Splunk Lantern

Resources with non-compliant AWS configuration rules

You might want to know which resources in your AWS infrastructure are violating AWS Config rules when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

AWS Config rules let you define desired configuration policies and continuously evaluate your resources against them; a resource that violates a rule is flagged NON_COMPLIANT. You want to list every resource flagged as violating one or more Config rules.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype="aws:config:rule" ComplianceType=NON_COMPLIANT
|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *
|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region
|table _time *

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="aws:config:rule" 

Search only AWS configuration rules.

ComplianceType=NON_COMPLIANT

Return only results with a status of non-compliant.

|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *

Lift the nested ConfigRuleName, ResourceType and ResourceId fields out of EvaluationResultIdentifier.EvaluationResultQualifier to the top level, so the following commands can refer to them by their short names.

|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region

Keep one row per unique combination of rule, resource type, resource ID, account and region, with _time set to the most recent evaluation in that group. Because the NON_COMPLIANT filter runs before stats, this is the latest time the resource was seen non-compliant, not necessarily its current status.

|table _time *

Display the results in a table with columns in the order shown. Use the wildcard to match the fields in the stats command.

Result

Sample results for this search are shown in the table below. After identifying resources that are not in compliance with the desired configuration, a logical next step is to send this information to the owner of the account_id and request that the resource be remediated so the Config rule evaluates it as compliant. Because the search filters on ComplianceType before taking the latest evaluation, a resource that was fixed and has since been re-evaluated as COMPLIANT can still appear if its earlier NON_COMPLIANT result falls inside the time range; confirm the current compliance status in AWS Config before escalating. Note that if your organization isn't using Config rules to validate the configuration of cloud resources, it might be a good time to revisit that decision.

_time                          ConfigRuleName       ResourceId   ResourceType         account_id    region
2020-10-16T00:01:30.000+0000   cloudtrail-enabled   i-3c89ef98   AWS::EC2::Instance   63605715280   us-west-2
2020-10-15T13:24:59.000+0000   cloudtrail-enabled   i-91b5c935   AWS::EC2::Instance   63605715280   us-west-2
2020-10-16T01:29:24.000+0000   cloudtrail-enabled   i-d655b2fd   AWS::EC2::Instance   63605715280   us-west-2
2020-10-15T20:53:47.000+0000   cloudtrail-enabled   i-f775b8dc   AWS::EC2::Instance   63605715280   us-west-2
2020-10-15T14:31:46.000+0000   eip-attached         i-33780497   AWS::EC2::Instance   63605715280   us-west-2
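The following Python script is an added example, not code from the page or from Splunk. It reproduces each stage of the search above (the sourcetype filter, the rename of the nested qualifier, the stats max(_time) BY grouping and the table) over constructed aws:config:rule events, rolls the findings up per account_id for the notification step described in the result section, and contrasts the page's "filter, then latest" search with a "latest, then filter" variant that reports only resources whose most recent evaluation is NON_COMPLIANT. Treating sourcetype, account_id and region as top-level keys, timestamping on ResultRecordedTime, and all function names are assumptions of this example.

```python
"""Offline equivalent of the Lantern aws:config:rule search (added example).

Reproduces the filter, rename, stats-by grouping and table over constructed
events, and shows why "filter, then latest" differs from "latest, then filter".
"""
import json
from datetime import datetime, timezone

# Constructed sample events (not real data), one JSON document per line, shaped
# like the EvaluationResult objects AWS Config returns. Top-level sourcetype,
# account_id and region, and ResultRecordedTime as _time, are assumptions.
# i-33780497 is flagged NON_COMPLIANT and later re-evaluated COMPLIANT;
# i-d655b2fd is a configuration item from another sourcetype, not a rule result.
SAMPLE_EVENTS = """
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2020-10-15T11:02:10Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "cloudtrail-enabled", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-3c89ef98"}, "OrderingTimestamp": "2020-10-15T11:00:00Z"}}
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2020-10-16T00:01:30Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "cloudtrail-enabled", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-3c89ef98"}, "OrderingTimestamp": "2020-10-15T23:59:00Z"}}
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2020-10-15T13:24:59Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "cloudtrail-enabled", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-91b5c935"}, "OrderingTimestamp": "2020-10-15T13:20:00Z"}}
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "NON_COMPLIANT", "ResultRecordedTime": "2020-10-15T14:31:46Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "eip-attached", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-33780497"}, "OrderingTimestamp": "2020-10-15T14:30:00Z"}}
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "COMPLIANT", "ResultRecordedTime": "2020-10-16T02:00:00Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "eip-attached", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-33780497"}, "OrderingTimestamp": "2020-10-16T01:58:00Z"}}
{"sourcetype": "aws:config:rule", "account_id": "63605715280", "region": "us-west-2", "ComplianceType": "COMPLIANT", "ResultRecordedTime": "2020-10-15T14:31:46Z", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "eip-attached", "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-f775b8dc"}, "OrderingTimestamp": "2020-10-15T14:30:00Z"}}
{"sourcetype": "aws:config", "account_id": "63605715280", "region": "us-west-2", "configurationItemStatus": "OK", "resourceType": "AWS::EC2::Instance", "resourceId": "i-d655b2fd"}
"""

# The BY clause of the page's stats command.
GROUP_BY = ("ConfigRuleName", "ResourceType", "ResourceId", "account_id", "region")


def parse_events(raw):
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flatten_qualifier(event):
    """`rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *`:
    lift ConfigRuleName, ResourceType and ResourceId to the top level."""
    qualifier = event.get("EvaluationResultIdentifier", {}).get("EvaluationResultQualifier", {})
    flat = dict(event)
    flat.update(qualifier)
    return flat


def event_time(event):
    """The event's _time (assumed to be derived from ResultRecordedTime)."""
    return datetime.strptime(event["ResultRecordedTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_evaluations(events):
    """`stats max(_time) AS _time BY GROUP_BY` over aws:config:rule events:
    key -> (latest _time, ComplianceType of that latest event).
    As with stats BY, an event missing any BY field is dropped."""
    latest = {}
    for event in events:
        if event.get("sourcetype") != "aws:config:rule":
            continue
        flat = flatten_qualifier(event)
        if any(field not in flat for field in GROUP_BY):
            continue
        key = tuple(flat[field] for field in GROUP_BY)
        when = event_time(flat)
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, flat.get("ComplianceType"))
    return latest


def to_rows(latest):
    """Turn the stats output into `table _time *` rows, ordered by the BY fields."""
    rows = [dict(zip(("_time",) + GROUP_BY, (when,) + key)) for key, (when, _) in latest.items()]
    rows.sort(key=lambda r: tuple(r[f] for f in GROUP_BY))
    return rows


def non_compliant_latest(events):
    """The page's search: ComplianceType=NON_COMPLIANT is applied BEFORE stats,
    so any resource that was non-compliant at some point in range appears."""
    flagged = [e for e in events if e.get("ComplianceType") == "NON_COMPLIANT"]
    return to_rows(latest_evaluations(flagged))


def currently_non_compliant(events):
    """Variant: latest evaluation per resource first, then keep only those
    whose latest result is NON_COMPLIANT; a resource re-evaluated COMPLIANT drops out."""
    latest = latest_evaluations(events)
    return to_rows({k: v for k, v in latest.items() if v[1] == "NON_COMPLIANT"})


def by_account(rows):
    """Roll findings up per account_id, the owner the page suggests notifying."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["account_id"], []).append(
            (row["ConfigRuleName"], row["ResourceType"], row["ResourceId"]))
    return grouped


def format_table(rows):
    """Render rows as `table _time *` would, with Splunk-style timestamps."""
    lines = ["\t".join(("_time",) + GROUP_BY)]
    for row in rows:
        cells = [row["_time"].strftime("%Y-%m-%dT%H:%M:%S.000+0000")] + [row[c] for c in GROUP_BY]
        lines.append("\t".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("Page's search (filter, then latest):")
    print(format_table(non_compliant_latest(events)))
    print("\nCurrently non-compliant (latest, then filter):")
    current = currently_non_compliant(events)
    print(format_table(current))
    for account, items in by_account(current).items():
        print(f"\naccount {account}: {len(items)} resource(s) to remediate")
```

Run it and the page's search lists three resources, including i-33780497, whose latest evaluation is COMPLIANT; the "latest, then filter" variant lists two. The same ordering in SPL is to drop the ComplianceType filter from the base search, add latest(ComplianceType) AS ComplianceType to the stats command alongside max(_time), and filter with `| search ComplianceType=NON_COMPLIANT` after the stats. Either form still depends on the time range covering at least one evaluation per resource.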

The Splunk App for AWS runs a similar search and provides additional insight into Config rule compliance. Its configuration dashboard is found by navigating to Insights -> Config Rules.
