AWS Config Network Rules
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Config Network Rules: Mastering Compliance and Governance
Introduction: The Necessity of Automated Network Governance
In the modern cloud-native environment, network infrastructure is no longer a static entity managed by a central team. With the rise of Infrastructure as Code (IaC) and rapid deployment cycles, network configurations—such as Security Group rules, Network Access Control Lists (NACLs), and VPC configurations—change constantly. This speed is a benefit for agility but a significant risk for security. A single misconfigured Security Group that accidentally exposes a database to the public internet can lead to a catastrophic data breach in a matter of seconds.
Managing this risk manually is impossible at scale. You cannot rely on periodic audits or spreadsheet tracking to ensure your network remains compliant with your internal security policies or industry standards like PCI-DSS, HIPAA, or SOC2. This is where AWS Config comes into play. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Specifically, AWS Config Rules allow you to define "desired states" for your network components and automatically detect or remediate deviations.
This lesson explores how to use AWS Config to enforce network security policies. We will move beyond the basics, diving into how to write custom rules, how to implement automated remediation, and how to maintain a continuous compliance posture that protects your network perimeter without hindering developer productivity.
Understanding the AWS Config Framework
AWS Config acts as a continuous monitoring tool for your AWS environment. It records configuration changes, tracks relationships between resources, and evaluates those configurations against predefined rules. When you apply this to networking, you are essentially creating a digital guardrail system.
The Anatomy of a Config Rule
An AWS Config rule consists of three primary components:
- Trigger: This determines when the rule runs. It can be triggered by a configuration change (e.g., a Security Group is modified) or on a periodic basis (e.g., every 24 hours to check for drift).
- Logic: This is the actual code (either a managed AWS rule or a custom Lambda function) that examines the resource configuration to determine if it complies with your policy.
- Remediation (Optional): This defines the action to take if a resource is found to be non-compliant. This could be an automated script to delete an unauthorized rule, or a notification sent to a security team via SNS.
Callout: Managed vs. Custom Rules AWS provides a library of "Managed Rules" which are pre-built for common scenarios, such as checking if an S3 bucket is public or if a Security Group allows unrestricted SSH access. Custom rules are required when your organization has unique requirements, such as enforcing specific naming conventions for VPCs or ensuring all Load Balancers are integrated with a specific WAF instance.
Essential Network Rules for Security
To build a robust network governance strategy, you should start by implementing rules that cover the most common vectors of network misconfiguration.
1. Restricted SSH and RDP Access
The most common network security failure is leaving port 22 (SSH) or port 3389 (RDP) open to the entire internet (0.0.0.0/0). AWS Config provides the restricted-ssh and restricted-common-ports managed rules to detect this immediately.
2. VPC Flow Log Verification
Network visibility is the foundation of security. If you cannot see what traffic is hitting your instances, you cannot respond to threats. You should implement a rule that checks if VPC Flow Logs are enabled for all VPCs in your account.
3. Unauthorized Public Subnets
Sometimes, developers might accidentally create a route to an Internet Gateway in a subnet that should be private. By creating a rule that monitors the routing tables associated with subnets, you can ensure that only designated "public" subnets have a route to the IGW.
Implementing Managed Rules: A Step-by-Step Guide
Managed rules are the fastest way to get started. They require no coding and are maintained by AWS.
Step 1: Accessing the Config Console
Navigate to the AWS Config console in your target region. If you haven't enabled Config yet, you will need to set up a delivery channel (where logs are stored, usually an S3 bucket) and an IAM role that allows Config to read your resource configurations.
Step 2: Adding a Rule
- Click on Rules in the left-hand navigation pane.
- Click Add rule.
- Select Add managed rule.
- Search for
restricted-ssh. - Review the parameters. By default, this rule checks for ingress rules that allow unrestricted access. You can customize the parameters to specify a different port if needed.
Step 3: Setting the Trigger
For most security-sensitive rules, you should choose the Configuration changes trigger. This ensures that as soon as someone modifies a Security Group, the rule is evaluated, providing near-real-time feedback.
Custom Config Rules: Beyond the Basics
When managed rules are insufficient, you must write custom rules using AWS Lambda. This is where you gain true control over your network governance.
Example: Enforcing Approved Security Group Descriptions
Suppose your organization requires that every Security Group has a "Description" field that includes a Ticket ID for tracking purposes. A managed rule cannot check the content of a metadata string, but a custom Lambda rule can.
