High Level Solution Design
An organization has multiple accounts managed with AWS Organizations. Infra admins need to monitor certain activities and ensure compliance across all accounts.
In our use case, the admin wants application development teams to keep flexibility in managing their application stack components, but also wants a centralised view of RDS and EC2 so that changes or new resources can be checked against organisational compliance criteria.
We document the overall design intent with its trade-offs and options. For every resource we want to cover, we identify the desired (compliant) state. In the current use case we consider RDS and EC2 instances created by development teams; these resources should follow organizational best practices.
Accepted good configuration for Production and Staging. Example: apps should use organization-created DB parameter groups approved by DB admins. Instance sizes and families can be larger than in test.
Accepted good configuration for Test (dev, QA, integration). Example: instance sizes acceptable for test are T4G small to large.
Any other organizational or compliance requirements, for example:
Backup failures
High availability failover
Security group changes
Parameter group modifications
Encryption status changes
Security:
Encryption standards
Access controls
Network isolation
Operational:
Backup policies
Performance monitoring
Resource tagging
Financial:
Instance sizing
Storage optimization
Reserved instance coverage
The organization currently records Config rules that are linked to Security Hub; the solution should integrate with the existing Config and Security Hub dashboards (this is usually the case in most enterprise use cases).
Our first requirement is to know about any RDS or EC2 change across the organization, so the first step is to trap that event. The event could be the creation or update of a resource that may not align with organisational compliance requirements.
AWS Config is a service that provides a detailed view of the configuration of AWS resources. AWS Config can send notifications when resource configurations change, enabling a quick response to potential issues or policy violations. This is the service we use to trap change events.
Most organizations follow a multi-VPC, multi-account pattern, so we need to enable the service across the organization as below.
Multi-account, multi-region data aggregation in AWS Config lets you aggregate Config data from multiple accounts and AWS Regions into a single aggregator account. With an aggregator we can run SQL-style advanced queries about resources across all our accounts.
Example queries:
Query to list all EC2 instances with AMI ID ami-12345
Query for count of resources grouped by their AWS Config rules compliance status
Query for the compliance status of AWS Conformance packs
Query to get counts of AWS resources grouped by account ID
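The four queries above, run through boto3 against an organization aggregator, as an added example that is not code from the original design document. It assumes an aggregator named "org-aggregator" already exists (a placeholder name); the AMI ID filter is built from a validated ID because the value is interpolated into the query expression.

```python
"""Run AWS Config advanced queries against an organization-wide aggregator.

Added example, not code from the original design document. Assumes an
aggregator named "org-aggregator" (placeholder) already exists in the
account that owns it.
"""
import json
import re

AGGREGATOR = "org-aggregator"  # placeholder name, assumed to exist

# Fixed queries in Config's SQL-like syntax. COUNT(*) rows come back as
# {"COUNT(*)": n, "configuration": {"complianceType": "..."}} or
# {"COUNT(*)": n, "accountId": "..."}.
QUERIES = {
    "rule_compliance_counts": (
        "SELECT configuration.complianceType, COUNT(*) "
        "WHERE resourceType = 'AWS::Config::ResourceCompliance' "
        "GROUP BY configuration.complianceType"
    ),
    "conformance_pack_compliance": (
        "SELECT configuration.complianceType, COUNT(*) "
        "WHERE resourceType = 'AWS::Config::ConformancePackCompliance' "
        "GROUP BY configuration.complianceType"
    ),
    "resources_per_account": "SELECT accountId, COUNT(*) GROUP BY accountId",
}

_AMI_RE = re.compile(r"^ami-[0-9a-f]{8,17}$")


def ec2_query_for_ami(ami_id):
    """Build the 'all EC2 instances launched from this AMI' query.

    The AMI ID is interpolated into the expression, so it is validated
    first: only a well-formed ID may reach the query string.
    """
    if not _AMI_RE.match(ami_id):
        raise ValueError(f"not an AMI ID: {ami_id!r}")
    return (
        "SELECT accountId, awsRegion, resourceId, configuration.instanceType "
        "WHERE resourceType = 'AWS::EC2::Instance' "
        f"AND configuration.imageId = '{ami_id}'"
    )


def run_aggregate_query(client, expression, aggregator=AGGREGATOR, page_size=100):
    """Run one query and return every result row as a dict.

    `client` is a boto3 'config' client (or anything with the same
    select_aggregate_resource_config method). Each entry in Results is a
    JSON string, and one call returns one page, so NextToken is followed
    until it is absent.
    """
    rows = []
    kwargs = {"ConfigurationAggregatorName": aggregator,
              "Expression": expression, "Limit": page_size}
    while True:
        resp = client.select_aggregate_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows
        kwargs["NextToken"] = token


def count_by(rows, key_path):
    """Collapse COUNT(*) rows into {group value: count}.

    key_path is dotted ("configuration.complianceType" or "accountId") and
    mirrors the GROUP BY column of the query that produced the rows.
    """
    totals = {}
    for row in rows:
        value = row
        for part in key_path.split("."):
            value = value[part]
        totals[value] = totals.get(value, 0) + int(row["COUNT(*)"])
    return totals


if __name__ == "__main__":
    import boto3

    cfg = boto3.client("config")
    print(count_by(run_aggregate_query(cfg, QUERIES["resources_per_account"]), "accountId"))
    print(count_by(run_aggregate_query(cfg, QUERIES["rule_compliance_counts"]),
                   "configuration.complianceType"))
    # Placeholder AMI ID; replace with the one you are hunting for.
    for inst in run_aggregate_query(cfg, ec2_query_for_ami("ami-0123456789abcdef0")):
        print(inst["accountId"], inst["awsRegion"], inst["resourceId"])
```

The caller needs config:SelectAggregateResourceConfig on the aggregator; the result rows are plain JSON, so the same helper serves any of the page's queries.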
Enable trusted access
You can enable trusted access using either the AWS Config console or the AWS Organizations console.
While creating an aggregator, you can choose to add either individual account IDs or your organization.
So what observes changes to every resource in all our accounts?
This feature within AWS Config is called the configuration recorder. For our requirement we will create a custom recorder; for the other recording configuration options see the FAQ section.
Why a custom recorder:
With a custom recorder we have full control over which resource types are recorded, so we can enable only the RDS and EC2 resource types and filter out all other events.
This keeps costs optimised, since Config charges per configuration item recorded and a recorder set to all supported resource types records every change in the account.
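A custom recorder limited to the resource types this design cares about, plus the post-deployment check that it is still narrow, as an added example that is not code from the original design document. The recorder name, role ARN, bucket and topic ARN are placeholders, and the exact list of resource types is an assumption about what the design wants recorded.

```python
"""Create a custom AWS Config recorder that records only selected resource
types, then verify what the account is actually recording.

Added example, not from the original design document. Names, ARNs and the
resource type list are placeholders/assumptions.
"""
import re

# Assumed scope for this design: RDS and EC2 plus the EC2 objects whose
# changes are on the watch list (security groups, volume encryption).
RESOURCE_TYPES = [
    "AWS::RDS::DBInstance",
    "AWS::RDS::DBCluster",
    "AWS::EC2::Instance",
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::Volume",
]
_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")


def recorder_spec(name, role_arn, resource_types=RESOURCE_TYPES):
    """Build the ConfigurationRecorder argument for put_configuration_recorder.

    allSupported is False and the strategy is inclusion-by-type, so Config
    emits configuration items (and bills) only for the listed types.
    """
    bad = [t for t in resource_types if not _TYPE_RE.match(t)]
    if bad:
        raise ValueError(f"malformed resource types: {bad}")
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(set(resource_types)),
            "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        },
        # CONTINUOUS records every change; DAILY is cheaper but can delay
        # detection of a non-compliant change by up to a day.
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }


def apply_recorder(client, spec, bucket, topic_arn):
    """Create or update the recorder, its delivery channel, then start it.

    The delivery channel must be created after the recorder exists; the
    SNS topic is where change notifications fan out to the pipeline.
    """
    client.put_configuration_recorder(ConfigurationRecorder=spec)
    client.put_delivery_channel(DeliveryChannel={
        "name": "default",
        "s3BucketName": bucket,
        "snsTopicARN": topic_arn,
    })
    client.start_configuration_recorder(ConfigurationRecorderName=spec["name"])


def recorded_types(client, name):
    """Return the set of types the named recorder records ({"*"} = all)."""
    resp = client.describe_configuration_recorders(ConfigurationRecorderNames=[name])
    for rec in resp["ConfigurationRecorders"]:
        group = rec["recordingGroup"]
        if group.get("allSupported"):
            return {"*"}
        return set(group.get("resourceTypes", []))
    raise LookupError(f"recorder {name} not found")


def unexpected_types(client, name, expected=RESOURCE_TYPES):
    """Post-deployment check: types recorded beyond the approved list.

    An empty set means the recorder is still narrow; {"*"} means someone
    flipped it back to all supported types (and to full-account cost).
    """
    return recorded_types(client, name) - set(expected)


if __name__ == "__main__":
    import boto3

    cfg = boto3.client("config")
    spec = recorder_spec("org-rds-ec2", "arn:aws:iam::111111111111:role/aws-config-role")
    apply_recorder(cfg, spec, "org-config-bucket",
                   "arn:aws:sns:eu-west-1:111111111111:config-changes")
    print("unexpected:", unexpected_types(cfg, "org-rds-ec2"))
```

Run the check from the same pipeline that deploys the recorder (or on a schedule): a console edit that re-enables all supported types is invisible in the event stream and only shows up on the bill.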
Config Recorder Option
Custom Config Recorder → SNS → EventBridge Pipe → Step Functions
Advantages:
Most comprehensive resource tracking: covers multiple services, not just RDS
Historical tracking and audit capabilities
Point-in-time resource state analysis
Can handle both configuration changes and state changes
Best for complex scenarios
Disadvantages:
- More complex implementation
- Higher cost due to Config recorder charges
- Additional latency due to multiple service hops
Decision Matrix:
Use Config Recorder when:
Need historical configuration tracking
Relationship mapping between resources
Cross-account resource tracking
Complex resource dependencies
Comprehensive audit trails needed
Best for: Enterprise architects, Governance teams
Scenario:
Track security group relationships
Response: Historical security configuration
Additional Capabilities:
Track associated resources
Map network dependencies
Cross-account security analysis
Config Rule Option
Config Rules → Lambda → SNS → Step Functions
Advantages:
Built-in remediation capabilities
Simpler to implement than full Config recorder
Good for specific compliance checks
Direct integration with Lambda for custom logic
Disadvantages:
Maintenance of Custom Compliance code
May lag real-time events: evaluations run on configuration change or on a schedule, and transient operational events (such as a failover) are not configuration items
Decision Matrix:
Use Config Rules when:
- Enforcing compliance standards
- Regular auditing required
- Configuration drift detection
- Long-term tracking needed
- State validation required
Scenarios:
1. Configuration Standards:
- Instance class compliance
- Multi-AZ requirement
- Storage type requirements
- Engine version compliance
2. Security Compliance:
- Encryption at rest
- Public accessibility
- Security group configuration
- IAM authentication enabled
3. Backup & DR Requirements:
- Backup retention period
- Read replica configuration
- Cross-region backup enabled
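The accepted-configuration rules stated at the start of this design (T4G small to large in test; DBA-approved parameter groups in production and staging) and the configuration-standard, security and backup checks listed above, implemented as the Lambda behind a custom Config rule. This is an added example, not code from the original design document; it assumes the environment is read from an Environment tag, that approved parameter groups and minimum backup retention arrive as rule parameters, that Multi-AZ is required only for production, and that the rule is change-triggered for AWS::RDS::DBInstance.

```python
"""Custom AWS Config rule (Lambda) evaluating AWS::RDS::DBInstance items.

Added example, not part of the original design document. Assumptions:
environment comes from an `Environment` tag; approvedParameterGroups and
minBackupRetentionDays are rule parameters; Multi-AZ is required only in
production; the rule is change-triggered for AWS::RDS::DBInstance.
"""
import json

TEST_ENVS = {"dev", "qa", "integration", "test"}
PROD_ENVS = {"prod", "production", "staging"}
TEST_CLASSES = {"db.t4g.small", "db.t4g.medium", "db.t4g.large"}


def evaluate_rds_instance(item, params):
    """Return (complianceType, annotation) for one configuration item.

    `item` is the configurationItem from the invoking event (Config's own
    key casing, e.g. dBInstanceClass); `params` is the decoded
    ruleParameters dict. Every failing check is collected so that one
    evaluation reports all of them.
    """
    if item.get("resourceType") != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE", "not an RDS instance"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"

    cfg = item.get("configuration") or {}
    env = (item.get("tags") or {}).get("Environment", "").lower()
    approved = {g.strip() for g in params.get("approvedParameterGroups", "").split(",")
                if g.strip()}
    min_retention = int(params.get("minBackupRetentionDays", 1))
    problems = []

    # Security and backup baseline: applies to every environment.
    if not cfg.get("storageEncrypted"):
        problems.append("storage not encrypted")
    if cfg.get("publiclyAccessible"):
        problems.append("publicly accessible")
    if int(cfg.get("backupRetentionPeriod", 0)) < min_retention:
        problems.append(f"backup retention below {min_retention} days")

    instance_class = cfg.get("dBInstanceClass", "")
    groups = {g.get("dBParameterGroupName") for g in cfg.get("dBParameterGroups", [])}
    if env in TEST_ENVS:
        # Test tiers are capped at the T4G small..large classes.
        if instance_class not in TEST_CLASSES:
            problems.append(f"class {instance_class} not allowed in test")
    elif env in PROD_ENVS:
        # Prod/staging may size up but must use DBA-approved parameter groups.
        if not groups or not groups <= approved:
            problems.append("parameter group not DBA-approved")
        if env in {"prod", "production"} and not cfg.get("multiAZ"):
            problems.append("production instance is not Multi-AZ")
    else:
        problems.append("missing or unknown Environment tag")

    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # annotation limit
    return "COMPLIANT", "meets organizational baseline"


def lambda_handler(event, context, config_client=None):
    """Config rule entry point: evaluate the item, report via PutEvaluations.

    config_client is injectable for offline tests; Lambda passes only
    (event, context) and a boto3 client is created on demand.
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:
        # Scheduled or oversized notifications carry no full item; a full
        # rule would fetch it with get_resource_config_history instead.
        return None
    compliance, note = evaluate_rds_instance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation
```

Because the rule reports through PutEvaluations, its NON_COMPLIANT results appear in the existing Config dashboards and, where Security Hub is enabled, as Security Hub findings without any extra integration work; the annotation is what the responder sees, so it names every failed check.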
RDS Events Option
RDS Events
Advantages:
- Native RDS service integration
- Real-time event notification
- Lower cost compared to Config
- Lowest implementation effort
- Direct events for specific RDS actions
Disadvantages:
- Limited to RDS-specific events
- No built-in remediation
Decision Matrix:
Use RDS Events when:
Need immediate notification
Monitoring operational health
Tracking real-time changes
Response time is critical
Event is transient
Scenarios:
1. Immediate Operational Response Needed:
Failover events
Backup failures
Storage space running low
Database instance state changes
Pending maintenance windows
Recovery actions
2. Performance Issues:
High CPU utilization alerts
Storage IOPS constraints
Memory pressure events
Replica lag notifications
3. Security Events:
- Database shutdown/startup
Options in order of increasing implementation complexity:
RDS Events (simplest)
Config Rules with Lambda
Custom Config Recorder (most complex)
Hybrid approach: combine RDS Events, Config Rules and a Custom Config Recorder, using the best tool for each job.
Record each task and the chosen approach in tabular format or in a data store for an overview.