This course covers the core learning objective to meet the requirements of the 'Architecting for Management & Governance in AWS - Level 1' skill
Learning Objectives:
- Understand the different checks available with AWS Trusted Advisor
- Understand the capabilities of AWS Config
- Understand the capabilities of Amazon CloudWatch
- Understand the capabilities of Amazon CloudTrail
Hello, and welcome to this lecture, where we will talk about the AWS Config service itself, what it is, and what it does. So let's get started.
As many of you will be aware, one of the biggest headaches in any organization when it comes to resource management of IT infrastructure is understanding the following. What resources do we have? What devices are out there within our infrastructure performing functions?
Do we have resources that are no longer needed, and therefore, can we be saving money by switching them off?
What is the status of their configuration? Are there any security vulnerabilities we need to worry about?
How are our resources linked within the environment? What relationships are there, and are there any dependencies? If we make a change to one resource, will this affect another?
What changes have occurred on the resources, and by whom? Do we have a history of changes for this resource that shows us how the resource changed over time?
Is the infrastructure compliant with specific governance controls, and how can we check to ensure that this configuration is meeting specific internal and external requirements?
And, do we have accurate auditing information that can be passed to external auditors for compliance checks?
Depending on the size of your deployment with AWS, trying to answer some of these questions can be very time consuming and laborious. Some of this information can be captured via the AWS CLI by performing a 'describe', or 'list', against the specific resource. But implementing a system to capture those results and output them into a readable format could be very resource intensive. And of course, this will only help you with a small piece of the puzzle.
AWS is aware that, due to the very nature of the cloud and its benefits, the resources within an AWS environment are likely to fluctuate frequently, along with the configurations of the resources. The cloud, by its very nature, is designed to do so, and so trying to keep up with the resource management can be a struggle. Because of this, AWS released AWS Config to help with this very task. The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously.
So what did AWS design AWS Config to do? Well, in a nutshell, AWS Config can capture resource changes: any change to a resource supported by Config can be recorded, capturing what changed along with other useful metadata, all held within a file known as a configuration item, a CI.
It can act as a resource inventory. AWS Config can discover supported resources running within your environment, allowing you to see data about that resource type.
It can store configuration history for individual resources. The service will record and hold all existing changes that have happened against the resource, providing a useful history record of changes.
It can provide a snapshot in time of current resource configurations. An entire snapshot of all supported resources within a region can be captured that will detail their current configurations with all related metadata.
It can enable notifications of when a change has occurred on a resource. The Simple Notification Service, SNS, is used with AWS Config to capture a configuration stream of changes, enabling you to process and analyze changes to resources.
It can provide information on who made the change and when through AWS CloudTrail Integration. AWS CloudTrail is used with AWS Config to help you identify who made the change and when, and with which API.
You can enforce rules that check the compliance of your resources against specific controls. Pre-defined and custom rules can be configured with AWS Config, allowing you to check resources' compliance against these rules.
You can perform security analysis within your AWS environment. A number of security resources can be recorded, and when this is coupled with rules relating to security, such as encryption checks, this can become a powerful analysis tool. It can also provide relationship connectivity information between resources. The AWS Management Console provides a great relationship query, allowing you to quickly see and identify which resources are related to any other resource. For example, when looking at an EBS volume, you will be able to see which EC2 instance it is connected to, and it presents all of this data in a friendly format. This is a lot of incredibly useful data that can be used across a range of different scenarios, some of which we will cover later in this course.
AWS Config is region specific, meaning that if you have resources in multiple regions, then you will have to configure AWS Config for each region you want to record resource changes for. When doing so, you are able to specify different options for each region. For example, you could configure Config in one region to record all supported resources across all services within that region, and then add a pre-defined AWS-managed config rule that will check if EBS volumes are encrypted. In another region, you could select to only record a specific type of resource, such as security groups, with no pre-defined rules allocated.
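As an added example (not part of this lecture or any AWS-supplied code), the Python below shows the kind of evaluation a custom Config rule performs on a configuration item: the EBS encryption check mentioned above, together with the volume-to-instance relationship the console displays. The CI field names follow AWS Config's configuration item format; the sample CIs, resource ids and result token are constructed.

```python
"""Evaluate AWS Config configuration items (CIs) as a custom Config rule Lambda would."""
import json
from dataclasses import dataclass, field

# Constructed sample CIs; field names follow the AWS Config CI schema (only fields read here).
SAMPLE_CIS = {
    "unencrypted": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaaa1111",
                    "configurationItemStatus": "ResourceDiscovered",
                    "configuration": {"encrypted": False, "size": 8},
                    "relationships": [{"resourceType": "AWS::EC2::Instance",
                                       "resourceId": "i-0bbbb2222", "name": "Is attached to Instance"}]},
    "encrypted": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0cccc3333",
                  "configurationItemStatus": "OK", "relationships": [],
                  "configuration": {"encrypted": True, "size": 20}},
    "deleted": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0dddd4444",
                "configurationItemStatus": "ResourceDeleted", "configuration": None, "relationships": []},
}

@dataclass
class Evaluation:
    resource_id: str
    compliance: str                  # COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE
    annotation: str
    attached_to: list = field(default_factory=list)

def evaluate_volume_encryption(ci):
    """Return the evaluation a custom rule would hand back to Config via PutEvaluations."""
    if ci["resourceType"] != "AWS::EC2::Volume":
        return Evaluation(ci["resourceId"], "NOT_APPLICABLE", "Rule covers EBS volumes only")
    if ci["configurationItemStatus"] == "ResourceDeleted":
        # A deleted resource has no configuration left to judge; never mark it NON_COMPLIANT.
        return Evaluation(ci["resourceId"], "NOT_APPLICABLE", "Volume has been deleted")
    # The relationships block is the data behind the console's relationship view.
    instances = [r["resourceId"] for r in ci.get("relationships", [])
                 if r["resourceType"] == "AWS::EC2::Instance"]
    if ci["configuration"].get("encrypted") is True:
        return Evaluation(ci["resourceId"], "COMPLIANT", "Volume is encrypted", instances)
    return Evaluation(ci["resourceId"], "NON_COMPLIANT", "Volume is not encrypted", instances)

def make_event(ci):
    """Wrap a CI in a constructed rule-invocation event, shaped as Config hands it to Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}

def handle_config_event(event):
    """Lambda-style entry point: invokingEvent arrives as a JSON string, not a dict."""
    return evaluate_volume_encryption(json.loads(event["invokingEvent"])["configurationItem"])
```

In a deployed rule the returned evaluation, together with the event's resultToken, is what the function reports to Config; here it is simply returned so the logic can be run and checked locally.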
Some of you may be wondering, what if the service you want to monitor is not region specific, such as IAM? Well, in this case, there is a separate option to include global services, which IAM falls under.
Now we have an understanding of what AWS Config is used for, and what it does. In the next lecture, we will introduce the different components that make up the service, showing what each of them do and how these come together to deliver the service features.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.