AWS Cloud Operations Blog

Mapping Microsoft SCCM compliance checks to AWS Config

Microsoft SCCM (System Center Configuration Manager) enables the management, deployment, and security of devices and applications. Compliance settings in Configuration Manager lets you manage configuration and compliance in your organization. As customers migrate their traditional workloads, they’re also looking for an AWS native solution that provides the flexibility to manage compliance and configuration management on AWS, as well as on-premise or other cloud environments. The AWS cloud native solution AWS Config can be used as a compliance tool to perform similar capabilities as SCCM. This post provides an insight into the mapping of SCCM compliance checks to AWS Config.

How AWS Config works

As organizations migrate workloads to the cloud, they quickly reap the benefits of agility and experimentation. Customers want agility along with good governance, and in many cases they must also meet strict compliance requirements. The speed and scale at which cloud resources operate makes it impossible to use some of the traditional mechanisms to track resources. AWS Config lets you assess, audit, and evaluate the configurations of your AWS resources. It tracks configuration changes and maintains a history of up to seven years. Furthermore, it provides an aggregated view of resource configuration and compliance status across accounts and regions. The following figure depicts the workflow of AWS Config, and you can refer here to get started. We’ll look into the different features of AWS Config that correspond with SCCM to perform similar tasks.

Figure 1: Workflow of AWS Config
Figure 1: Workflow of AWS Config

Resource inventory using AWS Config

Customers can search existing and deleted resources that are recorded by AWS Config. Search existing or deleted resources recorded by AWS Config, as shown in the following figure. Furthermore, you can search for on-premises resources, other cloud resources, and third-party resources.

Figure 1: Resources Tab on AWS Config showing Non-Compliant AWS Resources
Figure 2: Resources Tab on AWS Config showing Non-Compliant AWS Resources.

You can also view the resource details, configuration timeline, or compliance timeline for a resource. The resource configuration timeline lets you view all of the configuration items captured over time for a specific resource. The resource compliance timeline lets you view compliance status changes.

Advanced queries

To query your resource configurations, use the advanced SQL query editor with Advanced Queries. Advanced Queries comes with some sample queries that can help you get started. Moreover, you can export query results as JSON or CSV files, as shown in the following figure.
Figure 1: Advanced Queries
Figure 3: Advanced Queries

AWS Config rules

Compliance settings in SCCM let you manage the configuration and compliance of clients in your organization. Similarly, you can use AWS Config to manage the configuration and compliance of resources using AWS Config Rules. A Config Rule represents the desired configurations for a resource, and it’s evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against a resource configuration are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule. Furthermore, AWS Config lets you remediate noncompliant resources that are evaluated by Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents.

There are two types of AWS Config Rules:
a. AWS Config managed rules

These are predefined, customizable rules that AWS Config uses to evaluate whether or not your AWS resources comply with common best practices. For example, you could use a managed rule to quickly assess whether your Amazon Elastic Block Store (Amazon EBS) volumes are encrypted or specific tags are applied to your resources. You can set up and activate these rules without writing the code.

b. AWS Config Custom rules

You can develop custom rules and add them to AWS Config. You associate each custom rule with an AWS Lambda function that contains the logic that evaluates whether or not your AWS resources comply with the rule. You associate this function with your rule, and the rule invokes the function either in response to configuration changes or periodically. Then, the function evaluates whether or not your resources comply with your rule, and sends its evaluation results to AWS Config. There are some sample custom Config Rules available to use in the out github repository.

Conformance Packs

Configuration baseline in SCCM contains the configuration items that you want to evaluate, as well as the settings and rules that describe the compliance level you must have. Similarly, a Config Conformance pack is a collection of Config rules and remediation actions that can be easily deployed as a single entity within a region or across an organization in AWS Organizations.

AWS Audit Manager

AWS Config provides an additional benefit by integrating as a data source with AWS Audit Manager. This helps translate its compliance findings into evidence to produce auditor-friendly reports by mapping your AWS resources to the requirements of industry standards or regulations.

Conclusion

In this post, we’ve shown how resource inventory, advanced queries, Config Rules, and conformance packs provide a mapping of SCCM compliance checks to AWS Config in AWS.

Authors:

Snehal Nahar

Snehal Nahar is a Sr.Technical Account Manager with AWS in Charlotte, North Carolina. She is passionate about building innovative solutions usingAWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.

Anjani Reddy

Anjani Reddy is a Technical Account Manager at AWS. She works with Enterprise customer and provides technical guidance to help them innovate and build a secure, scalable cloud on the AWS platform. Outside of work, she is an Indian classical & salsa dancer, loves to travel and volunteers for American Red Cross & Hands on Atlanta.