Config

Solution Architect Associate

Developer Associate

Security Specialty

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, along with configuration history and change notifications

Similar to CloudTrail in some ways, but gives you a 30,000 ft view of your provisioned resources

Enables things like:

  • Compliance auditing
  • Security Analysis
  • Resource Tracking

Provides

  • Configuration snapshots and logs config changes to AWS resources
  • Automated compliance checking

Only admins who need to set up and maintain Config require full access to it. Everyone else should get read-only permission

Features

  • Allows you to create rules to enforce that resources obey best practices
  • Allows you to query your resources by type, tag, deleted resources, etc.
  • Shows you the history of your environment: when changes occurred, who made them, etc. Helps with ops troubleshooting
  • You can use automation documents or Lambda functions to support enforcement

Resources

  • Displays a list of all resources in the account, and whether or not they’re in compliance with any rules you’ve established
  • Displays a list of events associated with the resource under “Resource Timeline”
    • Each event shows a diff of what changed
  • You can also set a remediation action for rules not in compliance, and then kick this off under the resource

Conformance Packs

  • Collections of AWS Config rules and remediation actions that can be easily deployed in your account
  • Several common ones like FedRAMP, CMMC, NIST, etc.

How Does This All Work?

  • As soon as anyone makes a change to a resource, an event is triggered and sent to AWS Config
  • AWS Config stores events in S3
  • You can then establish event targets to respond to incoming events. Here Lambda is used as the event target; it evaluates the event to determine whether it breaks any of your Config rules
  • All Lambda reports is whether a rule is being broken or not; if it is, this is fired off via SNS
  • As soon as a rule is created in AWS Config it is evaluated immediately
  • You will need to grant Config read-only permission to your resources in order to see changes, as well as write access to the S3 logging bucket and publish permission to SNS
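As an added example (not from these notes), this is the shape of the Lambda evaluation step described above: Config hands the function the changed configuration item, the function decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and reports the verdict back to Config with put_evaluations. The required-tags check, the `requiredTags` rule parameter and the sample event are constructed for illustration.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_compliance(configuration_item, rule_parameters):
    """Pure check: does the item carry every tag in "requiredTags"? Returns (verdict, annotation)."""
    # A deleted or unrecorded resource can be neither compliant nor non-compliant.
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted or not recorded"
    required = [t.strip() for t in rule_parameters.get("requiredTags", "").split(",") if t.strip()]
    missing = [t for t in required if t not in (configuration_item.get("tags") or {})]
    if missing:
        return NON_COMPLIANT, "Missing required tags: " + ", ".join(missing)
    return COMPLIANT, "All required tags present"


def build_evaluation(event):
    """Turn the event Config sends Lambda (invokingEvent/ruleParameters are JSON strings) into an Evaluation."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    verdict, annotation = evaluate_compliance(ci, rule_parameters)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": verdict,
        "Annotation": annotation[:256],  # Config rejects annotations longer than 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by Config: report the verdict back using the supplied result token."""
    import boto3  # imported here so the pure functions above run without the SDK installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]


# Constructed sample invocation: an S3 bucket that is missing its "Owner" tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {"Environment": "prod"}}}),
    "ruleParameters": json.dumps({"requiredTags": "Environment,Owner"}),
    "resultToken": "constructed-result-token",
}
```

Running `build_evaluation(SAMPLE_EVENT)` yields a NON_COMPLIANT evaluation annotated with the missing tag; only `lambda_handler` needs AWS credentials.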

Terminology

  • Configuration items: Point in time attributes of a resource
  • Configuration snapshots: Collection of Configuration Items
  • Configuration streams: Stream of changed Configuration items

  • Recorder setup:
    • Logs are configured for an account per region. You can’t enable it globally yet
    • Stores logs in S3
  • What you can see in AWS Config
    • Resource Type, Resource ID
    • Compliance
    • Timeline of changes
  • Compliance checks:
    • Have a trigger, which can be periodic or you can establish a configuration snapshot delivery on demand
  • Managed Rules
    • There are more than 40 provided by AWS. They are basic but very fundamental and should be evaluated