
Config

General Info

  • Fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications
  • The information gathered belongs to the part assigned to AWS in the shared responsibility model
  • Use cases
    • Discovery of resources in accounts
    • Change management
    • Continuous audit & compliance
    • Troubleshooting
    • Security & incident analysis
    • Monitors resource configuration for drift & can set up triggers to act on it (for example, when the wrong instance type is used)

Components

Configuration Recorder
  • Maintains historical records of the configuration items
  • One configuration recorder per account per region
  • Recording group: defines the resources you want to monitor, either all supported resources or a defined subset of them
  • Once turned on, it discovers supported AWS resources & generates a CONFIGURATION ITEM for each resource
Configuration Item
  • Point-in-time attributes of a resource
  • Includes:
    • Metadata
    • Attributes (including tags, resource ID, resource type, creation time, ARN, and AZ)
    • Relationships: descriptions of connections among different resources
    • Current configuration: the information retrieved by calling the resource's describe or list APIs
Configuration Rule
  • Desired configuration settings for specific resources or an entire account
  • Checks whether changes violate any of the conditions in your rules
  • If a resource violates a rule → Config flags the resource and the rule as noncompliant and notifies via SNS
Delivery Channel
  • Defines an S3 bucket and an SNS topic that AWS Config uses to deliver information and notifications
  • You can have one delivery channel per region, per account

Views of Configuration Items

Configuration View | Contains | Frequency | Delivery Channel
Configuration History | Files with all configuration items (grouped by resource type) of resources that changed since the last delivery | Fixed, every 6h | S3 bucket (ConfigHistory prefix)
Configuration Snapshot | One file with all the current configuration items | Manual, or configurable to 1h, 3h, 6h, 12h, 24h | S3 bucket (ConfigSnapshot prefix)
Configuration Stream | Configuration items as messages in a topic, delivered as soon as Config detects them | Continuous | SNS topic ("messageType": "ConfigurationItemChangeNotification")

Functioning

Similar to CloudWatch
  • When you make a change, for example to a security group or a bucket access control list, it fires off as an event that AWS Config picks up
  • Stores everything in an S3 bucket
  • Depending on the setup, as soon as something changes it can trigger a Lambda function, or a Lambda function can be scheduled to periodically look through the AWS Config settings
  • The Lambda feeds its result back to Config
  • If a rule has been broken, Config publishes an SNS notification

Delivery
  • Sends a notification when a CONFIGURATION HISTORY file is delivered to S3 & when the customer initiates a CONFIGURATION SNAPSHOT
  • Automatically delivers a HISTORY FILE to S3 every 6 hours that contains all changes to the RESOURCE CONFIGURATION

Characteristics
  • Inspects software running on SSM-managed EC2 instances (including OS version, installed apps, network config)
  • Configuration changes or deviations → SNS, CloudWatch Events, console dashboard, S3
  • Regionality
    • Regional, but can aggregate data across regions and accounts
    • Can't centrally manage rules
  • Permissions
    • Managed audit role: AWSConfigRole
    • IAM role with read-only permissions to the recorded resources
    • Write access to the S3 logging bucket
    • Publish access to SNS

Config Rules

Defines a template that specifies which resources it will evaluate, when the evaluation will occur, and what remediation action to take (if any).

Types of rules

Custom
  • Trigger a custom Lambda you create and maintain
  • The Lambda must return a status of compliant or noncompliant
  • You define the configuration, the parameters, and the Lambda function Config will actually invoke
Managed
  • You can choose from a variety of predefined rules instead of creating one yourself
  • Do not allow you to modify the configuration related to the trigger type or the parameters' key attributes
  • Common security use cases covered by managed rules:
    • Detecting access keys that were not rotated in the past X days/months
    • Detecting the use of unapproved AMIs
    • Detecting attached EBS volumes without encryption
    • Ensuring GuardDuty and CloudTrail are enabled
    • Running IAM checks, such as detecting IAM policies attached directly to IAM users instead of using roles/groups, MFA, password policies, and unused credentials
    • Running security group checks, such as detecting unrestricted access to common ports like RDP, SSH, or database ports
    • Running S3 checks, such as whether public access is allowed or whether any buckets have default encryption set
Service-linked
  • Considered good practices defined as standards by AWS service development teams
  • Only AWS services can create and deploy them
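As an added example (not from the original notes), a custom rule's Lambda in Python that evaluates a security group configuration item for world-reachable SSH/RDP ports and reports the result to Config with PutEvaluations; the blockedPorts rule parameter and the sample event are assumed and constructed here.

```python
import json

# Constructed sample (trimmed; not a real capture) of the event Config passes to a custom-rule Lambda
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),  # hypothetical rule parameter
    "resultToken": "constructed-token",
}

def evaluate_compliance(item, blocked_ports):
    # Returns (ComplianceType, Annotation) for one security group configuration item
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule evaluates security groups only"
    if item["configurationItemStatus"].startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource deleted"
    exposed = set()
    for perm in item["configuration"].get("ipPermissions", []):
        world = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", [])) or \
                any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", []))
        if not world:
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")  # absent for ipProtocol "-1" (all ports)
        exposed.update(p for p in blocked_ports if lo is None or lo <= p <= hi)
    if exposed:
        return "NON_COMPLIANT", "World-reachable ports: " + ",".join(map(str, sorted(exposed)))
    return "COMPLIANT", "No blocked port is world-reachable"

def build_evaluation(event):
    # Shapes the result as the Evaluation entry that PutEvaluations expects
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters", "{}"))
    ports = [int(p) for p in params.get("blockedPorts", "22,3389").split(",")]
    compliance, note = evaluate_compliance(item, ports)
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic stays testable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
```

The Lambda's execution role needs config:PutEvaluations for the feedback step the notes describe; the rule itself is registered with the Lambda's ARN as its source.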

Triggering

Trigger Type | Description
Periodic | Every 1h, 3h, 6h, 12h, 24h
Configuration change | When a configuration change is detected
On demand | Via API call or the Console

Remediation
  • Config provides conformance packs, a structure that groups a set of rules under a unique name
    • A conformance pack is described by a YAML template that contains the list of rules and their remediation actions
  • If a noncompliant status is introduced, it can be automatically corrected using Systems Manager Automation, with alerts generated via SNS