AWS Config Use Cases
2h 12m

This course covers the core learning objective to meet the requirements of the 'Architecting for Management & Governance in AWS - Level 2' skill

Learning Objectives:

  • Understand the different AWS management services available to monitor the performance of a solution
  • Apply Amazon CloudWatch monitoring controls to respond to system-wide performance changes
  • Apply AWS Config controls to manage compliance based upon business guidelines

Hello, and welcome to this lecture on AWS Config Use Cases. We will look at some of the common scenarios of where and why you would want to use this service.

In an earlier lecture, we looked at some of the scenarios we are faced with when looking at resource asset and change management, and how hard it can be to have deep visibility of your infrastructure. Following this, there are a few key use cases where using AWS Config is ideal within your environment. Let's take a quick look at each.

Security Compliance. As we learned in the previous lecture, AWS Config can be a great tool when enforcing strict compliance against specific security controls. Being notified of noncompliant resource configurations from a security stance is critical, especially in highly sensitive environments, where these controls are imperative to protect both internal corporate and external customer data. Through the use of Config rules, you can have the service continually monitor your resources and check that they remain compliant throughout their life cycle.

Discovery of Resources. When you first activate AWS Config, or run the configuration recorder, AWS Config will discover all supported resource types, allowing you to view them from within the AWS Config dashboard. A configuration item will be recorded for each, so these resources can also be found in the configuration history file on S3. Being aware of all the resources you have is key to understanding your environment. You may find that you have EBS volumes that are no longer attached to instances, which you could snapshot to keep the data and then delete, saving you money. Or perhaps you have subnets configured that no longer contain any instances and that you no longer need, so it allows you to perform some essential housekeeping within your network and VPC. There are many benefits to knowing what you have, where it is and what it's connected to. Many of these benefits will end up saving you money and help you run a streamlined environment.

Audit Compliance. As well as using AWS Config to stay compliant with internal security standards, there are also many external audit and governance controls where the service can enforce specific controls on resources to maintain compliance. For example, the Health Insurance Portability and Accountability Act, known as HIPAA, and the Payment Card Industry Data Security Standard, known as PCI DSS. These programs require strict controls in many different areas. Being able to put custom and managed Config rules in place helps you adhere to these external governance controls. In addition to this, you could show the auditors all of your configuration history files, which will allow them to go back to any point in time to check the configuration of any of your supported resources. Having this kind of information to hand is essential from an audit compliance point of view.

Resource Change Management. When planning changes within your infrastructure, it's often required that you have an understanding of what effect the change will have on other resources. More often than not, this information is not known, as you may not have full visibility of other attached resources. With AWS Config, you are able to use the dashboard to list all related resources of a particular resource, thanks to the relationship section within the configuration item. This allows you to plan your changes more effectively, by ensuring all resources that have a relationship to the resource being changed continue to function as expected post-change. This helps to prevent outages and configuration mistakes by giving you a better overall view of the environment.
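The housekeeping checks from Discovery of Resources and the related-resource lookup from Resource Change Management, worked through on configuration items. This is an added example, not part of the original lecture; the items are constructed, trimmed to the fields used, and every resource ID is made up.

```python
# Constructed configuration items (IDs are made up), trimmed to the fields used.
def _rel(rtype, rid, name):
    return {"resourceType": rtype, "resourceId": rid, "name": name}

ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configuration": {"attachments": [{"instanceId": "i-0111"}]},
     "relationships": [_rel("AWS::EC2::Instance", "i-0111", "Is attached to Instance")]},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configuration": {"attachments": []}, "relationships": []},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0ccc", "configuration": {},
     "relationships": [_rel("AWS::EC2::VPC", "vpc-0eee", "Is contained in Vpc"),
                       _rel("AWS::EC2::Instance", "i-0111", "Contains Instance")]},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0ddd", "configuration": {},
     "relationships": [_rel("AWS::EC2::VPC", "vpc-0eee", "Is contained in Vpc")]},
]

def unattached_volumes(items):
    """EBS volumes whose recorded configuration lists no attachments."""
    return sorted(i["resourceId"] for i in items
                  if i["resourceType"] == "AWS::EC2::Volume"
                  and not i["configuration"].get("attachments"))

def subnets_without_instances(items):
    """Subnets that have no relationship to an EC2 instance."""
    return sorted(i["resourceId"] for i in items
                  if i["resourceType"] == "AWS::EC2::Subnet"
                  and not any(r["resourceType"] == "AWS::EC2::Instance"
                              for r in i["relationships"]))

def related_resources(items, resource_id):
    """Resources linked to resource_id, following relationships in both directions."""
    related = set()
    for item in items:
        for rel in item["relationships"]:
            if item["resourceId"] == resource_id:
                related.add((rel["resourceType"], rel["resourceId"]))
            elif rel["resourceId"] == resource_id:
                related.add((item["resourceType"], item["resourceId"]))
    return sorted(related)

if __name__ == "__main__":
    print("Unattached volumes:", unattached_volumes(ITEMS))
    print("Subnets without instances:", subnets_without_instances(ITEMS))
    print("Affected by a change to i-0111:", related_resources(ITEMS, "i-0111"))
```

Following relationships in both directions matters because the link may be recorded only on the other resource's item, as with the instance in this sample.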

Troubleshooting and Problem Management. AWS Config is a great tool to help you troubleshoot issues that may arise within your environment. Using the Config dashboard within the AWS Management Console, you can see a timeline of events, allowing you to go back to any point in time, and in the case of an incident, you'll be able to go back to just before it happened. By doing this, you can understand what changes happened on your supported resources. If changes were made to a resource that was affected by an incident, then this can significantly help you reduce the time to resolution, by identifying the possible cause of the problem. You would also be able to see the changes made to the resource and make any amendments to resolve the issue. And thanks to its integration with AWS CloudTrail, you can see who or what triggered the change, and via which API call. If similar events occur frequently, then AWS Config can become a great tool to help you spot potential underlying problems within your infrastructure, allowing you to find the root cause and manage them effectively.
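The "go back to just before it happened" step, as an added example that is not part of the original lecture: it takes one resource's timeline of configuration items, finds the last recorded change before an incident time, and reports what changed together with the CloudTrail event IDs attached to that item. The timeline, times, group ID and event IDs are constructed, and the security group configuration is simplified.

```python
from datetime import datetime

# Constructed timeline for one security group (IDs, times and event IDs are made up).
TIMELINE = [
    {"configurationItemCaptureTime": "2024-03-01T08:00:00Z", "relatedEvents": [],
     "configuration": {"groupId": "sg-0abc", "ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]}]}},
    {"configurationItemCaptureTime": "2024-03-04T14:05:00Z",
     "relatedEvents": ["example-event-id-1"],
     "configuration": {"groupId": "sg-0abc", "ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
    {"configurationItemCaptureTime": "2024-03-05T10:00:00Z",
     "relatedEvents": ["example-event-id-2"],
     "configuration": {"groupId": "sg-0abc", "ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]}]}},
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _flatten(obj, path=""):
    """Yield (path, value) pairs for every leaf of a nested configuration."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{path}[{index}]")
    else:
        yield path, obj

def last_change_before(timeline, incident_time):
    """Diff the item in effect at incident_time against the one it replaced."""
    incident = _ts(incident_time)
    prior = sorted((i for i in timeline
                    if _ts(i["configurationItemCaptureTime"]) <= incident),
                   key=lambda i: _ts(i["configurationItemCaptureTime"]))
    if len(prior) < 2:
        return None  # no recorded change before the incident
    old = dict(_flatten(prior[-2]["configuration"]))
    new = dict(_flatten(prior[-1]["configuration"]))
    changes = {k: (old.get(k), new.get(k))
               for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}
    return {"changedAt": prior[-1]["configurationItemCaptureTime"],
            "changes": changes, "relatedEvents": prior[-1]["relatedEvents"]}

if __name__ == "__main__":
    print(last_change_before(TIMELINE, "2024-03-04T16:30:00Z"))
```

The returned event IDs are what you would then look up in CloudTrail to see who or what made the API call.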

You might want to look at some Real World Use Cases of other AWS customers. If so, then take a look at their customer success stories found here. That brings us to the end of this lecture. In the next lecture, we will summarize what we have learned throughout this course.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.