New – Amazon Web Services Config Rules Now Support Proactive Compliance

{"value":"When operating a business, you have to find the right balance between speed and control for your cloud operations. On one side, you want to have the ability to quickly provision the cloud resources you need for your applications. At the same time, depending on your industry, you need to maintain compliance with regulatory, security, and operational best practices.\n\n[Amazon Web Services Config](https://aws.amazon.com/config/) provides rules, which you can run in **detective mode** to evaluate if the configuration settings of your Amazon Web Services resources are compliant with your desired configuration settings. Today, we are extending Amazon Web Services Config rules to support **proactive mode** so that they can be run at any time before provisioning and save time spent to implement custom pre-deployment validations.\n\nWhen creating standard resource templates, platform teams can run Amazon Web Services Config rules in proactive mode so that they can be tested to be compliant before being shared across your organization. When implementing a new service or a new functionality, development teams can run rules in proactive mode as part of their continuous integration and continuous delivery (CI/CD) pipeline to identify noncompliant resources.\n\nYou can also use [Amazon Web Services CloudFormation Guard](https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html) in your deployment pipelines to check for compliance proactively and ensure that a consistent set of policies are applied both before and after resources are provisioned.\n\nLet’s see how this works in practice.\n\n**++Using Proactive Compliance with Amazon Web Services Config++**\n\nIn the [Amazon Web Services Config console](https://console.aws.amazon.com/config), I choose Rules in the navigation pane. In the rules table, I see the new **Enabled evaluation mode** column that specifies whether the rule is **proactive** or **detective**. Let’s set up my first rule.\n\n\n\nI choose **Add rule**, and then I enter ```rds-storage``` in the **Amazon Web Services Managed Rules** search box to find the **rds-storage-encrypted** rule. This rule checks whether storage encryption is enabled for your [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/) DB instances and can be added in proactive or detective evaluation mode. I choose **Next**.\n\n\n\nIn the **Evaluation mode** section, I turn on proactive evaluation. Now both the proactive and detective evaluation switches are enabled.\n\n\n\nI leave all the other settings to their default values and choose **Next**. In the next step, I review the configuration and add the rule.\n\n\n\nNow, I can use proactive compliance via the Amazon Web Services Config API (including the [Amazon Web Services Command Line Interface (CLI)](https://aws.amazon.com/cli/) and [Amazon Web Services SDKs](https://aws.amazon.com/tools/)) or with CloudFormation Guard. In my CI/CD pipeline, I can use the Amazon Web Services Config API to check the compliance of a resource before creating it. When deploying using [Amazon Web Services CloudFormation](https://aws.amazon.com/cloudformation/), I can set up a CloudFormation [hook ](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html)to proactively check my configuration before the actual deployment happens.\n\nLet’s do an example using the Amazon Web Services CLI. First, I call the ```StartProactiveEvaluationResponse ```API with in input the resource ID (for reference only), the resource type, and its configuration using the CloudFormation schema. For simplicity, in the database configuration, I only use the ```StorageEncrypted ```option and set it to ```true ```to pass the evaluation. I use an evaluation timeout of ```60 ```seconds, which is more than enough for this rule.\n\n```\\naws configservice start-resource-evaluation --evaluation-mode PROACTIVE \\\\\\n --resource-details '{\\"ResourceId\\":\\"myDB\\",\\n \\"ResourceType\\":\\"AWS::RDS::DBInstance\\",\\n \\"ResourceConfiguration\\":\\"{\\\\\\"StorageEncrypted\\\\\\":true}\\",\\n \\"ResourceConfigurationSchemaType\\":\\"CFN_RESOURCE_SCHEMA\\"}' \\\\\\n --evaluation-timeout 60\\n```\n\nJSON\n\n```\\n{\\n \\"ResourceEvaluationId\\": \\"be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\"\\n}\\n```\n\nI get back in output the ```ResourceEvaluationId ```that I use to check the evaluation status using the ```GetResourceEvaluationSummary ```API. In the beginning, the evaluation is ```IN_PROGRESS```. It usually takes a few seconds to get a ```COMPLIANT ```or ```NON_COMPLIANT``` result.