Check compliance of EC2 instances for Session Mirroring
Part of the AWS Mirror Toolkit, this AWS Config rule checks whether a session mirroring session exists for each individual network interface. It assumes that a Session Mirror Target already exists.
This project is developed to work alongside AutoMirror. If you'd like to use it separately, make sure to adjust the configuration of the rule accordingly.
- Create an Execution Policy for the Lambda
- Deploy the Lambda function code in a Node.js 10 environment.
- Create a custom AWS Config rule following the example of this image and point it at the previously deployed Lambda function
Instances that have a network interface (NetworkInterfaceId) for which a session mirroring session exists are considered COMPLIANT.
Instances for which no session mirroring session exists for their network interface (NetworkInterfaceId) are considered NOT COMPLIANT.
To reduce false positives we've created a third compliance state, NOT APPLICABLE. This is the result given for Amazon-owned resources, for example NAT Gateways, which hold a network interface but cannot be configured for session mirroring.
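The decision logic described above, as an added example that is not the toolkit's own Lambda code. It evaluates per network interface, replaces the EC2 API calls with in-memory data shaped like the DescribeNetworkInterfaces and DescribeTrafficMirrorSessions responses, and assumes the RequesterManaged flag identifies the Amazon-owned interfaces that get NOT_APPLICABLE; the resource ids are constructed placeholders.

```javascript
'use strict';

// Compliance values in the form AWS Config's PutEvaluations expects them
// (the README's "NOT COMPLIANT" is reported to Config as NON_COMPLIANT).
const COMPLIANT = 'COMPLIANT';
const NON_COMPLIANT = 'NON_COMPLIANT';
const NOT_APPLICABLE = 'NOT_APPLICABLE';

// Collect the source ENI of every mirror session
// (DescribeTrafficMirrorSessions returns NetworkInterfaceId per session).
function mirroredInterfaceIds(sessions) {
  return new Set(sessions.map((s) => s.NetworkInterfaceId));
}

// Decide one network interface (shape of DescribeNetworkInterfaces):
//  - RequesterManaged ENIs (e.g. a NAT Gateway's) cannot be mirror sources -> NOT_APPLICABLE
//  - ENI that is the source of at least one mirror session -> COMPLIANT
//  - any other ENI -> NON_COMPLIANT
function evaluateInterface(eni, mirrored) {
  if (eni.RequesterManaged) return NOT_APPLICABLE;
  return mirrored.has(eni.NetworkInterfaceId) ? COMPLIANT : NON_COMPLIANT;
}

// Build the Evaluations array a custom rule hands to config.putEvaluations().
function buildEvaluations(interfaces, sessions, timestamp) {
  const mirrored = mirroredInterfaceIds(sessions);
  return interfaces.map((eni) => ({
    ComplianceResourceType: 'AWS::EC2::NetworkInterface',
    ComplianceResourceId: eni.NetworkInterfaceId,
    ComplianceType: evaluateInterface(eni, mirrored),
    OrderingTimestamp: timestamp,
  }));
}

// Constructed sample data; the ids are placeholders, not real resources.
const SAMPLE_INTERFACES = [
  { NetworkInterfaceId: 'eni-0aaa', RequesterManaged: false }, // mirrored
  { NetworkInterfaceId: 'eni-0bbb', RequesterManaged: false }, // not mirrored
  { NetworkInterfaceId: 'eni-0ccc', RequesterManaged: true,
    Description: 'Interface for NAT Gateway nat-0placeholder' },
];
const SAMPLE_SESSIONS = [
  { TrafficMirrorSessionId: 'tms-0placeholder', NetworkInterfaceId: 'eni-0aaa',
    TrafficMirrorTargetId: 'tmt-0placeholder' },
];

console.log(buildEvaluations(SAMPLE_INTERFACES, SAMPLE_SESSIONS, new Date(0)));
```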
Found this interesting? Have a question/comment/request? Let us know!