AWS Config is an easy way to make us all more accurate and productive with very few resources
When we work in AWS, we tend to create, delete, and manage resources sporadically. We know that we would be much better off in the long run if we carefully tracked all of our resources. We could more easily manage and evaluate these resources with greater accuracy and less effort. We would have stronger governance, auditing, and tracking of notifications.
There is good news. AWS Config takes care of this tedious work for us. AWS Config provides a detailed inventory of the AWS resources and their current configuration while continuously recording changes. This helps in evaluating these configurations and changes for compliance with ideal configurations defined by AWS Config Rules.
AWS Config offers AWS defined, pre-built templates and config rules along with user-defined customized rules. The account owner is immediately notified via Amazon SNS about all changes to the resources.
This AWS Config rule is currently only available in AWS N. Virginia region for now, but AWS Config as a service is available in all the regions.
AWS Config does the following:
- Retrieves configurations of one or more resources that exist in your account
- Retrieves historical configurations of one or more resources
- Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
- Evaluates your AWS resource configurations for desired settings
- Sends notifications whenever a resource is created, modified, or deleted
- Shows relevant relationships between resources
The supported resources for AWS Config are:
|AWS Services||Service Components|
|Amazon EC2||EC2 Instance
EC2 Network Interface
EC2 Security Group
EC2 Elastic IP (VPC only)
EC2 Dedicated Hosts
|Amazon VPC||Customer Gateway
|Amazon EBS||General Purpose (SSD) Volume
Provisioned IOPS (SSD) Volume
|AWS IAM||IAM User
IAM Managed Policy (Customer-managed only)
Below are some of the terms and concepts associated with AWS Config and some AWS Config Rules. AWS Config rules is an efficient mechanism powered by AWS Lambda functions, which make the governance of AWS resources more efficient.
- AWS Resources: The entities of an AWS Service such as EC2 instance, VPC, IAM User, EBS volumes etc., which can be created, deleted, and tracked.
- Configuration Items: The attributes of a supported AWS resource such as metadata, attributes, relationships, current configuration, and related events at a certain point in time. AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track. For example, a security group inbound rules e.g. ssh on port 22 for the instances to access remotely.
- Resource Relationship: This is an association between two entities of supported AWS resources. E.g. an EBS volume vol-a1b2c3d4 is currently associated with an instance i-1a2b3c4d.
- Configuration Snapshot: A collection of the configuration items for the supported resources, and is a very useful tool for validating the configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly, or that potentially should not exist.
- The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. You can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
- Configuration Stream: Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds to the configuration stream that AWS Config is recording. The stream is created by using an Amazon Simple Notification Service (Amazon SNS) topic.
- The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems in realtime. It generates notifications when specific resources are changed, and Configuration Stream will notify the owner.
- Configuration History: This is a collection of the configuration items for a given resource over any time period, such as when an instance is created, modified or deleted. Configuration History logs the trail of actions taken on configuration items.
- AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. I’ll show you how it is done in our example.
- Configuration Recorder: Records and stores the configurations of the all supported resources in the region where AWS Config is running. Users must first create and start the configuration recorder before recording begins.
- Configuration Rules: An AWS Config rule represents customizable, predefined rules, and configuration settings for specific AWS resources (or for an entire AWS account).
- AWS Config flags non-compliance and notifies owners when a resource change deviates from the defined rule.
When users set AWS Config rules, AWS Config evaluates the resources periodically, or in response to configuration changes. Each rule is associated with an AWS Lambda function that contains the evaluation logic for the rule.
When AWS Config evaluates the supported resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of resource changes, AWS Config sends a notification to the owner’s Amazon SNS topic.
When AWS Config is active, it sends updated configuration details to a specified S3 bucket. It sends configuration history in JSON format files for each tracked AWS resource every six hours if any changes are detected to the specified AWS resource. This means there will be a configuration history file for EC2, one for IAM or one for EBS volumes. It also sends a configuration snapshot file (also a JSON format file) to the specified AWS S3 bucket, when either deliver-config-snapshot CLI command is issued or a DeliverConfigSnapshot API is called.
With this information at hand, let’s get started with AWS Config using the AWS Console. We can use any region, but using N. Virginia offers the special privilege of experiencing AWS Config rules which promised are an exciting new feature.
Compare the two dashboards shown below. When you use the N.Virginia region, your AWS Config dashboard will look like this:
Currently, in all other regions such as Ireland (eu-west-1), the dashboard will be like the one shown below:
The main difference are the Customizable Rules in N. Virginia. Keeping Ireland as our control region, let’s get started.
In the Set Up AWS Config page, you have the following options.
- You can specify tracking in all the resources in a defined region
- or optionally you can add certain types of AWS resources
- We have selected “Record all resources in this region,” specified the new bucket name as “config-test-bucket-18dec2015“ and provided a new topic as “config-test-topic-18dec2015”. We also wanted to track all the global resources, like IAM Users, groups, roles and managed policies.
- Click on Continue.
- In the next page, a new IAM role will be created. Click Allow.
