12 AWS Config rules that every account should have

source link: https://acloudguru.com/blog/engineering/12-aws-config-rules-that-every-account-should-have

Eric Pulsifer
Jul 30, 2021 6 Minute Read

Using the out-of-the-box tools that come with AWS is a great start when it comes to securing your environment and reducing your blast radius. In this post, we’ll cover 12 AWS Config rules that should be considered a bare minimum requirement for any account.

Because most of security is doing the basic things. (Don’t “hide” your laptop under a hoodie on the passenger seat, and it’s a little less likely to wind up missing.) But, when it comes to securing your AWS environment, the basic things can be kind of hard.

What is AWS Config?

One key step for securing your AWS environment is to create an asset inventory.

There are various ways you can build an asset inventory. You can use third-party tools or CLI scripts, but there's a quick and easy way: AWS Config.

AWS Config lets you record and assess the configurations of your AWS resources. It has two basic functions.

  1. It records the configuration of your resources and every change to that configuration from the moment recording starts.
  2. It evaluates rules against that recorded data to tell you whether resources are compliant.


Enabling AWS Config

To get started, you’ll need to enable AWS Config. You can get details on the full process here. During this process you’ll do the following:

  • Create an S3 bucket to hold configuration data
  • Create a Config configuration recorder
  • Create a Delivery channel
  • Verify with the AWS CLI:
    • aws configservice describe-delivery-channels
    • aws configservice describe-configuration-recorders
    • aws configservice describe-configuration-recorder-status

Once we’re done, the system is going to start collecting assets and storing them. We can see them in AWS Config and see changes from that point forward.

With the inventory configured, you can now:

  • See counts on resources across the account
  • Search the inventory with SQL
  • View details on the assets
  • Enable or create AWS Config rules to ensure compliance

If you do this across many accounts, note that Config data can be collected centrally for all accounts under your control.
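The steps above (bucket, recorder, delivery channel, CLI verification) and the SQL-style inventory query, put together as an added example that is not part of the original post. The bucket name, role ARNs and region are placeholders you must replace; the health check parses the JSON that describe-configuration-recorder-status returns, so it can be exercised offline on a constructed response.

```shell
#!/usr/bin/env sh
# Added example (not from the article): enable AWS Config from the CLI, verify the recorder,
# and run one inventory query. Bucket, role ARN and region below are assumed placeholders.
set -eu

CONFIG_BUCKET="${CONFIG_BUCKET:-PLACEHOLDER-config-bucket}"
CONFIG_ROLE_ARN="${CONFIG_ROLE_ARN:-arn:aws:iam::123456789012:role/PLACEHOLDER-AWSConfigRole}"
REGION="${AWS_REGION:-us-east-1}"

# JSON for put-configuration-recorder: record every supported resource type, including
# global ones such as IAM, so the inventory is complete rather than a regional subset.
recorder_json() {
  printf '{"name":"default","roleARN":"%s","recordingGroup":{"allSupported":true,"includeGlobalResourceTypes":true}}' "$CONFIG_ROLE_ARN"
}

# JSON for put-delivery-channel: configuration snapshots land in the S3 bucket once a day.
delivery_channel_json() {
  printf '{"name":"default","s3BucketName":"%s","configSnapshotDeliveryProperties":{"deliveryFrequency":"TwentyFour_Hours"}}' "$CONFIG_BUCKET"
}

# The three calls that turn Config on: recorder, delivery channel, then start recording.
enable_config() {
  aws configservice put-configuration-recorder --region "$REGION" \
      --configuration-recorder "$(recorder_json)"
  aws configservice put-delivery-channel --region "$REGION" \
      --delivery-channel "$(delivery_channel_json)"
  aws configservice start-configuration-recorder --region "$REGION" \
      --configuration-recorder-name default
}

# Reads describe-configuration-recorder-status JSON on stdin and succeeds only when the
# recorder is recording AND its last delivery succeeded. Plain grep, so jq is not required.
recorder_is_healthy() {
  status="$(cat)"
  printf '%s\n' "$status" | grep -Eq '"recording": *true' &&
    printf '%s\n' "$status" | grep -Eq '"lastStatus": *"SUCCESS"'
}

# The verification commands from the article, with the last one checked rather than eyeballed.
verify_config() {
  aws configservice describe-delivery-channels --region "$REGION"
  aws configservice describe-configuration-recorders --region "$REGION"
  aws configservice describe-configuration-recorder-status --region "$REGION" | recorder_is_healthy
}

# One inventory query (Config advanced query): every recorded EC2 instance with its type.
query_instances() {
  aws configservice select-resource-config --region "$REGION" --expression \
    "SELECT resourceId, awsRegion, configuration.instanceType WHERE resourceType = 'AWS::EC2::Instance'"
}

case "${1:-}" in
  enable) enable_config && verify_config ;;
  verify) verify_config ;;
  query)  query_instances ;;
esac
```

Run it as `./enable-config.sh enable` once the bucket policy and the Config service role exist; `verify` alone is a cheap check to put in a scheduled job, since a recorder that someone stopped looks healthy in the console until you actually read its status.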

12 recommended AWS Config rules

AWS Config has managed rules for many resources. As a bare minimum, here are 12 recommended Config rules courtesy of cloud architect and security engineer Don Magee, Cloud Security Lead at Stedi.

AWS Config rule                              Action
cloudformation-stack-drift-detection-check   All stacks should have no drift
s3-bucket-level-public-access-prohibited     S3 buckets should not be public
ec2-instance-no-public-ip                    EC2 instances should not have public IPs
ebs-snapshot-public-restorable-check         Your server snapshots should not be public
iam-root-access-key-check                    The root user should not have access keys
cloudtrail-enabled                           CloudTrail should always be enabled
ec2-ebs-encryption-by-default                All EBS volumes should be encrypted by default
s3-bucket-server-side-encryption-enabled     S3 should be encrypted by default
vpc-default-security-group-closed            The default security group should not be in use
acm-certificate-expiration-check             Ensure your certificates are not about to expire
access-keys-rotated                          Ensures IAM user access keys are rotated
iam-user-unused-credentials-check            Find inactive accounts to disable
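Deploying the 12 rules above from the CLI and pulling out the ones that are failing, as an added example that is not part of the original post. The managed-rule identifiers are the ones I know for these rules (the cloudtrail-enabled identifier is the irregular CLOUD_TRAIL_ENABLED); treat them as an assumption to check against the AWS Config managed rules list, and replace the CloudFormation role ARN placeholder, which the drift-detection rule requires as a parameter. The parameter values for the age and expiry rules are choices, not defaults from the article.

```shell
#!/usr/bin/env sh
# Added example (not from the article): put the 12 managed rules in place and list the
# non-compliant ones. Identifiers are assumed from the AWS managed rules list; the
# CloudFormation role ARN is a placeholder.
set -eu

REGION="${AWS_REGION:-us-east-1}"
CFN_ROLE_ARN="${CFN_ROLE_ARN:-arn:aws:iam::123456789012:role/PLACEHOLDER-ConfigCloudFormationRole}"

# rule name | managed-rule identifier | input parameters as JSON ({} when none)
RULES="
cloudformation-stack-drift-detection-check|CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK|{\"cloudformationRoleArn\":\"$CFN_ROLE_ARN\"}
s3-bucket-level-public-access-prohibited|S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED|{}
ec2-instance-no-public-ip|EC2_INSTANCE_NO_PUBLIC_IP|{}
ebs-snapshot-public-restorable-check|EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK|{}
iam-root-access-key-check|IAM_ROOT_ACCESS_KEY_CHECK|{}
cloudtrail-enabled|CLOUD_TRAIL_ENABLED|{}
ec2-ebs-encryption-by-default|EC2_EBS_ENCRYPTION_BY_DEFAULT|{}
s3-bucket-server-side-encryption-enabled|S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED|{}
vpc-default-security-group-closed|VPC_DEFAULT_SECURITY_GROUP_CLOSED|{}
acm-certificate-expiration-check|ACM_CERTIFICATE_EXPIRATION_CHECK|{\"daysToExpiration\":\"30\"}
access-keys-rotated|ACCESS_KEYS_ROTATED|{\"maxAccessKeyAge\":\"90\"}
iam-user-unused-credentials-check|IAM_USER_UNUSED_CREDENTIALS_CHECK|{\"maxCredentialUsageAge\":\"90\"}
"

# Build the --config-rule JSON. InputParameters is itself a JSON document carried as a
# string, so its quotes have to be escaped inside the outer document.
rule_json() {
  name=$1; ident=$2; params=$3
  esc=$(printf '%s' "$params" | sed 's/"/\\"/g')
  printf '{"ConfigRuleName":"%s","Source":{"Owner":"AWS","SourceIdentifier":"%s"},"InputParameters":"%s"}' \
    "$name" "$ident" "$esc"
}

# put-config-rule is idempotent on the rule name, so re-running this updates in place.
deploy_rules() {
  printf '%s\n' "$RULES" | grep -v '^$' | while IFS='|' read -r name ident params; do
    aws configservice put-config-rule --region "$REGION" \
      --config-rule "$(rule_json "$name" "$ident" "$params")"
  done
}

# Reads describe-compliance-by-config-rule JSON on stdin and prints one NON_COMPLIANT rule
# name per line. Relies on ConfigRuleName preceding its Compliance block, as the CLI emits it.
noncompliant_rules() {
  awk -F'"' '/"ConfigRuleName"/ {name=$4} /"ComplianceType": *"NON_COMPLIANT"/ {print name}'
}

case "${1:-}" in
  deploy) deploy_rules ;;
  report) aws configservice describe-compliance-by-config-rule --region "$REGION" | noncompliant_rules ;;
esac
```

`deploy` leaves the rules evaluating on their own schedule; `report` is what you wire into a ticketing or chat integration, since a rule that nobody reads is only a line item on the bill.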

How does cost work with AWS Config?

From a cost perspective, the recorder (storing configuration items in S3) and each rule evaluation carry a charge, but this shouldn't be too costly for most organizations.

Don said his organization eventually moved off of Config as it grew in search of a better dashboard than AWS could provide, but they were at 30 accounts and 26 Config rules and the cost was not prohibitive at that point.


Lock down your AWS security skills.

Want to learn more about security in the cloud? Check out our Mastering the AWS Well-Architected Framework course, or dig into our massive library of hands-on cloud learning.

