Tracking X-Ray encryption configuration changes with Amazon Config - Amazon X-Ray
Creating a Lambda function triggerCreating a custom Amazon Config rule for x-rayExample resultsAmazon SNS notifications
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tracking X-Ray encryption configuration changes with Amazon Config

Amazon X-Ray integrates with Amazon Config to record configuration changes made to your X-Ray encryption resources. You can use Amazon Config to inventory X-Ray encryption resources, audit the X-Ray configuration history, and send notifications based on resource changes.

Amazon Config supports logging the following X-Ray encryption resource changes as events:

  • Configuration changes – Changing or adding an encryption key, or reverting to the default X-Ray encryption setting.

Use the following instructions to learn how to create a basic connection between X-Ray and Amazon Config.

Creating a Lambda function trigger

You must have the ARN of a custom Amazon Lambda function before you can generate a custom Amazon Config rule. Follow these instructions to create a basic function with Node.js that returns a compliant or non-compliant value back to Amazon Config based on the state of the XrayEncryptionConfig resource.

To create a Lambda function with an AWS::XrayEncryptionConfig change trigger

  1. Open the Lambda console. Choose Create function.

  2. Choose Blueprints, and then filter the blueprints library for the config-rule-change-triggered blueprint. Either click the link in the blueprint's name or choose Configure to continue.

  3. Define the following fields to configure the blueprint:

    • For Name, type a name.

    • For Role, choose Create new role from template(s).

    • For Role name, type a name.

    • For Policy templates, choose Amazon Config Rules permissions.

  4. Choose Create function to create and display your function in the Amazon Lambda console.

  5. Edit your function code to replace AWS::EC2::Instance with AWS::XrayEncryptionConfig. You can also update the description field to reflect this change.

    Default Code

        if (configurationItem.resourceType !== 'AWS::EC2::Instance') {
        return 'NOT_APPLICABLE';
    } else if (ruleParameters.desiredInstanceType === configurationItem.configuration.instanceType) {
        return 'COMPLIANT';
    }
        return 'NON_COMPLIANT';

    Updated Code

        if (configurationItem.resourceType !== 'AWS::XRay::EncryptionConfig') {
        return 'NOT_APPLICABLE';
    } else if (ruleParameters.desiredInstanceType === configurationItem.configuration.instanceType) {
        return 'COMPLIANT';
    }
        return 'NON_COMPLIANT';

  6. Add the following to your execution role in IAM for access to X-Ray. These permissions allow read-only access to your X-Ray resources. Failure to provide access to the appropriate resources will result in an out of scope message from Amazon Config when it evaluates the Lambda function associated with the rule.

        {
        "Sid": "Stmt1529350291539",
        "Action": [
            "xray:GetEncryptionConfig"
        ],
        "Effect": "Allow",
        "Resource": "*"
     }

Creating a custom Amazon Config rule for x-ray

When the Lambda function is created, note the function's ARN, and go to the Amazon Config console to create your custom rule.

To create an Amazon Config rule for X-Ray

  1. Open the Rules page of the Amazon Config console.

  2. Choose Add rule, and then choose Add custom rule.

  3. In Amazon Lambda Function ARN, insert the ARN associated with the Lambda function you want to use.

  4. Choose the type of trigger to set:

    • Configuration changes – Amazon Config triggers the evaluation when any resource that matches the rule's scope changes in configuration. The evaluation runs after Amazon Config sends a configuration item change notification.

    • Periodic – Amazon Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

  5. For Resource type, choose EncryptionConfig in the X-Ray section.

  6. Choose Save.

The Amazon Config console begins to evaluate the rule's compliance immediately. The evaluation can take several minutes to complete.

Now that this rule is compliant, Amazon Config can begin to compile an audit history. Amazon Config records resource changes in the form of a timeline. For each change in the timeline of events, Amazon Config generates a table in a from/to format to show what changed in the JSON representation of the encryption key. The two field changes associated with EncryptionConfig are Configuration.type and Configuration.keyID.

Example results

Following is an example of an Amazon Config timeline showing changes made at specific dates and times.

Amazon Config timeline.

Following is an example of an Amazon Config change entry. The from/to format illustrates what changed. This example shows that the default X-Ray encryption settings were changed to a defined encryption key.

X-Ray encryption configuration change entry.

Amazon SNS notifications

To be notified of configuration changes, set Amazon Config to publish Amazon SNS notifications. For more information, see Monitoring Amazon Config Resource Changes by Email.