By using AWS re:Post, you agree to the Terms of Use

Implementing Guardrails

0

I am going to start setting up guardrails, but I was some clarification before pulling the trigger, and also have some questions.

  1. If I implement a guard rail, and we see non-compliant resources will this serve ONLY as an alert, or is some other action taken by AWS. For example, if I use the Detect EBS without encryption, it will just alert of any out of compliance, how can I stop new EBS volumes from being made without encryption? If this is implemented while some are out of compliance will it cause issues with the function\use of these EBS drives?
  2. If I do not see a guardrail, for example Cannot create Lambda function without Tracing enabled, how would I go about making that? I will use this to apply to likely dozens of other items once I get this part working.

Thanks all! D

1 Answers
0

First lets look at difference between detective and preventive guardrails. The documentation located here gives a very good description and understanding of the two.

https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/controlsandguardrails.html

Detective guardrails (ex. AWS Config Rules) wont prevent an action from happening, its only going to let you know its out of compliance.

Preventive guardrails are implemented with Service Control Policies or IAM Policies. These will deny an action from happening. For example, if you wanted to prevent someone from creating an unencrypted volume, or creating n EC2 instance with an unencrypted colume, you can attach an SCP to the OU like this:

{
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
},
{
  "Sid": "PreventEc2MountUnencryptedVolume",
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:volume/*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
     }
   }
}

You can see other examples of SCPs here:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

And some more info about how SCPs work, and best practices for using them

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

To answer your question

If this is implemented while some are out of compliance will it cause issues with the function\use of these EBS drives?

The answer is, it depends. If you have an EC2 instance running with an unencrypted EBS volume, it will continue to run uninterrupted. But lets say you applied the above SCP to your OU, and you had an EC2 auto scaling group with a launch configuration that creates instances with unencrypted volumes. The SCP will deny new EC2 instances from being created and auto-scaling will not function. So you can see, its very important to test preventive guardrails thoroughly to fully understand the downstream effects.

profile picture
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions