Resources with non-compliant AWS configuration rules
AWS configuration rules let you define configuration policies and monitor resources created in violation of those policies. You want to evaluate all resources currently in violation of one or more config rules.
Data required
AWS: Configuration logs
Procedure
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
  - Pulling the data into Splunk via the AWS APIs. At small scale, pulling via the AWS APIs works well.
  - Pushing the data from AWS into Splunk via Lambda or Firehose to the Splunk HTTP Event Collector (HEC). As the number of AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.
- Run the following search:
sourcetype="aws:config:rule" ComplianceType=NON_COMPLIANT |rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS * |stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region |table _time *
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
`sourcetype="aws:config:rule"` | Search only AWS configuration rule evaluation events. |
`ComplianceType=NON_COMPLIANT` | Return only results with a status of non-compliant. |
`\|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *` | Rename the nested fields (ConfigRuleName, ResourceType, ResourceId) to top-level fields for better readability. |
`\|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region` | Set the _time field to the time of the most recent non-compliant evaluation for each combination of rule, resource type, resource ID, account, and region. |
`\|table _time *` | Display the results in a table with columns in the order shown. Use the wildcard to match the fields in the stats command. |
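The following is an added example, not code from the original page or from Splunk: it reproduces the logic of the search above in plain Python over a handful of constructed aws:config:rule events, so the filter, rename and stats steps can be checked offline before the search is scheduled. It also shows a caveat the search explanation does not make explicit: because the NON_COMPLIANT filter runs before `stats max(_time)`, a resource that was later re-evaluated as COMPLIANT still appears with the time of its last non-compliant evaluation. The `currently_non_compliant` variant takes the newest evaluation of any type first and then filters, and `by_account` groups findings for the per-account hand-off described under Next steps. All event values (account IDs, resource IDs, timestamps, rule names) are invented for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (not real AWS data), shaped like the JSON the Splunk
# Add-on for AWS indexes under sourcetype aws:config:rule. One JSON object per line.
SAMPLE_EVENTS = r"""
{"_time": 1700000000, "account_id": "111111111111", "region": "us-east-1", "ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "s3-bucket-public-read-prohibited", "ResourceType": "AWS::S3::Bucket", "ResourceId": "example-logs-bucket"}}}
{"_time": 1700003600, "account_id": "111111111111", "region": "us-east-1", "ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "s3-bucket-public-read-prohibited", "ResourceType": "AWS::S3::Bucket", "ResourceId": "example-logs-bucket"}}}
{"_time": 1700001000, "account_id": "111111111111", "region": "us-east-1", "ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "encrypted-volumes", "ResourceType": "AWS::EC2::Volume", "ResourceId": "vol-0123456789abcdef0"}}}
{"_time": 1700001800, "account_id": "111111111111", "region": "us-east-1", "ComplianceType": "COMPLIANT", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "encrypted-volumes", "ResourceType": "AWS::EC2::Volume", "ResourceId": "vol-0123456789abcdef0"}}}
{"_time": 1700002000, "account_id": "222222222222", "region": "eu-west-1", "ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ConfigRuleName": "restricted-ssh", "ResourceType": "AWS::EC2::SecurityGroup", "ResourceId": "sg-0123456789abcdef0"}}}
{"_time": 1700002500, "account_id": "222222222222", "region": "eu-west-1", "ComplianceType": "NON_COMPLIANT"}
"""

# The BY fields of the stats command in the page's search.
GROUP_BY = ("ConfigRuleName", "ResourceType", "ResourceId", "account_id", "region")


def parse_events(raw_lines):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in raw_lines.strip().splitlines() if line.strip()]


def flatten_qualifier(event):
    """Equivalent of `rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *`:
    lift ConfigRuleName, ResourceType and ResourceId to top-level fields."""
    flat = dict(event)
    qualifier = event.get("EvaluationResultIdentifier", {}).get("EvaluationResultQualifier", {})
    flat.update(qualifier)
    return flat


def latest_evaluations(events):
    """Newest evaluation per (rule, type, id, account, region), regardless of
    ComplianceType. Like `stats ... BY`, an event missing any BY field (the last
    constructed sample above has no qualifier) is dropped, not grouped under an
    empty value."""
    latest = {}
    for raw in events:
        ev = flatten_qualifier(raw)
        if not all(f in ev for f in GROUP_BY):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        if key not in latest or ev["_time"] > latest[key]["_time"]:
            latest[key] = ev
    return latest


def _rows(latest):
    """Shape the per-group results like `table _time *`, newest first
    (the SPL output order is not guaranteed; sorting here keeps results stable)."""
    rows = [{"_time": ev["_time"], **{f: ev[f] for f in GROUP_BY}} for ev in latest.values()]
    return sorted(rows, key=lambda r: r["_time"], reverse=True)


def non_compliant_resources(events):
    """The page's search: filter ComplianceType=NON_COMPLIANT, then max(_time) per group.
    A resource re-evaluated as COMPLIANT later still appears with its old timestamp."""
    non_compliant = [e for e in events if e.get("ComplianceType") == "NON_COMPLIANT"]
    return _rows(latest_evaluations(non_compliant))


def currently_non_compliant(events):
    """Variant: take the newest evaluation of any type per resource first, then keep
    only those whose newest evaluation is still NON_COMPLIANT."""
    latest = latest_evaluations(events)
    still_bad = {k: ev for k, ev in latest.items() if ev["ComplianceType"] == "NON_COMPLIANT"}
    return _rows(still_bad)


def by_account(rows):
    """Group findings per account_id for the hand-off to each account contact."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["account_id"]].append(row)
    return dict(grouped)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("as the page's search reports it:")
    for acct, items in by_account(non_compliant_resources(events)).items():
        for r in items:
            print(f"  {acct} {r['_time']} {r['ConfigRuleName']} {r['ResourceType']} {r['ResourceId']} ({r['region']})")
    print("still non-compliant at the newest evaluation:")
    for r in currently_non_compliant(events):
        print(f"  {r['account_id']} {r['_time']} {r['ConfigRuleName']} {r['ResourceId']}")
```

On the constructed sample the page's logic lists three resources (the encrypted-volumes finding is included even though the volume's newest evaluation is COMPLIANT), while the current-state variant lists two. The SPL equivalent of the variant is to move the filter after the stats, for example `stats latest(ComplianceType) AS ComplianceType max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region` followed by `search ComplianceType=NON_COMPLIANT`.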
Next steps
The columns returned by this search are shown in the table below. After identifying items that are not in compliance with the desired configuration, a logical next step is to send this information to the contact for the account_id and request that the resource be remediated to a setting that satisfies the configuration rule. Note that the search filters on NON_COMPLIANT before taking the latest timestamp, so a resource that was later re-evaluated as COMPLIANT still appears with the time of its last non-compliant evaluation; narrow the search time range or check the resource's latest evaluation before raising a request. If your organization isn't using configuration rules to validate the integrity of cloud resources, it might be a good time to revisit that decision.
_time | ConfigRuleName | ResourceId | ResourceType | account_id | region |
---|---|---|---|---|---|
You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.