Resources with non-compliant AWS configuration rules

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

AWS configuration rules let you define configuration policies and monitor resources created in violation of those policies. You want to evaluate all resources currently in violation of one or more config rules.

Data required

AWS: Configuration logs

Procedure

Configure the Splunk Add-on for Amazon Web Services.
Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.

Run the following search:

sourcetype="aws:config:rule" ComplianceType=NON_COMPLIANT
|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *
|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region
|table _time *

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`sourcetype="aws:config:rule"`	Search only AWS configuration rules.
`ComplianceType=NON_COMPLIANT`	Return only results with a status of non-compliant.
`\|rename EvaluationResultIdentifier.EvaluationResultQualifier.* AS *`	Rename the field as shown for better readability.
`\|stats max(_time) AS _time BY ConfigRuleName ResourceType ResourceId account_id region`	Set the `_time` field to the latest time available for each resource.
`\|table _time *`	Display the results in a table with columns in the order shown. Use the wildcard to match the fields in the stats command.

Next steps

Sample results for this search are shown in the table below. After identifying items that are not in compliance with the desired configuration, a logical next step is to send this information to the contact for the account_id and request that the required configuration rule be remediated to a compliant setting. If your organization isn't using configuration rules to validate the integrity of cloud resources, it might be a good time to revisit that decision.

`_time`	`ConfigRuleName`	`ResourceId`	`ResourceType`	`account_id`	`region`
`2020-10-16T00:01:30.000+0000`	`cloudtrail-enabled`	`i-3c89ef98`	`AWS::EC2::Instance`	`63605715280`	`us-west-2`
`2020-10-15T13:24:59.000+0000`	`cloudtrail-enabled`	`i-91b5c935`	`AWS::EC2::Instance`	`63605715280`	`us-west-2`
`2020-10-16T01:29:24.000+0000`	`cloudtrail-enabled`	`i-d655b2fd`	`AWS::EC2::Instance`	`63605715280`	`us-west-2`
`2020-10-15T20:53:47.000+0000`	`cloudtrail-enabled`	`i-f775b8dc`	`AWS::EC2::Instance`	`63605715280`	`us-west-2`
`2020-10-15T14:31:46.000+0000`	`eip-attached`	`i-33780497`	`AWS::EC2::Instance`	`63605715280`	`us-west-2`

You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.