Config Rule with Lambda

This lab builds on the components deployed in the previous step. You will need to deploy the stack from that lab to continue below.

Create a Config rule to ensure CloudTrail is enabled

In this step we will create a Config rule using an AWS managed rule that will evaluate whether CloudTrail is enabled within your AWS account.

  1. Go to the Config console, and once there click on Rules on the left side of the console.
  2. Click on Add rule.
  3. In the Add Rule screen, in the Filter section, type cloudtrail-enabled, and then click on the cloudtrail-enabled rule.
  4. Under the Trigger section, notice the trigger type is Periodic.
    • Change the frequency to 1 hour.
  5. We will need to look up the Amazon Resource Name (ARN) of the CloudWatch Logs log group that our trail is delivering to. In the CloudWatch console, click on Log groups, and then click on the management-tools-week log group. The ARN will be on the top-left side of the console. Copy this, and paste it into the cloudWatchLogsLogGroupArn field. (Screenshot: CloudWatch Logs Group ARN)
  6. Click Save.

When this rule evaluates, it will mark your AWS account as compliant.

Set triggers for Lambda functions

Now we will create the trigger for the Lambda function deployed by our CloudFormation template. This function will be executed as soon as we make our CloudTrail configuration non-compliant!

This demonstrates that while Config itself can certainly perform a remediation, you can choose other tools to do so as well. In this case, a CloudWatch Events rule captures the compliance change notification from Config and triggers a Lambda execution to perform the remediation for us.

  1. Go to the CloudWatch console, and under Events on the left side click on Rules.
    • Click Create rule.
    • Under Event Source:
      • Select the radio button next to Event Pattern.
      • Service Name: Config
      • Event Type: Config Rules Compliance Change
      • Select the radio button next to Specific message type.
        • From the drop-down, select ComplianceChangeNotification.
      • Select the radio button next to Specific rule name.
        • Type cloudtrail-enabled.
    • Click Add target.
    • Select the ConfigSSMLab-EnforceCloudTrailFunction Lambda function, which is the function deployed by our CloudFormation stack. Feel free to take a look at the function code in Lambda. (Screenshot: CloudWatch Event Lambda Trigger)
  2. Click Configure details.
  3. Enter CloudTrailChange as the rule name, leave the state enabled, and then click Create rule.
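To make the wiring above concrete, here is an added example of what the event rule and a remediation function look like in code. It is not the ConfigSSMLab-EnforceCloudTrailFunction shipped by the workshop's CloudFormation stack. EVENT_PATTERN is the JSON equivalent of the console selections (source aws.config, detail-type Config Rules Compliance Change, message type ComplianceChangeNotification, rule name cloudtrail-enabled); the handler only acts on a transition to NON_COMPLIANT and then re-attaches CloudWatch Logs delivery to the trail. The trail name, log group ARN and IAM role ARN are placeholders, and the DryRunCloudTrail class stands in for boto3's CloudTrail client so the handler can be exercised without AWS credentials.

```python
"""Remediation Lambda for the cloudtrail-enabled Config rule (added example)."""
import json

RULE_NAME = "cloudtrail-enabled"
# Hypothetical values: the trail from lab 1 and the log group the rule expects.
TRAIL_NAME = "management-tools-week"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:management-tools-week:*"
LOGS_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"

# Event pattern matching the rule built in the console: Config ->
# Config Rules Compliance Change -> ComplianceChangeNotification -> our rule.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [RULE_NAME],
    },
}


def should_remediate(event):
    """Act only on a transition of our rule to NON_COMPLIANT.

    The event pattern already filters on rule name and message type; checking
    again keeps the function safe if something else ever invokes it."""
    detail = event.get("detail") or {}
    if detail.get("messageType") != "ComplianceChangeNotification":
        return False
    if detail.get("configRuleName") != RULE_NAME:
        return False
    new_result = detail.get("newEvaluationResult") or {}
    return new_result.get("complianceType") == "NON_COMPLIANT"


def remediate_trail(cloudtrail, trail_name=TRAIL_NAME):
    """Restore CloudWatch Logs delivery and make sure the trail is logging."""
    cloudtrail.update_trail(
        Name=trail_name,
        CloudWatchLogsLogGroupArn=LOG_GROUP_ARN,
        CloudWatchLogsRoleArn=LOGS_ROLE_ARN,
    )
    was_logging = bool(cloudtrail.get_trail_status(Name=trail_name).get("IsLogging"))
    if not was_logging:
        cloudtrail.start_logging(Name=trail_name)
    return {"trail": trail_name, "restartedLogging": not was_logging}


def lambda_handler(event, context=None, cloudtrail=None):
    """Lambda entry point; `cloudtrail` is injectable so the logic runs offline."""
    if not should_remediate(event):
        return {"action": "none", "reason": "not a NON_COMPLIANT change for " + RULE_NAME}
    if cloudtrail is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        cloudtrail = boto3.client("cloudtrail")
    return {"action": "remediated", **remediate_trail(cloudtrail)}


class DryRunCloudTrail:
    """Stand-in for boto3's CloudTrail client that records calls instead of making them."""

    def __init__(self, is_logging=True):
        self.is_logging = is_logging
        self.calls = []

    def update_trail(self, **kwargs):
        self.calls.append(("update_trail", kwargs))
        return {}

    def get_trail_status(self, **kwargs):
        self.calls.append(("get_trail_status", kwargs))
        return {"IsLogging": self.is_logging}

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        self.is_logging = True
        return {}


def sample_event(compliance_type):
    """Constructed compliance-change event, trimmed to the fields the handler reads."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": RULE_NAME,
            "resourceType": "AWS::::Account",
            "newEvaluationResult": {"complianceType": compliance_type},
        },
    }


if __name__ == "__main__":
    client = DryRunCloudTrail(is_logging=False)
    print(json.dumps(lambda_handler(sample_event("NON_COMPLIANT"), None, client)))
    print(json.dumps(lambda_handler(sample_event("COMPLIANT"), None, client)))
    for name, kwargs in client.calls:
        print(name, kwargs)
```

The function's execution role needs cloudtrail:UpdateTrail, cloudtrail:GetTrailStatus and cloudtrail:StartLogging on the trail, plus iam:PassRole for the CloudWatch Logs role; scoping those to the single trail ARN keeps the remediation function itself from becoming a broadly privileged component.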

Testing the new CloudTrail remediation Lambda

Now that we have an event configured to force a remediation of a broken CloudTrail configuration, let’s force it to execute.

  1. In CloudTrail, go to the trail we created in the first lab and remove the CloudWatch Logs configuration: click on the trail, then click on Edit next to CloudWatch Logs. Finally, deselect the Enabled box and save your changes.
  2. Navigate to our Config rule for CloudTrail, and re-evaluate the rule. Refresh the screen after a minute and ensure it comes up as non-compliant.
  3. Go back to CloudTrail. Did the CloudWatch Logs configuration return? Did you get an e-mail?
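Step 2 expects the rule to flip to non-compliant once the CloudWatch Logs configuration is removed. The added example below, which is not AWS's implementation of the managed rule, models what the cloudtrail-enabled rule created earlier is checking when the cloudWatchLogsLogGroupArn parameter is set: inputs in the shape of CloudTrail's describe_trails() trailList and get_trail_status() responses are constructed inline, and the account counts as COMPLIANT only when some trail is logging and delivering to the expected log group. The exact matching rules are an assumption that simplifies the managed rule, and the ARNs are placeholders.

```python
"""Offline approximation of the cloudtrail-enabled evaluation (added example)."""
import copy

# Placeholder for the ARN pasted into the rule's cloudWatchLogsLogGroupArn field.
EXPECTED_LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:management-tools-week:*"


def _normalize(arn):
    """Log group ARNs appear with and without a trailing ':*'; compare the base."""
    if not arn:
        return None
    return arn[:-2] if arn.endswith(":*") else arn


def evaluate_cloudtrail_enabled(trails, statuses, log_group_arn=EXPECTED_LOG_GROUP_ARN):
    """Return ("COMPLIANT" | "NON_COMPLIANT", reasons) for an account.

    trails:   list of trail dicts in the describe_trails() trailList shape
    statuses: {trail name: {"IsLogging": bool}} in the get_trail_status() shape"""
    reasons = []
    for trail in trails:
        name = trail.get("Name", "<unnamed>")
        if not statuses.get(name, {}).get("IsLogging"):
            reasons.append(f"{name}: not logging")
            continue
        if _normalize(trail.get("CloudWatchLogsLogGroupArn")) != _normalize(log_group_arn):
            reasons.append(f"{name}: not delivering to expected log group")
            continue
        return "COMPLIANT", [f"{name}: logging to expected log group"]
    if not trails:
        reasons.append("no trails in account")
    return "NON_COMPLIANT", reasons


def detach_cloudwatch_logs(trail):
    """Model step 1 above: deselecting Enabled under CloudWatch Logs on the trail."""
    changed = copy.deepcopy(trail)
    changed.pop("CloudWatchLogsLogGroupArn", None)
    changed.pop("CloudWatchLogsRoleArn", None)
    return changed


# Constructed sample data shaped like the API responses.
SAMPLE_TRAILS = [{
    "Name": "management-tools-week",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": True,
    "CloudWatchLogsLogGroupArn": EXPECTED_LOG_GROUP_ARN,
    "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
}]
SAMPLE_STATUS = {"management-tools-week": {"IsLogging": True}}


def walk_through_lab():
    """Evaluate before the drift, after step 1, and with logging stopped entirely."""
    before, _ = evaluate_cloudtrail_enabled(SAMPLE_TRAILS, SAMPLE_STATUS)
    drifted = [detach_cloudwatch_logs(t) for t in SAMPLE_TRAILS]
    after, _ = evaluate_cloudtrail_enabled(drifted, SAMPLE_STATUS)
    stopped, _ = evaluate_cloudtrail_enabled(
        SAMPLE_TRAILS, {"management-tools-week": {"IsLogging": False}})
    return {"before": before, "after_detach": after, "logging_stopped": stopped}


if __name__ == "__main__":
    for check, verdict in walk_through_lab().items():
        print(f"{check}: {verdict}")
```

Because the rule is periodic (every hour after the change in step 4), the console re-evaluation in step 2 is what makes the drift visible immediately; without it the Lambda would fire only on the next scheduled evaluation.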

What did we learn?

  • How to use CloudWatch Events to automatically trigger Lambda functions and remediate non-compliant resources
  • Multiple ways to automate and remediate resources that drift within AWS

In the next lab we will explore some of the data produced by Config by viewing compliance timelines, data in CloudWatch logs, as well as deploying the Systems Manager agent automatically.