AWS Cloud Operations Blog
Mapping Microsoft SCCM compliance checks to AWS Config
Microsoft SCCM (System Center Configuration Manager) enables the management, deployment, and security of devices and applications. Compliance settings in Configuration Manager let you manage configuration and compliance in your organization. As customers migrate their traditional workloads, they are also looking for an AWS native solution that provides the flexibility to manage compliance and configuration on AWS, as well as in on-premises or other cloud environments. The AWS cloud native service AWS Config can be used as a compliance tool to perform capabilities similar to SCCM. This post provides an insight into the mapping of SCCM compliance checks to AWS Config.
How AWS Config works
As organizations migrate workloads to the cloud, they quickly reap the benefits of agility and experimentation. Customers want agility along with good governance, and in many cases they must also meet strict compliance requirements. The speed and scale at which cloud resources operate make it impossible to use some of the traditional mechanisms to track resources. AWS Config lets you assess, audit, and evaluate the configurations of your AWS resources. It tracks configuration changes and maintains a history of up to seven years. Furthermore, it provides an aggregated view of resource configuration and compliance status across accounts and regions. The following figure depicts the workflow of AWS Config, and you can refer here to get started. We'll look into the different features of AWS Config that correspond with SCCM to perform similar tasks.
Figure 1: Workflow of AWS Config
Resource inventory using AWS Config
Customers can search existing and deleted resources that are recorded by AWS Config, as shown in the following figure. Furthermore, you can search for on-premises resources, other cloud resources, and third-party resources.
Figure 2: Resources Tab on AWS Config showing Non-Compliant AWS Resources.
You can also view the resource details, configuration timeline, or compliance timeline for a resource. The resource configuration timeline lets you view all of the configuration items captured over time for a specific resource. The resource compliance timeline lets you view compliance status changes.
Advanced queries
To query your resource configurations, use the SQL-based query editor provided by Advanced Queries. Advanced Queries comes with sample queries that can help you get started. Moreover, you can export query results as JSON or CSV files, as shown in the following figure.
Figure 3: Advanced Queries
AWS Config rules
Compliance settings in SCCM let you manage the configuration and compliance of clients in your organization. Similarly, you can use AWS Config to manage the configuration and compliance of resources using AWS Config Rules. A Config Rule represents the desired configurations for a resource, and it’s evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against a resource configuration are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule. Furthermore, AWS Config lets you remediate noncompliant resources that are evaluated by Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents.
There are two types of AWS Config Rules:
a. AWS Config managed rules
These are predefined, customizable rules that AWS Config uses to evaluate whether or not your AWS resources comply with common best practices. For example, you could use a managed rule to quickly assess whether your Amazon Elastic Block Store (Amazon EBS) volumes are encrypted or specific tags are applied to your resources. You can set up and activate these rules without writing the code.
b. AWS Config custom rules
You can develop custom rules and add them to AWS Config. You associate each custom rule with an AWS Lambda function that contains the logic that evaluates whether or not your AWS resources comply with the rule. The rule invokes the function either in response to configuration changes or periodically. The function then evaluates whether or not your resources comply with your rule and sends its evaluation results to AWS Config. Some sample custom Config Rules are available to use in our GitHub repository.
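As an added example (not code from the post or the AWS samples repository), the following is a change-triggered custom rule Lambda that checks the EBS volume encryption case mentioned above. The handler shape (invokingEvent, ruleParameters, resultToken, put_evaluations) is the standard AWS Config custom rule contract; the optional kmsKeyId rule parameter and the sample configuration item are assumptions constructed for this illustration.

```python
import json

APPLICABLE_TYPES = ("AWS::EC2::Volume",)  # evaluate EBS volumes only
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(configuration_item, rule_parameters):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if configuration_item.get("resourceType") not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"  # deleted resources must not be reported as drift
    config = configuration_item.get("configuration") or {}
    if not config.get("encrypted", False):
        return "NON_COMPLIANT"
    # Optional stricter check (assumed rule parameter): require a specific CMK.
    required_key = rule_parameters.get("kmsKeyId")
    if required_key and config.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluation(configuration_item, compliance_type):
    """Shape one result the way PutEvaluations expects it."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") == "OversizedConfigurationItemChangeNotification":
        # Oversized items only carry a summary; the full item must be fetched
        # with GetResourceConfigHistory, which this example does not implement.
        raise ValueError("oversized configuration item not supported here")
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    evaluation = build_evaluation(item, evaluate_compliance(item, rule_parameters))
    import boto3  # imported here so the evaluation logic stays testable offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration item, as AWS Config would deliver it.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2021-01-01T00:00:00.000Z",
    "configuration": {"encrypted": False, "kmsKeyId": None},
}
```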
Conformance Packs
A configuration baseline in SCCM contains the configuration items that you want to evaluate, as well as the settings and rules that describe the required compliance level. Similarly, an AWS Config conformance pack is a collection of Config rules and remediation actions that can be deployed as a single entity within a region or across an organization in AWS Organizations.
AWS Audit Manager
AWS Config provides an additional benefit by integrating as a data source with AWS Audit Manager. This helps translate its compliance findings into evidence to produce auditor-friendly reports by mapping your AWS resources to the requirements of industry standards or regulations.
Conclusion
In this post, we’ve shown how resource inventory, advanced queries, Config Rules, and conformance packs provide a mapping of SCCM compliance checks to AWS Config in AWS.