AWS Config: An Introduction and Walkthrough

AWS Config is an easy way to make us all more accurate and productive with very few resources

When we work in AWS, we tend to create, delete, and manage resources sporadically. We know that we would be much better off in the long run if we carefully tracked all of our resources. We could more easily manage and evaluate these resources with greater accuracy and less effort. We would have stronger governance, auditing, and tracking of notifications.

There is good news. AWS Config takes care of this tedious work for us. AWS Config provides a detailed inventory of the AWS resources and their current configuration while continuously recording changes. This helps in evaluating these configurations and changes for compliance with ideal configurations defined by AWS Config Rules.

AWS Config offers AWS-defined, pre-built templates and config rules along with user-defined customized rules. The account owner is immediately notified via Amazon SNS about all changes to the resources.

The AWS Config Rules feature is currently available only in the AWS N. Virginia region, but AWS Config as a service is available in all the regions.

AWS Config does the following:

  • Retrieves configurations of one or more resources that exist in your account
  • Retrieves historical configurations of one or more resources
  • Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
  • Evaluates your AWS resource configurations for desired settings
  • Sends notifications whenever a resource is created, modified, or deleted
  • Shows relevant relationships between resources

The supported resources for AWS Config are:

AWS Service: Service Components

  • Amazon EC2: EC2 Instance, EC2 Network Interface, EC2 Security Group, EC2 Elastic IP (VPC only), EC2 Dedicated Hosts
  • Amazon VPC: Customer Gateway, Internet Gateway, Network ACL, Route Table, Subnet, VPC, VPN Gateway, VPN Connection
  • Amazon EBS: General Purpose (SSD) Volume, Provisioned IOPS (SSD) Volume, Magnetic Volume
  • AWS CloudTrail: Trail
  • AWS IAM: IAM User, IAM Group, IAM Role, IAM Managed Policy (Customer-managed only)

Below are some of the terms and concepts associated with AWS Config and AWS Config Rules. AWS Config Rules is a mechanism powered by AWS Lambda functions that makes the governance of AWS resources more efficient.

  • AWS Resources: The entities of an AWS Service such as EC2 instance, VPC, IAM User, EBS volumes etc., which can be created, deleted, and tracked.
  • Configuration Items: The attributes of a supported AWS resource, such as metadata, attributes, relationships, current configuration, and related events at a certain point in time. AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track. For example, the configuration item for a security group includes its inbound rules, e.g. SSH on port 22 for accessing the instances remotely.
  • Resource Relationship: This is an association between two entities of supported AWS resources. E.g. an EBS volume vol-a1b2c3d4 is currently associated with an instance i-1a2b3c4d.
  • Configuration Snapshot: A collection of the configuration items for the supported resources, and a very useful tool for validating the configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly, or that potentially should not exist.
    • The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. You can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
  • Configuration Stream: Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds it to the configuration stream that AWS Config is recording. The stream is created by using an Amazon Simple Notification Service (Amazon SNS) topic.
    • The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems in real time. It generates notifications to the owner when specific resources are changed.
  • Configuration History: This is a collection of the configuration items for a given resource over any time period, such as when an instance is created, modified or deleted. Configuration History logs the trail of actions taken on configuration items.
    • AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. I’ll show you how it is done in our example.
  • Configuration Recorder: Records and stores the configurations of all the supported resources in the region where AWS Config is running. Users must first create and start the configuration recorder before recording begins.
  • Configuration Rules: An AWS Config rule represents the desired configuration settings, either predefined or customized, for specific AWS resources (or for an entire AWS account).
    • AWS Config flags non-compliance and notifies owners when a resource change deviates from the defined rule.

When users set AWS Config rules, AWS Config evaluates the resources periodically, or in response to configuration changes. Each rule is associated with an AWS Lambda function that contains the evaluation logic for the rule.
When AWS Config evaluates the supported resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to the owner’s Amazon SNS topic.
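
The evaluation flow described above, as an added example (not code from the original post or from AWS): a Python Lambda handler for a change-triggered custom rule that flags security groups exposing SSH to any address. The sample configuration item, the `blockedPort` rule parameter name, and the `ipv4Ranges`/`ipv6Ranges` field layout are assumptions made for this example.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: the parts of a security group configuration item the rule reads.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2015-12-18T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}

def evaluate_security_group(item, blocked_port=22):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only applies to security groups."
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource was deleted."
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        in_range = lo is not None and hi is not None and lo <= blocked_port <= hi
        # Protocol "-1" means all traffic, which includes the blocked port.
        proto = perm.get("ipProtocol")
        covers = proto == "-1" or (proto == "tcp" and in_range)
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if covers and cidrs & OPEN_CIDRS:
            return "NON_COMPLIANT", f"TCP port {blocked_port} is open to any address."
    return "COMPLIANT", f"TCP port {blocked_port} is not open to any address."

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic can be tested offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # "blockedPort" is a hypothetical rule parameter name chosen for this example.
    compliance, note = evaluate_security_group(item, int(params.get("blockedPort", 22)))
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance
```

The handler reports the result back with `put_evaluations`; AWS Config then flags the resource and sends the SNS notification when the status changes.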

When AWS Config is active, it sends updated configuration details to a specified S3 bucket. It sends configuration history in JSON format files for each tracked AWS resource every six hours if any changes are detected to the specified AWS resource. This means there will be a configuration history file for EC2, one for IAM or one for EBS volumes. It also sends a configuration snapshot file (also a JSON format file) to the specified AWS S3 bucket when either the deliver-config-snapshot CLI command is issued or the DeliverConfigSnapshot API is called.

With this information at hand, let’s get started with AWS Config using the AWS Console. We can use any region, but using N. Virginia offers the special privilege of experiencing AWS Config rules, which promise to be an exciting new feature.
Compare the two dashboards shown below. When you use the N. Virginia region, your AWS Config dashboard will look like this:

[Screenshot: AWS Config]

Currently, in all other regions such as Ireland (eu-west-1), the dashboard will be like the one shown below:

[Screenshot: AWS Config]

The main difference is the Customizable Rules in N. Virginia. Keeping Ireland as our control region, let’s get started.
In the Set Up AWS Config page, you have the following options.

  1. You can track all the resources in a defined region,
  2. or optionally you can track only certain types of AWS resources.

  1. We have selected “Record all resources in this region,” specified the new bucket name as “config-test-bucket-18dec2015” and provided a new topic as “config-test-topic-18dec2015”. We also wanted to track all the global resources, like IAM users, groups, roles and managed policies.
  2. Click on Continue.
  3. In the next page, a new IAM role will be created. Click Allow.

4. In the next page, select Resources and click Look Up to view the resources. Here we have chosen IAM User Group.

5. Clicking on one resource will take you to the timeline page where you can see when the configuration items are recorded. If this is the first time, you can start from today.

6. Trying to access from an earlier date, before recording was turned ON, shows an error message like this:

[Screenshot: AWS Config]

7. Once the above necessary steps are taken, select the SNS service from the Services menu and go to the SNS home page. From Topics, select the topic we just created, i.e. “config-test-topic-18dec2015”, then select and copy the ARN of the topic.

8. Select the Subscription menu, click on Create Subscription.

9. Once this is done, you are requested to confirm subscription from an email sent to the email address you provided. You must confirm the request to receive email notifications.

10. Go to the AWS IAM service page, select the IAM role you created and click it. Click on the Attach Policy button, and attach AWSConfigRole.

11. Now add a User to the Group you have been tracking. In our example above, we were tracking an IAM Group named EC2User. We added a new user to the group. We got a message and the change is reflected in our timeline page.

12. The email message looks like this:

[Screenshot: AWS Config]

Conclusion:

This is a small example of how AWS Config is set up and used to track AWS resources. We will discuss more on Config Rules available in North Virginia and go through an example in the second part of this topic. If you want to review additional resources, Nitheesh Poojary published an excellent article about a year ago, AWS VPC configuration: 5 kick-yourself mistakes.
I hope you are gaining practical knowledge from this post. The steps are many and my hope is that I have made the reasons for using different features clear and simple. Please provide comments and feedback on this post below and I’ll incorporate them into the second related post on this topic.

To learn more about AWS Config in general, how to utilize it in your organization, and how to manage compliance with AWS Config, try out Cloud Academy’s AWS Config: An Introduction course. The short video below is part of the course and will give you an overview of how to best manage the compliance you need to adhere to within your AWS environment.

Written by

Chandan Patra

Cloud Computing and Big Data professional with 10 years of experience in pre-sales, architecture, design, build and troubleshooting with best engineering practices. Specialities: Cloud Computing - AWS, DevOps(Chef), Hadoop Ecosystem, Storm & Kafka, ELK Stack, NoSQL, Java, Spring, Hibernate, Web Service

