Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.
This solution includes a serverless architecture for running a query against AWS Config. An Amazon EventBridge rule triggers an AWS Lambda function on the day and time of your choice to find the list of non-compliant resources from non-compliant rules that have not been remediated over a period of 30 days.
The following figure provides the architecture for this end-to-end flow within the solution:
- The Lambda function runs a query against AWS Config to get the list of resources that have been non-compliant over a period of 30 days.
- The Lambda function generates a CSV report and sends it by email using Amazon Simple Email Service (Amazon SES).
Before getting started, make sure that you have a basic understanding of the following:
- Amazon EventBridge rules that run on a schedule
- Multi-Account Multi-Region Data Aggregation in AWS Config
- AWS Lambda functions
- Python and Boto3
- CDK environments
You will also need the following set up before deploying:
- A pre-configured Multi-Account AWS Config Aggregator
- A pre-configured Amazon SES identity for sending email
- Amazon EventBridge rule - triggers the AWS Lambda function on a configurable day and time.
- AWS Lambda - calls the AWS Config API, creates a CSV file with the details, and sends it by email using SES.
- AWS Config aggregator - collects AWS Config configuration and compliance data across accounts and regions.
- Amazon Simple Email Service - sends an email with the CSV file created by the Lambda function.
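As an added example (not the repository's Lambda code), this is the core of what such a function does: page through a rule's aggregate evaluation results from the aggregator, keep the non-compliant findings that are at least 30 days old, and render them as CSV for the SES attachment. The functions `fetch_evaluations`, `stale_rows`, `to_csv` and the constructed sample are assumptions of this example; using `ResultRecordedTime` as the age of a finding is also an assumption, and the SES send step is not shown.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)
FIELDS = ["account_id", "region", "rule", "resource_type", "resource_id", "days_noncompliant"]

def stale_rows(evaluations, now, max_age=STALE_AFTER):
    """Keep NON_COMPLIANT evaluations recorded at least max_age ago (ResultRecordedTime as finding age: an assumption)."""
    rows = []
    for ev in evaluations:
        age = now - ev["ResultRecordedTime"]
        if ev["ComplianceType"] != "NON_COMPLIANT" or age < max_age:
            continue
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rows.append({"account_id": ev["AccountId"], "region": ev["AwsRegion"],
                     "rule": q["ConfigRuleName"], "resource_type": q["ResourceType"],
                     "resource_id": q["ResourceId"], "days_noncompliant": age.days})
    return rows

def to_csv(rows):
    """Render the report rows as CSV text, ready to attach to an SES message."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def fetch_evaluations(config, aggregator, rule_name, account_id, region):
    """Page through aggregate evaluation results for one rule; `config` is a boto3 'config' client."""
    kwargs = {"ConfigurationAggregatorName": aggregator, "ConfigRuleName": rule_name,
              "AccountId": account_id, "AwsRegion": region, "ComplianceType": "NON_COMPLIANT"}
    while True:
        resp = config.get_aggregate_compliance_details_by_config_rule(**kwargs)
        yield from resp.get("AggregateEvaluationResults", [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]

# Constructed sample standing in for an API response (not real account data).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
def _ev(days_ago, compliance, rule, rtype, rid):
    return {"ComplianceType": compliance, "ResultRecordedTime": NOW - timedelta(days=days_ago),
            "AccountId": "111111111111", "AwsRegion": "us-east-1",
            "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}}}
SAMPLE = [_ev(45, "NON_COMPLIANT", "s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "bucket-a"),
          _ev(3, "NON_COMPLIANT", "s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "bucket-b"),
          _ev(60, "COMPLIANT", "s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "bucket-c")]
```

In the Lambda, `stale_rows(fetch_evaluations(boto3.client("config"), ...), datetime.now(timezone.utc))` replaces the constructed sample; only `bucket-a` survives the filter here, since `bucket-b` is too recent and `bucket-c` is compliant.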
- Clone the repository:

  ```
  git clone https://github.com/aws-samples/Config-report
  ```

- Change into the CDK project directory:

  ```
  cd Config-Report/config_report
  ```

- Bootstrap the CDK environment:

  ```
  cdk bootstrap
  ```

- Deploy the stack with your parameters:

  ```
  cdk deploy ConfigReport --parameters Aggregator=<aggregator name> --parameters Recipient=<recipient email address> --parameters Sender=<sender email address> --parameters Weekday=<Day-of-week 1-7 or SUN-SAT> --parameters Hour=<time in UTC (hour)> --parameters Minute=<time in UTC (minute)> --parameters SESarn=<ses arn>
  ```
Replace the parameters as follows:
- Aggregator - Name of the AWS Config Aggregator.
- Recipient - Email address that will receive the CSV report.
- Sender - Sender email address as configured (verified) in SES.
- Weekday - Day of the week (1-7 or SUN-SAT) on which the Lambda function will run.
- Hour - The hour (UTC) at which the Lambda function will run.
- Minute - The minute (UTC) at which the Lambda function will run.
- SESarn - The ARN of the preconfigured SES identity.
- The deployment will generate a report on the configured schedule.
- Check your recipient email inbox for the CSV report.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.