\n\n```\\naws configservice get-resource-evaluation-summary \\\\\\n --resource-evaluation-id be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\n```\n\nJSON\n\n```\\n{\\n \\"ResourceEvaluationId\\": \\"be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\",\\n \\"EvaluationMode\\": \\"PROACTIVE\\",\\n \\"EvaluationStatus\\": {\\n \\"Status\\": \\"SUCCEEDED\\"\\n },\\n \\"EvaluationStartTimestamp\\": \\"2022-11-15T19:13:46.029000+00:00\\",\\n \\"Compliance\\": \\"COMPLIANT\\",\\n \\"ResourceDetails\\": {\\n \\"ResourceId\\": \\"myDB\\",\\n \\"ResourceType\\": \\"AWS::RDS::DBInstance\\",\\n \\"ResourceConfiguration\\": \\"{\\\\\\"StorageEncrypted\\\\\\":true}\\"\\n }\\n}\\n```\n\nAs expected, the [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail) configuration is compliant to the **rds-storage-encrypted** rule. If I repeat the previous steps with ```StorageEncrypted ```set to ```false```, I get a noncompliant result.\n\nIf more than one rule is enabled for a resource type, all applicable rules are run in proactive mode for the resource evaluation. To find out individual rule-level compliance for the resource, I can call the ```GetComplianceDetailsByResource ```API:\n\n```\\naws configservice get-compliance-details-by-resource \\\\\\n --resource-evaluation-id be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\n```\n\nJSON\n\n```\\n{\\n \\"EvaluationResults\\": [\\n {\\n \\"EvaluationResultIdentifier\\": {\\n \\"EvaluationResultQualifier\\": {\\n \\"ConfigRuleName\\": \\"rds-storage-encrypted\\",\\n \\"ResourceType\\": \\"AWS::RDS::DBInstance\\",\\n \\"ResourceId\\": \\"myDB\\",\\n \\"EvaluationMode\\": \\"PROACTIVE\\"\\n },\\n \\"OrderingTimestamp\\": \\"2022-11-15T19:14:42.588000+00:00\\",\\n \\"ResourceEvaluationId\\": \\"be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\"\\n },\\n \\"ComplianceType\\": \\"COMPLIANT\\",\\n \\"ResultRecordedTime\\": \\"2022-11-15T19:14:55.588000+00:00\\",\\n \\"ConfigRuleInvokedTime\\": \\"2022-11-15T19:14:42.588000+00:00\\"\\n }\\n ]\\n}\\n```\n\nIf, when looking at these details, your desired rule is not invoked, be sure to check that proactive mode is turned on.\n\n**++Availability and Pricing++**\n\nProactive compliance will be available in all commercial [Amazon Web Services Regions](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) where [Amazon Web Services Config](https://aws.amazon.com/config/) is offered but it might take a few days to deploy this new capability across all these Regions. I’ll update this post when this deployment is complete. To see which [Amazon Web Services Config](https://aws.amazon.com/config/) rules can be turned into proactive mode, see the [Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html).\n\nYou are charged based on the number of Amazon Web Services Config rule evaluations recorded. A rule evaluation is recorded every time a resource is evaluated for compliance against an Amazon Web Services Config rule. Rule evaluations can be run in detective mode and/or in proactive mode, if available. If you are running a rule in both detective mode and proactive mode, you will be charged for only the evaluations in detective mode. For more information, see [Amazon Web Services Config pricing.](https://aws.amazon.com/config/pricing/)\n\n[With this new feature, you can use Amazon Web Services Config to check your rules before provisioning and avoid implementing your own custom validations.\\n](https://aws.amazon.com/config/)\n\n— [Danilo](https://twitter.com/danilop)\n\n\n\n### **[Danilo Poccia](https://aws.amazon.com/blogs/aws/author/danilop/)**\n\nDanilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Web Services Lambda in Action from Manning.","render":"<p>When operating a business, you have to find the right balance between speed and control for your cloud operations. On one side, you want to have the ability to quickly provision the cloud resources you need for your applications. At the same time, depending on your industry, you need to maintain compliance with regulatory, security, and operational best practices.</p>\n<p><a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">Amazon Web Services Config</a> provides rules, which you can run in <strong>detective mode</strong> to evaluate if the configuration settings of your Amazon Web Services resources are compliant with your desired configuration settings. Today, we are extending Amazon Web Services Config rules to support <strong>proactive mode</strong> so that they can be run at any time before provisioning and save time spent to implement custom pre-deployment validations.