Monitoring Security Groups with AWS Config
SPL-137 - Version 2.0.1
© 2018 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
Errors or corrections? Email us at email@example.com.
Other questions? Contact us at https://aws.amazon.com/contact-us/aws-training/
Amazon EC2 security groups are an important control for restricting access to your AWS infrastructure. In order to improve the effectiveness of this control, we can go one step further and monitor the configuration of a security group for unauthorized changes. In this lab you will learn how to use AWS Config Rules with an AWS Lambda function to monitor the ingress ports associated with an EC2 security group. The Lambda function will be triggered whenever the security group is modified. If the ingress rule configuration differs from that which is coded in the function, the Lambda function will revert the ingress rules back to the appropriate configuration.
By the end of this lab, you will be able to:
- Upload a preconfigured Lambda function
- Enable AWS Config
- Create and enable a custom AWS Config rule
- Use CloudWatch Logs to review the execution of the AWS Config rule
Technical knowledge prerequisites
To successfully complete this lab, you should be familiar with EC2 security groups. Python programming skills are helpful, although full solution code is provided. It would be helpful to have taken the Introduction to AWS Lambda lab at http://qwiklabs.com.
Other AWS services
AWS services other than those needed for this lab are disabled by IAM policy during your access time in this lab. In addition, the capabilities of the services used in this lab are limited to what's required by the lab and in some cases are even further limited as an intentional aspect of the lab design. You should expect errors when accessing other services or performing actions beyond those provided in this lab guide.
Notice the lab properties below the lab title:
- setup - The estimated time to set up the lab environment
- access - The time the lab will run before automatically shutting down
- completion - The estimated time the lab should take to complete
- At the top of your screen, launch your lab by clicking
If you are prompted for a token, use the one distributed to you (or credits you have purchased).
A status bar shows the progress of the lab environment creation process. The AWS Management Console is accessible during lab resource creation, but your AWS resources may not be fully available until the process is complete.
- Open your lab by clicking
This will automatically log you into the AWS Management Console.
Please do not change the Region unless instructed.
Common login errors
Error : Federated login credentials
If you see this message:
- Close the browser tab to return to your initial lab window
- Wait a few seconds
- Click again
You should now be able to access the AWS Management Console.
Error: You must first log out
If you see the message, You must first log out before logging into a different AWS account:
- Click click here
- Close your browser tab to return to your initial Qwiklabs window
- Click again
Join Qwiklabs to read the rest of this lab...and more!
- Get temporary access to the Amazon Web Services Console.
- Over 200 labs from beginner to advanced levels.
- Bite-sized so you can learn at your own pace.