Chef Inspec vs AWS Config

Hi,
I have to include compliance in my AWS DevOps environment. I have come across a service named AWS Config apart from InSpec. AWS Config provides compliance checks and remediation of AWS resources, predefined templates for checks based on CIS/NIST/PCI, multi-account aggregation, integration with third-party resources and other such features. I want to know if InSpec provides any other feature that can make InSpec a better choice over AWS Config.

Which one will be better to use: AWS Config or InSpec with AWS?
Thank you.

Hi there!

There are a few things I would add to the InSpec side of things that might make you consider InSpec over AWS Config.

  • AWS Config obviously will only run in your AWS environment. InSpec is platform-agnostic and will solve for continuous compliance on all clouds, VMs, and bare metal.
  • Contrary to AWS Config, InSpec (as part of Chef Compliance) gives you access to certified CIS and DISA STIG benchmarks and profiles.
  • InSpec is designed to provide you with continuous compliance across entire cloud resources (EC2 hosts, VPCs, etc.). With AWS Config you will need multiple tools, like AWS Systems Manager for EC2 host compliance and AWS Security Hub for VPC and load balancer compliance.

Hope that helps!

Hi,
Thank you for your response.

  • So I understand that InSpec will support multiple clouds.
  • But you are saying that Chef provides certified CIS profiles. I have seen this with AWS Config conformance packs also. So what is the difference?
  • As I saw in AWS Config, all their rules are provided in the AWS Config dashboard itself. Also, if I want to write custom rules, I just have to use Lambda. So I did not understand your third point.

Hope you can provide better clarity over this.
Thank you.

Hi Ashima - a few more key points of consideration. AWS Config works only on EC2 VMs; to determine compliance state for non-VM resources you use AWS Inspector/Security Hub, making it hard for you to get a single view and management interface for compliance across your AWS estate. Secondly, you can't customize the CIS rules from AWS Config - yes, you can write custom rules using Lambda - but starting from the baselines makes it easier. Moreover, InSpec shines in getting the DevOps teams and security teams to work together through a human-readable language based on a Ruby DSL. LMK if this makes sense.

Thank you Vikram for the explanation.

If anything, I would say InSpec has a lot of overlap (but most certainly 100%, a lot less) with cloudcustodian.io, if anything.

AWS Config can run custom rule payloads, and guessing from the runtime constraints of the RDK, it is just Lambda with managed configuration points. In current work, we use Custodian separately from Config for better flexibility, but Custodian even natively supports "deploying" custom rules within Config. How? It is wrapping this Rules Development Kit.

Now the RDK is Python only, so you are probably annoyed at an unhelpful response. I would be too! But if InSpec can use the AWS Ruby SDK for aws-inspec, it is definitely possible, with a lot of effort, to extend the AWS SDK and write your own "RDK" on top of it and use InSpec or something like InSpec in AWS Config.

Hope that helps.
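To make concrete what the last two replies mean by "custom rules are just Lambda" (and what an InSpec control would have to be translated into), here is the evaluation half of a custom AWS Config rule in plain Python. This is an added example, not code from the thread, from Chef or from the RDK; the event and configuration-item layout (ipPermissions, ipv4Ranges, configurationItemCaptureTime) are assumptions about Config's invocation format, and the sample event is constructed.

```python
# Added example (not from the thread, Chef or AWS): the evaluation half of a
# custom AWS Config rule, i.e. what the Lambda behind the RDK actually does.
# The event and configuration-item layout are assumptions about Config's format.
import json

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """CIDRs on one ipPermissions entry (IPv4 and IPv6 range lists)."""
    ranges = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
    ranges += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    return set(ranges)

def _covers_admin_port(perm):
    if perm.get("ipProtocol") == "-1":  # "all traffic" rule has no ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and any(lo <= p <= hi for p in ADMIN_PORTS)

def evaluate_security_group(ci):
    """Return (ComplianceType, annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    perms = ci.get("configuration", {}).get("ipPermissions", [])
    bad = [p for p in perms if _covers_admin_port(p) and _cidrs(p) & WORLD]
    if bad:
        return "NON_COMPLIANT", f"{len(bad)} ingress rule(s) open admin ports to the world"
    return "COMPLIANT", "no world-open admin ports"

def lambda_handler(event, context, config_client=None):
    """Config entry point. A boto3 'config' client is injected so the logic runs offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(ci)
    evaluation = {"ComplianceResourceType": ci["resourceType"],
                  "ComplianceResourceId": ci["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": ci["configurationItemCaptureTime"]}
    if config_client is not None:  # report back to Config when running for real
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample invocation: SSH open to the world.
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({
    "configurationItem": {"resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-constructed0001",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22,
            "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Running `lambda_handler(SAMPLE_EVENT, None)` offline returns a NON_COMPLIANT evaluation; passing a real boto3 client sends it to Config with put_evaluations.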