Config
General Info¶
- Description
- Fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications
- Once turned on, it discovers supported AWS resources & generates a CONFIGURATION ITEM for each resource
- Monitors resource configuration for drift & can trigger actions to remediate it (for example, an instance launched with a disallowed instance type)
- Use Cases
- Discovery of resources in accounts
- Change management
- Continuous audit & compliance
- Troubleshooting
- Security & incident analysis
Components¶
Component | Description |
---|---|
Configuration Item | Point-in-time record of a supported resource: its attributes, its relationships to other resources, and metadata (capture time, status, account, region) |
Configuration Recorder | Detects changes to the supported resources in a region and records each as a configuration item, building up the configuration history |
Configuration Rule | Desired configuration (AWS managed, or custom and backed by a Lambda function) that Config evaluates recorded items against; each resource is marked COMPLIANT or NON_COMPLIANT |
Delivery Channel | Where Config delivers its output: the S3 bucket for configuration snapshots & history files and the optional SNS topic for notifications |
Functioning¶
- Similar to CloudWatch (event-driven)
- When you make a change, for example to a security group or a bucket access control list, the change is fired off as an event that AWS Config picks up
- Config stores the resulting configuration items in an S3 bucket
- Depending on the setup, a change can trigger a Lambda function as soon as it happens (change-triggered rule) OR a Lambda function runs on a schedule to periodically look through the recorded configuration (periodic rule)
- The Lambda function feeds its evaluation results back to Config
- If a rule has been broken, Config fires off an SNS notification
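The Lambda side of that loop, as an added example that is not part of the original notes or AWS sample code: a change-triggered custom rule that checks an EC2 instance's type against an allow-list and reports the verdict back to Config with `put_evaluations`. The field names follow the event Config hands to a custom rule; the sample item, the allow-list and the rule parameter key `allowedTypes` are this example's own assumptions, and the Config client is injected so the evaluation logic runs offline.

```python
"""Custom AWS Config rule: flag EC2 instances whose type is not in an allow-list.
Added example for these notes, not AWS sample code.  Field names follow the
event Config sends to custom rules; the sample values below are made up."""
import json
from typing import Dict, List, Optional

# Fallback allow-list (constructed).  In production pass it through the rule's
# input parameters instead; the parameter key "allowedTypes" is this example's own.
DEFAULT_ALLOWED = ("t3.micro", "t3.small")

SAMPLE_ITEM = {  # constructed configuration item for a non-compliant instance
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"instanceType": "m5.24xlarge"},
}


class FakeConfigClient:
    """Stand-in for boto3.client("config") so the handler can run offline."""
    def __init__(self) -> None:
        self.calls: List[dict] = []

    def put_evaluations(self, **kwargs) -> None:
        self.calls.append(kwargs)


def build_event(item: Optional[dict], rule_parameters: Optional[dict] = None,
                result_token: str = "example-token") -> dict:
    """Build an invocation event shaped like what Config sends to a custom rule:
    invokingEvent and ruleParameters arrive as JSON strings, not objects.
    item=None models a periodic (scheduled) invocation, which carries no item."""
    if item is None:
        invoking = {"messageType": "ScheduledNotification"}
    else:
        invoking = {"messageType": "ConfigurationItemChangeNotification",
                    "configurationItem": item}
    event = {"invokingEvent": json.dumps(invoking), "resultToken": result_token}
    if rule_parameters is not None:
        event["ruleParameters"] = json.dumps(rule_parameters)
    return event


def parse_allowed(rule_parameters: Optional[str]) -> tuple:
    """Decode the comma-separated allow-list from the rule's JSON parameter string."""
    if not rule_parameters:
        return DEFAULT_ALLOWED
    raw = json.loads(rule_parameters).get("allowedTypes", "")
    return tuple(t.strip() for t in raw.split(",") if t.strip()) or DEFAULT_ALLOWED


def evaluate_item(item: dict, allowed: tuple) -> Dict[str, str]:
    """Return one evaluation for a configuration item.

    Deleted resources get NOT_APPLICABLE so their old findings are cleared
    instead of lingering as NON_COMPLIANT; annotations are capped at the
    256 characters Config accepts."""
    status = item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    elif item.get("resourceType") != "AWS::EC2::Instance":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    else:
        itype = (item.get("configuration") or {}).get("instanceType")
        if itype in allowed:
            compliance, note = "COMPLIANT", f"{itype} is allowed"
        else:
            compliance, note = "NON_COMPLIANT", f"{itype} is not in the allow-list"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context=None, config_client=None) -> List[Dict[str, str]]:
    """Entry point Config invokes.  Returns the evaluations it reported."""
    item = json.loads(event["invokingEvent"]).get("configurationItem")
    if item is None:
        # Periodic invocation: this rule is change-triggered only, nothing to evaluate.
        return []
    evaluations = [evaluate_item(item, parse_allowed(event.get("ruleParameters")))]
    if config_client is None:
        import boto3  # deferred so the evaluation logic above runs without AWS
        config_client = boto3.client("config")
    # resultToken ties these results to this specific invocation of the rule.
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations
```

Deployed, the handler needs only `config:PutEvaluations` on its execution role; the allow-list is supplied when the rule is created, so changing policy never means redeploying the function.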
- Delivery
- Sends a notification when a CONFIGURATION HISTORY file is delivered to S3 & when the customer initiates a CONFIGURATION SNAPSHOT
- Automatically delivers a HISTORY FILE to S3 every 6 hours that contains all changes to the RESOURCE CONFIGURATION
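What those delivered files look like from the consumer's side, as an added example that is not part of the original notes: a small parser for a Config history or snapshot file (a JSON document with `fileVersion` and a `configurationItems` array) that pulls out what an incident responder asks first, which resources changed, which were deleted, and which security groups are now open to the world. The sample file is constructed to match that layout with made-up identifiers, and the ingress field names follow the EC2 API shape as Config records it.

```python
"""Parse an AWS Config history/snapshot file for incident triage.
Added example for these notes; SAMPLE_HISTORY is constructed to match the
Config file layout and every identifier in it is made up."""
import json
from collections import Counter
from typing import Dict, List

SAMPLE_HISTORY = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0a1b2c3d4e5f67890",
            "awsRegion": "us-east-1",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T10:15:00.000Z",
            "configuration": {
                "groupName": "web",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": ["0.0.0.0/0"]},
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipRanges": ["10.0.0.0/8"]},
                ],
            },
        },
        {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-logs-bucket",
            "awsRegion": "us-east-1",
            "configurationItemStatus": "ResourceDeleted",
            "configurationItemCaptureTime": "2024-01-01T10:20:00.000Z",
            "configuration": None,
        },
        {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "awsRegion": "us-east-1",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T09:00:00.000Z",
            "configuration": {"instanceType": "t3.micro"},
        },
    ],
})

WORLD = ("0.0.0.0/0", "::/0")


def load_items(doc: str) -> List[dict]:
    """Return the configuration items in capture-time order; refuse file
    versions this parser was not written for rather than silently misreading them."""
    data = json.loads(doc)
    if data.get("fileVersion") != "1.0":
        raise ValueError(f"unexpected fileVersion {data.get('fileVersion')!r}")
    return sorted(data.get("configurationItems", []),
                  key=lambda ci: ci["configurationItemCaptureTime"])


def status_counts(items: List[dict]) -> Dict[str, int]:
    """How many items were discovered, changed (OK) or deleted in this file."""
    return dict(Counter(ci["configurationItemStatus"] for ci in items))


def deleted_resources(items: List[dict]) -> List[str]:
    """Resources whose last recorded state in this file is a deletion."""
    return [f"{ci['resourceType']}/{ci['resourceId']}" for ci in items
            if ci["configurationItemStatus"] == "ResourceDeleted"]


def _cidrs(rule: dict) -> List[str]:
    # Config records the EC2 API shape: plain "ipRanges" strings and/or
    # "ipv4Ranges"/"ipv6Ranges" objects; read all three so nothing slips past.
    cidrs = list(rule.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in rule.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return [c for c in cidrs if c]


def world_open_ports(items: List[dict]) -> Dict[str, List[int]]:
    """Security groups whose recorded ingress admits 0.0.0.0/0 or ::/0,
    mapped to the starting port of each offending rule (-1 = all ports)."""
    findings: Dict[str, List[int]] = {}
    for ci in items:
        if ci["resourceType"] != "AWS::EC2::SecurityGroup" or not ci.get("configuration"):
            continue  # deleted groups carry no configuration block
        for rule in ci["configuration"].get("ipPermissions", []):
            if any(c in WORLD for c in _cidrs(rule)):
                findings.setdefault(ci["resourceId"], []).append(rule.get("fromPort", -1))
    return findings
```

Run it over the real files under the `AWSLogs/<account>/Config/<region>/` prefix of the delivery bucket after decompressing them; because a history file only holds the items that changed in its 6-hour window, a resource missing from the file is one that did not change, not one that is compliant.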
- Characteristics
- Through SSM Inventory, also records the software running on SSM-managed EC2 instances (OS version, installed applications, network configuration)
- Configuration changes or deviations are surfaced via SNS, CloudWatch Events, the console dashboard & S3
- Regionality
- Regional service, but an aggregator can collect configuration & compliance data across regions and accounts
- The aggregator is a read-only view: it can't centrally manage rules, which still have to be set up in each account & region
- Permissions
- Managed audit role: AWSConfigRole (the managed policy attached to the IAM role that Config assumes)
- IAM role with read-only permissions to the recorded resources
- Write access to the S3 logging bucket
- Publish access to the SNS topic
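The write and publish half of that role, as an added example that is not part of the original notes: an inline IAM policy scoped to one bucket prefix and one topic, to sit next to the managed read-only policy rather than replace it. The bucket name `example-config-bucket`, the account ID `111122223333`, the region and the topic name `config-notifications` are placeholders for illustration; the `AWSLogs/<account>/Config/` prefix is where Config writes, and the `bucket-owner-full-control` ACL condition stops the role from writing objects the bucket owner could not read back.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigMayCheckBucketAcl",
      "Effect": "Allow",
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-config-bucket"
    },
    {
      "Sid": "ConfigWritesOnlyUnderItsOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::example-config-bucket/AWSLogs/111122223333/Config/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    },
    {
      "Sid": "ConfigPublishesToOneTopic",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111122223333:config-notifications"
    }
  ]
}
```

Granting `s3:PutObject` on the whole bucket, or `sns:Publish` on `*`, is the usual shortcut; both turn a compromised Config role into a way to overwrite other logs or spam every topic in the account, so keep the resources this narrow and pair them with a bucket policy that denies everything outside the prefix.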