AWS Config Cheat Sheet
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. This is a key service for compliance, security analysis, and operational troubleshooting.
Core Concepts
Configuration Items (CI)
- A Configuration Item is a point-in-time record of the configuration of a supported resource in your account.
- A new CI is created whenever a change is detected in a resource that Config is recording.
- Components of a CI include:
  - Metadata about the resource (account ID, region, resource type and ID, capture time, and the CI status, e.g. OK or ResourceDeleted).
  - Resource attributes and configuration data.
  - Relationships to other resources (for example, the instances and network interfaces attached to a security group).
  - Related CloudTrail event IDs, so a change can be traced back to the API call and principal that made it.
Configuration Recorder
- The Configuration Recorder is the component that detects changes to your resources and captures them as Configuration Items.
- It is a regional resource: by default it records all supported resource types in the region where it is enabled, and it needs a delivery channel (an S3 bucket, optionally an SNS topic) before it can be started.
- You can customize it to record only specific resource types.
- It can also be configured to record global resources, such as IAM users, groups, roles, and customer-managed policies. Enable this in one region only; recording global resources in every region produces duplicate CIs and duplicate charges.
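The recorder and delivery channel are normally created in that order and then started. The following is an added example (not code from the original page) that builds the boto3 request payloads and enforces the two combinations the API rejects: global resource types can only be included when all supported types are recorded, and an explicit resource-type list cannot be combined with allSupported. The role ARN, bucket, topic and account ID are placeholders.

```python
"""Enable the AWS Config recorder and delivery channel with boto3.

Added example, not from the original page. The request shapes are the real
boto3 `config` client API; the role ARN, bucket, topic and account number
are assumed placeholders.
"""

SNAPSHOT_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                        "Twelve_Hours", "TwentyFour_Hours"}


def validate_recording_group(all_supported=True, include_global=False, resource_types=None):
    """Return the reasons AWS would reject this recordingGroup (empty list = valid)."""
    problems = []
    resource_types = list(resource_types or [])
    if all_supported and resource_types:
        problems.append("allSupported=True cannot be combined with an explicit resourceTypes list")
    if include_global and not all_supported:
        problems.append("includeGlobalResourceTypes=True requires allSupported=True")
    if not all_supported and not resource_types:
        problems.append("either allSupported=True or a non-empty resourceTypes list is required")
    return problems


def build_recording_group(all_supported=True, include_global=False, resource_types=None):
    """recordingGroup block for put_configuration_recorder; raises on invalid combinations."""
    problems = validate_recording_group(all_supported, include_global, resource_types)
    if problems:
        raise ValueError("; ".join(problems))
    group = {"allSupported": all_supported, "includeGlobalResourceTypes": include_global}
    if resource_types:
        group["resourceTypes"] = list(resource_types)
    return group


def build_recorder(name, role_arn, recording_group):
    """ConfigurationRecorder block. The role must be one Config can assume
    (the service-linked role AWSServiceRoleForConfig is the usual choice)."""
    return {"name": name, "roleARN": role_arn, "recordingGroup": recording_group}


def build_delivery_channel(name, bucket, topic_arn=None, snapshot_frequency="Six_Hours"):
    """DeliveryChannel block: S3 bucket for history files and snapshots,
    optional SNS topic that carries the configuration stream."""
    if snapshot_frequency not in SNAPSHOT_FREQUENCIES:
        raise ValueError(f"deliveryFrequency must be one of {sorted(SNAPSHOT_FREQUENCIES)}")
    channel = {"name": name, "s3BucketName": bucket,
               "configSnapshotDeliveryProperties": {"deliveryFrequency": snapshot_frequency}}
    if topic_arn:
        channel["snsTopicARN"] = topic_arn
    return channel


def enable_config(client, recorder, channel):
    """Order matters: recorder and channel must both exist before the recorder is started."""
    client.put_configuration_recorder(ConfigurationRecorder=recorder)
    client.put_delivery_channel(DeliveryChannel=channel)
    client.start_configuration_recorder(ConfigurationRecorderName=recorder["name"])
    status = client.describe_configuration_recorder_status(
        ConfigurationRecorderNames=[recorder["name"]])
    return status["ConfigurationRecordersStatus"][0]


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    # Home region: record everything, including global (IAM) resources.
    group = build_recording_group(all_supported=True, include_global=True)
    recorder = build_recorder(
        "default",
        "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        group)
    channel = build_delivery_channel(
        "default", "example-config-bucket",
        topic_arn="arn:aws:sns:us-east-1:123456789012:config-stream")
    print(enable_config(boto3.client("config", region_name="us-east-1"), recorder, channel))
```

In every other region, call `build_recording_group(all_supported=True, include_global=False)` so IAM resources are recorded once. The S3 bucket needs a bucket policy granting `config.amazonaws.com` `s3:PutObject` and `s3:GetBucketAcl`, otherwise the delivery channel call fails.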
Delivery and History
- Configuration History: the collection of all the CIs for a given resource over time. Config delivers a history file for each resource type that changed to the delivery channel's S3 bucket, typically every six hours.
- Configuration Snapshot: a complete picture of all recorded resources and their configurations at a specific point in time. It is delivered to the same S3 bucket on demand or on the schedule set in the delivery channel (from one to twenty-four hours).
- Configuration Stream: an automatically updated stream of all CIs, published to an Amazon SNS topic. This is useful for real-time notification of configuration changes, for example to trigger a Lambda function or feed a SIEM.
Compliance and Evaluation
AWS Config Rules
- Config Rules represent your desired configuration settings for your AWS resources. They are used to evaluate whether your resources are compliant with your policies. A rule is triggered by configuration changes, on a periodic schedule, or both.
- AWS Managed Rules: pre-built, customizable rules provided by AWS to help you get started quickly (e.g., s3-bucket-public-read-prohibited, which checks that S3 buckets do not allow public read access).
- Custom Rules: rules you write yourself, either as an AWS Lambda function that receives the configuration item and reports the result back with PutEvaluations, or as a Custom Policy Rule written in AWS CloudFormation Guard. This lets you encode specific, internal best practices and guidelines.
- Each evaluation marks a resource as COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE (for example, a resource that was deleted or is outside the rule's scope). A resource is flagged NON_COMPLIANT if it violates a rule. You can be notified of compliance changes via Amazon SNS (through the delivery channel's topic) or an EventBridge rule.
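The Lambda contract for a custom rule, and the CI structure described under Configuration Items above, are easiest to see in a working rule. The following is an added example (not code from the original page): a rule that flags security groups exposing SSH or RDP to 0.0.0.0/0 or ::/0. The event fields (invokingEvent, ruleParameters, resultToken, eventLeftScope) and the PutEvaluations call are the real AWS Config interface; the security group CI is constructed for illustration, and `blockedPorts` is an assumed rule parameter name.

```python
"""Custom AWS Config rule: flag security groups that expose SSH/RDP to the world.

Added example, not from the original page. `blockedPorts` is an assumed
rule parameter; the sample configuration item at the bottom is constructed.
"""
import json
from datetime import datetime

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
DEFAULT_PORTS = "22,3389"


def parse_ports(rule_parameters):
    raw = rule_parameters.get("blockedPorts", DEFAULT_PORTS)
    return sorted({int(p) for p in raw.split(",") if p.strip()})


def _covers_port(perm, port):
    """Does one ipPermissions entry allow traffic to `port`?"""
    proto = perm.get("ipProtocol")
    if proto == "-1":           # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _open_cidrs(perm):
    """CIDRs in the entry that match the whole internet. Config's security group
    CI carries IPv4 ranges both as plain strings (ipRanges) and as objects
    (ipv4Ranges); both forms are accepted here."""
    cidrs = set()
    for entry in perm.get("ipRanges", []) + perm.get("ipv4Ranges", []):
        cidrs.add(entry if isinstance(entry, str) else entry.get("cidrIp"))
    for entry in perm.get("ipv6Ranges", []):
        cidrs.add(entry if isinstance(entry, str) else entry.get("cidrIpv6"))
    return sorted(c for c in cidrs if c in OPEN_CIDRS)


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted or not recorded"
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::SecurityGroup"
    findings = []
    for perm in configuration_item.get("configuration", {}).get("ipPermissions", []):
        for port in parse_ports(rule_parameters):
            for cidr in _open_cidrs(perm):
                if _covers_port(perm, port):
                    findings.append(f"port {port} open to {cidr}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]   # annotations are capped at 256 chars
    return "COMPLIANT", "No watched port is exposed to 0.0.0.0/0 or ::/0"


def evaluate_event(event):
    """Turn the Lambda event into the Evaluations list for PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # Scheduled and oversized-CI notifications carry no inline CI; they need
        # a separate path (list/fetch the resources) that this example omits.
        return []
    ci = invoking["configurationItem"]
    if event.get("eventLeftScope"):
        compliance, note = "NOT_APPLICABLE", "Resource left the rule's scope"
    else:
        compliance, note = evaluate_compliance(ci, params)
    return [{
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": datetime.fromisoformat(
            ci["configurationItemCaptureTime"].replace("Z", "+00:00")),
    }]


def lambda_handler(event, context):
    import boto3  # imported lazily so the evaluation logic can be unit-tested offline
    evaluations = evaluate_event(event)
    if evaluations:
        boto3.client("config").put_evaluations(
            Evaluations=evaluations, ResultToken=event["resultToken"])
    return {"evaluations": len(evaluations)}


# Constructed sample: SSH and HTTPS both open to the world on one security group.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-15T10:20:30.000Z",
    "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CI}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "example-token",
    "eventLeftScope": False,
}
```

The function's execution role needs `config:PutEvaluations`, and the Config service must be granted `lambda:InvokeFunction` on the function (a resource-based policy) before the rule can call it. Returning NOT_APPLICABLE for deleted or out-of-scope resources matters: without it the last recorded NON_COMPLIANT result lingers on the dashboard after the resource is gone.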
Conformance Packs
- A Conformance Pack is a collection of AWS Config Rules and remediation actions that can be deployed as a single entity in an account and region, or across an entire AWS Organization from the management account or a delegated administrator.
- They are defined using a YAML template in the same shape as a CloudFormation template, with AWS::Config::ConfigRule and AWS::Config::RemediationConfiguration resources, and are useful for packaging the rules and actions needed to meet common compliance standards (e.g., PCI DSS, HIPAA) or your own internal security policies. AWS publishes sample templates for many such standards.
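A minimal conformance pack template, as an added example that is not from the original page: two AWS managed rules plus an SSM-document remediation for the first. The rule and SSM document identifiers are real; the pack parameter names, the rule names, and the remediation role ARN (with its account number) are assumed.

```yaml
# Added example: minimal conformance pack (not from the original page).
# Managed rule identifiers and the SSM document are real; the parameter,
# rule names, and the role ARN are assumed placeholders.
Parameters:
  MaxAccessKeyAge:
    Type: String
    Default: "90"
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  S3BucketPublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3BucketPublicReadProhibited
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: false          # set to true only once the role and document are proven safe
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::123456789012:role/ConfigRemediationRole   # assumed
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge:
          Ref: MaxAccessKeyAge
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
```

Deploy it with `aws configservice put-conformance-pack --conformance-pack-name <name> --template-body file://pack.yaml` in one account, or `put-organization-conformance-pack` from the management or delegated administrator account to push it to every member. Keep `Automatic: false` until the remediation role has been scoped to the minimum the SSM document needs; an automatic remediation that runs with a broad role is itself a privilege-escalation path.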
Multi-Account and Multi-Region Management
Data Aggregator
- An aggregator collects AWS Config configuration and compliance data from multiple sources:
  - Multiple AWS accounts and multiple regions.
  - A single account across multiple regions.
  - All accounts within an AWS Organization.
- This provides a centralized dashboard for viewing all resource configurations and compliance statuses across your enterprise, and a single place to run advanced (SQL-style) queries across accounts.
- An aggregator is a read-only view: recorders and rules must still be enabled in each source account and region, and individually listed (non-organization) source accounts must authorize the aggregator account before their data is collected.
Key Use Cases
- Security Analysis: Continuously monitor for configurations that violate security policies (e.g., overly permissive security groups).
- Compliance Auditing: View the compliance history of your resources and generate reports to prove compliance with internal policies and external regulations.
- Change Management: Track all changes to your resources and view a complete history of configurations.
- Troubleshooting: Correlate configuration changes to operational issues by reviewing the resource's configuration history around the time an incident occurred.
Pricing
- You are charged per region based on:
  - The number of Configuration Items recorded.
  - The number of active AWS Config Rule evaluations.
  - The number of Conformance Pack evaluations.
- Recording global resources in more than one region, or recording high-churn resource types you never query, inflates the CI count; scope the recorder accordingly.