AWS Cloud Operations Blog

Streamline compliance management with AWS Config custom rules and conformance packs

In this blog post, we show you how to manage your compliance controls with AWS Config custom rules (custom rules) written in the AWS CloudFormation Guard (cfn-guard) domain-specific language (DSL) and deployed through conformance packs. AWS CloudFormation Guard, the language used to write custom policy rules, is an open-source DSL and command line interface (CLI) that helps enterprises keep their AWS infrastructure and application resources in compliance.

AWS Config is used by many customers to continuously audit and assess the overall compliance of resources in their AWS environments against their desired configurations. To get started, AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices. However, customers sometimes have specific requirements, in which case they use custom rules. There are two types of custom rules: Custom Lambda rules, and rules written in Guard DSL, which are referred to as custom policy rules.

Both types of custom rules can be used to define custom policies; which one you choose depends on your use case. Custom Lambda rules allow you to develop your own AWS Lambda function, typically written in a language such as Python or Java, that contains the logic which evaluates whether your resources comply with the rule. Custom policy rules allow customers who are not familiar with Lambda and languages such as Python or Java, but who know Guard DSL, to write custom logic that evaluates rule compliance. To do this at scale, they use conformance packs.

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and an AWS Region or across an organization in AWS Organizations (conformance packs). AWS Config rules deployed to member accounts using regular or organization conformance packs are immutable. Customers can add managed, custom Lambda and custom policy rules to the same custom conformance pack (or multiple custom conformance packs) and therefore have multiple controls and rules grouped and deployed together.

For the purpose of the blog post, a sample conformance pack is provided with one managed rule, for which we changed the parameter value to suit our requirements, and three custom policy rules.

Sample conformance pack

Below, you will find the sample conformance pack prepared for this blog post. This example contains three custom policy rules and one managed rule with a custom parameter value. The conformance pack does not follow any specific framework or set of requirements; rather, it provides an example of how to add managed and custom policy rules to a single conformance pack.

Download the sample conformance pack prepared for this blog post:

blog_post_sample_cpack.yml

Please note that the name of each rule in the conformance pack (under Properties: ConfigRuleName:) must be unique to that Region and account.

Summary of the rules in the sample conformance pack:

  • access-keys-rotated – a managed rule which allows AWS Config to check whether IAM access keys have been rotated within the specified time, reducing the business impact if a key is compromised. By default, this managed rule checks whether the keys have been rotated in the last 90 days, but in this example the default value has been overridden to 30 days.
  • custom-ddb-pit-recovery – a custom policy rule which checks whether point-in-time recovery is enabled for your active Amazon DynamoDB tables, so that you can perform backups and restores with per-second granularity.
  • custom-gp3-iops – a custom policy rule which checks that the IOPS value of your Amazon Elastic Block Store (Amazon EBS) gp3 volumes is set between 3000 and 4000, to drive the performance behavior of your EBS volumes.
  • custom-s3-kms-encryption – a custom policy rule which checks whether Amazon Simple Storage Service (Amazon S3) buckets have AWS Key Management Service (KMS) encryption configured and turned on, to ensure your data is encrypted.
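The conformance pack below is an added example written for this edit; it is not the blog's downloadable blog_post_sample_cpack.yml, although it implements the same four rules summarised above: one AWS managed rule whose parameter is exposed as a conformance pack parameter, and three custom policy rules in Guard DSL. Each custom policy rule uses a `when` guard so that resources outside its scope (for example, a gp2 volume or a DynamoDB table that is not ACTIVE) are reported as NOT_APPLICABLE rather than NON_COMPLIANT, while a missing attribute (such as no default encryption configuration on a bucket) fails the rule and is reported as NON_COMPLIANT. The configuration-item attribute paths used inside the Guard rules (`supplementaryConfiguration.ContinuousBackupsDescription...`, `configuration.volumeType`, `configuration.iops`, `supplementaryConfiguration.ServerSideEncryptionConfiguration...`) are assumptions based on the AWS Config resource schemas and should be confirmed against a configuration item exported from your own account before you rely on the rule.

```yaml
# Added example conformance pack (not the blog's blog_post_sample_cpack.yml).
# Assumption: the attribute paths referenced in PolicyText match the
# AWS Config configuration items for these resource types in your account.
Parameters:
  AccessKeysRotatedParamMaxAccessKeyAge:
    Type: String
    Default: '90'   # the managed rule's own default; the post overrides it to 30 at deploy time

Resources:
  # Managed rule with its maxAccessKeyAge parameter wired to the pack parameter
  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      InputParameters:
        maxAccessKeyAge: !Ref AccessKeysRotatedParamMaxAccessKeyAge
      MaximumExecutionFrequency: TwentyFour_Hours

  # Custom policy rule: point-in-time recovery must be ENABLED on ACTIVE tables
  CustomDdbPitRecovery:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: custom-ddb-pit-recovery
      Scope:
        ComplianceResourceTypes:
          - AWS::DynamoDB::Table
      Source:
        Owner: CUSTOM_POLICY
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
        CustomPolicyDetails:
          PolicyRuntime: guard-2.x.x
          EnableDebugLogOutput: false
          PolicyText: |-
            # Tables that are not ACTIVE are skipped (NOT_APPLICABLE)
            rule table_is_active when resourceType == "AWS::DynamoDB::Table" {
                configuration.tableStatus == "ACTIVE"
            }
            rule pitr_enabled when resourceType == "AWS::DynamoDB::Table"
                                   table_is_active {
                supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
            }

  # Custom policy rule: gp3 volumes must have IOPS in the 3000..4000 range
  CustomGp3Iops:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: custom-gp3-iops
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: CUSTOM_POLICY
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
        CustomPolicyDetails:
          PolicyRuntime: guard-2.x.x
          EnableDebugLogOutput: false
          PolicyText: |-
            # Only gp3 volumes are in scope; other volume types are NOT_APPLICABLE
            rule gp3_iops_in_range when resourceType == "AWS::EC2::Volume"
                                        configuration.volumeType == "gp3" {
                configuration.iops >= 3000
                configuration.iops <= 4000
            }

  # Custom policy rule: every default-encryption rule on the bucket must use KMS
  CustomS3KmsEncryption:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: custom-s3-kms-encryption
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: CUSTOM_POLICY
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
        CustomPolicyDetails:
          PolicyRuntime: guard-2.x.x
          EnableDebugLogOutput: false
          PolicyText: |-
            # A bucket with no ServerSideEncryptionConfiguration fails this check (NON_COMPLIANT)
            rule s3_default_encryption_is_kms when resourceType == "AWS::S3::Bucket" {
                supplementaryConfiguration.ServerSideEncryptionConfiguration.rules[*].applyServerSideEncryptionByDefault.sseAlgorithm == "aws:kms"
            }
```

When you upload this template in the console flow described below, the `AccessKeysRotatedParamMaxAccessKeyAge` parameter appears under "Add parameter", which is where the value 30 is supplied; all four `ConfigRuleName` values must be unique within the account and Region. Set `EnableDebugLogOutput: true` on a custom policy rule while you are validating the attribute paths, since the debug output shows exactly which clause of the Guard rule failed for a given resource.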

How to deploy

For more information on how to deploy an organization conformance pack, visit here. Here are the steps to deploy the sample conformance pack:

  1. Make sure you are in the Region you want to deploy the template in and navigate to the AWS Config console.
  2. On the left panel, select Conformance packs.
  3. Select Deploy conformance pack.
  4. Under “Conformance pack template” section, select Template is ready.
  5. Under the “Specify template” section, choose Upload a template file, then Choose file and upload the template you downloaded under the “Sample conformance pack” section of this blog. Select Next.

A screen shot showing the first stage of deploying a conformance pack in the AWS console

(Figure 1: Deploy conformance pack in AWS console)

  6. On the Specify conformance pack details page, enter the conformance pack name. For the purpose of this blog post, name it “CloudOpsCPack”. If you are using a conformance pack with parameters you would like to change during the conformance pack deployment, you can do this by selecting “Add parameter”. For the Key name use AccessKeysRotatedParamMaxAccessKeyAge and enter 30 for the Value. The default parameter value for the config rule access-keys-rotated is 90 days; we have just updated the parameter value for the rule to 30 days. Choose Next.

A screen shot of specifying conformance pack details in the AWS console

(Figure 2: Specify conformance pack details in AWS console)

  7. On the Review and deploy page, review the details and, once finished, select Deploy conformance pack.

A screen shot of reviewing and deploying a conformance pack in the AWS console

(Figure 3: Reviewing and deploying conformance pack in AWS console)

Checking your conformance pack score

Once you have deployed the example conformance pack, AWS Config automatically calculates a conformance pack compliance score to help you track your resource compliance. It might take a few hours for the score to show up. The compliance score is calculated from the number of rule-to-resource combinations that are compliant within the scope of the conformance pack. This measurement allows you to track remediation progress, compare different sets of requirements, and observe the impact a specific change or deployment has on your compliance posture.

The overall compliance score for the example conformance pack is shown under the Conformance packs section of the AWS Config console and displayed at a high level for each deployed conformance pack.

A screen shot of a conformance pack in AWS Config console

(Figure 4: Conformance pack in AWS console)

To learn more about conformance pack compliance scores, refer to this blog post which dives deeper into this capability of AWS Config.

Clean up

To remove the sample conformance pack from your account, follow these steps:

  1. Make sure that you are in the Region you deployed the template in, then navigate to the AWS Config console.
  2. On the left panel, select Conformance packs.
  3. Find the sample conformance pack and select the radio button for the example conformance pack.
  4. Select Actions and choose Delete.
  5. Type “confirm” and then select Delete to confirm.

Conclusion

In this blog post, we demonstrated how to centrally manage your compliance controls with custom rules written in Guard DSL. Please refer to the AWS Config custom rule and conformance pack documentation for further information. If you want to deploy the conformance pack across all AWS accounts within an organization in AWS Organizations, please follow the instructions in this blog post.

Karan Edikala

Karan is a Solutions Architect at AWS focused on helping small businesses deliver value through cloud technology. He specializes in Cloud Operations and Analytics, helping customers manage their compliance and auditing requirements and data strategy on AWS. In his free time, he enjoys piloting general aviation planes, golfing, and skiing.

Ania Develter

Ania Develter is a Senior Specialist Solutions Architect in the AWS Cloud Operations team. Ania works with customers from all industries and helps them with their observability and operations challenges. She loves talking about Observability, CloudOps and DevOps.