4. In the next page, select Resources and click Look Up to view the resources. Here we have chosen IAM User Group.
5. Clicking on one resource will take you to the timeline page where you can see when the configuration items are recorded. If this is the first time, you can start from today.
6. Trying to access from an earlier date, before recording was turned ON, shows an error message like this:
7. Once the above necessary steps are taken, select SNS service from the Services menu and go to the SNS home page. From Topics, select the topic we just created, page i.e. “config-test-topic-18dec2015,” select & copy the ARN of the topic.
8. Select the Subscription menu, click on Create Subscription.
9. Once this is done, you are requested to confirm subscription from an email sent to the email address you provided. You must confirm the request to receive email notifications.
10. Go to the AWS IAM service page, select the IAM role you created and click it. Click on the Attach Policy button, and attach AWSConfigRole.
11. Now add a User to the Group you have been tracking. In our example above, we were tracking an IAM Group named EC2User. We added a new user to the group. We got a message and the change is reflected in our timeline page.
12. The email message looks like this:
This is a small example of how AWS Config is set and used to track AWS Resources. We will discuss more on Config Rules available in North Virginia and go through an example in the second part of this topic. If you want to review additional resources, Nitheesh Poojary published an excellent article about a year ago, AWS VPC configuration: 5 kick-yourself mistakes.
I hope you are gaining practical knowledge from this post. The steps are many and my hope is that I have made the reasons for using different features clear and simple. Please provide comments and feedback on this post below and I’ll incorporate them into the second related post on this topic.
To learn more about AWS Config in general, how to utilize it in your organization, and how to manage compliance with AWS Config, try out Cloud Academy’s AWS Config: An Introduction course. The short video below is part of the course and will give you an overview of how to best manage the compliance you need to adhere to within your AWS environment
AWS Security: Bastion Host, NAT instances and VPC Peering
Effective security requires close control over your data and resources. Bastion hosts, NAT instances, and VPC peering can help you secure your AWS infrastructure. Welcome to part four of my AWS Security overview. In part three, we looked at network security at the subnet level. This ti...
Top 13 Amazon Virtual Private Cloud (VPC) Best Practices
Amazon Virtual Private Cloud (VPC) brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of interna...
Big Changes to the AWS Certification Exams
With AWS re:Invent 2019 just around the corner, we can expect some early announcements to trickle through with upcoming features and services. However, AWS has just announced some big changes to their certification exams. So what’s changing and what’s new? There is a brand NEW ...
New on Cloud Academy: ITIL® 4, Microsoft 365 Tenant, Jenkins, TOGAF® 9.1, and more
At Cloud Academy, we're always striving to make improvements to our training platform. Based on your feedback, we released some new features to help make it easier for you to continue studying. These new features allow you to: Remove content from “Continue Studying” section Disc...
AWS Security Groups: Instance Level Security
Instance security requires that you fully understand AWS security groups, along with patching responsibility, key pairs, and various tenancy options. As a precursor to this post, you should have a thorough understanding of the AWS Shared Responsibility Model before moving onto discussi...
Cloud Migration Risks & Benefits
If you’re like most businesses, you already have at least one workload running in the cloud. However, that doesn’t mean that cloud migration is right for everyone. While cloud environments are generally scalable, reliable, and highly available, those won’t be the only considerations dri...
Real-Time Application Monitoring with Amazon Kinesis
Amazon Kinesis is a real-time data streaming service that makes it easy to collect, process, and analyze data so you can get quick insights and react as fast as possible to new information. With Amazon Kinesis you can ingest real-time data such as application logs, website clickstre...
Google Cloud Functions vs. AWS Lambda: The Fight for Serverless Cloud Domination
Serverless computing: What is it and why is it important? A quick background The general concept of serverless computing was introduced to the market by Amazon Web Services (AWS) around 2014 with the release of AWS Lambda. As we know, cloud computing has made it possible for users to ...
Google Vision vs. Amazon Rekognition: A Vendor-Neutral Comparison
Google Cloud Vision and Amazon Rekognition offer a broad spectrum of solutions, some of which are comparable in terms of functional details, quality, performance, and costs. This post is a fact-based comparative analysis on Google Vision vs. Amazon Rekognition and will focus on the tech...
New on Cloud Academy: CISSP, AWS, Azure, & DevOps Labs, Python for Beginners, and more…
As Hurricane Dorian intensifies, it looks like Floridians across the entire state might have to hunker down for another big one. If you've gone through a hurricane, you know that preparing for one is no joke. You'll need a survival kit with plenty of water, flashlights, batteries, and n...
Amazon Route 53: Why You Should Consider DNS Migration
What Amazon Route 53 brings to the DNS table Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service offered by AWS. It is named by the TCP or UDP port 53, which is where DNS server requests are addressed. Like any DNS service, Route 53 handles domain regist...
How to Unlock Complimentary Access to Cloud Academy
Are you looking to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Cloud Security, Python, Java, or another technical skill? Then you'll want to mark your calendars for August 23, 2019. Starting Friday at 12:00 a.m. PDT (3:00 a.m. EDT), Cloud Academy is offering c...