In this article, I'm going to explain how to use AWS Config to keep a complete inventory of resources across all accounts and regions, from a central place where I can run SQL queries to filter them.
From the AWS product page:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources
Config is commonly used to audit the configuration of your AWS resources and to find and remediate configuration gaps. It is a staple of governance and security work: it monitors resource compliance and compares the actual configuration against the desired state.
The service stores and maintains an inventory of every AWS resource it records, and it has an interesting feature, called Advanced Queries, that lets us run SQL queries against the inventoried resources.
Once you have a multi-account setup, inventory starts to matter, especially if your company has more than 10 accounts. An inventory can answer questions like:
- How many instances do you have running?
- Which instance has the IP address 10.10.10.10 attached?
- How many active DynamoDB tables does the company have?
If you don't have one, you will end up going through each AWS account by hand or, if you are a skilled programmer, writing a script to do it. Both are tedious tasks that could be solved with a simple query.
At best, you have built a solution that creates and maintains an inventory, but that is still one more system to look after and keep running, and as we all know, we don't want yet another piece in the puzzle.
AWS Config has a way to centralize all resources in a single account; the feature is called Aggregators. The aggregator is in charge of collecting the data from the source accounts and regions and centralizing it in the aggregator account. That account is designated by the administrator and can be any account you choose.
There are two ways of configuring the aggregator: with AWS Organizations or without it.
Without Organizations, you need to add the account IDs one by one during setup, and you also need to authorize the aggregation request in each source account so that the aggregator account is allowed to read its data.
With Organizations, you only need to create an IAM role that grants the aggregator access to the Organization; the account list is then managed through the Organizations service, so there is no per-account authorization to configure.
When you configure an aggregator you choose the regions you want to cover, and you can also include all future regions that AWS launches.
Going to Advanced queries in the Config console, you will see more than six pages of predefined queries, ready to use with a single click.
These queries were built by AWS and cover a wide range of examples of what you can do with the feature; in turn, they serve as the basis for building custom queries.
Let's see an example. The code below is a query to obtain all EC2 instances that are running. If you look at it, it is a normal SQL query.
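The running-instances query the paragraph refers to is not reproduced on this page, so the following is an added example, not the article's own code. It answers the three inventory questions from the introduction plus the running-instances case, using the AWS Config advanced query syntax: the top-level columns (`accountId`, `awsRegion`, `resourceId`, `resourceName`, `resourceType`, `tags`) and the `configuration.*` fields, which are camelCase copies of the corresponding `describe-*` API output. The IP address 10.10.10.10 is the one from the question above; the `--` comments are annotations for the reader, and each SELECT is pasted into the editor (or passed to `select-aggregate-resource-config`) on its own.

```sql
-- Added example queries for AWS Config Advanced Queries (not from the original
-- article). Run each SELECT separately, with the aggregator chosen as the
-- query scope so that accountId and awsRegion span every aggregated account.

-- Q0: all running EC2 instances, and where they live.
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.instanceType,
  configuration.privateIpAddress,
  tags
WHERE
  resourceType = 'AWS::EC2::Instance'
  AND configuration.state.name = 'running'
ORDER BY accountId, awsRegion

-- Q1: how many instances do we have, per account?
SELECT
  accountId,
  COUNT(*)
WHERE
  resourceType = 'AWS::EC2::Instance'
GROUP BY accountId

-- Q2: which instance has 10.10.10.10 attached?
-- This matches the instance's primary private IP.
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.privateIpAddress
WHERE
  resourceType = 'AWS::EC2::Instance'
  AND configuration.privateIpAddress = '10.10.10.10'

-- Q2b: the same address looked up on the network interface, which also finds
-- ENIs not attached to an instance. configuration.attachment.instanceId is
-- the instance the ENI is attached to (assumed field name from the
-- describe-network-interfaces output).
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.attachment.instanceId
WHERE
  resourceType = 'AWS::EC2::NetworkInterface'
  AND configuration.privateIpAddress = '10.10.10.10'

-- Q3: how many active DynamoDB tables does the company have?
SELECT
  accountId,
  awsRegion,
  resourceName
WHERE
  resourceType = 'AWS::DynamoDB::Table'
  AND configuration.tableStatus = 'ACTIVE'
```

Two things worth knowing before trusting the numbers: there is no `FROM` clause because the scope is selected outside the query, and a resource that was created after the last recorded configuration item, or in a region where the recorder is off, will not appear.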
On the left side of the console you can see the Query scope. It determines where the service takes the data from to process the query. If you have configured an aggregator, you will see it in the drop-down menu, and a single query then covers every aggregated account and region.
It is very common for administrators to reuse the same queries over and over, especially when troubleshooting or hunting for a resource they cannot remember which account lives in. Security people also use it to identify weak resources based on their configuration. It has many applications; the use cases are up to you, and the sky is the limit.
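As an added illustration of the security use case mentioned above (these queries are not part of the original article), here are three configuration-based checks that a security team typically keeps saved in the Advanced queries editor: unencrypted EBS volumes, publicly reachable RDS instances, and security groups with an inbound rule open to the whole Internet. Field names follow the AWS Config configuration item schema for each resource type; the `--` comments are annotations, and each SELECT is run on its own.

```sql
-- Added example security queries for AWS Config Advanced Queries (not from
-- the original article). Run each SELECT separately against the aggregator.

-- EBS volumes that are not encrypted at rest. relationships shows the
-- instance the volume is attached to, so the owner can be found quickly.
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.size,
  relationships
WHERE
  resourceType = 'AWS::EC2::Volume'
  AND configuration.encrypted = false

-- RDS instances flagged as publicly accessible (reachable from outside the
-- VPC if their security group allows it).
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.engine,
  configuration.publiclyAccessible
WHERE
  resourceType = 'AWS::RDS::DBInstance'
  AND configuration.publiclyAccessible = true

-- Security groups with at least one ingress rule whose source is 0.0.0.0/0.
-- A predicate on an array path (ipPermissions.ipRanges) matches any element,
-- so this finds groups with an open rule but does not tell you which ports
-- that rule covers: inspect the returned ipPermissions rather than adding a
-- second array predicate such as fromPort = 22 and assuming it refers to the
-- same rule.
SELECT
  accountId,
  awsRegion,
  resourceId,
  resourceName,
  configuration.ipPermissions
WHERE
  resourceType = 'AWS::EC2::SecurityGroup'
  AND configuration.ipPermissions.ipRanges = '0.0.0.0/0'
```

Because the aggregator returns `accountId` and `awsRegion` for every row, the same three queries double as an ownership list: the account that holds the misconfigured resource is in the result, with no need to log in anywhere else to find it.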
Limitations
Because the query language used by the service is a subset of SQL SELECT, it does not support the full functionality you would expect from a standard SQL query engine.
For example, it cannot use the JOIN and UNION keywords. It has other limitations as well; to check all of them, see the limitations list in the AWS Config documentation. Two more things to keep in mind: the aggregator only sees resources in accounts and regions where the configuration recorder is enabled, and every query answers from the last recorded configuration item, not from the live state of the resource.
In the last few months I have taken a couple of trainings at The Linux Foundation training academy, and I can tell you that they have really good courses and training materials, especially the ones that prepare you for certifications.
Take a look at the Full Catalog; you will find many courses, from DevOps to Blockchain, prepared by some of the tech industry's leaders.
This short tutorial should help you get started with AWS Config Advanced Queries; it covers the basics you need to start using it as a multi-account, multi-region inventory.
Thanks for reading.