AWS Config is an easy way to make us all more accurate and productive with very few resources
When we work in AWS, we tend to create, delete, and manage resources sporadically. We know that we would be much better off in the long run if we carefully tracked all of our resources. We could more easily manage and evaluate these resources with greater accuracy and less effort. We would have stronger governance, auditing, and tracking of notifications.
There is good news. AWS Config takes care of this tedious work for us. AWS Config provides a detailed inventory of the AWS resources and their current configuration while continuously recording changes. This helps in evaluating these configurations and changes for compliance with ideal configurations defined by AWS Config Rules.
AWS Config offers AWS defined, pre-built templates and config rules along with user-defined customized rules. The account owner is immediately notified via Amazon SNS about all changes to the resources.
This AWS Config rule is currently only available in AWS N. Virginia region for now, but AWS Config as a service is available in all the regions.
AWS Config does the following:
- Retrieves configurations of one or more resources that exist in your account
- Retrieves historical configurations of one or more resources
- Produces a snapshot of the current configurations of the supported resources that are associated with your AWS account
- Evaluates your AWS resource configurations for desired settings
- Sends notifications whenever a resource is created, modified, or deleted
- Shows relevant relationships between resources
The supported resources for AWS Config are:
|AWS Services||Service Components|
|Amazon EC2||EC2 Instance
EC2 Network Interface
EC2 Security Group
EC2 Elastic IP (VPC only)
EC2 Dedicated Hosts
|Amazon VPC||Customer Gateway
|Amazon EBS||General Purpose (SSD) Volume
Provisioned IOPS (SSD) Volume
|AWS IAM||IAM User
IAM Managed Policy (Customer-managed only)
Below are some of the terms and concepts associated with AWS Config and some AWS Config Rules. AWS Config rules is an efficient mechanism powered by AWS Lambda functions, which make the governance of AWS resources more efficient.
- AWS Resources: The entities of an AWS Service such as EC2 instance, VPC, IAM User, EBS volumes etc., which can be created, deleted, and tracked.
- Configuration Items: The attributes of a supported AWS resource such as metadata, attributes, relationships, current configuration, and related events at a certain point in time. AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track. For example, a security group inbound rules e.g. ssh on port 22 for the instances to access remotely.
- Resource Relationship: This is an association between two entities of supported AWS resources. E.g. an EBS volume vol-a1b2c3d4 is currently associated with an instance i-1a2b3c4d.
- Configuration Snapshot: A collection of the configuration items for the supported resources, and is a very useful tool for validating the configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly, or that potentially should not exist.
- The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. You can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
- Configuration Stream: Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds to the configuration stream that AWS Config is recording. The stream is created by using an Amazon Simple Notification Service (Amazon SNS) topic.
- The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems in realtime. It generates notifications when specific resources are changed, and Configuration Stream will notify the owner.
- Configuration History: This is a collection of the configuration items for a given resource over any time period, such as when an instance is created, modified or deleted. Configuration History logs the trail of actions taken on configuration items.
- AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. I’ll show you how it is done in our example.
- Configuration Recorder: Records and stores the configurations of the all supported resources in the region where AWS Config is running. Users must first create and start the configuration recorder before recording begins.
- Configuration Rules: An AWS Config rule represents customizable, predefined rules, and configuration settings for specific AWS resources (or for an entire AWS account).
- AWS Config flags non-compliance and notifies owners when a resource change deviates from the defined rule.
When users set AWS Config rules, AWS Config evaluates the resources periodically, or in response to configuration changes. Each rule is associated with an AWS Lambda function that contains the evaluation logic for the rule.
When AWS Config evaluates the supported resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of resource changes, AWS Config sends a notification to the owner’s Amazon SNS topic.
When AWS Config is active, it sends updated configuration details to a specified S3 bucket. It sends configuration history in JSON format files for each tracked AWS resource every six hours if any changes are detected to the specified AWS resource. This means there will be a configuration history file for EC2, one for IAM or one for EBS volumes. It also sends a configuration snapshot file (also a JSON format file) to the specified AWS S3 bucket, when either deliver-config-snapshot CLI command is issued or a DeliverConfigSnapshot API is called.
With this information at hand, let’s get started with AWS Config using the AWS Console. We can use any region, but using N. Virginia offers the special privilege of experiencing AWS Config rules which promised are an exciting new feature.
Compare the two dashboards shown below. When you use the N.Virginia region, your AWS Config dashboard will look like this:
Currently, in all other regions such as Ireland (eu-west-1), the dashboard will be like the one shown below:
The main difference are the Customizable Rules in N. Virginia. Keeping Ireland as our control region, let’s get started.
In the Set Up AWS Config page, you have the following options.
- You can specify tracking in all the resources in a defined region
- or optionally you can add certain types of AWS resources
- We have selected “Record all resources in this region,” specified the new bucket name as “config-test-bucket-18dec2015“ and provided a new topic as “config-test-topic-18dec2015”. We also wanted to track all the global resources, like IAM Users, groups, roles and managed policies.
- Click on Continue.
- In the next page, a new IAM role will be created. Click Allow.
4. In the next page, select Resources and click Look Up to view the resources. Here we have chosen IAM User Group.
5. Clicking on one resource will take you to the timeline page where you can see when the configuration items are recorded. If this is the first time, you can start from today.
6. Trying to access from an earlier date, before recording was turned ON, shows an error message like this:
7. Once the above necessary steps are taken, select SNS service from the Services menu and go to the SNS home page. From Topics, select the topic we just created, page i.e. “config-test-topic-18dec2015,” select & copy the ARN of the topic.
8. Select the Subscription menu, click on Create Subscription.
9. Once this is done, you are requested to confirm subscription from an email sent to the email address you provided. You must confirm the request to receive email notifications.
10. Go to the AWS IAM service page, select the IAM role you created and click it. Click on the Attach Policy button, and attach AWSConfigRole.
11. Now add a User to the Group you have been tracking. In our example above, we were tracking an IAM Group named EC2User. We added a new user to the group. We got a message and the change is reflected in our timeline page.
12. The email message looks like this:
This is a small example of how AWS Config is set and used to track AWS Resources. We will discuss more on Config Rules available in North Virginia and go through an example in the second part of this topic. If you want to review additional resources, Nitheesh Poojary published an excellent article about a year ago, AWS VPC configuration: 5 kick-yourself mistakes.
I hope you are gaining practical knowledge from this post. The steps are many and my hope is that I have made the reasons for using different features clear and simple. Please provide comments and feedback on this post below and I’ll incorporate them into the second related post on this topic.
To learn more about AWS Config in general, how to utilize it in your organization, and how to manage compliance with AWS Config, try out Cloud Academy’s AWS Config: An Introduction course. The short video below is part of the course and will give you an overview of how to best manage the compliance you need to adhere to within your AWS environment