What is AWS Config

AWS Config - records configurations and configuration changes.

This is separate from cloud trail that records user events.

How to visualize this

Peope leave trails 🚶... (Cloud Trail)

Computers have configuration

Cloudtrail = Who did it?

AWS Config = What did they do?

AWS config has a configuration recorder that lets you inventory in real time.

Can be used in across multiple regions or accounts.

Resources can be evaluated constantly or on a fixed schedule.

Lambda or System manager can be used to automatically remediate any compliance problems.

AWS Config allows a system to be continuously compliant by maintaining records of the systems sin

Any time a change is made on the system - the change is captured with who or what made the change.

This enabled auditing and checking of compliance levels at any time, on demand.

Why use AWS config

It is hard to understand what resources you are using in AWS.

Think of the problems running a massive system.

How can you ever keep up with the what / where?

How do you know what is no longer required?

How do you know developers and engineers are following security policy?

This can be used for risk reduction:

Checking server exposure to the internet

Volumes that may not be encrypted.

Servers than hardening.

Accurate records of changes are recorded.

What can AWS config do

• Checks configurations

• Can save a snapshot of the current configuration

• Lets you pull historical configurations

• Allows the viewing of relationships

• Can find resources been used easily and quickly

• Can help reduce troubleshooting times though the comparison with the last known good configuration.

Does AWS config have associated charges

• Yes - recoding has two different prices for continuous and periodic recording.

• Rule evaulations will also cost you.

• How to avoid pricing:

• Exclude resources you don't care about.

• Filter out regions or systems you don't care about.

• Monitor your bill!

How AWS Config works

When a service is started AWS config scans the account for supported resources or services.

A configuation item is created for each resource or service.

Each time a change takes place a new configuration item is created.

This allows changes to be determined in the configuration.

Configuration Items

These are snapshots that are stored in JSON format.

They represent the configuration at a point in time.

Most resources are supported by AWS Config - but not all.

An updare to the CI is made every time something changes on a monitored resource.

Inside a configuration item:

• Metadata - Information about the configuration item.

• Attributes - Resourde data of the configuraton item.

• Relationship - Holds related data:

For example subnet infomation or VPC infomation.

• Current configuration

Confguration recorder

The configuration recorder discoveres changes in resources, new or existing.

These changes are then fed into configration item.

A configuration recorder is a must to monitor configurations.

The configuration recorder is the eyes of the config system.

The recorder can be setup severa ways:

• Command line interface

• IaC - Infrastrcture as code such as:

• CloudFormation

• Terraform

By default this will setup configuration items for all resources by defauly.

Configuration role

This is an IAM role that provides read only access to record the configuration items.

This role also needs write permissions to the S3 bucket where the snapshots will be stored.

Configuration streams

When a new configuration item is created it's added to a configuration stream.

The configuration stream is the same as an SNS topic.

Basic Setup

• Create an S3 bucket to store the configuration items

• Create an SNS topic for the config service

• Create the IAM role for the config service