The Lambda Logic (Python)
import boto3
import json
def evaluate_compliance(configuration_item):
# Check if the resource is a Security Group
if configuration_item['resourceType'] != 'AWS::EC2::SecurityGroup':
return 'NOT_APPLICABLE'
# Extract the description or tags
tags = configuration_item.get('configuration', {}).get('tags', [])
# Logic: Check if 'TicketID' exists in tags
ticket_found = any(tag['key'] == 'TicketID' for tag in tags)
if ticket_found:
return 'COMPLIANT'
else:
return 'NON_COMPLIANT'
def lambda_handler(event, context):
invoking_event = json.loads(event['invokingEvent'])
configuration_item = invoking_event['configurationItem']
compliance = evaluate_compliance(configuration_item)
config = boto3.client('config')
config.put_evaluations(
Evaluations=[{
'ComplianceResourceType': configuration_item['resourceType'],
'ComplianceResourceId': configuration_item['resourceId'],
'ComplianceType': compliance,
'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
}],
ResultToken=event['resultToken']
)
Note: When writing custom rules, ensure your Lambda execution role has the
config:PutEvaluationspermission. Without this, your rule will execute but fail to report the compliance status back to the AWS Config service.
Automated Remediation: Fixing Issues Automatically
Detection is only half the battle. If a rule identifies a non-compliant Security Group, you can configure an automated remediation action to fix it.
The Remediation Workflow
- Trigger: Config rule identifies a non-compliant resource.
- Notification: Config sends an event to EventBridge.
- Action: EventBridge triggers an AWS Systems Manager (SSM) Automation Document or a Lambda function.
- Correction: The script modifies the resource (e.g., removes the offending ingress rule).
Best Practices for Remediation
- Start with "Manual" Remediation: Before automating, configure the rule to alert you. Only after you have tested the logic and verified it doesn't break production services should you enable the automated "Remediate" flag.
- Avoid "Flapping": If your remediation script is too aggressive, it might clash with legitimate configuration changes made by developers. Always implement a "cooldown" period or verify if the change was made by an authorized deployment pipeline.
- Audit Trail: Always log the actions taken by your remediation scripts to CloudWatch Logs. If a network outage occurs, you need to know exactly which automated rule took action.
Comparison of Network Governance Tools
| Feature | AWS Config Rules | Security Groups / NACLs | AWS Network Firewall |
|---|---|---|---|
| Primary Goal | Compliance Auditing | Traffic Filtering | Deep Packet Inspection |
| Scope | Account-wide / Global | Resource-specific | VPC / Edge |
| Automation | Can trigger remediation | Manual/IaC definition | Policy-based |
| Reaction Time | Near real-time | Instant (drop traffic) | Instant (drop traffic) |
Common Pitfalls and How to Avoid Them
1. The "Too Many Rules" Trap
It is tempting to implement hundreds of rules to cover every conceivable edge case. However, this creates "alert fatigue" where the security team ignores notifications because they are overwhelmed. Start with the most critical rules (e.g., public SSH, open database ports) and expand coverage gradually.
2. Ignoring "Not Applicable" Resources
In AWS Config, a resource might be marked as "Not Applicable" if it doesn't match the criteria of the rule. Ensure you are monitoring the "Compliance Summary" dashboard. If you see a large number of "Not Applicable" or "Error" statuses, your rules might be misconfigured or scope-limited incorrectly.
3. Hardcoding Values
Avoid hardcoding account IDs, VPC IDs, or specific IP ranges inside your Lambda functions. Use the Parameters field in the Config Rule definition. This allows you to update your compliance policy (e.g., adding a new authorized CIDR block) without modifying the underlying code.
Warning: Never delete a Security Group used by an active production resource during an automated remediation process. Always perform a "dry run" or use tags to exclude production-critical infrastructure from automated cleanup scripts.
Strategy for Scaling Governance Across Multiple Accounts
In a large organization, you will likely have multiple AWS accounts managed under an AWS Organization. You should not be configuring AWS Config in each account manually.
Using AWS Config Organizational Rules
AWS provides the ability to deploy rules across an entire Organization.
- Enable AWS Config in the Management Account.
- Enable All Supported Resource Types in the Organization settings.
- Use the
PutOrganizationConfigRuleAPI to deploy a rule to every account in your organization simultaneously.
This approach ensures that every new account created via AWS Control Tower or Organizations inherits your security baseline immediately. This is the gold standard for maintaining a consistent security posture.
Best Practices for Network Governance
- Integrate with CI/CD: Do not rely solely on Config to find mistakes. Use tools like
cfn-lintorterrascanto scan your Infrastructure as Code templates before they are deployed. AWS Config should be your "last line of defense" to catch manual changes made directly in the console (often called "ClickOps"). - Use Resource Tagging: Tag all your network resources with an
OwnerorEnvironmenttag. When a rule triggers a non-compliance event, your notification (via SNS) will include these tags, making it much easier for the responsible team to identify the resource and fix the issue. - Periodic Audits: Even if you have real-time rules, schedule a monthly report of all compliance data. Use AWS Config Aggregators to pull data from all regions and accounts into a single dashboard. This is invaluable for preparing for external audits.
