Skip to content

Config

General Info

  • Fully managed service that provides with an AWS resource inventory, configuration history, and configuration change notifications
  • Information gathered belongs to the part assigned to AWS in the shared responsibility model
  • Use Cases
    • Discovery of resources in accounts
    • Change management
    • Continuous audit & compliance
    • Troubleshooting
    • Security & incident analysis
    • Monitors resource configuration for drifts & can setup trigger to enforce drifts (like when using the wrong instance type)

Components

Component Description
Configuration Recorder
  • Maintains historical records of the config items
  • One configuration recorder per account per region
  • Recording group: define the resources you want to monitor as a choice between all supported resources or a defined subset of them
  • Once turned on, it discovers supported AWS resources & generates a CONFIGURATION ITEM for each resource
Configuration Item
  • Point-in-time attributes of a resource
  • Includes:
    • Metadata
    • Attributes (including tags, resourceID, resource type, creation time, ARN, and AZ)
    • Relationships: descriptions of connections among different resources
    • Current configuration: the information that is retrieved by calling the describe or list APIs of the resource
Configuration Rule
  • Desired config settings for specific resources or an entire account
  • Checks if changes violate any of the conditions in your rules
  • If a resource violates a rule → Config flags the resource and the rule as non compliant and notifies via SNS
Delivery Channel
  • Defines an S3 bucket and an SNS topic that AWS Config uses to deliver information and notifications
  • You can have one delivery channel per region, per account

Views of Configuration Items

Configuration View Contains Frequency Delivery Channel
Configuration History Files with all configuration items (grouped by resource type) of resources that changed since last delivery 6h fixed S3 bucket (ConfigHistory prefix)
Configuration Snapshots One file with all the current configuration ítems Manual or configurable to 1h, 3h, 6h, 12h, 24h s3 bucket (ConfigSnapshot prefix)
Configuration Stream Configuration items as messages in a topic, delivered as soon as they were detected by Config Continuous SNS topic ("messageType": "ConfigurationItemChangeNotification")

Functioning

Similar to CloudWatch
  • When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config
  • Stores everything in S3 bucket
  • Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings
  • Lambda feeds back to Config
  • If rule has been broken, Config fires up an SNS

Delivery
  • Sends notification when a CONFIGURATION HISTORY file is delivered to S3 & when customer initiates a CONFIGURATION SNAPSHOT
  • Automatically delivers a HISTORY FILE to S3 every 6 hours that contains all changes to the RESOURCE CONFIGURATION
Characteristics
  • Inspects software running on SSM managed EC2 instances (including OS version, installed apps, network config)
  • Configuration changes or deviations -> SNS, CloudWatch Events, console dashboard, S3
  • Regionality
    • Regional, but can aggregate data across regions and accounts
    • Can't centrally manage rules
  • Permissions
    • Managed audit role: AWSConfigRole
    • IAM role with Read only permissions to the recorded resources
    • Write access to S3 logging bucket
    • Publish access to SNS