AWS Config provides the following services:
- Assesses and retrieves configurations of AWS resources and produces snapshots of current configurations.
- Evaluates AWS resource configurations against rules for desired settings and sends notifications when resources are modified.
- Shows relevant relationships between resources to help with security analysis and troubleshooting.
5. Assess
Retrieves configurations of one or more resources that exist in your account
Retrieves historical configurations of one or more resources
Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
10. Foundational Element of Security
Inventory and Configuration Management
• What is currently out there?
• What is the latest configuration state of my resources?
• What relationships exist between my resources?
• What configuration changes occurred in the last ‘X’ number of days?
• Which EC2 instances are built on top of a particular machine image?
12. Retrieve configurations of one or more resources
Retrieve historical configurations of one or more resources
Produce a snapshot of the current configurations of the supported resources
Evaluate your AWS resource configurations for desired settings
Send notifications whenever a resource is created, modified or deleted
Show relevant relationships between resources
14. Amazon EC2 Systems Manager, AWS Organizations, AWS CloudTrail, Application Load Balancer, Amazon EC2 Dedicated Host
AWS Config integrates with AWS CloudTrail to correlate configuration changes to particular events in your account.
AWS Config integrates with AWS Systems Manager to record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment.
Config records when instances are launched, stopped, or terminated on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets and physical cores.
Config records changes to your ALBs and also includes relationships with associated EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting.
You can use AWS Organizations to define the accounts to use for AWS Config’s multi-account, multi-region data aggregation capability.
15. Rules represent your ideal configuration settings
Use pre-built rules by AWS
Build your own rules using AWS Lambda
Invoked automatically for continual assessment
Use the dashboard for visualizing compliance and identifying offending changes
• 60+ prebuilt rules by AWS
• Custom rules by Lambda
• GitHub repo: Community Sourced Rules
16. For Compute there are 22 pre-defined rules available including:
• ec2-managedinstance-applications-required
• encrypted-volumes
For IAM there are 14 pre-defined rules available including:
• iam-group-has-users
• iam-user-group-membership-check
• root-account-mfa-enabled
17. Rules are triggered in 1 of 2 ways:
Triggered by changes
Triggered by time (e.g. every 3 hours)
Triggering Rules
Configuration Item
All configuration attributes for a given resource at a given point in time, captured at every configuration change.
18. Configuration Item
Components of a configuration item (Component: Description. Contains):
Metadata: information about this configuration item. Contains: version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5 hash, etc.
Common Attributes: resource attributes. Contains: resource ID, tags, resource type, ARN, Availability Zone, etc.
Relationships: how the resource is related to other resources in the account. Example: EBS volume vol-1234567 is attached to instance EC2-a1b2c3d4.
Current Configuration: information returned through a call to the Describe or List API of the resource. Example: for an EBS volume, the state of the DeleteOnTermination flag and the type of volume (for example gp2, io1 or standard).
Related Events: the AWS CloudTrail events that are related to the current configuration item. Contains: AWS CloudTrail ID.
19. There is a rule development kit (RDK) from Amazon available on GitHub to help you get started writing custom rules:
https://github.com/awslabs/aws-config-rdk
There are also a number of predefined rules whose example code you can see at:
https://github.com/awslabs/aws-config-rules
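As an added example (not code from this deck, the RDK or the aws-config-rules repository), a minimal Python custom rule of the kind slides 15 and 17 describe: it parses a change-triggered invoking event, reads the configuration item fields listed in slide 18, and reports whether an EBS volume is encrypted and of an allowed type. The sample event, the rule parameter name allowedVolumeTypes and the result token are constructed placeholders.

```python
import json

# Constructed sample event shaped like AWS Config's change-triggered invocation of a custom rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-1234567",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "volumeType": "gp2"},
        },
    }),
    "ruleParameters": json.dumps({"allowedVolumeTypes": "gp2,gp3"}),
    "resultToken": "placeholder-result-token",
}

def evaluate_compliance(ci, params):
    # Deleted resources and out-of-scope resource types are not evaluated.
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    conf = ci.get("configuration") or {}
    allowed = {t.strip() for t in params.get("allowedVolumeTypes", "").split(",") if t.strip()}
    if not conf.get("encrypted", False):
        return "NON_COMPLIANT"          # unencrypted EBS volume
    if allowed and conf.get("volumeType") not in allowed:
        return "NON_COMPLIANT"          # volume type outside the allow-list parameter
    return "COMPLIANT"

def build_evaluation(event):
    # invokingEvent and ruleParameters arrive as JSON strings inside the event.
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci, params),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }

def lambda_handler(event, context, config_client=None):
    # Lambda entry point: report the result to AWS Config via PutEvaluations.
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

The Lambda's execution role needs config:PutEvaluations for the final call; with the sample event the volume is reported NON_COMPLIANT because it is unencrypted.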
Editor's Notes
This comes from the AWS CAF (or Cloud Adoption Framework)
This allows you to quickly get progress updates across all of your migrations, easily identify and troubleshoot any issues, and reduce the overall time and effort spent on your migration projects.
Even though you access the hub console from Oregon, you can move into any region as long as the migration tool supports it.
The first thing you need to do is understand what a configuration item is.