AWS Config is an easy way to make us all more accurate and productive with very few resources
When we work in AWS, we tend to create, delete, and manage resources sporadically. We know that we would be much better off in the long run if we carefully tracked all of our resources. We could more easily manage and evaluate these resources with greater accuracy and less effort. We would have stronger governance, auditing, and tracking of notifications.
There is good news. AWS Config takes care of this tedious work for us. AWS Config provides a detailed inventory of the AWS resources and their current configuration while continuously recording changes. This helps in evaluating these configurations and changes for compliance with ideal configurations defined by AWS Config Rules.
AWS Config offers AWS defined, pre-built templates and config rules along with user-defined customized rules. The account owner is immediately notified via Amazon SNS about all changes to the resources.
This AWS Config rule is currently only available in AWS N. Virginia region for now, but AWS Config as a service is available in all the regions.
AWS Config does the following:
- Retrieves configurations of one or more resources that exist in your account
- Retrieves historical configurations of one or more resources
- Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
- Evaluates your AWS resource configurations for desired settings
- Sends notifications whenever a resource is created, modified, or deleted
- Shows relevant relationships between resources
The supported resources for AWS Config are:
|AWS Services||Service Components|
|Amazon EC2||EC2 Instance
EC2 Network Interface
EC2 Security Group
EC2 Elastic IP (VPC only)
EC2 Dedicated Hosts
|Amazon VPC||Customer Gateway
|Amazon EBS||General Purpose (SSD) Volume
Provisioned IOPS (SSD) Volume
|AWS IAM||IAM User
IAM Managed Policy (Customer-managed only)
Below are some of the terms and concepts associated with AWS Config and some AWS Config Rules. AWS Config rules is an efficient mechanism powered by AWS Lambda functions, which make the governance of AWS resources more efficient.
- AWS Resources: The entities of an AWS Service such as EC2 instance, VPC, IAM User, EBS volumes etc., which can be created, deleted, and tracked.
- Configuration Items: The attributes of a supported AWS resource such as metadata, attributes, relationships, current configuration, and related events at a certain point in time. AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track. For example, a security group inbound rules e.g. ssh on port 22 for the instances to access remotely.
- Resource Relationship: This is an association between two entities of supported AWS resources. E.g. an EBS volume vol-a1b2c3d4 is currently associated with an instance i-1a2b3c4d.
- Configuration Snapshot: A collection of the configuration items for the supported resources, and is a very useful tool for validating the configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly, or that potentially should not exist.
- The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. You can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
- Configuration Stream: Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds to the configuration stream that AWS Config is recording. The stream is created by using an Amazon Simple Notification Service (Amazon SNS) topic.
- The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems in realtime. It generates notifications when specific resources are changed, and Configuration Stream will notify the owner.
- Configuration History: This is a collection of the configuration items for a given resource over any time period, such as when an instance is created, modified or deleted. Configuration History logs the trail of actions taken on configuration items.
- AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. I’ll show you how it is done in our example.
- Configuration Recorder: Records and stores the configurations of the all supported resources in the region where AWS Config is running. Users must first create and start the configuration recorder before recording begins.
- Configuration Rules: An AWS Config rule represents customizable, predefined rules, and configuration settings for specific AWS resources (or for an entire AWS account).
- AWS Config flags non-compliance and notifies owners when a resource change deviates from the defined rule.
When users set AWS Config rules, AWS Config evaluates the resources periodically, or in response to configuration changes. Each rule is associated with an AWS Lambda function that contains the evaluation logic for the rule.
When AWS Config evaluates the supported resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of resource changes, AWS Config sends a notification to the owner’s Amazon SNS topic.
When AWS Config is active, it sends updated configuration details to a specified S3 bucket. It sends configuration history in JSON format files for each tracked AWS resource every six hours if any changes are detected to the specified AWS resource. This means there will be a configuration history file for EC2, one for IAM or one for EBS volumes. It also sends a configuration snapshot file (also a JSON format file) to the specified AWS S3 bucket, when either deliver-config-snapshot CLI command is issued or a DeliverConfigSnapshot API is called.
With this information at hand, let’s get started with AWS Config using the AWS Console. We can use any region, but using N. Virginia offers the special privilege of experiencing AWS Config rules which promised are an exciting new feature.
Compare the two dashboards shown below. When you use the N.Virginia region, your AWS Config dashboard will look like this:
Currently, in all other regions such as Ireland (eu-west-1), the dashboard will be like the one shown below:
The main difference are the Customizable Rules in N. Virginia. Keeping Ireland as our control region, let’s get started.
In the Set Up AWS Config page, you have the following options.
