Getting an accurate and up-to-date inventory of your resources is a crucial step in the Cloud Maturity Model. Knowing what you are running allows you to begin identifying potential security holes, gathering relevant information about your technical processes, and finding cost optimizations.
Outlined in this post is a guide to help you begin the process of getting a full picture of where you are operating properly and where you may need some work.
AWS Config
AWS has done a lot to help enable businesses to provide scalable and resilient software solutions. They also provide a comprehensive suite of services that helps manage and maintain your cloud environment. AWS Config provides the information needed to inventory, monitor, and evaluate your existing resources. We will use it to evaluate your existing resources and determine where cloud best practices can be applied.
AWS Config (setup guide)
Note: Config will incur some additional costs depending on the number of resources you are running/evaluating in your account.
- Navigate to the AWS console and search for “Config”
- Select the option with the description “Track Resource Inventory and Changes”
- Select Get Started and leave all of the options as they are. If you are only deploying this option in a single region, check “Include global resources (e.g., AWS IAM resources)”
- Skip the rules for now; we’ll go over some conformance pack options that are more impactful
- Go ahead and deploy
Conformance Packs and Config Rules
Conformance packs are predefined or user-defined collections of AWS Config rules that are meant to evaluate running resources. Deploying a conformance pack is as simple as navigating to Conformance packs and selecting “Deploy conformance pack”. The nuance begins when you start looking through all of the sample templates available. We’ve looked through all of them and found some good options to get you started:
Note: If you want to ensure you are maintaining a specific level of compliance, it’s important to consult with an expert in this domain.
AWS Identity And Access Management Best Practices: This covers IAM users, roles, and policies, and flags issues with access key rotation, overly permissive IAM policies, root account checks (MFA, access keys), MFA enforcement, and administrative account configurations.
AWS Backup Best Practices: This covers data retention related items including backup frequency, backup encryption, and backup retention.
Asset Management Best Practices: This conformance pack evaluates whether you are actually using the resources you have deployed. Examples of checks include whether your Elastic IP addresses are attached, your EBS volumes are in use, your VPCs are in use, and your instances are managed by AWS Systems Manager.
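If the sample packs are more than you want to start with, you can write your own. The template below is a constructed example, not one of AWS’s sample templates, that combines a handful of the managed rules behind the three packs above; the rule names, the `maxAccessKeyAge` threshold, and the pack name in the deploy command are assumptions you should adjust to your own policy. Config must already be recording (the setup steps above) before any of these rules will evaluate.

```yaml
# Constructed example: a minimal custom conformance pack built from managed
# Config rules covering IAM hygiene, backup encryption and idle assets.
# Deploy with: aws configservice put-conformance-pack \
#   --conformance-pack-name inventory-baseline --template-body file://pack.yaml
Resources:
  RootAccountMfaEnabled:            # root access check: MFA on the root user
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: root-account-mfa-enabled
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
  AccessKeysRotated:                # flags IAM user access keys older than the limit
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: '90'       # assumed threshold in days; adjust to your policy
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
  IamPolicyNoAdminStatements:       # overly permissive policies (Allow "*" on "*")
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-policy-no-statements-with-admin-access
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
  EipAttached:                      # asset management: Elastic IPs not attached to anything
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: eip-attached
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  Ec2VolumeInUse:                   # asset management: EBS volumes not attached to an instance
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-volume-inuse-check
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
  BackupRecoveryPointEncrypted:     # backup encryption: recovery points must be encrypted
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: backup-recovery-point-encrypted
      Source:
        Owner: AWS
        SourceIdentifier: BACKUP_RECOVERY_POINT_ENCRYPTED
```

Once deployed, the pack’s compliance summary in the Config console shows which of these rules have non-compliant resources, and each rule links to the specific resource IDs that failed.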
Next Steps
Now that you have Config set up, it’s time to go over what you want evaluated. What data compliance controls are your customers requiring? Where do you have the least observability? Use these findings to help provide strategic guidance to build out your security & compliance program.