AWS Config is an easy way to make us all more accurate and productive with very few resources
When we work in AWS, we tend to create, delete, and manage resources sporadically. We know that we would be much better off in the long run if we carefully tracked all of our resources. We could more easily manage and evaluate these resources with greater accuracy and less effort. We would have stronger governance, auditing, and tracking of notifications.
There is good news. AWS Config takes care of this tedious work for us. AWS Config provides a detailed inventory of the AWS resources and their current configuration while continuously recording changes. This helps in evaluating these configurations and changes for compliance with ideal configurations defined by AWS Config Rules.
AWS Config offers AWS defined, pre-built templates and config rules along with user-defined customized rules. The account owner is immediately notified via Amazon SNS about all changes to the resources.
This AWS Config rule is currently only available in AWS N. Virginia region for now, but AWS Config as a service is available in all the regions.
AWS Config does the following:
- Retrieves configurations of one or more resources that exist in your account
- Retrieves historical configurations of one or more resources
- Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
- Evaluates your AWS resource configurations for desired settings
- Sends notifications whenever a resource is created, modified, or deleted
- Shows relevant relationships between resources
The supported resources for AWS Config are:
|AWS Services||Service Components|
|Amazon EC2||EC2 Instance
EC2 Network Interface
EC2 Security Group
EC2 Elastic IP (VPC only)
EC2 Dedicated Hosts
|Amazon VPC||Customer Gateway
|Amazon EBS||General Purpose (SSD) Volume
Provisioned IOPS (SSD) Volume
|AWS IAM||IAM User
IAM Managed Policy (Customer-managed only)
Below are some of the terms and concepts associated with AWS Config and some AWS Config Rules. AWS Config rules is an efficient mechanism powered by AWS Lambda functions, which make the governance of AWS resources more efficient.
- AWS Resources: The entities of an AWS Service such as EC2 instance, VPC, IAM User, EBS volumes etc., which can be created, deleted, and tracked.
- Configuration Items: The attributes of a supported AWS resource such as metadata, attributes, relationships, current configuration, and related events at a certain point in time. AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track. For example, a security group inbound rules e.g. ssh on port 22 for the instances to access remotely.
- Resource Relationship: This is an association between two entities of supported AWS resources. E.g. an EBS volume vol-a1b2c3d4 is currently associated with an instance i-1a2b3c4d.
- Configuration Snapshot: A collection of the configuration items for the supported resources, and is a very useful tool for validating the configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly, or that potentially should not exist.
- The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. You can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
- Configuration Stream: Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds to the configuration stream that AWS Config is recording. The stream is created by using an Amazon Simple Notification Service (Amazon SNS) topic.
- The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems in realtime. It generates notifications when specific resources are changed, and Configuration Stream will notify the owner.
- Configuration History: This is a collection of the configuration items for a given resource over any time period, such as when an instance is created, modified or deleted. Configuration History logs the trail of actions taken on configuration items.
- AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. I’ll show you how it is done in our example.
- Configuration Recorder: Records and stores the configurations of the all supported resources in the region where AWS Config is running. Users must first create and start the configuration recorder before recording begins.
- Configuration Rules: An AWS Config rule represents customizable, predefined rules, and configuration settings for specific AWS resources (or for an entire AWS account).
- AWS Config flags non-compliance and notifies owners when a resource change deviates from the defined rule.
When users set AWS Config rules, AWS Config evaluates the resources periodically, or in response to configuration changes. Each rule is associated with an AWS Lambda function that contains the evaluation logic for the rule.
When AWS Config evaluates the supported resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of resource changes, AWS Config sends a notification to the owner’s Amazon SNS topic.
When AWS Config is active, it sends updated configuration details to a specified S3 bucket. It sends configuration history in JSON format files for each tracked AWS resource every six hours if any changes are detected to the specified AWS resource. This means there will be a configuration history file for EC2, one for IAM or one for EBS volumes. It also sends a configuration snapshot file (also a JSON format file) to the specified AWS S3 bucket, when either deliver-config-snapshot CLI command is issued or a DeliverConfigSnapshot API is called.
With this information at hand, let’s get started with AWS Config using the AWS Console. We can use any region, but using N. Virginia offers the special privilege of experiencing AWS Config rules which promised are an exciting new feature.
Compare the two dashboards shown below. When you use the N.Virginia region, your AWS Config dashboard will look like this:
Currently, in all other regions such as Ireland (eu-west-1), the dashboard will be like the one shown below:
The main difference are the Customizable Rules in N. Virginia. Keeping Ireland as our control region, let’s get started.
In the Set Up AWS Config page, you have the following options.
- You can specify tracking in all the resources in a defined region
- or optionally you can add certain types of AWS resources
- We have selected “Record all resources in this region,” specified the new bucket name as “config-test-bucket-18dec2015“ and provided a new topic as “config-test-topic-18dec2015”. We also wanted to track all the global resources, like IAM Users, groups, roles and managed policies.
- Click on Continue.
- In the next page, a new IAM role will be created. Click Allow.