- You can specify tracking in all the resources in a defined region
- or optionally you can add certain types of AWS resources
- We have selected “Record all resources in this region,” specified the new bucket name as “config-test-bucket-18dec2015“ and provided a new topic as “config-test-topic-18dec2015”. We also wanted to track all the global resources, like IAM Users, groups, roles and managed policies.
- Click on Continue.
- In the next page, a new IAM role will be created. Click Allow.
4. In the next page, select Resources and click Look Up to view the resources. Here we have chosen IAM User Group.
5. Clicking on one resource will take you to the timeline page where you can see when the configuration items are recorded. If this is the first time, you can start from today.
6. Trying to access from an earlier date, before recording was turned ON, shows an error message like this:
7. Once the above necessary steps are taken, select SNS service from the Services menu and go to the SNS home page. From Topics, select the topic we just created, page i.e. “config-test-topic-18dec2015,” select & copy the ARN of the topic.
8. Select the Subscription menu, click on Create Subscription.
9. Once this is done, you are requested to confirm subscription from an email sent to the email address you provided. You must confirm the request to receive email notifications.
10. Go to the AWS IAM service page, select the IAM role you created and click it. Click on the Attach Policy button, and attach AWSConfigRole.
11. Now add a User to the Group you have been tracking. In our example above, we were tracking an IAM Group named EC2User. We added a new user to the group. We got a message and the change is reflected in our timeline page.
12. The email message looks like this:
This is a small example of how AWS Config is set and used to track AWS Resources. We will discuss more on Config Rules available in North Virginia and go through an example in the second part of this topic. If you want to review additional resources, Nitheesh Poojary published an excellent article about a year ago, AWS VPC configuration: 5 kick-yourself mistakes.
I hope you are gaining practical knowledge from this post. The steps are many and my hope is that I have made the reasons for using different features clear and simple. Please provide comments and feedback on this post below and I’ll incorporate them into the second related post on this topic.
To learn more about AWS Config in general, how to utilize it in your organization, and how to manage compliance with AWS Config, try out Cloud Academy’s AWS Config: An Introduction course. The short video below is part of the course and will give you an overview of how to best manage the compliance you need to adhere to within your AWS environment
New on Cloud Academy: AWS Solution Architect Lab Challenge, Azure Hands-on Labs, Foundation Certificate in Cyber Security, and Much More
Now that Thanksgiving is over and the craziness of Black Friday has died down, it's now time for the busiest season of the year. Whether you're a last-minute shopper or you already have your shopping done, the holidays bring so much more excitement than any other time of year. Since our...
Understanding Enterprise Cloud Migration
What is enterprise cloud migration? Cloud migration is about moving your data, applications, and even infrastructure from your on-premises computers or infrastructure to a virtual pool of on-demand, shared resources that offer compute, storage, and network services at scale. Why d...
6 Reasons Why You Should Get an AWS Certification This Year
In the past decade, the rise of cloud computing has been undeniable. Businesses of all sizes are moving their infrastructure and applications to the cloud. This is partly because the cloud allows businesses and their employees to access important information from just about anywhere. ...
AWS Regions and Availability Zones: The Simplest Explanation You Will Ever Find Around
The basics of AWS Regions and Availability Zones We’re going to treat this article as a sort of AWS 101 — it’ll be a quick primer on AWS Regions and Availability Zones that will be useful for understanding the basics of how AWS infrastructure is organized. We’ll define each section,...
Application Load Balancer vs. Classic Load Balancer
What is an Elastic Load Balancer? This post covers basics of what an Elastic Load Balancer is, and two of its examples: Application Load Balancers and Classic Load Balancers. For additional information — including a comparison that explains Network Load Balancers — check out our post o...
Advantages and Disadvantages of Microservices Architecture
What are microservices? Let's start our discussion by setting a foundation of what microservices are. Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs). ...
Kubernetes Services: AWS vs. Azure vs. Google Cloud
Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...
AWS Internet of Things (IoT): The 3 Services You Need to Know
The Internet of Things (IoT) embeds technology into any physical thing to enable never-before-seen levels of connectivity. IoT is revolutionizing industries and creating many new market opportunities. Cloud services play an important role in enabling deployment of IoT solutions that min...
Which Certifications Should I Get?
As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...
How to Go Serverless Like a Pro
So, no servers? Yeah, I checked and there are definitely no servers. Well...the cloud service providers do need servers to host and run the code, but we don’t have to worry about it. Which operating system to use, how and when to run the instances, the scalability, and all the arch...
AWS Security: Bastion Hosts, NAT instances and VPC Peering
Effective security requires close control over your data and resources. Bastion hosts, NAT instances, and VPC peering can help you secure your AWS infrastructure. Welcome to part four of my AWS Security overview. In part three, we looked at network security at the subnet level. This ti...
Top 13 Amazon Virtual Private Cloud (VPC) Best Practices
Amazon Virtual Private Cloud (VPC) brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of interna...