploy a conformance pack, you will see Terraform output similar to the following messages:
This post demonstrates how to easily deploy a sample AWS Config conformance pack with rules and remediation actions in your account by using Terraform scripts.
To learn more about AWS Config conformance packs, visit our AWS documentation.