Resource Management in AWS Config

Overview

AWS Config records the configuration of supported AWS resources, and the relationships between them, and keeps that record as a history over time. Use it to maintain a resource inventory, see what changed and when, and evaluate resources against configuration standards. It records resource state, not API calls: the question of who made a change is answered by CloudTrail, not by AWS Config.

Core Components of AWS Config:

  1. AWS Resources: AWS Config tracks entities such as EC2 instances, security groups, VPCs, and EBS volumes. Resources are identified using resource IDs or ARNs. Only resource types that AWS Config supports are recorded; anything else is invisible to it, so check the supported-type list before relying on Config for coverage.

  2. Resource Relationships: AWS Config maps the relationships between resources (e.g., an EBS volume attached to an EC2 instance within a specific security group).

Configuration Recorder:

  • Purpose: Records configuration changes for supported resources, producing a configuration item for each change it detects.

  • Customization: Record all supported resource types, or an explicit list. There is one recorder per account per region, and recording is regional; global resource types such as IAM should be included in only one region to avoid duplicate records.

  • Lifecycle: Start, stop, and restart recording as needed. Nothing is recorded while the recorder is stopped, so a recorder that has been stopped is itself a finding worth alerting on.

Delivery Channels:

A delivery channel tells AWS Config where to write its output. An S3 bucket is required and an SNS topic is optional:

  • Amazon S3: Stores the configuration history files and snapshots. The bucket policy must allow the AWS Config service principal to write to it, and because the bucket is the evidence trail, read access should be limited to that principal and to auditing roles.

  • Amazon SNS: Publishes a notification for each configuration change and delivery event.

Configuration Items and History:

  • Configuration Item: A point-in-time view of a resource’s attributes (e.g., metadata, relationships).

  • Configuration History: Tracks changes over time to answer when and how a resource was modified.

Configuration Snapshot:

  • A snapshot is a complete view of all recorded resource configurations at a given time, delivered to the S3 bucket on demand or on a schedule; it is the natural input for audits and for validating the inventory.
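As an added example (not code from AWS or from this page), the following Python walks a constructed configuration snapshot to answer the relationship questions above (what is attached to a given resource, and how far a change would reach) and diffs two configuration items from a resource's history to show when and how it changed. All configuration items, IDs and relationship names are constructed for the example, and `make_item`, `related_resources`, `diff_configuration` and `summarize_history` are this example's own helpers, not AWS APIs.

```python
# Added example, not code from the AWS Config documentation: index the
# relationships in a configuration snapshot and diff the configuration items
# in one resource's history. Every configuration item below is constructed
# for this example (made-up IDs), following the field names of real items.
import json
from collections import defaultdict, deque

def make_item(rtype, rid, captured, configuration, relationships, status="OK"):
    """Build a configuration item with the fields this example reads."""
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": captured, "configurationItemStatus": status,
            "configuration": configuration,
            "relationships": [{"resourceType": t, "resourceId": i, "name": n}
                              for t, i, n in relationships]}

INSTANCE, SG, VOLUME, VPC = ("i-0abc1234def567890", "sg-0aaa111bbb222ccc3",
                             "vol-0123456789abcdef0", "vpc-0fedcba9876543210")
HTTPS_FROM_CORP = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                   "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}
SSH_FROM_ANYWHERE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}

# Constructed snapshot: one configuration item per recorded resource.
SNAPSHOT = [
    make_item("AWS::EC2::Instance", INSTANCE, "2024-05-01T10:00:00.000Z",
              {"instanceType": "t3.micro", "state": {"name": "running"}},
              [("AWS::EC2::SecurityGroup", SG, "Is associated with SecurityGroup"),
               ("AWS::EC2::Volume", VOLUME, "Is attached to Volume"),
               ("AWS::EC2::VPC", VPC, "Is contained in Vpc")]),
    make_item("AWS::EC2::SecurityGroup", SG, "2024-05-01T10:00:00.000Z",
              {"groupName": "web", "ipPermissions": [HTTPS_FROM_CORP]},
              [("AWS::EC2::Instance", INSTANCE, "Is associated with Instance"),
               ("AWS::EC2::VPC", VPC, "Is contained in Vpc")]),
    make_item("AWS::EC2::Volume", VOLUME, "2024-05-01T10:00:00.000Z",
              {"encrypted": True, "size": 8},
              [("AWS::EC2::Instance", INSTANCE, "Is attached to Instance")]),
]

# Constructed history for the security group: the snapshot's item, plus the
# item recorded two days later after SSH from anywhere was added.
SG_HISTORY = [
    make_item("AWS::EC2::SecurityGroup", SG, "2024-05-03T18:42:10.000Z",
              {"groupName": "web", "ipPermissions": [HTTPS_FROM_CORP, SSH_FROM_ANYWHERE]},
              [("AWS::EC2::Instance", INSTANCE, "Is associated with Instance")]),
    SNAPSHOT[1],
]

def build_graph(snapshot):
    """Undirected adjacency over (resourceType, resourceId) built from every item's relationships."""
    graph = defaultdict(set)
    for ci in snapshot:
        node = (ci["resourceType"], ci["resourceId"])
        for rel in ci.get("relationships", []):
            other = (rel["resourceType"], rel["resourceId"])
            graph[node].add(other)
            graph[other].add(node)
    return graph

def related_resources(snapshot, rtype, rid, max_depth=2):
    """Breadth-first walk over relationships up to max_depth hops: the blast radius of a change."""
    graph, start = build_graph(snapshot), (rtype, rid)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in (graph[node] if depth < max_depth else ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return sorted(seen - {start})

def _canon(value):
    return json.dumps(value, sort_keys=True, separators=(",", ":"))

def diff_configuration(old, new, path=""):
    """Structural diff of two `configuration` blocks; lists compare as sets so reordering is not a change."""
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changes.append((sub, "added", new[key]))
            elif key not in new:
                changes.append((sub, "removed", old[key]))
            else:
                changes.extend(diff_configuration(old[key], new[key], sub))
    elif isinstance(old, list) and isinstance(new, list):
        old_items = {_canon(v): v for v in old}
        new_items = {_canon(v): v for v in new}
        for k in sorted(new_items.keys() - old_items.keys()):
            changes.append((path, "added", new_items[k]))
        for k in sorted(old_items.keys() - new_items.keys()):
            changes.append((path, "removed", old_items[k]))
    elif old != new:
        changes.append((path, "changed", (old, new)))
    return changes

def summarize_history(history):
    """Order a resource's configuration items by capture time and report what changed between each pair."""
    items = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    return [{"when": cur["configurationItemCaptureTime"],
             "status": cur["configurationItemStatus"],
             "changes": diff_configuration(prev["configuration"], cur["configuration"])}
            for prev, cur in zip(items, items[1:])]
```

Real items come from the snapshot and history files in the delivery bucket or from the GetResourceConfigHistory API; in API responses the `configuration` field arrives as a JSON-encoded string and must be parsed before it can be diffed like this.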

Configuration Stream:

  • A near-real-time feed of configuration items, published to the delivery channel's SNS topic as each change is recorded; subscribe a queue or a function to it for event-driven monitoring.

AWS Config Rules:

  • Managed Rules: Predefined rules maintained by AWS, covering common checks such as unencrypted EBS volumes or publicly readable S3 buckets.

  • Custom Rules: User-defined rules, implemented either as a Lambda function (Custom Lambda rules) or in the AWS CloudFormation Guard policy language (Custom Policy rules).

  • Evaluation Modes:

    • Proactive: Evaluates the intended configuration of a resource before it is created or updated, so a non-compliant definition can be rejected up front.

    • Detective: Evaluates resources that are already deployed and reports each as COMPLIANT or NON_COMPLIANT.

Trigger Types for Rule Evaluations:

  • Configuration Changes: Triggered by changes to tracked resources.

  • Periodic: Evaluations run at a fixed interval you choose (1, 3, 6, 12, or 24 hours) whether or not anything changed; this is how checks on account-level state that has no single resource to watch, such as whether CloudTrail is enabled, get evaluated.

  • Hybrid: Combines both change-based and periodic triggers.
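The custom Lambda rule and trigger-type handling described above, as an added example that is not AWS's code: a change-triggered rule that flags security groups with world-open ingress on administrative ports. The rule parameter name `blockedPorts`, the sample event and all identifiers are this example's own assumptions; the event shape (`invokingEvent`, `ruleParameters`, `resultToken`, the `messageType` values) and the PutEvaluations fields are those AWS Config uses for custom Lambda rules.

```python
# Added example, not code from the AWS Config documentation: a custom Lambda
# rule that marks a security group NON_COMPLIANT when an ingress rule admits
# 0.0.0.0/0 or ::/0 on a port listed in the (made-up) rule parameter
# blockedPorts. SAMPLE_EVENT is constructed to match the shape AWS Config
# sends to a custom Lambda rule; its IDs and result token are invented.
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}

def _covers_port(perm, port):
    """True if an ipPermissions entry covers `port`; protocol -1 means all traffic."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def _world_open_cidrs(perm):
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]

def evaluate_compliance(item, rule_parameters):
    """Pure evaluation of one configuration item: returns (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource was deleted"
    blocked = [int(p) for p in rule_parameters.get("blockedPorts", "22,3389").split(",")]
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        hit = [str(p) for p in blocked if _covers_port(perm, p)]
        findings += [f"{cidr} -> {','.join(hit)}" for cidr in _world_open_cidrs(perm) if hit]
    if findings:
        return "NON_COMPLIANT", ("World-open ingress: " + "; ".join(findings))[:256]  # 256-char limit
    return "COMPLIANT", "No world-open ingress on blocked ports"

def build_evaluation(event):
    """Map one invocation to the Evaluation entry for PutEvaluations, or None if there is nothing to report."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    kind = invoking.get("messageType")
    if kind == "ScheduledNotification":
        # Periodic trigger: no configuration item is attached. A periodic rule
        # must enumerate resources itself (e.g. Config's list_discovered_resources)
        # and emit one evaluation per resource; this rule is change-triggered only.
        return None
    if kind == "OversizedConfigurationItemChangeNotification":
        # The item exceeded the notification size limit and only a summary was
        # sent; fetch the full item. Needs AWS credentials, so not exercised offline.
        import boto3
        summary = invoking["configurationItemSummary"]
        resp = boto3.client("config").get_resource_config_history(
            resourceType=summary["resourceType"], resourceId=summary["resourceId"], limit=1)
        item = resp["configurationItems"][0]
        if isinstance(item.get("configuration"), str):  # the API returns it JSON-encoded
            item["configuration"] = json.loads(item["configuration"])
    else:
        item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item, params)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point: evaluate, then report using the result token Config issued for this invocation."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"evaluated": 0}
    import boto3  # imported here so the evaluation logic is testable without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return {"evaluated": 1, "compliance": evaluation["ComplianceType"]}

# Constructed invocation: a change notification for a group that allows
# HTTPS from a private range and SSH from anywhere.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaa111bbb222ccc3",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-05-03T18:42:10.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_ITEM}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "constructed-result-token",
}
```

To deploy this as a rule, the function's execution role needs `config:PutEvaluations`, the function's resource policy must allow `config.amazonaws.com` to invoke it, and the rule is created with the Lambda ARN as its source and `blockedPorts` as an input parameter. A hybrid rule would take the `ScheduledNotification` branch as well, enumerating security groups on each periodic run instead of returning early.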

Conformance Packs:

  • Definition: A collection of rules and remediation actions deployed as a single entity.

  • Customization: Use YAML templates to create custom conformance packs for specific compliance needs.

  • Process Checks: Rules that track manual or external tasks (for example, a periodic access review) which someone marks compliant once the task has been verified, so that evidence for non-technical controls lives alongside the automated checks.

Multi-Account Multi-Region Data Aggregation:

  • Aggregator Account: Centralizes data from multiple source accounts and regions for monitoring.

  • Source Account and Region: Provide resource data for aggregation.

  • Authorization: Each source account must explicitly authorize the aggregator account and region, unless the aggregator is built on AWS Organizations, in which case the organization's management account or a delegated administrator can aggregate without per-account authorization.