- Least Privilege for Remediation: The IAM role used by your remediation Lambda function should have the absolute minimum permissions required. If the function only needs to remove a security group rule, do not give it
ec2:*permissions. Give it onlyec2:RevokeSecurityGroupIngress.
Real-World Scenario: Protecting a Multi-Tier Web Application
Imagine you are managing a web application that consists of a Public ALB, a Private App Tier, and a Private Database Tier.
The Policy
You want to ensure that:
- The Database Security Group only accepts traffic from the App Tier Security Group (never from the public internet).
- The App Tier only accepts traffic from the ALB.
The Implementation
Instead of just relying on the Security Group settings, you implement an AWS Config custom rule that periodically checks the ingress rules of the Database Security Group.
- The Rule: The rule retrieves the
GroupIdof the App Tier. - The Logic: It inspects the Database Security Group to verify that the only
UserIdGroupPairsallowed are those matching the App Tier. - The Remediation: If the rule finds an IP range (e.g.,
0.0.0.0/0) or an unauthorized Security Group, it triggers a Lambda function that removes the offending ingress rule and sends an alert to the Security Operations Center (SOC) via Slack/Email.
This creates a self-healing network. Even if a developer accidentally modifies the Security Group via the console, the system will revert the unauthorized change within minutes.
The Role of AWS Config in Compliance Audits
When an auditor asks, "How do you ensure that your network remains secure?", you shouldn't just explain your processes. You should show them the data.
AWS Config provides a comprehensive history of every configuration change. You can export this data to S3 and use Amazon Athena to query it. For example, you can run a query to show the auditor:
- "Show me every time a Security Group was modified in the last six months."
- "Show me the compliance state of our network on the first of every month."
This level of transparency turns a stressful audit process into a simple data-retrieval task. It proves that your governance is not just a policy written on paper, but a functional, automated part of your infrastructure.
Common Questions (FAQ)
Q: Does AWS Config slow down my network?
A: No. AWS Config is an out-of-band service. It monitors the metadata of your resources via APIs. It does not sit in the data path, so it has zero impact on network latency or throughput.
Q: What happens if the rule is "NON_COMPLIANT" but I have a valid reason for it?
A: You should use a "whitelist" or "exception" logic within your custom rule. For example, your rule could check for a specific tag like Exempt: True. If the tag is present, the rule marks the resource as "COMPLIANT" (or "NOT_APPLICABLE") and skips remediation.
Q: Can I use AWS Config to manage third-party network tools?
A: AWS Config is designed for AWS resources. If you are using a third-party firewall (like Palo Alto or Fortinet) running on EC2, you can use Config to monitor the EC2 instance configuration, but you cannot use Config to peer directly into the firewall's internal rule set. You would need the vendor's API for that.
Q: How much does AWS Config cost?
A: AWS Config charges per configuration item recorded and per rule evaluation. It can get expensive if you have thousands of resources being modified constantly. Optimize your costs by only enabling Config for resources that are critical for security and compliance.
Key Takeaways
- Continuous Monitoring is Mandatory: Manual network auditing is a relic of the past. Continuous, automated governance via AWS Config is the only way to manage modern cloud infrastructure at scale.
- Start with Managed Rules: Always exhaust the library of AWS-provided managed rules before writing custom code. They are tested, optimized, and supported by AWS.
- Automation Requires Caution: Automated remediation is powerful but dangerous. Always test your scripts in a non-production environment and implement safeguards to prevent "flapping" or accidental service disruption.
- Governance is a Lifecycle: Security doesn't end at deployment. Integrate your Config rules with your CI/CD pipeline to ensure that compliance is checked from the moment code is written until it is running in production.
- Use Organizational Rules: If you manage multiple AWS accounts, use the AWS Organization integration to push security policies from the top down. This ensures that every account, regardless of age or purpose, adheres to your core security standards.
- Audit Readiness: Use the history and compliance data generated by AWS Config to simplify your compliance audits. Having a searchable, immutable record of your network configuration is a significant advantage for any security team.
- Keep it Simple: Don't over-engineer your rules. Focus on the high-impact risks like public access, unencrypted traffic, and unauthorized changes. A few well-defined, effective rules are better than a hundred poorly maintained ones.
By mastering AWS Config network rules, you are not just securing a perimeter; you are building a culture of accountability and automation that allows your organization to move fast without breaking the security of your cloud environment.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons