AWS Cloud Operations & Migrations Blog

View AWS Config rules across multiple accounts and Regions using AWS Systems Manager Explorer

AWS Systems Manager Explorer is a customizable operations dashboard that displays an aggregated view of operations data from across your AWS accounts and AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category. In this blog post, I explain how Explorer gathers the compliance status of AWS Config rules and resources in your AWS account. If you are using AWS Organizations, Explorer aggregates the status from across all Regions and accounts in your organization.

AWS Config is used to assess, audit, and evaluate the configuration of your AWS resources.  You can use a set of AWS Config managed rules for common compliance scenarios or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager Automation document and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic.

Prerequisites

To aggregate AWS Config rules and resource compliance into Explorer, use the AWS Config console, AWS CLI, or the AWS Config SDKs to set up the service.  The blog post AWS Config Rules – Dynamic Compliance Checking for Cloud Resources provides details on creating rules and Config.

Follow the steps in the Quick Setup section of the Manage instances using AWS Systems Manager Quick Setup across organizations in AWS Organizations blog post. When you use this method, Explorer uses default settings for AWS Identity and Access Management roles and AWS Systems Manager OpsData sources.

AWS Config rules

In the AWS Config console, you find rules that you defined for your current account and Region.

On the Rules page, there is one rule, approved-amis-by-id. Under the Compliance column, it shows three noncompliant resources.

Figure 1: List of AWS Config rules

 

AWS Config resource inventory

AWS Config provides an inventory of the resources it has recorded. As described in the AWS Config documentation on viewing AWS Resource configurations and history, the inventory allows you to understand the compliance status of your AWS resources based on type of resource, tag, or compliance status.  Figure 2 shows a list of noncompliant resources.

 

On the Resource Inventory page, there are three noncompliant EC2 instances.

Figure 2: Noncompliant resources

 

If you want to perform ad hoc queries against the current configuration state of your resources, see the query your resource configuration state using the advanced query feature of AWS Config blog post.

Viewing AWS Config compliance status

Before you can view AWS Config compliance status, you must enable the flow of information from AWS Config into Explorer by using the Explorer OpsData sources. OpsData sources are connectors built and maintained by AWS that gather data from AWS services, converts it into OpsData items, and displays them in Explorer widgets.

To enable the AWS Config data source, sign in to the AWS Systems Manager console, choose Dashboard actions, and then choose Configure dashboard.

The Explorer page shows dashboard actions that include Configure dashboard, Add all widgets, and Reset layout.

Figure 3: Explorer page of AWS Systems Manager console

 

When you choose an OpsData source, you see a list of its associated widgets, which you can add or remove from the Explorer dashboard. For information about customizing the display, see customizing the display and using filters in the AWS Systems Manager user guide.

On the Configure OpsData sources and widgets page, confirm that AWS Config Compliance is set to Enabled. Confirm that Added is displayed for the AWS Config Compliance Summary widget.

 

In the list of OpsData sources, AWS Config Compliance is selected and set to Enabled. The context menu for AWS Config Compliance Summary is set to Added.

Figure 4: Enable AWS Config data source and widgets

 

Because you have added the AWS Config widget, you can see a summary of AWS Config rules, resources, and conformance packs.  Figure 5 shows the summary of rules and resources in my AWS account.

The AWS Config compliance summary displays a donut graph that shows 95% of resources are compliant. Another donut graph shows that four AWS Config rules are compliant and two are noncompliant.

Figure 5: Explorer widget for AWS Config

 

Viewing OpsData for AWS Config rules

The widget allows you to drill down and explore the data from AWS Config. Choose the Rule name links to view the compliant and noncompliant details. Figure 6 shows the list of noncompliant AWS Config rules and their compliance status. If you are viewing Explorer for a single account, there is a link to the AWS Config console. As explained in the AWS documentation for exporting OpsData rom Systems Manager Explorer, you can use the Export Table button to send a CSV file to an SNS topic.

The OpsData is filtered to show noncompliant rules. The first rule, approved-amis-by-id, has three noncompliant resources. The second rule, restricted-ssh, has four noncompliant resources.

Figure 6: List of AWS Config rules

 

When you choose the rule name, the AWS Config console opens so you can view the compliance status of the monitored resources for the selected rule.

The approved-amis-by-id rule checks whether running instances are using specified AMIs. It is triggered upon configuration changes and has three noncompliant EC2 instances.

Figure 7: AWS Config rules

 

Viewing OpsData for AWS Config resources

On the Explorer widget, when you choose the links next to the AWS Config resources, you see a list of compliant and noncompliant resources. If you are viewing the resources from a single account, there is link to the AWS Config console where you can view details of the resource.

The OpsData filter shows eight noncompliant resources. There are three noncompliant EC2 instances and five noncompliant security groups.

Figure 8: List of AWS resources

 

You can use the Export Table button to export the list of AWS Config resources to an Amazon Simple Storage Service (Amazon S3) bucket and send a CSV file to an SNS topic.

Figure 9 shows the Export data as CSV page where you choose the S3 bucket where the CSV file will be stored, the SNS topic that receives the CSV file, and an optional message. After you choose Export, an AWS Systems Manager Automation task starts and, in a few minutes, subscribers to the SNS topic will receive a message. When you export the CSV file, an AWS Identity and Access Management (IAM) role with the permissions required to access the S3 bucket and SNS topic is created.

CSV data will be stored in a redacted S3 bucket name of aws-logs and sent through a redacted SNS topic ARN. The optional SNS topic message box is blank.

Figure 9: Export AWS Config resources as a CSV file

 

When you choose the link for a resource, the AWS Config console opens so you can view the resource configuration details.

Under Rules applied, the EC2 instance is noncompliant with the approved-amis-by-id AWS Config rule.

Figure 10: AWS Config resource

Conclusion

In this blog post, I showed how you can view aggregated AWS Config rule and resource compliance across multiple accounts and Regions in AWS Systems Manager Explorer dashboards. From the Explorer widget, you can view lists of AWS Config elements, export the details to CSV, and distribute them through an SNS topic.

For information about other Explorer OpsData sources, see the multi-account AWS Trusted Advisor summaries now available in AWS Systems Manager Explorer and use AWS Systems Manager Explorer to optimize your compute resources across your organizations in AWS Organizations blog posts.

 

 

About the author

Michael Heyd is a Solutions Architect with Amazon Web Services and is based in Vancouver, Canada.  Michael works with enterprise AWS customers to transform their business through innovative use of cloud technologies.  Outside work he enjoys board games and biking.