Splunk Lantern

Resources with non-compliant AWS configuration rules

AWS configuration rules let you define configuration policies and monitor resources created in violation of those policies. You want to evaluate all resources currently in violation of one or more config rules. 

Data required 

AWS configuration logs

Procedure

  1. Configure the Splunk Add-on for Amazon Web Services.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data into Splunk via the AWS APIs. At small scale, pulling via the AWS APIs works fine.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP Event Collector. As the number of AWS accounts or the volume of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
  3. Run the following search: 
sourcetype="aws:config:rule" ComplianceType=NON_COMPLIANT
|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *
|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region
|table _time *

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search: explanation

sourcetype="aws:config:rule"
    Search only AWS configuration rule evaluation events.

ComplianceType=NON_COMPLIANT
    Return only evaluation results with a status of non-compliant.

|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *
    Lift the nested qualifier fields (ConfigRuleName, ResourceType, ResourceId) to top-level field names for better readability.

|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region
    Collapse repeated evaluations into one row per rule, resource type, resource ID, account and region, setting _time to the latest evaluation time seen for that combination.

|table _time *
    Display the results in a table with _time first. The wildcard matches the remaining fields produced by the stats command.
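To make the search's semantics concrete, the following Python is an added example (not code from the Splunk Lantern page or from Splunk) that replays the same pipeline over constructed aws:config:rule-style events: the rename step lifts the nested EvaluationResultQualifier fields, the filter keeps NON_COMPLIANT evaluations, and the stats step keeps the latest time per grouping key. It also includes a second function, currently_non_compliant, which is not on the page: it shows why filtering before stats matters, since a resource that was later re-evaluated as COMPLIANT still appears in the page's search with its last non-compliant timestamp. All event values, instance IDs and account numbers are constructed.

```python
"""Replay the Lantern AWS Config rule search over constructed events.

Added example; not from the Splunk Lantern page or from Splunk. The events
are constructed to resemble sourcetype=aws:config:rule results (nested
EvaluationResultIdentifier.EvaluationResultQualifier, ComplianceType,
account_id and region). Every value below is made up.
"""
from datetime import datetime

# Grouping key used by `| stats ... BY ConfigRuleName ResourceType ResourceId account_id region`
KEY_FIELDS = ("ConfigRuleName", "ResourceType", "ResourceId", "account_id", "region")


def make_event(time, status, rule, resource_type, resource_id,
               account="111111111111", region="us-west-2"):
    """Build one constructed evaluation event in the nested shape AWS Config emits."""
    return {
        "_time": time,
        "ComplianceType": status,
        "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": rule,
                "ResourceType": resource_type,
                "ResourceId": resource_id,
            }
        },
        "account_id": account,
        "region": region,
    }


# Constructed sample: i-aaaa1111 was flagged twice, then evaluated COMPLIANT later.
SAMPLE_EVENTS = [
    make_event("2020-10-15T09:00:00+00:00", "NON_COMPLIANT", "cloudtrail-enabled", "AWS::EC2::Instance", "i-aaaa1111"),
    make_event("2020-10-15T13:00:00+00:00", "NON_COMPLIANT", "cloudtrail-enabled", "AWS::EC2::Instance", "i-aaaa1111"),
    make_event("2020-10-15T15:00:00+00:00", "COMPLIANT", "cloudtrail-enabled", "AWS::EC2::Instance", "i-aaaa1111"),
    make_event("2020-10-15T14:31:46+00:00", "NON_COMPLIANT", "eip-attached", "AWS::EC2::Instance", "i-bbbb2222"),
    make_event("2020-10-16T00:00:00+00:00", "COMPLIANT", "cloudtrail-enabled", "AWS::EC2::Instance", "i-cccc3333"),
]


def rename_qualifier_fields(event):
    """Equivalent of `| rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *`."""
    flat = {k: v for k, v in event.items() if k != "EvaluationResultIdentifier"}
    qualifier = event.get("EvaluationResultIdentifier", {}).get("EvaluationResultQualifier", {})
    flat.update(qualifier)
    return flat


def _key(event):
    return tuple(event.get(f) for f in KEY_FIELDS)


def _row(key, when):
    row = {"_time": when.isoformat()}
    row.update(dict(zip(KEY_FIELDS, key)))
    return row


def lantern_search(events):
    """The page's search: filter NON_COMPLIANT, then `stats max(_time) BY <KEY_FIELDS>`."""
    latest = {}
    for ev in (rename_qualifier_fields(e) for e in events):
        if ev.get("ComplianceType") != "NON_COMPLIANT":
            continue
        when = datetime.fromisoformat(ev["_time"])
        key = _key(ev)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return sorted((_row(k, t) for k, t in latest.items()), key=lambda r: r["ResourceId"])


def currently_non_compliant(events):
    """Variant (hypothetical, not on the page): take each key's most recent evaluation of
    any status first, then keep only those whose latest status is NON_COMPLIANT."""
    latest = {}
    for ev in (rename_qualifier_fields(e) for e in events):
        when = datetime.fromisoformat(ev["_time"])
        key = _key(ev)
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, ev.get("ComplianceType"))
    return sorted((_row(k, t) for k, (t, status) in latest.items() if status == "NON_COMPLIANT"),
                  key=lambda r: r["ResourceId"])


if __name__ == "__main__":
    for row in lantern_search(SAMPLE_EVENTS):
        print("page search      :", row)
    for row in currently_non_compliant(SAMPLE_EVENTS):
        print("latest-state only:", row)
```

Running it, the page's search reports both i-aaaa1111 (with its 13:00 timestamp, the later COMPLIANT evaluation having been filtered out before stats) and i-bbbb2222, while the latest-state variant reports only i-bbbb2222. Which behaviour you want depends on whether you are building a remediation list (current state) or an audit trail of everything that was ever flagged.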

Next steps

Sample results for this search are shown in the table below. After identifying items that are not in compliance with the desired configuration, a logical next step is to send this information to the contact for the account_id and request that the required configuration rule be remediated to a compliant setting. If your organization isn't using configuration rules to validate the integrity of cloud resources, it might be a good time to revisit that decision. 

_time                          ConfigRuleName      ResourceId  ResourceType        account_id   region
2020-10-16T00:01:30.000+0000   cloudtrail-enabled  i-3c89ef98  AWS::EC2::Instance  63605715280  us-west-2
2020-10-15T13:24:59.000+0000   cloudtrail-enabled  i-91b5c935  AWS::EC2::Instance  63605715280  us-west-2
2020-10-16T01:29:24.000+0000   cloudtrail-enabled  i-d655b2fd  AWS::EC2::Instance  63605715280  us-west-2
2020-10-15T20:53:47.000+0000   cloudtrail-enabled  i-f775b8dc  AWS::EC2::Instance  63605715280  us-west-2
2020-10-15T14:31:46.000+0000   eip-attached        i-33780497  AWS::EC2::Instance  63605715280  us-west-2

The AWS app runs a similar search and provides additional insight into configuration rules. Its configuration dashboard is found by navigating to Insights -> Config Rules.

You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.