4. In the next page, select Resources and click Look Up to view the resources. Here we have chosen IAM User Group.
5. Clicking on one resource will take you to the timeline page where you can see when the configuration items are recorded. If this is the first time, you can start from today.
6. Trying to access from an earlier date, before recording was turned ON, shows an error message like this:
7. Once the above necessary steps are taken, select SNS service from the Services menu and go to the SNS home page. From Topics, select the topic we just created, page i.e. “config-test-topic-18dec2015,” select & copy the ARN of the topic.
8. Select the Subscription menu, click on Create Subscription.
9. Once this is done, you are requested to confirm subscription from an email sent to the email address you provided. You must confirm the request to receive email notifications.
10. Go to the AWS IAM service page, select the IAM role you created and click it. Click on the Attach Policy button, and attach AWSConfigRole.
11. Now add a User to the Group you have been tracking. In our example above, we were tracking an IAM Group named EC2User. We added a new user to the group. We got a message and the change is reflected in our timeline page.
12. The email message looks like this:
This is a small example of how AWS Config is set and used to track AWS Resources. We will discuss more on Config Rules available in North Virginia and go through an example in the second part of this topic. If you want to review additional resources, Nitheesh Poojary published an excellent article about a year ago, AWS VPC configuration: 5 kick-yourself mistakes.
I hope you are gaining practical knowledge from this post. The steps are many and my hope is that I have made the reasons for using different features clear and simple. Please provide comments and feedback on this post below and I’ll incorporate them into the second related post on this topic.
To learn more about AWS Config in general, how to utilize it in your organization, and how to manage compliance with AWS Config, try out Cloud Academy’s AWS Config: An Introduction course. The short video below is part of the course and will give you an overview of how to best manage the compliance you need to adhere to within your AWS environment
New Content: AWS Data Analytics – Specialty Certification, Azure AI-900 Certification, Plus New Learning Paths, Courses, Labs, and More
This month our Content Team released two big certification Learning Paths: the AWS Certified Data Analytics - Speciality, and the Azure AI Fundamentals AI-900. In total, we released four new Learning Paths, 16 courses, 24 assessments, and 11 labs. New content on Cloud Academy At any ...
New Content: Azure DP-100 Certification, Alibaba Cloud Certified Associate Prep, 13 Security Labs, and Much More
This past month our Content Team served up a heaping spoonful of new and updated content. Not only did our experts release the brand new Azure DP-100 Certification Learning Path, but they also created 18 new hands-on labs — and so much more! New content on Cloud Academy At any time, y...
AWS Certification Practice Exam: What to Expect from Test Questions
If you’re building applications on the AWS cloud or looking to get started in cloud computing, certification is a way to build deep knowledge in key services unique to the AWS platform. AWS currently offers 12 certifications that cover major cloud roles including Solutions Architect, De...
Overcoming Unprecedented Business Challenges with AWS
From auto-scaling applications with high availability to video conferencing that’s used by everyone, every day — cloud technology has never been more popular or in-demand. But what does this mean for experienced cloud professionals and the challenges they face as they carve out a new p...
Constant Content: Cloud Academy’s Q3 2020 Roadmap
Hello — Andy Larkin here, VP of Content at Cloud Academy. I am pleased to release our roadmap for the next three months of 2020 — August through October. Let me walk you through the content we have planned for you and how this content can help you gain skills, get certified, and...
New Content: Alibaba, Azure AZ-303 and AZ-304, Site Reliability Engineering (SRE) Foundation, Python 3 Programming, 16 Hands-on Labs, and Much More
This month our Content Team did an amazing job at publishing and updating a ton of new content. Not only did our experts release the brand new AZ-303 and AZ-304 Certification Learning Paths, but they also created 16 new hands-on labs — and so much more! New content on Cloud Academy At...
Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More
This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...
Which Certifications Should I Get?
The old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and companies. With all that in mind, the s...
New Content: AWS, Azure, Typescript, Java, Docker, 13 New Labs, and Much More
This month, our Content Team released a whopping 13 new labs in real cloud environments! If you haven't tried out our labs, you might not understand why we think that number is so impressive. Our labs are not “simulated” experiences — they are real cloud environments using accounts on A...
Kickstart Your Tech Training With a Free Week on Cloud Academy
Are you looking to make a jump in your technical career? Want to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Kubernetes, Python, or another in-demand skill? Then you'll want to mark your calendar. Starting Monday, June 22 at 12:00 a.m. PDT (3:00 a.m. EDT), ...
New Content: AZ-500 and AZ-400 Updates, 3 Google Professional Exam Preps, Practical ML Learning Path, C# Programming, and More
This month, our Content Team released tons of new content and labs in real cloud environments. Not only that, but we introduced our very first highly interactive "Office Hours" webinar. This webinar, Acing the AWS Solutions Architect Associate Certification, started with a quick overvie...
Azure vs. AWS: Which Certification Provides the Brighter Future?
More and more companies are using cloud services, prompting more and more people to switch their current IT position to something cloud-related. The problem is most people only have that much time after work to learn new technologies, and there are plenty of cloud services that you can ...