What is Config review

Config review periodically verifies your AWS resources to ensure they are configured according to established rules. By using Config review, it makes easy for anyone to see if the AWS environment is operating as planned.

We regularly review without programming that AWS resources such as EC2, ELB, RDS, etc. are configured correctly from fault tolerance, availability and security point of view. Regular reviews ensure system quality to a certain level.

The Config review feature creates a " policy set " by selecting the " policy ", which you want to review, from the " policy set templates " , so that the programming is not required.
* Config review uses AWS Config Rules at the backend, and AWS Config Rules costs will be charged separately from Cloud Automator usage fee

 

Preparation

In order to use Config Review feature, it is necessary to have AWS Config initial setup.

AWS config initial setup

 

Available policy

You can use following policies

Serverworks recommended Policy-set template

  • ACM certificate is setup on Cloudfront Distribution filtered by tag
  • ElastiCache clusters (Redis) filtered by tag are created on multi availability zone and enabled failover
  • Security group that the TCP/3389 (RDP) permission rules specified 0.0.0.0/0 to inbound rules does not exit
  • All EBS volumes are associated tag that have specified key
  • ELBs filtered by tag are created in VPCs filtered by tag
  • Automated backups are enabled for db instances
  • EC2 instances filtered by tag are launched in VPCs filtered by tag
  • ELB filtered by tag are created on multi availability zone, and EC2 instances are equally registered.
  • All IAM users belong to one of the IAM group
  • Multi-factor authentication that uses a virtual device has been enabled in the root AWS account
  • All S3 buckets are associated tag that have specified key
  • SSM Agent is online state on EC2 instances filtered by tag
  • Life cycle events that delete object after one year is set to the S3 bucket that is set for billing report
  • All IAM groups are allocated one or more IAM policies
  • EC2Config Service is installed on EC2 Windows Instance filtered by tag
  • Permit rules that the TCP/3306 (MySQL) from specified ip address of maintenance bases exit in inbound rules of the security group that filtered by tag
  • Checked in the Trusted Advisor as a result, all is OK
  • Cache clusters filtered by tag are created in VPCs filtered by tag
  • IAM user has been created one or more
  • EC2 instances filtered by tag are created on multi availability zone
  • VPC Flow Logs that filtered by tag is enabled and specifying CloudWatch Log group for log as the destination
  • ElastiCache clusters (Memcached) filtered by tag are created on multi availability zone
  • The latest SSL policy is set to ELB
  • DB instances filtered by tag are launched in VPC filtered by tag
  • All IAM users are not set inline policy individually
  • 30 days log expire is set to the CloudWatch log group as the destination of CloudTrail
  • Multi-AZ deployment is enabled for db instances that filtered by tag
  • Life cycle events that delete object after one year is set to the S3 bucket that is set for access logs for ELB
  • ACM certificate is setup on ELB filtered by tag
  • Access logs for ELB are enabled and access logs outputted to S3 bucket
  • Permit rules that the TCP/11211 (Memcached) from specified ip address of maintenance bases exit in inbound rules of the security group that filtered by tag
  • Permit rules that the TCP/22 (SSH) from specified ip address of maintenance bases exit in inbound rules of the security group that filtered by tag
  • All VPN connections are associated tag that have specified key
  • CloudTrail by filtered tag is enabled and specifying S3 bucket as the destination
  • IAM group has been created one or more
  • S3 bucket is set for billing report
  • Filtered CloudTrail by tag is enabled and specifying CloudWatch Log group for log as the destination
  • Permit rules that the TCP/6379 (Redis) from specified ip address of maintenance bases exit in inbound rules of the security group that filtered by tag
  • All EC2 instances are associated tag that have specified key
  • EC2 instances filtered by tag are assigned iam role
  • Security group that the TCP/22 (SSH) permission rules specified 0.0.0.0/0 to inbound rules does not exit
  • The IAM operation permission has not been granted other than specified IAM group
  • CloudWatch billing alerts are enabled
  • Life cycle events that delete objects after one year is set to the S3 bucket as the destination of CloudTrail
  • All DB instances are associated tag that have specified key
  • Only the specified IAM users belong to the specified administrator IAM group
  • Permit rules that the TCP/3389 (RDP) from specified ip address of maintenance bases exit in inbound rules of the security group that filtered by tag
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request