Recently, AWS Config released a Rule Development Kit (RDK) that greatly simplifies your custom rule authoring experience. The RDK is an open-source tool that helps you set up AWS Config, author rules, and then test them using a variety of AWS resource types. This allows you to focus on the development of the rule itself. The AWS Config RDK is now available for download from the aws-config-rdk GitHub repo. We follow semantic versioning, and are dedicated to maintaining backwards compatibility for each major version.

About AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. Rules enable you to automatically check the configuration of AWS resources recorded by AWS Config. There are 37 managed AWS Config rules by default and 34 custom rules maintained by the community in the aws-config-rules GitHub repo.

Getting started

You can get started with AWS Config RDK and create a rule named “Hello World” in just a few minutes.

Prerequisites

Enable AWS Config

Create your first rule

Test your rule

Prerequisites

The AWS Config RDK requires the latest version of the AWS CLI. You must also log in to an AWS account. Use the following command to install the AWS CLI (requires pip to be installed already):

pip install --upgrade --user awscli

Use the following command to configure the AWS CLI. For more information, see Configuring the AWS CLI.

aws configure --profile myCLIprofile AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY Default region name [None]: us-east-1 Default output format [None]: text

Use the following command to clone the AWS Config RDK on macOS, Linux, or Windows platforms:

git clone https://github.com/awslabs/aws-config-rdk.git

Choose your platform (MacLinux or Windows).



Enable AWS Config

To begin, enable AWS Config in your AWS account for the region configured in the AWS CLI. For example, on macOS or Linux, use the following command to configure your profile:

cd MacLinux/setup; ./setup myCLIprofile

You see the following results:



On Windows, use the following command to configure your profile:

cd Windows/setup; ./setup.cmd myCLIprofile

You see the following results:



In this example, AWS Config in the us-east-1 region has been enabled by RDK setup.



Create your first rule

Now you can create your first rule. Use the following command to create the EBS_OPTIMIZED_INSTANCE managed rule, which checks whether Amazon EBS optimization is enabled for your EC2 instances that can be EBS-optimized. Create the rule under the folder /aws-config-rdk/MacLinux/rules on macOS or Linux:

cd MacLinux/rules; ./createRule myCLIprofile hello_world AWS::EC2::Instance

You see the following results:



On Windows, use the following command:

cd Windows/rules; ./createRule.cmd myCLIprofile hello_world AWS::EC2::Instance

You see the following results:

The following resources were created:

The parameter “APPLICABLE_RESOURCE_TYPES” has the same value as “APPLICABLE_RESOURCES” already defined in the rule code

The AWS Lambda function named “hello_world”

An AWS Config rule named “hello_world”, which was also associated with the Lambda function

The rule has started to evaluate EC2 instances for compliance with EBS optimization.



Now you can replace the default values with your own code. Make sure that resource types are consistent between the rule_code.py and createRule.cmd script parameters. Otherwise, your rule returns NOT_APPLICABLE. The rules/ruleCode/rule_util.py script handles the boring parts of a rule, and should not need to be modified.

Test your rule

The AWS Config RDK supports testing your rule by invoking the Lambda function with configuration items (used as test cases) from the /rules/testUtil/compliantCIs and /rules/testUtil/noncompliantCIs directories. The RDK checks that the Lambda function returns the corresponding result.

On macOS or Linux, use the following command:

cd MacLinux/rules; ./test myCLIprofile hello_world

You see the following results:

On Windows, use the following command:

cd Windows/rules; ./test.cmd myCLIprofile hello_world

You see the following results:

Besides, we have provided Configuration Item examples in “rules/testUtil/exampleCIs” to help you to write test cases by the modification to make them represent compliant or non-compliant resources.



Summary

The AWS Config RDK helps you build rules easily, including the following:

Preparing the initial rule development environment, by enabling AWS Config with a variety of automatically created AWS resources.

Creating Lambda functions, rules, and the association between them so that you don’t have to.

Supporting multiple platforms: macOS, Linux, and Windows.

Testing rules just by the code, with no more manual setup in complicated test environments.

We would love to hear your feedback. Feel free to leave comments or suggestions on the aws-config-rdk GitHub page.

About the Author



Henry Huang is a DevOps Consultant for the Professional Services Team at Amazon Web Services in China.