Resource Management in AWS Config

Overview

AWS Config provides a detailed view of AWS resources, tracking their configuration and relationships over time. This helps manage resource inventory, monitor changes, and ensure compliance with configuration standards.

Core Components of AWS Config:

  1. AWS Resources: AWS Config tracks entities such as EC2 instances, security groups, VPCs, and EBS volumes. Resources are identified using resource IDs or ARNs.

  2. Resource Relationships: AWS Config maps the relationships between resources (e.g., an EBS volume attached to an EC2 instance within a specific security group).

Configuration Recorder:

  • Purpose: Records configuration changes for supported resources.

  • Customization: You can choose which resources to track.

  • Lifecycle: Start, stop, and restart recording as needed.

Delivery Channels:

AWS Config sends configuration updates through:

  • Amazon S3: Stores configuration history and snapshots.

  • Amazon SNS: Sends notifications on configuration changes.

Configuration Items and History:

  • Configuration Item: A point-in-time view of a resource’s attributes (e.g., metadata, relationships).

  • Configuration History: Tracks changes over time to answer when and how a resource was modified.
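To make the "when and how" concrete, here is an added example (not from this page or from AWS) that walks a single security group's configuration items the way you would when reading them out of the S3 history files: sort by capture time, diff each consecutive pair, and ask when a given attribute first changed. The three configuration items are constructed for the illustration and trimmed to the fields the code reads; the `ABSENT` marker and the `[+]`/`[-]` path suffixes are conventions of this example, not of AWS Config.

```python
"""Walk one resource's AWS Config configuration history and report what changed, and when.

Added example: the three configuration items below are constructed for this illustration and
trimmed to the fields that this code reads from AWS Config history/snapshot files.
"""

ABSENT = "<absent>"  # marker for a key or list element present on only one side of a diff
TRACKED = ("configuration", "relationships", "tags")  # item sections whose changes we report

HTTPS_RULE = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}
SSH_RULE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}
VPC_REL = {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0abc", "relationshipName": "Is contained in Vpc"}
INSTANCE_REL = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0fed",
                "relationshipName": "Is associated with Instance"}


def configuration_item(captured_at, status, rules, relationships, tags):
    """Build a constructed configuration item for the same (constructed) security group."""
    return {
        "configurationItemCaptureTime": captured_at,
        "configurationItemStatus": status,  # ResourceDiscovered, OK, ResourceDeleted, ...
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "awsRegion": "us-east-1",
        "configuration": {"groupName": "web-sg", "ipPermissions": rules},
        "relationships": relationships,
        "tags": tags,
    }


SAMPLE_HISTORY = [  # deliberately out of order: never assume history files arrive sorted
    configuration_item("2024-05-01T11:15:00.000Z", "OK", [HTTPS_RULE],
                       [VPC_REL, INSTANCE_REL], {"env": "prod", "owner": "platform-team"}),
    configuration_item("2024-05-01T10:00:00.000Z", "ResourceDiscovered", [HTTPS_RULE],
                       [VPC_REL], {"env": "prod"}),
    configuration_item("2024-05-01T10:30:00.000Z", "OK", [HTTPS_RULE, SSH_RULE],
                       [VPC_REL, INSTANCE_REL], {"env": "prod"}),
]


def diff_values(old, new, path=""):
    """Yield (path, old, new) for every leaf that differs between two JSON-like values.

    Dicts are compared key by key; lists by membership, so an added or removed element is
    reported as path[+] / path[-] regardless of its position in the list."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else key
            yield from diff_values(old.get(key, ABSENT), new.get(key, ABSENT), child)
    elif isinstance(old, list) and isinstance(new, list):
        for element in old:
            if element not in new:
                yield (f"{path}[-]", element, ABSENT)
        for element in new:
            if element not in old:
                yield (f"{path}[+]", ABSENT, element)
    elif old != new:
        yield (path, old, new)


def configuration_history(items):
    """Order a resource's items by capture time and return one change record per transition."""
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    records = []
    for previous, current in zip(ordered, ordered[1:]):
        before = {section: previous[section] for section in TRACKED}
        after = {section: current[section] for section in TRACKED}
        records.append({
            "capturedAt": current["configurationItemCaptureTime"],
            "status": current["configurationItemStatus"],
            "changes": list(diff_values(before, after)),
        })
    return records


def first_change_at(records, path_prefix):
    """Capture time of the earliest transition touching path_prefix, or None if it never changed."""
    for record in records:
        if any(path.startswith(path_prefix) for path, _, _ in record["changes"]):
            return record["capturedAt"]
    return None


if __name__ == "__main__":
    history = configuration_history(SAMPLE_HISTORY)
    for record in history:
        print(record["capturedAt"], record["status"])
        for path, old, new in record["changes"]:
            print(f"  {path}: {old} -> {new}")
    print("ingress rules first changed at", first_change_at(history, "configuration.ipPermissions"))
```

Comparing lists by membership rather than by index matters for fields like `ipPermissions` and `relationships`, where AWS Config gives no ordering guarantee; an index-based diff would report a reordered list as a change and hide the real one.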

Configuration Snapshot:

  • A snapshot provides a complete view of resource configurations at a given time, useful for audits and validation.

Configuration Stream:

  • A real-time stream of configuration changes, delivered through an SNS topic so that downstream consumers can react to changes as they happen (event-driven monitoring).

AWS Config Rules:

  • Managed Rules: Predefined rules by AWS.

  • Custom Rules: User-defined rules, implemented either as Lambda functions or as policies written in the AWS CloudFormation Guard policy language.

  • Evaluation Modes:

    • Proactive: Evaluates resources before deployment.

    • Detective: Evaluates deployed resources for compliance.

Trigger Types for Rule Evaluations:

  • Configuration Changes: Triggered by changes to tracked resources.

  • Periodic: Evaluations occur at user-defined intervals (e.g., every 24 hours).

  • Hybrid: Combines both change-based and periodic triggers.
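The following is an added example of a Lambda-backed custom rule, written for this page rather than taken from it or from AWS. It shows the shape of a change-triggered invocation: AWS Config passes the configuration item inside a JSON-encoded `invokingEvent`, the rule decides `COMPLIANT`, `NON_COMPLIANT` or `NOT_APPLICABLE`, and reports the result back with `PutEvaluations` using the `resultToken` from the event. It also shows the two paths a rule must handle besides the normal one: a resource that was deleted or left scope (`eventLeftScope`), and a periodic `ScheduledNotification`, which carries no configuration item. The security groups, account id, rule name and result token are constructed; `RecordingConfigClient` is a stand-in for the boto3 Config client so the code runs offline, and the sample items use a simplified `ipRanges` list of CIDR strings.

```python
"""Custom AWS Config rule (Lambda handler) flagging security groups that are world-reachable
on ports outside an allow-list. Added example; the configuration items, account id, rule name
and result token are constructed for illustration.
"""
import json


def ports_in_range(permission):
    """Ports covered by one ipPermissions entry; None means all traffic (ipProtocol -1)."""
    if permission.get("ipProtocol") == "-1" or permission.get("fromPort") is None:
        return None
    return set(range(permission["fromPort"], permission["toPort"] + 1))


def evaluate_security_group(configuration_item, allowed_ports):
    """Return (ComplianceType, Annotation) for a single security group configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::SecurityGroup"
    offending = []
    for perm in configuration_item["configuration"].get("ipPermissions", []):
        # Simplified: real items also carry CIDRs as {"cidrIp": ...} objects under ipv4Ranges.
        world_open = "0.0.0.0/0" in perm.get("ipRanges", []) or "::/0" in perm.get("ipv6Ranges", [])
        if not world_open:
            continue
        ports = ports_in_range(perm)
        if ports is None or not ports <= allowed_ports:
            offending.append("all" if ports is None else f"{perm['fromPort']}-{perm['toPort']}")
    if offending:
        return "NON_COMPLIANT", "World-reachable ingress on ports: " + ", ".join(offending)
    return "COMPLIANT", "No world-reachable ingress outside the allowed ports"


def lambda_handler(event, context, config_client=None):
    """Entry point AWS Config invokes. config_client is injectable so the rule runs offline."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event["messageType"] == "ScheduledNotification":
        # Periodic trigger: no configuration item is attached. A real rule would enumerate the
        # resources itself (for example with config:SelectResourceConfig) and evaluate each one.
        return []
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed_ports = {int(p) for p in params.get("allowedPorts", "443").split(",") if p.strip()}
    if event.get("eventLeftScope"):
        compliance, annotation = "NOT_APPLICABLE", "Resource was deleted or left the rule's scope"
    else:
        compliance, annotation = evaluate_security_group(item, allowed_ports)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed inside Lambda; imported lazily so the demo runs without it
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client (constructed for this example)."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def sample_item(group_id, permissions):
    """Constructed configuration item, trimmed to the fields this rule reads."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": group_id,
        "configurationItemCaptureTime": "2024-05-01T10:30:00.000Z",
        "configuration": {"ipPermissions": permissions},
    }


OPEN_SSH_SG = sample_item("sg-0aaa", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
])
HTTPS_ONLY_SG = sample_item("sg-0bbb", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
])


def change_event(configuration_item, left_scope=False):
    """Event AWS Config delivers for a change-triggered evaluation (values constructed)."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": configuration_item}),
        "ruleParameters": json.dumps({"allowedPorts": "443"}),
        "resultToken": "constructed-result-token",
        "eventLeftScope": left_scope,
        "configRuleName": "sg-world-open-ports-check",
        "accountId": "111122223333",
    }


if __name__ == "__main__":
    client = RecordingConfigClient()
    for sg in (OPEN_SSH_SG, HTTPS_ONLY_SG):
        for ev in lambda_handler(change_event(sg), None, config_client=client):
            print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

Two caveats a practitioner should keep in mind: a change notification whose item exceeds the size limit arrives as `OversizedConfigurationItemChangeNotification` without the item embedded, so a production rule must fetch it with `GetResourceConfigHistory` before evaluating; and a hybrid rule is simply one that handles both the change path and the scheduled path above.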

Conformance Packs:

  • Definition: A collection of rules and remediation actions deployed as a single entity.

  • Customization: Use YAML templates to create custom conformance packs for specific compliance needs.

  • Process Checks: Track internal and external tasks that require verification.
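As an added illustration of the YAML template format (constructed for this page, not an AWS-published pack), the conformance pack below bundles a change-triggered managed rule, a periodic managed rule, a process check and a remediation action into one deployable unit. The rule names and the remediation role ARN are placeholders; the managed rule identifiers `RESTRICTED_INCOMING_TRAFFIC`, `CLOUD_TRAIL_ENABLED` and `AWS_CONFIG_PROCESS_CHECK`, and the SSM document `AWS-DisablePublicAccessForSecurityGroup`, are AWS-provided.

```yaml
# Constructed conformance pack template (added example, not from the page).
Resources:
  RestrictedCommonPorts:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-common-ports
      Description: Security groups must not allow unrestricted ingress on the blocked ports.
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC   # change-triggered managed rule
      InputParameters:
        blockedPort1: "22"
        blockedPort2: "3389"
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup

  CloudTrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudtrail-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
      MaximumExecutionFrequency: TwentyFour_Hours      # periodic trigger

  QuarterlyAccessReview:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: quarterly-iam-access-review
      Description: Process check; compliance is reported manually rather than evaluated by Config.
      Source:
        Owner: AWS
        SourceIdentifier: AWS_CONFIG_PROCESS_CHECK

  RestrictedCommonPortsRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: restricted-common-ports
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisablePublicAccessForSecurityGroup
      Automatic: false                                 # an operator approves each remediation
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::111122223333:role/ConfigRemediationRole   # placeholder ARN
        GroupId:
          ResourceValue:
            Value: RESOURCE_ID
```

The pack is deployed as one object, for example with `aws configservice put-conformance-pack --conformance-pack-name <name> --template-body file://pack.yaml`; keeping `Automatic: false` on the remediation means a non-compliant security group is surfaced for review rather than modified unattended.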

Multi-Account Multi-Region Data Aggregation:

  • Aggregator Account: Centralizes data from multiple source accounts and regions for monitoring.

  • Source Account and Region: Provide resource data for aggregation.

  • Authorization: Each source account must explicitly authorize the aggregator account to collect its data, unless aggregation is configured through AWS Organizations, which grants it for the organization's accounts.


Last updated 8 months ago