Config
General Info
- Fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications
- The service itself is run by AWS (its side of the shared responsibility model); what it records is the configuration of your own resources, which remain your responsibility to keep compliant
- Use cases
  - Discovery of resources in accounts
  - Change management
  - Continuous audit & compliance
  - Troubleshooting
  - Security & incident analysis
- Monitors resource configuration for drift and can trigger an action when a resource drifts out of the desired state (for example an instance launched with an instance type that is not on the approved list)
Components
Component | Description |
---|---|
Configuration Recorder | Records the configuration of the supported resource types you select (all of them, or a chosen subset) and produces a configuration item each time one of them changes; one recorder per region per account |
Configuration Item | Point-in-time record of one resource: its metadata, attributes, configuration, relationships to other resources and the related CloudTrail events |
Configuration Rule | Desired configuration for a resource type; Config evaluates each resource against it and marks it COMPLIANT or NON_COMPLIANT |
Delivery Channel | Where Config sends what it records: the S3 bucket for history and snapshot files and the SNS topic for notifications; one delivery channel per region per account |
Views of Configuration Items
Configuration View | Contains | Frequency | Delivery Channel |
---|---|---|---|
Configuration History | Files with all configuration items (grouped by resource type) of the resources that changed since the last delivery | Every 6h (fixed) | S3 bucket (ConfigHistory prefix) |
Configuration Snapshot | One file with all the current configuration items | Manual, or configurable to 1h, 3h, 6h, 12h, 24h | S3 bucket (ConfigSnapshot prefix) |
Configuration Stream | Configuration items as messages in a topic, delivered as soon as Config detects them | Continuous | SNS topic ("messageType": "ConfigurationItemChangeNotification") |
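The configuration stream row above is where a detection pipeline plugs in. As an added example (not code from the original notes or from AWS), here is a Lambda handler subscribed to that SNS topic: it parses each ConfigurationItemChangeNotification message and flags security group ingress rules that the change opened to 0.0.0.0/0 or ::/0. The message layout (configurationItem plus a configurationItemDiff with changedProperties) is Config's; the sample SNS event, group ID and account ID are constructed for the example.

```python
"""Consume AWS Config's configuration stream from SNS and flag security group
ingress rules opened to the world.

Added example for these notes, not AWS code. The message shape follows the
ConfigurationItemChangeNotification format; SAMPLE_MESSAGE below is constructed
by hand so the block runs without AWS.
"""
import json
from typing import Any

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def cidrs_of(perm: dict[str, Any]) -> set[str]:
    """Collect every CIDR in one ipPermissions entry (legacy ipRanges list plus the v4/v6 lists)."""
    found = set(perm.get("ipRanges") or [])
    found |= {r.get("cidrIp") for r in perm.get("ipv4Ranges") or []}
    found |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges") or []}
    return {c for c in found if c}


def exposed_ingress(message: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per ingress rule this change created or updated with a world CIDR."""
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return []
    ci = message["configurationItem"]
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return []
    changed = (message.get("configurationItemDiff") or {}).get("changedProperties") or {}
    findings = []
    for prop, change in changed.items():
        # Ingress rules are diffed as Configuration.IpPermissions.<n>; egress is IpPermissionsEgress.<n>
        if not prop.startswith("Configuration.IpPermissions."):
            continue
        if change.get("changeType") not in ("CREATE", "UPDATE"):
            continue  # a DELETE closes a rule, which is not an exposure
        perm = change.get("updatedValue") or {}
        world = cidrs_of(perm) & WORLD_CIDRS
        if world:
            findings.append({
                "groupId": ci.get("resourceId"),
                "account": ci.get("awsAccountId"),
                "region": ci.get("awsRegion"),
                "protocol": perm.get("ipProtocol"),
                "fromPort": perm.get("fromPort"),
                "toPort": perm.get("toPort"),
                "cidrs": sorted(world),
                "captureTime": ci.get("configurationItemCaptureTime"),
            })
    return findings


def handler(event: dict[str, Any], context: Any = None) -> list[dict[str, Any]]:
    """Lambda entry point for an SNS subscription: each record carries one Config message as a JSON string."""
    findings: list[dict[str, Any]] = []
    for record in event.get("Records", []):
        findings.extend(exposed_ingress(json.loads(record["Sns"]["Message"])))
    return findings


# Constructed sample: tcp/22 from anywhere was added and a tag was changed on the same group.
SAMPLE_MESSAGE = {
    "messageType": "ConfigurationItemChangeNotification",
    "recordVersion": "1.3",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0a1b2c3d4e5f67890",
        "awsAccountId": "111122223333",
        "awsRegion": "eu-west-1",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T10:15:00.000Z",
        "configuration": {"groupId": "sg-0a1b2c3d4e5f67890", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
    },
    "configurationItemDiff": {
        "changeType": "UPDATE",
        "changedProperties": {
            "Configuration.IpPermissions.0": {
                "previousValue": None, "changeType": "CREATE",
                "updatedValue": {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
                                 "ipv6Ranges": []},
            },
            "Tags.0": {"previousValue": None, "changeType": "CREATE",
                       "updatedValue": {"key": "Owner", "value": "ops"}},
        },
    },
}

SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_MESSAGE)}}]}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_SNS_EVENT), indent=2))
```

The diff, not the full configuration, is what makes this cheap: only the properties that changed in this configuration item are inspected, so a group that was already open before the change does not produce a new finding every time one of its tags is edited.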
How it works
- Event-driven, similar to CloudWatch Events
- When a change is made (for example to a security group or to a bucket access control list) Config picks it up as an event and records a new configuration item
- Everything is stored in the S3 bucket of the delivery channel
- Depending on the rule setup, the change either invokes a Lambda function as soon as it is recorded (change-triggered rule) or a Lambda function runs on a schedule and looks through the recorded configuration (periodic rule)
- The Lambda function reports the compliance of each resource back to Config (PutEvaluations)
- If a rule has been broken (a resource is NON_COMPLIANT), Config publishes a notification to the SNS topic
- Delivery
  - Automatically delivers a configuration history file to S3 every 6 hours that contains all changes to the recorded resource configurations
  - Sends a notification when a configuration history file is delivered to S3 and when a customer-initiated configuration snapshot is delivered
- Characteristics
  - Inspects software running on SSM-managed EC2 instances (including OS version, installed applications and network configuration) through the Systems Manager inventory
  - Configuration changes or deviations can be surfaced through SNS, CloudWatch Events (EventBridge), the console dashboard and S3
- Regionality
  - Regional service, but an aggregator can collect configuration and compliance data across regions and accounts
  - An aggregator is a read-only view: rules still live and are edited in each account and region (unless they are deployed from the organization management account as organization rules)
- Permissions
  - Config runs under a service role (managed policy AWSConfigRole, which AWS now documents as replaced by AWS_ConfigRole; the service-linked role AWSServiceRoleForConfig is the alternative) that needs:
    - Read-only permissions to the recorded resources
    - Write access to the S3 logging bucket
    - Publish access to the SNS topic
Config Rules
A rule is a template that specifies which resources it evaluates, when the evaluation runs, and what remediation action to take (if any).
Types of rules
Type | Description |
---|---|
Custom | Written by you: the evaluation logic lives in a Lambda function (or a Guard policy) that Config invokes and that reports each resource's compliance back with PutEvaluations |
Managed | Predefined by AWS; you enable them and optionally adjust their parameters (for example the allowed instance types of DESIRED_INSTANCE_TYPE) |
Service-linked | Created and owned by another AWS service (for example Security Hub); you can see them but cannot edit or delete them |
Triggering
Trigger Type | Description |
---|---|
Periodic | Every 1h, 3h, 6h, 12h or 24h |
Configuration change | Runs when a configuration item for a resource in the rule's scope is recorded |
On demand | Via API call (StartConfigRulesEvaluation) or the console |
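The flow described above (change recorded, Lambda evaluates, result reported back to Config) and the Custom row of the rule-type table come together in a custom rule's Lambda function. The following is an added example, not code from the original notes or from AWS: a change-triggered rule that enforces an instance-type allow list, the "wrong instance type" case from the general notes. The event shape (invokingEvent and ruleParameters as JSON strings, resultToken, eventLeftScope) is what Config hands a custom Lambda rule; the parameter name allowedInstanceTypes, the sample instance ID and the sample event are assumptions of this example, and boto3 is only needed for the final PutEvaluations call.

```python
"""Custom AWS Config rule: an EC2 instance is compliant only if its instanceType
is on an allow list supplied through the rule's parameters.

Added example for these notes, not AWS code. The parameter name
allowedInstanceTypes and sample_event() are assumptions of this example.
"""
import json
from typing import Any, Optional

EC2_INSTANCE = "AWS::EC2::Instance"


def allowed_types(rule_parameters: Optional[str]) -> set[str]:
    """ruleParameters arrives as a JSON string; 'allowedInstanceTypes' is this example's own parameter name."""
    params = json.loads(rule_parameters) if rule_parameters else {}
    return {t.strip() for t in params.get("allowedInstanceTypes", "").split(",") if t.strip()}


def evaluate(ci: dict[str, Any], allowed: set[str]) -> dict[str, Any]:
    """Turn one configuration item into the Evaluation structure PutEvaluations expects."""
    base = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    # Out-of-scope and deleted resources must still be reported, or Config keeps the previous verdict.
    if ci["resourceType"] != EC2_INSTANCE or ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return {**base, "ComplianceType": "NOT_APPLICABLE"}
    instance_type = (ci.get("configuration") or {}).get("instanceType")
    if instance_type in allowed:
        return {**base, "ComplianceType": "COMPLIANT"}
    annotation = f"instanceType {instance_type} is not in the allowed set {sorted(allowed)}"
    return {**base, "ComplianceType": "NON_COMPLIANT", "Annotation": annotation[:256]}  # Annotation is capped at 256 chars


def evaluate_event(event: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Pure part of the handler: the evaluation, or None when the trigger carries no configuration item."""
    invoking = json.loads(event["invokingEvent"])
    msg_type = invoking.get("messageType")
    if msg_type == "ScheduledNotification":
        # Periodic trigger: no configuration item is attached; a periodic rule enumerates resources itself.
        return None
    if msg_type == "OversizedConfigurationItemChangeNotification":
        # Config omits the item when it is too large; it has to be fetched with GetResourceConfigHistory.
        raise ValueError("configuration item omitted for size; fetch it with get_resource_config_history")
    evaluation = evaluate(invoking["configurationItem"], allowed_types(event.get("ruleParameters")))
    if event.get("eventLeftScope"):
        evaluation["ComplianceType"] = "NOT_APPLICABLE"  # resource left the rule's scope (e.g. deleted)
    return evaluation


def lambda_handler(event: dict[str, Any], context: Any) -> None:
    import boto3  # imported here so the evaluation logic stays runnable without AWS credentials

    evaluation = evaluate_event(event)
    if evaluation is not None:
        boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])


def sample_event(instance_type: str, resource_type: str = EC2_INSTANCE, status: str = "OK",
                 message_type: str = "ConfigurationItemChangeNotification") -> dict[str, Any]:
    """Constructed Config invocation, shaped like the real one, for offline runs."""
    return {
        "invokingEvent": json.dumps({
            "messageType": message_type,
            "configurationItem": {
                "resourceType": resource_type,
                "resourceId": "i-0123456789abcdef0",
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2024-05-01T10:15:00.000Z",
                "configuration": {"instanceType": instance_type},
            },
        }),
        "ruleParameters": json.dumps({"allowedInstanceTypes": "t3.micro, t3.small"}),
        "resultToken": "TESTMODE",
        "eventLeftScope": False,
    }


if __name__ == "__main__":
    for itype in ("t3.micro", "m5.4xlarge"):
        print(json.dumps(evaluate_event(sample_event(itype)), indent=2))
```

Reporting NOT_APPLICABLE for deleted and out-of-scope resources matters in practice: a rule that simply returns nothing for them leaves stale NON_COMPLIANT verdicts in the dashboard.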
- Remediation
  - If a resource becomes non-compliant, it can be corrected automatically (or after manual approval) by a Systems Manager Automation document attached to the rule as a remediation action, with alerts via SNS
  - Config provides conformance packs, a structure that groups a set of rules under a unique name
  - A conformance pack is described by a YAML template that lists the rules and their remediation actions
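A conformance pack that puts the pieces above together, as an added example (not from the notes, nor one of AWS's sample packs): two managed rules plus an automatic remediation that runs the Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup whenever restricted-ssh flags a group. The account ID, the role name ConfigRemediationRole and the allowed instance types are placeholders.

```yaml
# Added example conformance pack. Account ID, role name and allowed instance types are placeholders.
Resources:
  DesiredInstanceType:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: desired-instance-type
      Description: Flag EC2 instances whose type is not on the approved list
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: DESIRED_INSTANCE_TYPE
      InputParameters:
        instanceType: t3.micro,t3.small,m6i.large
  RestrictedSsh:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Description: Security groups must not allow unrestricted inbound SSH
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
  RestrictedSshRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: restricted-ssh
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisablePublicAccessForSecurityGroup
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        GroupId:
          ResourceValue:
            Value: RESOURCE_ID   # the non-compliant resource's ID is passed to the document
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::111122223333:role/ConfigRemediationRole
```

Deploy it with `aws configservice put-conformance-pack --conformance-pack-name baseline --template-body file://baseline.yaml`. The remediation role must be assumable by Systems Manager and allowed to revoke security group ingress; set Automatic to false first if you want to approve remediations by hand while the rule settles in.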