AWS Config

Overview

AWS Config provides a detailed view of AWS resource configurations and tracks changes over time to help monitor compliance and relationships between resources.

Key Components of AWS Config:

  1. Resource Discovery and Tracking:

    • AWS Config discovers and records configuration items for AWS resources in your account.

    • It tracks changes using Describe or List API calls and stores configuration history.

    • Configuration items are created for any supported resource changes, even those not triggered by API calls.

  2. AWS Config Rules:

    • Rules continuously evaluate resources for compliance based on desired configurations.

    • Each rule is associated with a Lambda function that returns the compliance status.

    • Noncompliant resources trigger notifications via Amazon SNS.
Delivery of Configuration Data:

  1. Amazon S3:

    • AWS Config sends configuration history files every six hours to an S3 bucket.

    • Configuration snapshots provide the complete configuration of all resources on demand.

    • Data is stored in JSON format, and lifecycle policies can manage archive and deletion.

  2. Amazon SNS:

    • SNS topics send notifications about configuration changes, compliance, and delivery status.

    • Example message types include:

      • ComplianceChangeNotification: Indicates compliance status change for a resource.

      • ConfigurationSnapshotDeliveryCompleted: Confirms delivery of a snapshot to S3.

      • ConfigurationItemChangeNotification: Alerts when a resource is created, modified, or deleted.

    • For large configuration items, oversized notifications are summarized, and full data is stored in S3.
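As an added example (not code from the original page), a small triage routine for the SNS message types listed above, including the oversized case where only a summary arrives and the full item must be read from S3. The sample messages are constructed, and the field names used (newEvaluationResult, configurationItemDiff, s3DeliverySummary, s3ObjectKey) are assumed to follow AWS's published notification format rather than taken from this page.

```python
import json

# Constructed sample SNS message bodies, one per message type discussed above.
# Field names are assumed from AWS's documented notification format.
SAMPLE_MESSAGES = [
    json.dumps({
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "evaluationResultIdentifier": {"evaluationResultQualifier": {
                "configRuleName": "s3-bucket-public-read-prohibited",
                "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket"}}},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"}}),
    json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::SecurityGroup",
                              "resourceId": "sg-0123456789abcdef0",
                              "configurationItemStatus": "OK"},
        "configurationItemDiff": {"changeType": "UPDATE"}}),
    json.dumps({
        "messageType": "OversizedConfigurationItemChangeNotification",
        "configurationItemSummary": {"resourceType": "AWS::IAM::Policy",
                                     "resourceId": "ANPAEXAMPLEID"},
        "s3DeliverySummary": {"s3BucketLocation": "s3://example-config-bucket/oversized/item.json.gz"}}),
    json.dumps({"messageType": "ConfigurationSnapshotDeliveryCompleted",
                "s3ObjectKey": "AWSLogs/111122223333/Config/us-east-1/snapshot.json.gz"}),
]

def triage(raw):
    """Classify one AWS Config SNS message body into (severity, summary)."""
    msg = json.loads(raw)
    kind = msg.get("messageType", "Unknown")
    if kind == "ComplianceChangeNotification":
        new = msg["newEvaluationResult"]
        q = new["evaluationResultIdentifier"]["evaluationResultQualifier"]
        old = msg.get("oldEvaluationResult") or {}
        # Only a transition INTO non-compliance is worth paging on; repeats are noise.
        flipped = new["complianceType"] == "NON_COMPLIANT" and old.get("complianceType") != "NON_COMPLIANT"
        return ("ALERT" if flipped else "INFO"), f"{q['configRuleName']}: {q['resourceType']} {q['resourceId']} -> {new['complianceType']}"
    if kind == "ConfigurationItemChangeNotification":
        ci = msg["configurationItem"]
        change = msg.get("configurationItemDiff", {}).get("changeType", "UNKNOWN")
        # Deletions of tracked resources get a closer look (simple policy chosen for this example).
        return ("ALERT" if change == "DELETE" else "INFO"), f"{change} {ci['resourceType']} {ci['resourceId']}"
    if kind == "OversizedConfigurationItemChangeNotification":
        ci = msg["configurationItemSummary"]
        # The notification carries only a summary; the full configuration item is in S3.
        return "FETCH", f"{ci['resourceType']} {ci['resourceId']} full item at {msg['s3DeliverySummary']['s3BucketLocation']}"
    if kind == "ConfigurationSnapshotDeliveryCompleted":
        return "INFO", f"snapshot delivered: {msg.get('s3ObjectKey', '?')}"
    return "UNKNOWN", kind
```

In a real subscriber (for example a Lambda function behind the SNS topic) you would call triage on each record's Message body and route ALERT and FETCH results to your case or ticketing system.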

Control Access to AWS Config:

  • Use IAM roles, permission sets, or identity federation to provide access.

  • Best practices include:

    • IAM Identity Center: Create permission sets for access management.

    • Identity Federation: Use roles with third-party identity providers.

    • IAM Users: Assign roles for users to assume for AWS Config management.

Usage and Considerations:

  • AWS Config evaluates resource changes in near real-time or at scheduled intervals.

  • Evaluation is best-effort and may be delayed; if delays persist, AWS Support can investigate using the AWS Config metrics published to CloudWatch.

  • AWS Config is configured per Region, so enable it in every Region whose resources you need to track.
