AWS Config Project 4 Documentation

Project Overview

This project demonstrates how AWS Config can be used to monitor, flag, and enforce compliance with organizational security and operational policies in real time. The exercises involve intentionally creating non-compliant AWS resources, observing how AWS Config detects these deviations, and then remediating them to achieve compliance.

The selected tasks cover a range of AWS governance areas, including:

Through these hands-on activities, the project showcases how AWS Config rules map to real-world cloud governance needs, providing both technical skills for setup and security awareness for cloud operations.


Task 1 – EC2 Launch Template Policy

Rule: ec2-launch-template-imdsv2-check

Learning Outcome: Configuration Security Enforcement

Why This Gets Flagged

The EC2 Instance Metadata Service (IMDS) lets software running on an instance read instance metadata, including the temporary credentials of the instance's IAM role. IMDSv1 answers plain GET requests with no authentication, so an SSRF vulnerability in an application on the instance can be used to read that metadata; IMDSv2 requires a session token that must first be obtained with a PUT request, which blocks this class of request, and should be used instead. AWS Config flags any EC2 Launch Template that does not require IMDSv2 as NON_COMPLIANT.


Steps to Create Non-Compliant Resource

  1. Go to EC2 → Launch Templates → click Create launch template.
  2. Name: LT-IMDSv1-Allowed (or any name you like).
  3. Amazon Machine Image (AMI): Choose any Amazon Linux 2 or Ubuntu AMI.
  4. Instance type: t2.micro.
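The following is an added example, not AWS's rule code or part of the original project: it models how the ec2-launch-template-imdsv2-check verdict is derived from a launch template version's LaunchTemplateData (the document returned by describe-launch-template-versions) and produces the remediated data. The sample templates, the `ami-EXAMPLE` placeholder, and the assumption that a template with no MetadataOptions is treated as NON_COMPLIANT are constructed for illustration.

```python
"""Offline model of the ec2-launch-template-imdsv2-check evaluation.

Added example, not AWS's own rule implementation. It inspects the
MetadataOptions block of a launch template's LaunchTemplateData and
returns the compliance verdict, plus a remediated copy of the data.
"""
import copy

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_launch_template(launch_template_data: dict) -> str:
    """Return the verdict for one LaunchTemplateData document.

    IMDSv2 is only enforced when MetadataOptions.HttpTokens is
    "required". Assumption (conservative): a template with no
    MetadataOptions at all, or with HttpTokens "optional", still
    allows IMDSv1 and is reported NON_COMPLIANT.
    """
    metadata = launch_template_data.get("MetadataOptions", {})
    if metadata.get("HttpTokens") == "required":
        return COMPLIANT
    return NON_COMPLIANT


def remediate_launch_template(launch_template_data: dict) -> dict:
    """Return a copy of the data that enforces IMDSv2.

    The result can be passed to create_launch_template_version (boto3)
    or `aws ec2 create-launch-template-version --launch-template-data`,
    then set as the default version so new launches pick it up.
    """
    fixed = copy.deepcopy(launch_template_data)
    fixed.setdefault("MetadataOptions", {})["HttpTokens"] = "required"
    return fixed


# Constructed sample: the non-compliant template from Task 1 (LT-IMDSv1-Allowed).
NON_COMPLIANT_TEMPLATE = {
    "ImageId": "ami-EXAMPLE",  # placeholder, not a real AMI id
    "InstanceType": "t2.micro",
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
}

# Constructed sample: a template that omits MetadataOptions entirely.
UNSET_TEMPLATE = {"ImageId": "ami-EXAMPLE", "InstanceType": "t2.micro"}

if __name__ == "__main__":
    for name, data in (("LT-IMDSv1-Allowed", NON_COMPLIANT_TEMPLATE),
                       ("LT-no-metadata-options", UNSET_TEMPLATE)):
        fixed = remediate_launch_template(data)
        print(f"{name}: {evaluate_launch_template(data)} -> "
              f"{evaluate_launch_template(fixed)}")
```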