Generate an AWS CloudFormation template containing AWS Config managed rules using Troposphere - AWS Prescriptive Guidance

Generate an AWS CloudFormation template containing AWS Config managed rules using Troposphere

Created by Lucas Nation (AWS) and Freddie Wilson (AWS)

Environment: Production

Technologies: DevOps; Management & governance; Security, identity, compliance

Workload: Microsoft; Open-source

AWS services: AWS Config; AWS CloudFormation

Summary

Many organizations use AWS Config managed rules to evaluate the compliance of their Amazon Web Services (AWS) resources against common best practices. However, these rules can be time-consuming to maintain. This pattern helps you use Troposphere, a Python library, to generate and manage AWS Config managed rules.

The pattern helps you to manage your AWS Config managed rules by using a Python script to convert a Microsoft Excel spreadsheet containing AWS managed rules into an AWS CloudFormation template. Troposphere acts as the infrastructure as code (IaC) and this means that you can update the Excel spreadsheet with managed rules, instead of using a JSON or YAML-formatted file. You then use the template to launch an AWS CloudFormation stack that creates and updates the managed rules in your AWS account.

The AWS CloudFormation template defines each AWS Config managed rule by using the Excel spreadsheet and helps you to avoid manually creating individual rules in the AWS Management Console. The script defaults each managed rule's parameters to an empty dictionary, and the scope's ComplianceResourceTypes defaults to the value in the AWS-defined THE_RULE_IDENTIFIER.template file. For more information about the rule identifier, see Creating AWS Config managed rules with AWS CloudFormation templates in the AWS Config documentation.

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • Familiarity with using AWS CloudFormation templates to create AWS Config managed rules. For more information about this, see Creating AWS Config managed rules with AWS CloudFormation templates in the AWS Config documentation.  

  • Python 3, installed and configured. For more information about this, see the Python documentation.

  • An existing integrated development environment (IDE) such as AWS Cloud9. For more information about this, see What is AWS Cloud9? in the AWS Cloud9 documentation. 

  • Identify your organizational units (OUs) in a column in the sample excel_config_rules.xlsx Excel spreadsheet (attached).

Epics

Task: Update the sample Excel spreadsheet.

Description: Download the sample excel_config_rules.xlsx Excel spreadsheet (attached) and label as Implemented the AWS Config managed rules that you want to use.

Rules marked as Implemented will be added to the AWS CloudFormation template.

Skills required: Developer
Task: (Optional) Update the config_rules_params.json file with AWS Config rule parameters.

Description: Some AWS Config managed rules require parameters, which you pass to the Python script as a JSON file by using the --param-file option. For example, the access-keys-rotated managed rule uses the following maxAccessKeyAge parameter:

{
  "access-keys-rotated": {
    "InputParameters": {
      "maxAccessKeyAge": 90
    }
  }
}

In this sample parameter file, maxAccessKeyAge is set to 90 days. The script reads the parameter file and adds any InputParameters that it finds.

Skills required: Developer
Task: (Optional) Update the config_rules_params.json file with AWS Config ComplianceResourceTypes.

Description: By default, the Python script retrieves the ComplianceResourceTypes from the AWS-defined templates. If you want to override the scope of a specific AWS Config managed rule, pass the override to the Python script as a JSON file by using the --param-file option.

For example, the following sample code shows how the ComplianceResourceTypes for ec2-volume-inuse-check is set to the ["AWS::EC2::Volume"] list:

{
  "ec2-volume-inuse-check": {
    "Scope": {
      "ComplianceResourceTypes": [
        "AWS::EC2::Volume"
      ]
    }
  }
}

Skills required: Developer
Task: Install the pip packages from the requirements.txt file.

Description: Download the requirements.txt file (attached) and run the following command in your IDE to install the Python packages:

pip3 install -r requirements.txt

Skills required: Developer
Task: Run the Python script.

Description:

  1. Download the aws_config_rules.py file (attached) to your local machine.

  2. Run the python3 aws_config_rules.py --ou <OU_NAME> command. Note: --ou defines which OU column to choose in the Excel spreadsheet.

You can also add the following optional parameters:

  • --config-rule-option  – Defines the rules to choose from the Excel spreadsheet. The default is the Implemented parameter.

  • --excel-file  – The path for the Excel spreadsheet. The default is aws_config_rules.xlsx.

  • --param-file  – The path of the parameter JSON file. The default is config_rules_params.json.

  • --max-execution-frequency  – Defines how often the AWS Config managed rules are evaluated. The choices are One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours. The default is TwentyFour_Hours.

Skills required: Developer
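The following is an added example, not the pattern's own aws_config_rules.py, that walks through what the parameter-file tasks and the script options above describe: select the rules marked Implemented in one OU column, apply InputParameters and Scope overrides from the parameter file, fall back to the template's ComplianceResourceTypes otherwise, and emit one AWS::Config::ConfigRule resource per rule with the chosen MaximumExecutionFrequency. To keep it runnable offline it builds the CloudFormation JSON directly with the standard library instead of Troposphere, and the spreadsheet rows, parameter file and template default scopes are constructed stand-ins (the attached script reads the real Excel file and the AWS-defined THE_RULE_IDENTIFIER.template files). The rule names, OU column names and the second constructed default scope for EC2_VOLUME_INUSE_CHECK are assumptions made for the illustration.

```python
"""Added example: build a CloudFormation template of AWS Config managed rules
from spreadsheet-style rows and a parameter file, using only the standard
library (no Troposphere or openpyxl). Not the pattern's aws_config_rules.py."""
import json

# Constructed stand-in for the rows of excel_config_rules.xlsx: one row per
# rule, with one column per OU holding the rule's status in that OU.
SPREADSHEET_ROWS = [
    {"Rule": "access-keys-rotated", "Security": "Implemented", "Sandbox": "Not Implemented"},
    {"Rule": "ec2-volume-inuse-check", "Security": "Implemented", "Sandbox": "Implemented"},
    {"Rule": "root-account-mfa-enabled", "Security": "Planned", "Sandbox": "Implemented"},
]

# Constructed stand-in for config_rules_params.json (same shape as the page's samples).
PARAM_FILE = {
    "access-keys-rotated": {"InputParameters": {"maxAccessKeyAge": 90}},
    "ec2-volume-inuse-check": {"Scope": {"ComplianceResourceTypes": ["AWS::EC2::Volume"]}},
}

# Constructed stand-in for the ComplianceResourceTypes read from the AWS-defined
# <RULE_IDENTIFIER>.template files; a rule with no entry gets no Scope at all.
# The second type here is assumed purely to show that a parameter-file override wins.
TEMPLATE_DEFAULT_SCOPE = {
    "EC2_VOLUME_INUSE_CHECK": ["AWS::EC2::Volume", "AWS::EC2::Instance"],
}

# The --max-execution-frequency choices listed on the page.
FREQUENCIES = ("One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours")


def rule_identifier(rule_name):
    """access-keys-rotated -> ACCESS_KEYS_ROTATED, the managed rule's SourceIdentifier."""
    return rule_name.upper().replace("-", "_")


def logical_id(rule_name):
    """CloudFormation logical IDs must be alphanumeric: ec2-volume-inuse-check -> Ec2VolumeInuseCheck."""
    return "".join(part.capitalize() for part in rule_name.split("-"))


def select_rules(rows, ou, option="Implemented"):
    """Return the rule names whose cell in the --ou column equals --config-rule-option."""
    if ou not in rows[0]:
        raise KeyError(f"OU column {ou!r} not found in spreadsheet")
    return [row["Rule"] for row in rows if row.get(ou) == option]


def build_config_rule(rule_name, params, defaults, max_frequency):
    """Build one AWS::Config::ConfigRule resource, applying parameter-file overrides."""
    if max_frequency not in FREQUENCIES:
        raise ValueError(f"unsupported MaximumExecutionFrequency {max_frequency!r}")
    identifier = rule_identifier(rule_name)
    overrides = params.get(rule_name, {})
    properties = {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": identifier},
        # Parameters default to an empty dictionary, as the page's script does.
        "InputParameters": overrides.get("InputParameters", {}),
        # AWS Config applies this only to periodically triggered rules.
        "MaximumExecutionFrequency": max_frequency,
    }
    # Scope: an explicit override in the parameter file beats the template default.
    scope_types = overrides.get("Scope", {}).get("ComplianceResourceTypes", defaults.get(identifier))
    if scope_types:
        properties["Scope"] = {"ComplianceResourceTypes": list(scope_types)}
    return {"Type": "AWS::Config::ConfigRule", "Properties": properties}


def build_template(rows, ou, params, defaults, option="Implemented", max_frequency="TwentyFour_Hours"):
    """Assemble the CloudFormation template for every rule selected for the OU."""
    resources = {
        logical_id(name): build_config_rule(name, params, defaults, max_frequency)
        for name in select_rules(rows, ou, option)
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"AWS Config managed rules for OU {ou}",
        "Resources": resources,
    }


if __name__ == "__main__":
    # Equivalent of: python3 aws_config_rules.py --ou Security
    template = build_template(SPREADSHEET_ROWS, "Security", PARAM_FILE, TEMPLATE_DEFAULT_SCOPE)
    print(json.dumps(template, indent=2))
```

Running it prints a template with two resources: AccessKeysRotated carries the maxAccessKeyAge parameter and no Scope (nothing in the defaults for it), while Ec2VolumeInuseCheck gets the parameter file's single AWS::EC2::Volume type rather than the constructed two-type default, which is the override behaviour the optional task describes. Swapping the OU argument to Sandbox selects a different rule set from the same spreadsheet, which is the point of the --ou option.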
Task: Launch the AWS CloudFormation stack.

Description:

  1. Sign in to the AWS Management Console, open the AWS CloudFormation console, and then choose Create stack.

  2. On the Specify template page, choose Upload a template file and then upload your AWS CloudFormation template.

  3. Specify a stack name and then choose Next.

  4. Specify tags and then choose Next.

  5. Choose Create stack.

Skills required: Developer

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip