Task 1: Enable AWS Config

  1. Sign in to your Lab’s AWS Console following the instructions provided

  2. Make sure your selected region is Oregon

  3. Go to Services search box > Config

  4. Click drawing

  5. In the Settings page, leave defaults and click on drawing

  6. In the Rules page, leave defaults and click on drawing

  7. In the Review page, click on drawing

  8. AWS Config will start; you can close the “Welcome to AWS Config” window.

  9. Now we will create our first Config rule. It checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible; the rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible that is not specified in the rule parameters. In your left panel, click on Rules

  10. Click on drawing

  11. In the AWS Managed Rules search box, type: vpc-sg-open-only-to-authorized-ports

  12. Select the managed rule and click drawing

  13. In the Configure rule page, in the Trigger section, select Tags.

  14. Under Resources by tag, type Compliance in the Tag Key box, and Prod in the Tag value box

  15. Under Parameters, you will authorize only port 80 to be open to the internet

  16. Click on drawing

  17. In the Review and create page click drawing

  18. Click on the Rule you just created and, under Resources in scope, select All. After a couple of minutes you will see a security group in Compliant status

    NOTE: you may need to refresh the displayed information on the rule console; click on the refresh button drawing

  19. Now we will make a change to the security group inbound rules and open port 22 to the internet, so that this resource changes its status to Noncompliant

  20. Go to Services search box > VPC

  21. On the left pane, under the Security section, click on Security Groups

  22. In the Security Group search box, type sc-web-secgroup-, and click on the lookup result

    Note: You will notice this Security Group was created as part of your Service Catalog application deployment

  23. In the panel below, click on Inbound rules

  24. Click on drawing

  25. Click on drawing

  26. Edit the second rule line you just added: in the inbound Type, select SSH, and in Source, select Anywhere IPv4

  27. Click drawing

  28. Now return to Config console. Services search box > Config

  29. On the left pane, click on Rules

  30. Click on the rule you previously created and, under Resources in scope, select All. After a minute the rule's Resource compliance status will change from Compliant to Noncompliant

    NOTE: you may need to refresh the displayed information on the rule console; click on the refresh button drawing

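To see why the status flips between steps 18 and 30, here is an added example (not part of the workshop or of AWS Config itself) that re-implements locally the check the managed rule vpc-sg-open-only-to-authorized-ports performs, including the Compliance=Prod tag scope, and runs it over constructed security-group records shaped like `aws ec2 describe-security-groups` output. It assumes the lab's port list is supplied through the rule's authorizedTcpPorts parameter (80 only, no UDP ports); the group id is a placeholder.

```python
from typing import Dict

# Only the IPv4 "anywhere" source counts as open to the internet, as the rule states.
OPEN_TO_WORLD = {"0.0.0.0/0"}

def in_scope(group: Dict, tag_key: str = "Compliance", tag_value: str = "Prod") -> bool:
    """Mirror the rule trigger: only resources tagged Compliance=Prod are evaluated."""
    return any(t["Key"] == tag_key and t["Value"] == tag_value
               for t in group.get("Tags", []))

def _ports(perm: Dict) -> range:
    """Port range of one inbound entry; a missing port (all traffic) means every port."""
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return range(0, 65536)
    return range(lo, hi + 1)

def evaluate(group: Dict, authorized_tcp: set, authorized_udp: set) -> str:
    """Return COMPLIANT or NON_COMPLIANT for one security group."""
    allowed = {"tcp": authorized_tcp, "udp": authorized_udp}
    for perm in group.get("IpPermissions", []):
        if not any(r.get("CidrIp") in OPEN_TO_WORLD for r in perm.get("IpRanges", [])):
            continue  # entry is not open to 0.0.0.0/0, so the rule ignores it
        proto = perm.get("IpProtocol")
        for p in (["tcp", "udp"] if proto == "-1" else [proto]):
            if p in allowed and any(port not in allowed[p] for port in _ports(perm)):
                return "NON_COMPLIANT"  # a world-open port outside the authorized set
    return "COMPLIANT"

# Constructed snapshots of the sc-web-secgroup-* group: before step 26 (HTTP only)
# and after it (SSH from Anywhere IPv4 added). The GroupId is a placeholder.
BEFORE = {
    "GroupId": "sg-PLACEHOLDER",
    "Tags": [{"Key": "Compliance", "Value": "Prod"}],
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
AFTER = {**BEFORE, "IpPermissions": BEFORE["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

def run_lab_check() -> Dict[str, str]:
    """Evaluate both snapshots with the lab parameter: authorizedTcpPorts = 80, no UDP."""
    return {name: evaluate(g, {80}, set())
            for name, g in (("before", BEFORE), ("after", AFTER)) if in_scope(g)}

if __name__ == "__main__":
    print(run_lab_check())  # {'before': 'COMPLIANT', 'after': 'NON_COMPLIANT'}
```

A group without the Compliance=Prod tag is skipped entirely, just as Config skips resources outside the rule's scope, and an SSH entry restricted to a single address rather than 0.0.0.0/0 stays Compliant.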