This article continues my previous one, Compliance Check of SAP Systems Using AWS Config – Part III.
4.2.4 Adding AWS Config Rule
To make use of the Lambda function created above, we need to create an AWS Config rule, which is responsible for triggering that Lambda function and fetching the data. To create the rule, go to Rules and click on Add Rule.
Specify the rule type. As this is not an AWS managed rule, select Create Custom Rule and click on Next.
Now specify the name of the rule and fill in the ARN of the Lambda function that AWS Config should execute to evaluate the resources.
Specify the Trigger options, which define the scope of the evaluation (here we used tags to filter the AWS resources) and the frequency with which the compliance data is evaluated.
Now specify the list of SAP parameters that the Lambda function should evaluate during the execution. Here we are using the most common security parameters, login/no_automatic_user_sapstar and gw/acl_mode, and provide the expected value for each. If a parameter value provided here does not match the value fetched by the Lambda function, AWS Config marks the resource as Non-Compliant. Click Next to proceed.
Review all the settings and click on Add Rule.
The screen below appears once the rules have been added to AWS Config.
The rule is now ready to evaluate the SAP security parameters.
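The comparison the custom rule performs can be seen end to end in the following Python snippet. It is an added example written for this article, not the Lambda code from the earlier parts: the parameter values read from the SAP systems are constructed sample data standing in for the collection step (the hypothetical `fetch_sap_parameters()`), the rule is assumed to be named `sap-security-parameters`, and the handler returns the `PutEvaluations` payload instead of calling the Config API so it can be run without AWS credentials.

```python
import json
from datetime import datetime, timezone

# Constructed sample data (assumption): what the parameter collection of the
# earlier parts of this series returned for two tagged SAP instances.
SAP_INSTANCES = {
    "i-0a1b2c3d4e5f60001": {"login/no_automatic_user_sapstar": "1", "gw/acl_mode": "1"},
    "i-0a1b2c3d4e5f60002": {"login/no_automatic_user_sapstar": "0", "gw/acl_mode": "1"},
}


def fetch_sap_parameters():
    """Hypothetical stand-in for the parameter collection step (instance id -> values)."""
    return SAP_INSTANCES


def evaluate_sap_parameters(expected, actual):
    """Compare the values the Config rule asks for with the values read from one
    SAP system. Returns (ComplianceType, Annotation)."""
    problems = []
    for name, wanted in expected.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"{name} not found")
        elif str(got).strip() != str(wanted).strip():
            problems.append(f"{name}={got} (expected {wanted})")
    if problems:
        # AWS Config limits the Annotation field to 256 characters.
        return "NON_COMPLIANT", "; ".join(problems)[:256]
    return "COMPLIANT", "All listed SAP security parameters match the rule"


def build_evaluation(resource_id, compliance_type, annotation, ordering_time):
    """One entry of the Evaluations list expected by PutEvaluations."""
    return {
        "ComplianceResourceType": "AWS::EC2::Instance",
        "ComplianceResourceId": resource_id,
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": ordering_time,
    }


def lambda_handler(event, context=None):
    """Entry point of the custom rule. Config passes ruleParameters and
    invokingEvent as JSON strings plus a resultToken that must be echoed back."""
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    invoking = json.loads(event["invokingEvent"])
    ordering_time = invoking.get("notificationCreationTime") or datetime.now(timezone.utc).isoformat()

    evaluations = []
    for instance_id, actual in fetch_sap_parameters().items():
        compliance, note = evaluate_sap_parameters(rule_params, actual)
        evaluations.append(build_evaluation(instance_id, compliance, note, ordering_time))

    payload = {"Evaluations": evaluations, "ResultToken": event["resultToken"]}
    # In the deployed function the result is reported with
    #   boto3.client("config").put_evaluations(**payload)
    # It is returned here so the logic can be exercised offline.
    return payload


# Constructed invocation event in the shape AWS Config sends for a periodic trigger.
SAMPLE_EVENT = {
    "ruleParameters": json.dumps({"login/no_automatic_user_sapstar": "1", "gw/acl_mode": "1"}),
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2024-01-01T00:00:00.000Z"}),
    "resultToken": "constructed-result-token",
    "configRuleName": "sap-security-parameters",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Running the file evaluates both constructed instances: the first is reported COMPLIANT, the second NON_COMPLIANT with the annotation naming the offending parameter, which is the text that later shows up in the non-compliance notification.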
5.1 Setting Up EventBridge Rule
To set up a notification for each non-compliant event, we need to create a rule in EventBridge that sends a notification for every non-compliant evaluation. Go to EventBridge and click on Create Rule.
Specify the name and description of the rule.
Now define the event pattern for the rule. AWS provides good documentation that explains how to design a custom event pattern.
Specify the event bus for the rule.
Now select the targets the rule will invoke once the event pattern matches. In our case we need to send an email, so we select SNS Topic as the target type and pick the notification topic.
Now use the Input transformer to pick the details out of the event, build the email text from those details and send it to the inboxes. AWS provides a user guide that explains the Input transformer.
Specify resource tags, if any, and click on Create.
The screen below appears after the rule has been created successfully.
Similarly, we can create multiple rules for multiple AWS Config evaluations.
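To make the event pattern and the Input transformer concrete, the following Python snippet replays both against a sample event. It is an added example written for this article, not configuration from the original post: the event pattern, the InputPathsMap and InputTemplate are what one would paste into the EventBridge console (assuming the custom rule is named `sap-security-parameters`), the sample event is constructed in the documented "Config Rules Compliance Change" shape, and `matches()` implements only the exact-match subset of EventBridge pattern semantics that this rule needs.

```python
# Event pattern of the EventBridge rule (assumption: the Config rule is named
# "sap-security-parameters"). Only changes to NON_COMPLIANT match, so a
# resource returning to COMPLIANT does not generate an email.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["sap-security-parameters"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Input transformer for the SNS target: InputPathsMap picks fields out of the
# event, InputTemplate is the message text with <name> placeholders.
INPUT_PATHS_MAP = {
    "resource": "$.detail.resourceId",
    "region": "$.detail.awsRegion",
    "rule": "$.detail.configRuleName",
    "status": "$.detail.newEvaluationResult.complianceType",
    "reason": "$.detail.newEvaluationResult.annotation",
}
INPUT_TEMPLATE = '"SAP compliance alert: <resource> in <region> is <status> for rule <rule>. Reason: <reason>"'

# Constructed sample event (not a real notification) in the documented shape.
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-event-id",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "111122223333",
    "time": "2024-01-01T00:05:00Z",
    "region": "eu-central-1",
    "resources": [],
    "detail": {
        "resourceId": "i-0a1b2c3d4e5f60002",
        "resourceType": "AWS::EC2::Instance",
        "awsRegion": "eu-central-1",
        "awsAccountId": "111122223333",
        "configRuleName": "sap-security-parameters",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "annotation": "login/no_automatic_user_sapstar=0 (expected 1)",
        },
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every key in the
    pattern must exist in the event; a list means "value is one of these",
    a nested dict means "descend and match all of these"."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(wanted, dict):
            if not isinstance(value, dict) or not matches(wanted, value):
                return False
        elif value not in wanted:
            return False
    return True


def json_path(event, path):
    """Resolve the simple dotted JSONPath form used in InputPathsMap ($.a.b.c)."""
    node = event
    for part in path.lstrip("$").strip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return str(node)


def render_message(event, paths_map=INPUT_PATHS_MAP, template=INPUT_TEMPLATE):
    """Apply the input transformer: resolve each path, substitute <name>."""
    text = template
    for name, path in paths_map.items():
        text = text.replace(f"<{name}>", json_path(event, path))
    # A plain-text InputTemplate is written in double quotes; drop them for the body.
    return text.strip('"')


def notification_for(event):
    """Return the SNS message body if the rule fires for this event, else None."""
    return render_message(event) if matches(EVENT_PATTERN, event) else None


if __name__ == "__main__":
    print(notification_for(SAMPLE_EVENT))
```

Testing the pattern this way before creating the rule avoids the most common mistake with custom patterns: a field that is present in the event but at a different nesting level (for example `complianceType` under `newEvaluationResult`, not directly under `detail`) silently never matches, and no email is ever sent.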
5.2 Email Notification
After setting up the EventBridge rules for the AWS Config evaluations, we can test them to check the notifications for the evaluation of the resources we configured in AWS Config.
Below are the sample emails for two EC2 resources that were created with a non-compliant instance type, i.e. one approved neither by AWS nor by SAP.
Below is the sample email for the SAP instances that are non-compliant with the SAP security parameters login/no_automatic_user_sapstar and gw/acl_mode specified in the AWS Config rule.
6. TROUBLESHOOTING LOGS
6.1 Lambda Execution Logs
To check and troubleshoot the Lambda function execution, look at the logs in the function's log group under CloudWatch.
Further details can be checked by clicking on the log streams.
6.2 AWS Config Logs
To check and troubleshoot the logs of AWS Config, go to the S3 bucket that was created during the basic settings of AWS Config. There we can see all the logs uploaded in JSON format.
We can now run automated compliance checks of SAP systems hosted on AWS infrastructure using this solution.
BEST OF LUCK!!
In these four articles we have discussed how we can use AWS resources to perform automatic checks on the compliance of SAP systems with the organization's requirements.