AWS Config

Mission Control integrates with AWS Config to monitor your AWS resource configurations and compliance. Use it to:

  • Query AWS Config to discover and validate resource configurations
  • Monitor AWS Config Rules compliance status across accounts
  • Alert when resources become non-compliant with organizational policies
  • Track configuration changes and detect configuration drift
  • Aggregate compliance data across multiple AWS accounts and regions

Health Check

Query AWS Config Resources

Query AWS Config to retrieve and validate resource configurations.

aws-config-query.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-query
spec:
  interval: 300
  awsConfig:
    - name: public-s3-buckets
      query: |
        SELECT resourceId, resourceType, configuration
        WHERE resourceType = 'AWS::S3::Bucket'
          AND configuration.publicAccessBlockConfiguration.blockPublicAcls = false
      connection: connection://aws/production
      test:
        expr: len(results) == 0 # No public buckets allowed
```

Query with Aggregator

Use a Configuration Aggregator for multi-account queries:

aws-config-aggregator.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-aggregated
spec:
  interval: 600
  awsConfig:
    - name: unencrypted-volumes
      aggregatorName: organization-aggregator
      query: |
        SELECT resourceId, accountId, awsRegion
        WHERE resourceType = 'AWS::EC2::Volume'
          AND configuration.encrypted = false
      connection: connection://aws/management
```

AWS Config Rules Compliance

Monitor AWS Config Rules and alert on non-compliant resources:

aws-config-rules.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-compliance
spec:
  interval: 300
  awsConfigRule:
    - name: compliance-check
      connection: connection://aws/production
      complianceTypes:
        - NON_COMPLIANT
      rules:
        - s3-bucket-ssl-requests-only
        - ec2-imdsv2-check
        - rds-storage-encrypted
```

Ignore Specific Rules

Exclude rules that are expected to fail or are not applicable:

aws-config-rules-filtered.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-compliance-filtered
spec:
  interval: 300
  awsConfigRule:
    - name: filtered-compliance
      connection: connection://aws/production
      complianceTypes:
        - NON_COMPLIANT
      ignoreRules:
        - cloudwatch-alarm-action-check # Known exception
        - vpc-flow-logs-enabled # Not required in dev
```

Configuration Options

AWS Config Query

| Field | Description |
|---|---|
| `query` | SQL-like query for AWS Config resources |
| `aggregatorName` | Configuration Aggregator name for multi-account queries |
| `connection` | AWS connection reference |

AWS Config Rule

| Field | Description |
|---|---|
| `rules` | List of Config Rule names to check |
| `ignoreRules` | List of Config Rule names to exclude |
| `complianceTypes` | Filter by compliance status (`COMPLIANT`, `NON_COMPLIANT`, `NOT_APPLICABLE`, `INSUFFICIENT_DATA`) |
| `connection` | AWS connection reference |
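To see what the two check types above actually evaluate, the following added example (not Mission Control or canary-checker code) reproduces their logic in Python: it runs an AWS Config Advanced Query through the same API a real client would use, switching to the aggregator endpoint when an aggregator name is given, decodes the rows, and applies the `len(results) == 0` pass condition from the `public-s3-buckets` canary; it then applies the `rules`, `ignoreRules` and `complianceTypes` filters from the options table to Config Rule compliance data. The boto3 method names and response shapes (`select_resource_config`, `select_aggregate_resource_config`, `describe_compliance_by_config_rule`) are the real ones; `FakeConfigClient` and all rule and bucket names it returns are constructed so the script runs offline, and the filter semantics are my reading of the table, not the product's source.

```python
"""Offline walk-through of the awsConfig and awsConfigRule check logic.

Added example, not Mission Control code. FakeConfigClient returns constructed
responses shaped like boto3.client("config"); replace it with the real client
to run against an account.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample data. AWS Config returns each Advanced Query row as a JSON
# *string*, not a dict, so the fake mimics that; page 1 carries a NextToken so
# pagination is exercised too.
SAMPLE_QUERY_PAGES = [
    {"Results": [json.dumps({"resourceId": "example-bucket-1",
                             "resourceType": "AWS::S3::Bucket"})],
     "NextToken": "page-2"},
    {"Results": [json.dumps({"resourceId": "example-bucket-2",
                             "resourceType": "AWS::S3::Bucket"})]},
]
SAMPLE_COMPLIANCE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "s3-bucket-ssl-requests-only",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "ec2-imdsv2-check",
     "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "rds-storage-encrypted",
     "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
    {"ConfigRuleName": "cloudwatch-alarm-action-check",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "vpc-flow-logs-enabled",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
]}

# The query from the public-s3-buckets canary above.
PUBLIC_BUCKET_QUERY = """SELECT resourceId, resourceType, configuration
WHERE resourceType = 'AWS::S3::Bucket'
  AND configuration.publicAccessBlockConfiguration.blockPublicAcls = false"""


class FakeConfigClient:
    """Stand-in for boto3.client('config') exposing the three calls used here."""

    def __init__(self, pages=SAMPLE_QUERY_PAGES, compliance=SAMPLE_COMPLIANCE):
        self._pages, self._compliance = pages, compliance
        self.calls: List[str] = []  # records which API was called

    def _page(self, token: Optional[str]) -> Dict:
        return self._pages[1] if token else self._pages[0]

    def select_resource_config(self, Expression: str,
                               NextToken: Optional[str] = None) -> Dict:
        self.calls.append("select_resource_config")
        return self._page(NextToken)

    def select_aggregate_resource_config(self, Expression: str,
                                         ConfigurationAggregatorName: str,
                                         NextToken: Optional[str] = None) -> Dict:
        self.calls.append("select_aggregate_resource_config")
        return self._page(NextToken)

    def describe_compliance_by_config_rule(self, **_filters) -> Dict:
        # The real API accepts ConfigRuleNames/ComplianceTypes; we filter locally.
        self.calls.append("describe_compliance_by_config_rule")
        return self._compliance


def run_advanced_query(client, query: str,
                       aggregator_name: Optional[str] = None) -> List[Dict]:
    """Run an Advanced Query, following NextToken, and return decoded rows.
    aggregator_name mirrors the canary's aggregatorName field."""
    rows: List[Dict] = []
    token = None
    while True:
        kwargs = {"Expression": query}
        if token:
            kwargs["NextToken"] = token
        if aggregator_name:
            resp = client.select_aggregate_resource_config(
                ConfigurationAggregatorName=aggregator_name, **kwargs)
        else:
            resp = client.select_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


def query_check_passes(results: List[Dict]) -> bool:
    """The canary's `test.expr: len(results) == 0`: pass only if nothing matched."""
    return len(results) == 0


def filter_rule_compliance(client, rules: Iterable[str] = (),
                           ignore_rules: Iterable[str] = (),
                           compliance_types: Iterable[str] = ("NON_COMPLIANT",)) -> List[Dict]:
    """Apply rules (allow-list when non-empty), ignoreRules and complianceTypes."""
    wanted, ignored, types = set(rules), set(ignore_rules), set(compliance_types)
    out = []
    for item in client.describe_compliance_by_config_rule()["ComplianceByConfigRules"]:
        name, ctype = item["ConfigRuleName"], item["Compliance"]["ComplianceType"]
        if (wanted and name not in wanted) or name in ignored or ctype not in types:
            continue
        out.append({"rule": name, "compliance": ctype})
    return out


if __name__ == "__main__":
    client = FakeConfigClient()
    found = run_advanced_query(client, PUBLIC_BUCKET_QUERY)
    print("public-s3-buckets:", "PASS" if query_check_passes(found) else f"FAIL ({len(found)} buckets)")
    for row in filter_rule_compliance(client, ignore_rules=["cloudwatch-alarm-action-check",
                                                            "vpc-flow-logs-enabled"]):
        print("non-compliant:", row["rule"])
```

With the constructed data the query check fails (two buckets still allow public ACLs), and the ignore list reduces the three non-compliant rules to one. Swapping in a real client is the quickest way to validate a query expression before committing it to a canary.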

Next Steps