</p>\\n<p>When creating standard resource templates, platform teams can run Amazon Web Services Config rules in proactive mode so that they can be tested to be compliant before being shared across your organization. When implementing a new service or a new functionality, development teams can run rules in proactive mode as part of their continuous integration and continuous delivery (CI/CD) pipeline to identify noncompliant resources.</p>\n<p>You can also use <a href=\\"https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html\\" target=\\"_blank\\">Amazon Web Services CloudFormation Guard</a> in your deployment pipelines to check for compliance proactively and ensure that a consistent set of policies are applied both before and after resources are provisioned.</p>\\n<p>Let’s see how this works in practice.</p>\n<p><strong><ins>Using Proactive Compliance with Amazon Web Services Config</ins></strong></p>\n<p>In the <a href=\\"https://console.aws.amazon.com/config\\" target=\\"_blank\\">Amazon Web Services Config console</a>, I choose Rules in the navigation pane. In the rules table, I see the new <strong>Enabled evaluation mode</strong> column that specifies whether the rule is <strong>proactive</strong> or <strong>detective</strong>. Let’s set up my first rule.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/f0fefe657d604b96a5a419cec86ee173_image.png\\" alt=\\"image.png\\" /></p>\n<p>I choose <strong>Add rule</strong>, and then I enter <code>rds-storage</code> in the <strong>Amazon Web Services Managed Rules</strong> search box to find the <strong>rds-storage-encrypted</strong> rule. This rule checks whether storage encryption is enabled for your <a href=\\"https://aws.amazon.com/rds/\\" target=\\"_blank\\">Amazon Relational Database Service (RDS)</a> DB instances and can be added in proactive or detective evaluation mode. I choose <strong>Next</strong>.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/5687690de86f45d2b04d3b4bb3eea400_image.png\\" alt=\\"image.png\\" /></p>\n<p>In the <strong>Evaluation mode</strong> section, I turn on proactive evaluation. Now both the proactive and detective evaluation switches are enabled.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/199d53f16c8848eca03db41695e3ad28_image.png\\" alt=\\"image.png\\" /></p>\n<p>I leave all the other settings to their default values and choose <strong>Next</strong>. In the next step, I review the configuration and add the rule.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/4ada0e902c06409f961d054d02a59c15_image.png\\" alt=\\"image.png\\" /></p>\n<p>Now, I can use proactive compliance via the Amazon Web Services Config API (including the <a href=\\"https://aws.amazon.com/cli/\\" target=\\"_blank\\">Amazon Web Services Command Line Interface (CLI)</a> and <a href=\\"https://aws.amazon.com/tools/\\" target=\\"_blank\\">Amazon Web Services SDKs</a>) or with CloudFormation Guard. In my CI/CD pipeline, I can use the Amazon Web Services Config API to check the compliance of a resource before creating it. When deploying using <a href=\\"https://aws.amazon.com/cloudformation/\\" target=\\"_blank\\">Amazon Web Services CloudFormation</a>, I can set up a CloudFormation <a href=\\"https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html\\" target=\\"_blank\\">hook </a>to proactively check my configuration before the actual deployment happens.</p>\\n<p>Let’s do an example using the Amazon Web Services CLI. First, I call the <code>StartProactiveEvaluationResponse </code>API with in input the resource ID (for reference only), the resource type, and its configuration using the CloudFormation schema. For simplicity, in the database configuration, I only use the <code>StorageEncrypted </code>option and set it to <code>true </code>to pass the evaluation. I use an evaluation timeout of <code>60 </code>seconds, which is more than enough for this rule.</p>\\n<pre><code class=\\"lang-\\">aws configservice start-resource-evaluation --evaluation-mode PROACTIVE \\\\\\n --resource-details '{&quot;ResourceId&quot;:&quot;myDB&quot;,\\n &quot;ResourceType&quot;:&quot;AWS::RDS::DBInstance&quot;,\\n &quot;ResourceConfiguration&quot;:&quot;{\\\\&quot;StorageEncrypted\\\\&quot;:true}&quot;,\\n &quot;ResourceConfigurationSchemaType&quot;:&quot;CFN_RESOURCE_SCHEMA&quot;}' \\\\\\n --evaluation-timeout 60\\n</code></pre>\\n<p>JSON</p>\n<pre><code class=\\"lang-\\">{\\n &quot;ResourceEvaluationId&quot;: &quot;be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d&quot;\\n}\\n</code></pre>\\n<p>I get back in output the <code>ResourceEvaluationId </code>that I use to check the evaluation status using the <code>GetResourceEvaluationSummary </code>API. In the beginning, the evaluation is <code>IN_PROGRESS</code>. It usually takes a few seconds to get a <code>COMPLIANT </code>or <code>NON_COMPLIANT</code> result.</p>\\n<pre><code class=\\"lang-\\">aws configservice get-resource-evaluation-summary \\\\\\n --resource-evaluation-id be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\n</code></pre>\\n<p>JSON</p>\n<pre><code class=\\"lang-\\">{\\n &quot;ResourceEvaluationId&quot;: &quot;be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d&quot;,\\n &quot;EvaluationMode&quot;: &quot;PROACTIVE&quot;,\\n &quot;EvaluationStatus&quot;: {\\n &quot;Status&quot;: &quot;SUCCEEDED&quot;\\n },\\n &quot;EvaluationStartTimestamp&quot;: &quot;2022-11-15T19:13:46.029000+00:00&quot;,\\n &quot;Compliance&quot;: &quot;COMPLIANT&quot;,\\n &quot;ResourceDetails&quot;: {\\n &quot;ResourceId&quot;: &quot;myDB&quot;,\\n &quot;ResourceType&quot;: &quot;AWS::RDS::DBInstance&quot;,\\n &quot;ResourceConfiguration&quot;: &quot;{\\\\&quot;StorageEncrypted\\\\&quot;:true}&quot;\\n }\\n}\\n</code></pre>\\n<p>As expected, the Amazon RDS configuration is compliant to the <strong>rds-storage-encrypted</strong> rule. If I repeat the previous steps with <code>StorageEncrypted </code>set to <code>false</code>, I get a noncompliant result.</p>\\n<p>If more than one rule is enabled for a resource type, all applicable rules are run in proactive mode for the resource evaluation. To find out individual rule-level compliance for the resource, I can call the <code>GetComplianceDetailsByResource </code>API:</p>\\n<pre><code class=\\"lang-\\">aws configservice get-compliance-details-by-resource \\\\\\n --resource-evaluation-id be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d\\n</code></pre>\\n<p>JSON</p>\n<pre><code class=\\"lang-\\">{\\n &quot;EvaluationResults&quot;: [\\n {\\n &quot;EvaluationResultIdentifier&quot;: {\\n &quot;EvaluationResultQualifier&quot;: {\\n &quot;ConfigRuleName&quot;: &quot;rds-storage-encrypted&quot;,\\n &quot;ResourceType&quot;: &quot;AWS::RDS::DBInstance&quot;,\\n &quot;ResourceId&quot;: &quot;myDB&quot;,\\n &quot;EvaluationMode&quot;: &quot;PROACTIVE&quot;\\n },\\n &quot;OrderingTimestamp&quot;: &quot;2022-11-15T19:14:42.588000+00:00&quot;,\\n &quot;ResourceEvaluationId&quot;: &quot;be2a915a-540d-4595-ac7b-e105e39b7980-1847cb6320d&quot;\\n },\\n &quot;ComplianceType&quot;: &quot;COMPLIANT&quot;,\\n &quot;ResultRecordedTime&quot;: &quot;2022-11-15T19:14:55.588000+00:00&quot;,\\n &quot;ConfigRuleInvokedTime&quot;: &quot;2022-11-15T19:14:42.588000+00:00&quot;\\n }\\n ]\\n}\\n</code></pre>\\n<p>If, when looking at these details, your desired rule is not invoked, be sure to check that proactive mode is turned on.</p>\n<p><strong><ins>Availability and Pricing</ins></strong></p>\n<p>Proactive compliance will be available in all commercial <a href=\\"https://aws.amazon.com/about-aws/global-infrastructure/regions_az/\\" target=\\"_blank\\">Amazon Web Services Regions</a> where <a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">Amazon Web Services Config</a> is offered but it might take a few days to deploy this new capability across all these Regions. I’ll update this post when this deployment is complete. To see which <a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">Amazon Web Services Config</a> rules can be turned into proactive mode, see the <a href=\\"https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html\\" target=\\"_blank\\">Developer Guide</a>.</p>\\n<p>You are charged based on the number of Amazon Web Services Config rule evaluations recorded. A rule evaluation is recorded every time a resource is evaluated for compliance against an Amazon Web Services Config rule. Rule evaluations can be run in detective mode and/or in proactive mode, if available. If you are running a rule in both detective mode and proactive mode, you will be charged for only the evaluations in detective mode. For more information, see <a href=\\"https://aws.amazon.com/config/pricing/\\" target=\\"_blank\\">Amazon Web Services Config pricing.</a></p>\\n<p><a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">With this new feature, you can use Amazon Web Services Config to check your rules before provisioning and avoid implementing your own custom validations.<br />\\n</a></p>\\n<p>— <a href=\\"https://twitter.com/danilop\\" target=\\"_blank\\">Danilo</a></p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/c3d7ff0b44414c30b4f3e8d7dfebbfa0_6465c675a51d44aca59965f281504693_image%283%29.png\\" alt=\\"6465c675a51d44aca59965f281504693_image3.png\\" /></p>\n<h3><a id=\\"Danilo_Pocciahttpsawsamazoncomblogsawsauthordanilop_123\\"></a><strong><a href=\\"https://aws.amazon.com/blogs/aws/author/danilop/\\" target=\\"_blank\\">Danilo Poccia</a></strong></h3>\n<p>Danilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Web Services Lambda in Action from Manning.</p>\n"}