AWS Config

Hands-On

Demo

In this Demo, we will:
 

  1. Verify AWS Config rules are set up (encrypted-volumes, s3-bucket-versioning-enabled, restricted-ssh)
  2. Create unencrypted EBS volume and attach to EC2 instance
  3. Create S3 bucket without versioning
  4. Create security group with open SSH
  5. Trigger rule evaluations
  6. Review non-compliant resources in AWS Config dashboard
  7. Clean up all resources

Agenda

Settings

Data governance

Delivery method

s3-bucket-versioning-enabled
restricted-ssh
encrypted-volumes

Review

Review and Confirm

Create Non Compliance Objects/Scenarios

Launch AWS CloudShell

# For EBS Volume Demo
# Create volume
echo "Creating EBS volume..."
VOLUME_ID=$(aws ec2 create-volume \
    --volume-type gp3 \
    --size 1 \
    --availability-zone us-east-1a \
    --query 'VolumeId' \
    --output text)
echo "Created Volume ID: $VOLUME_ID"

Scenario 1 : Unencrypted EBS Volume

# Get AMI ID
echo "Getting latest Amazon Linux 2 AMI..."
AMI_ID=$(aws ec2 describe-images \
    --owners amazon \
    --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" \
    "Name=state,Values=available" \
    --query 'sort_by(Images, &CreationDate)[-1].ImageId' \
    --output text)
echo "Using AMI ID: $AMI_ID"
# Get Subnet ID
echo "Getting subnet in us-east-1a..."
SUBNET_ID=$(aws ec2 describe-subnets \
    --filters "Name=availabilityZone,Values=us-east-1a" \
    --query 'Subnets[0].SubnetId' \
    --output text)
echo "Using Subnet ID: $SUBNET_ID"

Scenario 1 : Unencrypted EBS Volume

# Launch EC2 instance
echo "Launching EC2 instance..."
INSTANCE_ID=$(aws ec2 run-instances \
    --image-id $AMI_ID \
    --instance-type t2.micro \
    --subnet-id $SUBNET_ID \
    --count 1 \
    --query 'Instances[0].InstanceId' \
    --output text)
echo "Created Instance ID: $INSTANCE_ID"
# Wait for instance
echo "Waiting for instance to be running..."
aws ec2 wait instance-running --instance-ids $INSTANCE_ID

Scenario 1 : Unencrypted EBS Volume

# Attach volume
echo "Attaching volume to instance..."
aws ec2 attach-volume \
    --volume-id $VOLUME_ID \
    --instance-id $INSTANCE_ID \
    --device /dev/sdf
echo "Triggering encrypted-volumes rule evaluation..."
aws configservice start-config-rules-evaluation \
    --config-rule-names encrypted-volumes

Scenario 1 : Unencrypted EBS Volume

# For S3 Bucket Demo
echo -e "\nStarting S3 bucket versioning demo..."
BUCKET_NAME="test-config-bucket-$(date +%s)"
echo "Creating bucket: $BUCKET_NAME"
aws s3api create-bucket \
    --bucket $BUCKET_NAME \
    --region us-east-1
echo "Triggering s3-bucket-versioning-enabled rule evaluation..."
aws configservice start-config-rules-evaluation \
    --config-rule-names s3-bucket-versioning-enabled

Scenario 2 : Unversioned S3 Bucket

# For Security Group Demo (Automated version)
echo -e "\nStarting security group demo..."
echo "Creating security group..."
SG_ID=$(aws ec2 create-security-group \
    --group-name test-ssh-open \
    --description "Test security group for SSH rule" \
    --query 'GroupId' \
    --output text)
echo "Adding SSH rule to security group..."
aws ec2 authorize-security-group-ingress \
    --group-id $SG_ID \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0
echo "Triggering restricted-ssh rule evaluation..."
aws configservice start-config-rules-evaluation \
    --config-rule-names restricted-ssh

Scenario 3 : Open Security Group

Wait and Check in AWS Config

Clean Up

Terminate (delete) instance

Delete S3 Bucket

Delete volume

Delete security group

Wait and Check for Compliance after fixing

Some Rules can take time - upto 1 day

🙏

Thanks

for

Watching

AWS Config - Hands-On Demo

By Deepak Dubey

AWS Config - Hands-On Demo

AWS Config - Hands-On Demo

  • 142

More from Deepak Dubey