Announced at AWS re:Invent 2015, AWS Config Rules was made generally available in the us-east-1 region (it was previously available as a preview). Jeff Barr has the details on the release and the steps to implement a basic, pre-defined rule. While Jeff’s post touches on the basics, this feature is capable of a lot more. The key to unlocking this functionality is to understand how to build custom rules for AWS Config.
 
Rule Structure

The documentation on the AWS site explains the logistics of how to create a custom rule. These custom rules are AWS Lambda functions that accept a specific event context (see the example from AWS below) and return the evaluation result via the AWS Config API.
# AWS Config Rule event context
{
  "invokingEvent": "{\"configurationItem\":{\"configurationItemCaptureTime\":\"2015-09-25T04:05:35.693Z\",\"configurationItemStatus\":\"OK\",\"resourceId\":\"resourceId\",\"resourceType\":\"AWS::EC2::Instance\",\"tags\":{},\"relationships\":[],\"configuration\":{\"instanceType\":\"t2.micro\"}}}",
  "ruleParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
  "resultToken": "38400000-8cf0-11bd-b23e-10b96e4ef00d",
  "eventLeftScope": false
}
A lot can happen between the invocation and the return call! We’re going to take advantage of that in order to bubble up data on the security protections of your EC2 instances from Deep Security into AWS Config. While you can easily look in Deep Security for this information, centralizing it in AWS Config–along with all of the AWS deployment information the service already tracks–makes it a lot easier to maintain a state of continuous compliance.
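To make the shape of a custom rule concrete, here is an added example (not code from this post or from the Deep Security rules repository) of a Lambda handler that consumes the event context shown above and reports back through PutEvaluations. It implements the check the sample event implies (instanceType versus the desiredInstanceType parameter) and handles the resource-left-scope case; a Deep Security lookup would take the place of that comparison.

```python
import json

# Constructed from the sample event context above; ruleParameters and
# invokingEvent are delivered as JSON strings, not as nested objects.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "configurationItemCaptureTime": "2015-09-25T04:05:35.693Z",
        "configurationItemStatus": "OK", "resourceId": "resourceId",
        "resourceType": "AWS::EC2::Instance", "tags": {}, "relationships": [],
        "configuration": {"instanceType": "t2.micro"}}}),
    "ruleParameters": json.dumps({"desiredInstanceType": "t2.micro"}),
    "resultToken": "38400000-8cf0-11bd-b23e-10b96e4ef00d",
    "eventLeftScope": False,
}


def evaluate(event):
    """Turn one rule invocation into a single PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    base = {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

    # A terminated or out-of-scope resource must not be scored either way.
    if event.get("eventLeftScope") or item["configurationItemStatus"] == "ResourceDeleted":
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "Resource left the rule's scope"}
    if item["resourceType"] != "AWS::EC2::Instance":
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "Rule only evaluates EC2 instances"}

    # Hypothetical check; a Deep Security status lookup would go here.
    actual = item.get("configuration", {}).get("instanceType")
    wanted = params.get("desiredInstanceType")
    compliant = wanted is not None and actual == wanted
    return {**base, "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
            "Annotation": "instanceType=%s, desired=%s" % (actual, wanted)}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: evaluate, then hand the result to AWS Config."""
    evaluation = evaluate(event)
    if config_client is None:
        import boto3  # lazy import so evaluate() stays testable offline
        config_client = boto3.client("config")
    # resultToken ties this evaluation to the invocation that produced it.
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation
```

Passing a stub with a put_evaluations method as config_client lets you exercise lambda_handler without AWS credentials.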

Deep Security

[Figure: AWS Config Rules results for Deep Security]

As a launch partner for AWS Config Rules, we’ve been exploring this functionality for a while and have developed four rules to cover the most common compliance challenges around security. They are available now in our AWS Config Rules repository:
ds-IsInstanceProtectedByAntiMalware
Checks to see if the current instance is protected by Deep Security’s anti-malware controls
ds-IsInstanceProtectedBy
Checks to see if the current instance is protected by any of Deep Security’s controls. This is the generic version of ds-IsInstanceProtectedByAntiMalware
ds-DoesInstanceHavePolicy
Checks to see if the current instance is protected by a specific Deep Security policy
ds-IsInstanceClear
Checks to see if the current instance has any warnings, alerts, or errors in Deep Security
These rules can easily be configured to run every time there is a configuration change in your deployment. This ensures that each time an instance is started, stopped, etc. you will have a record of its security state. This combination creates a strong audit trail of the security status.

More To Come

This is the first of a few planned integrations between Deep Security and AWS Config Rules. Using both services together can provide a robust, automated audit trail that will help you with continuous compliance. Questions or comments? Let me know on Twitter where I’m @marknca.