AWS Cloud Operations & Migrations Blog

Using AWS Config for security analysis and resource administration

This blog post is a collaboration between Snehal Nahar, Technical Account Manager at AWS, and Howard Zeemer, Manager of Operational Tools and Automation at LendingTree.

In this post, we will discuss how Lending Tree is using AWS Config for resource administration and security analysis.

LendingTree empowers consumers to shop for financial services, comparing multiple offers from a nationwide network of over 500 partners in one simple search, and to choose the option that best fits their financial needs. Through the My LendingTree platform, consumers receive free credit scores, credit monitoring, and recommendations to improve credit health.

Lending Tree currently runs several key workloads on AWS, leveraging services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3), Amazon ElastiCache, Amazon CloudWatch, and Elastic Load Balancing.

Challenge

Lending Tree was facing two challenges:

Their first challenge was to track manual changes, typically introduced during troubleshooting in their development environments. For example, developers and operations teams sometimes need to adjust security groups while prototyping and troubleshooting infrastructure issues, and might occasionally forget to revert those changes. This could introduce security risks and system instability. Lending Tree wanted to detect these changes and reduce these human errors.

The second challenge was to relate resources to costing, applications, teams, and projects through proper use of tagging. A tag is a label that you or AWS assigns to an AWS resource. You can use tags to organize your resources, and cost allocation tags to track your AWS costs in detail. After you activate cost allocation tags, AWS uses the cost allocation tags to organize the resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs. Though there was a tagging strategy in place, many resources were created without proper tagging, making it difficult to relate costs to applications, teams, and projects. LendingTree wanted to ensure that all provisioned resources were properly tagged, and needed a way to enforce that.

Solution

After evaluating various options, Lending Tree decided to use AWS Config for resource administration and security analysis. These are just a couple of the key use cases that AWS Config addresses. There are more scenarios where you could use AWS Config.

AWS Config is a service that enables our customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records AWS resource configurations and automates the evaluation of recorded configurations against desired configurations. Within AWS Config you can use Conformance Packs to simplify the process of organizing and collecting compliance data across regions and accounts.

AWS Config provides a number of managed rules natively for checking tags and security group restrictions. You can read the complete list of AWS Config Managed Rules in the AWS Config documentation.

When using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config will evaluate your resources either at set time intervals or in response to configuration changes. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule’s AWS Lambda function, which returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as non-compliant. When the compliance status of a resource changes, you can optionally implement an automated remediation rule, or use an SNS notification for other types of automation, as shown here:


This diagram shows how AWS Config continuously tracks the state of resources in your account. When changes are detected, AWS Config records those changes and maintains a history. Those changes and history are delivered to an S3 bucket and can later be accessed via the console or the API. If a rule is deployed to evaluate the resource, it can be triggered automatically. The evaluation results can be displayed on the console or accessed via the AWS Config API.

Figure 1: Workflow of AWS Config Managed Rule


Below is a list of the AWS Config Rules that helped Lending Tree solve their business problem related to security analysis:

  1. ec2-security-group-attached-to-eni: Checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface. The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance or an elastic network interface.
  2. restricted-common-ports: Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. The rule is COMPLIANT when the IP addresses of the incoming SSH traffic in the security group are restricted to the specified ports.
  3. restricted-ssh: Checks whether the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted.
  4. vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic rules.

By implementing these rules, LendingTree can quickly detect when any security groups deviate from their compliance state.

Here is the AWS Config rule that helped Lending Tree solve their resource administration problem:

  • required-tags: Checks whether your resources have the tags that you specify. For example, you can check whether your EC2 instances have the CostCenter tag. Multiple values can be applied. Lending Tree has defined tags for cost center, application, team, project, and environment. If the new resource is created without the required tags, an SNS notification will be sent.

This rule helps enforce the requirement of tags for all resources, ensuring that all the resources can be associated with a cost center for financial purposes.
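To make the evaluation flow concrete (a rule's evaluation logic returns COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE per resource, and the non-compliant set is what an SNS notification would carry), here is an added example that is not code from the post or from LendingTree. It re-implements, locally in Python, the checks performed by the five managed rules listed above (restricted-ssh, restricted-common-ports, vpc-default-security-group-closed, ec2-security-group-attached-to-eni and required-tags) over dicts shaped like the EC2 DescribeSecurityGroups and DescribeInstances responses, so a team can run the same checks in CI against a planned change before AWS Config flags it in the account. The security groups, instances, blocked ports and required tag keys are all constructed for the example; the `evaluate` and `non_compliant` function names are the example's own.

```python
"""Local mirror of the AWS Config managed-rule checks discussed in the post.

Added example (not the post's or LendingTree's code). Resource data below is
constructed; the rule logic follows the rule descriptions in the post.
"""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def _open_to_world(perm):
    """True if an IpPermissions entry admits 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def _covers_tcp_port(perm, port):
    """True if the entry's protocol/port range includes TCP `port` ("-1" = all)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def restricted_ssh(sg):
    """restricted-ssh: NON_COMPLIANT when TCP/22 is reachable from any address."""
    for perm in sg.get("IpPermissions", []):
        if _open_to_world(perm) and _covers_tcp_port(perm, 22):
            return NON_COMPLIANT
    return COMPLIANT

def restricted_common_ports(sg, blocked_ports=(20, 21, 3389, 3306, 4333)):
    """restricted-common-ports: the tuple stands in for the rule's blockedPortN parameters."""
    for perm in sg.get("IpPermissions", []):
        if _open_to_world(perm) and any(_covers_tcp_port(perm, p) for p in blocked_ports):
            return NON_COMPLIANT
    return COMPLIANT

def vpc_default_security_group_closed(sg):
    """NOT_APPLICABLE for non-default groups; NON_COMPLIANT if the default group has any rule."""
    if sg.get("GroupName") != "default":
        return NOT_APPLICABLE
    return NON_COMPLIANT if sg.get("IpPermissions") or sg.get("IpPermissionsEgress") else COMPLIANT

def ec2_security_group_attached_to_eni(sg, instances):
    """NON_COMPLIANT when no instance network interface references the group."""
    attached = {g["GroupId"] for inst in instances
                for eni in inst.get("NetworkInterfaces", []) for g in eni.get("Groups", [])}
    return COMPLIANT if sg["GroupId"] in attached else NON_COMPLIANT

def required_tags(resource, required):
    """required-tags: `required` maps a tag key to its allowed values (None = any value)."""
    tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
    for key, allowed in required.items():
        if key not in tags or (allowed and tags[key] not in allowed):
            return NON_COMPLIANT
    return COMPLIANT

def evaluate(security_groups, instances, required):
    """Run every rule over every resource; returns {(rule_name, resource_id): status}."""
    results = {}
    for sg in security_groups:
        gid = sg["GroupId"]
        results[("restricted-ssh", gid)] = restricted_ssh(sg)
        results[("restricted-common-ports", gid)] = restricted_common_ports(sg)
        results[("vpc-default-security-group-closed", gid)] = vpc_default_security_group_closed(sg)
        results[("ec2-security-group-attached-to-eni", gid)] = ec2_security_group_attached_to_eni(sg, instances)
    for inst in instances:
        results[("required-tags", inst["InstanceId"])] = required_tags(inst, required)
    return results

def non_compliant(results):
    """The subset a notification (the SNS message in the post) would carry."""
    return sorted(k for k, v in results.items() if v == NON_COMPLIANT)


# Constructed sample data: a hardened group, a "forgot to revert" debugging group
# opened during troubleshooting, the VPC default group, and two instances.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-debug", "GroupName": "debug-tmp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-tagged", "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-web"}]}],
     "Tags": [{"Key": "CostCenter", "Value": "1234"}, {"Key": "Environment", "Value": "dev"}]},
    {"InstanceId": "i-untagged", "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-web"}]}],
     "Tags": [{"Key": "Name", "Value": "scratch"}]},
]
REQUIRED = {"CostCenter": None, "Environment": ("dev", "staging", "prod")}  # constructed policy

if __name__ == "__main__":
    for rule, resource in non_compliant(evaluate(SECURITY_GROUPS, INSTANCES, REQUIRED)):
        print(f"{rule}: {resource} is NON_COMPLIANT")
```

Running it reports the debugging group under restricted-ssh, restricted-common-ports and ec2-security-group-attached-to-eni, the default group under vpc-default-security-group-closed and ec2-security-group-attached-to-eni, and the untagged instance under required-tags, while the hardened web group and the tagged instance pass. The same classification is what the managed rules produce in the account; keeping a local copy lets the check run before a change is applied rather than only after AWS Config records it.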

Conclusion

This blog post shows how Lending Tree has used managed AWS Config rules to resolve their challenges related to security and resource administration. Implementing AWS Config rules around security groups and resource tagging has helped Lending Tree keep things more consistent as teams grow rapidly. Howard Zeemer, Manager of Operational Tools and Automation, Lending Tree, Inc., said “The implementation of AWS Config rules has helped us to stay more consistent and limit human errors.”

About the Authors

Howard Zeemer is the Manager of Operational Tools and Automation at LendingTree. He has dedicated the last year to building and re-architecting LendingTree’s infrastructure management applications on AWS. Howard works closely with development and security teams to help them leverage the latest AWS technologies. He has built tools used to enforce automated governance and keep AWS accounts in good standing. Howard has worked hard helping teams migrate existing services to AWS solutions, such as Amazon DocumentDB and Amazon DynamoDB.


Snehal Nahar is a Technical Account Manager with AWS in Charlotte, North Carolina. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.