API Compliance (AWS) - Golden Configuration
Updated on 18 Oct 2024
In this use case we work with an AWS Security Group to ensure that access is not allowed from a specific network; for example, we may want to make sure that the guest WiFi network cannot reach particular AWS resources. As with CLI Compliance, we retrieve the configuration from AWS, edit it into our expected Golden Configuration, and then check compliance against it. Let's get started.
Step 1
From the IAP dashboard, click Configuration Manager.
Step 2
From the Configuration Manager dashboard, click the + at the top of the left navigation panel.
Step 3
The Create window opens. Click the dropdown and select Golden Configuration.
Step 4
Next, select JSON as the OS Type. Click the dropdown, scroll until you see JSON, and click it.
Step 5
Enter the name Lab - JSON Golden Configuration - XX (XX represents your initials) and click Create.
Step 6
The Configuration window opens, click Manage to begin configuring.
Step 7
Click the highlighted + and enter describeSecurityGroups. The task list will filter as you type.
Step 8
Select the describeSecurityGroups task. Next, click Add and select Add & Run.
Step 9
Click Add.
Step 10
Next, define the parameters for the adapter task. For Instance Name, enter AWS Security Group. For filter, groupID and groupName, enter [] (an empty array) so that no filter is applied and all security groups are returned.
Step 11
The describeSecurityGroups task runs and its output is shown. This is the data that will be checked for compliance. Click Save.
Step 12
For this exercise, we have trimmed the returned AWS configuration down to our desired Golden Configuration: a single security group whose ingress rule lists the CIDR 192.168.84.0/24, the network we want to disallow. You will paste this configuration into the base node in the following steps.
Copy the JSON code block.
{
  "response": {
    "DescribeSecurityGroupsResponse": {
      "securityGroupInfo": {
        "item": [
          {
            "ipPermissions": {
              "item": [
                {
                  "ipRanges": {
                    "item": [
                      {
                        "cidrIp": "192.168.84.0/24"
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
}
Step 13
Click the Configuration tab.
Step 14
Click the curly braces and paste the copied configuration. Click the Save icon.
Step 15
There are a few differences in how API compliance works compared with CLI compliance:
- There is no configuration inheritance.
- You can use the tree structure to group similar API compliance templates.
For instance, in this exercise we created a node called AWS Security Groups, and we could add sibling nodes for AWS VPCs or AWS Subnets. Creating and updating rules on the template is also different: instead of selecting a line of config and clicking the icons in the toolbar, you right click the portion of the JSON to which the rule should apply. Let's try that now.
Right click on line 6.
Step 16
Select Ignored.
Step 17
Click Update.
Step 18
Next, we want to configure a new rule. Right click line 13 (the cidrIp entry).
Step 19
The JSON Configuration Options window opens. Here we will select the configuration option needed for the JSON Golden Configuration for evaluation. Select Disallowed.
Step 20
For Violation Severity, choose Error.
Step 21
For Object Key, choose Disallowed.
Step 22
Click to toggle on Check Every Key and Check Value.
Step 23
The last configuration needed is for the identifier used when showing violations. Click the +Keys button.