Set up AWS Config Rules

Workload Security supports the use of AWS Config Rules to query the status of your AWS instances. This can be especially useful if you want to have a centralized view into whether your instances meet certain compliance requirements.

There are four Lambda functions available from the Deep Security AWS Config Rules Repository on GitHub:

  • ds-IsInstanceProtectedByAntiMalware checks whether the current instance is protected by the Workload Security Anti-Malware module.
  • ds-IsInstanceProtectedBy checks whether the current instance is protected by any of the Workload Security protection modules. This is a generic version of ds-IsInstanceProtectedByAntiMalware.
  • ds-DoesInstanceHavePolicy checks whether the current instance is protected by a specific Workload Security policy.
  • ds-IsInstanceClear checks whether the current instance has any warnings, alerts, or errors in Workload Security.

For more information about using AWS Config Rules with Workload Security, including a helpful video that walks you through the process of setting up a rule, see Deploying AWS Config Rules for Deep Security. For more information about AWS Config, see the AWS Config section of the Amazon AWS website.