Resources with non-compliant AWS configuration rules

You might want to know what resources in your AWS infrastructure are violating configuration rules when doing the following:

• Managing an Amazon Web Services environment

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

• AWS configuration logs
• Splunk Add-on for Amazon Web Services

Example

AWS configuration rules let you define configuration policies and monitor resources created in violation of those policies. You want to evaluate all resources currently in violation of one or more config rules. 

NOTE: To optimize the search shown below, you should specify an index and a time range.

1. Run the following search: 

sourcetype="aws:config:rule" ComplianceType=NON_COMPLIANT
|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *
|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region
|table _time *

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Result

Sample results for this search are shown in the table below. After identifying items that are not in compliance with the desired configuration, a logical next step is to send this information to the contact for the account_id and request that the required config rule be remediated to a compliant setting. Note that if your organization isn't using configuration rules to validate the integrity of cloud resources, it might be a good time to revisit that decision. 

The AWS app does a similar search and provides additional insight for configuration rules. The configuration dashboard is found by navigating to Insights -> Config Rules.