The course is part of these learning paths
This course provides an introductory look to two AWS services that are used to help you audit, monitor and evaluate your AWS infrastructure and resources, these being AWS CloudTrail and AWS Config.
This course has been designed to help you understand how AWS CloudTrail can be used to track, audit, and monitor all API requests made in your AWS account, making it an effective security analysis tool. Also, you will gain an understanding of how AWS Config can help you to:
- Understand what resources you have
- Identify the status of resource configurations
- Review resource relationships
- Log a resource history, including all previous changes against that resource
- Understand if your resources are compliant with specific governance controls
- Provide up to date and accurate auditing information
Once you have completed this course, you will be able to determine when and why you would implement AWS CloudTrail and/or AWS Config within your environment.
This course has been created for:
- Security Architects
- Operations Analysts
- Compliance Managers
- Those looking to take the AWS Associate level certifications
To get the most from this course, you should be familiar with the basic concepts of AWS as well as with some of its core components, such as EC2.
Hello, and welcome to this lecture where we will talk about the AWS Config Service itself, what it is and what it does. So let's get started. As many of you will be aware, one of the biggest headaches in any organization when it comes to resource management of IT infrastructure is understanding the following, what resources do we have? What devices are out there within our infrastructure performing function? Do we have resources that are no longer needed? And therefore, can we be saving money by switching them off? What is the status of their current configuration? Are there any security vulnerabilities we need to worry about? How are our resources linked within the environment? What relationships are there and are there any dependencies? If we make a change to one resource, will this affect another? What changes have occurred on the resources and by whom? Do we have a history of changes for this resource that shows us how the resource has changed over time? Is the infrastructure compliant with specific governance controls? And how can we check to ensure that this configuration is meeting specific internal and external requirements? And do we have accurate auditing information that can be passed to external auditors for compliance checks?
Depending on the size of your deployment with AWS, trying to answer some of these questions can be very time consuming and laborious. Some of this information can be captured via the AWS CLI by performing a describe or list against the specific resource. But implementing a system to capture those results and output them into a readable format could be very resource intensive. And of course, this will only help you with a small piece of the puzzle.
AWS is aware that due to the very nature of the cloud and its benefits, the resources within an AWS environment are likely to fluctuate frequently along with the configurations of the resources. The cloud by its very nature is designed to do so. And so trying to keep up with the resource management can be a struggle. Because of this, AWS released AWS Config to help with this very task. The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously.
So what did AWS design AWS Config to do? Well, in a nutshell, AWS Config can capture resource changes. So any change to a resource supported by Config can be recorded which will record what changed along with other useful metadata all held within a file known as a Configuration Item, a CI. It can act as a resource inventory.
AWS Config can discover supported resources running within your environment allowing you to see data about that resource type. You can store configuration history for individual resources. The service will record and hold all existing changes that have happened against the resource providing a useful history record of changes. It can provide a snapshot in time of current resource configurations.
An entire snapshot of all supported resources within a region can be captured that will detail their current configurations with all related metadata. Enable notifications of when a change has occurred on a resource. The Simple Notification Service, SNS is used with AWS Config to capture a configuration stream of changes enabling you to process and analyze the changes to resources.
It can provide information on who made the change and when through AWS CloudTrail integration. AWS CloudTrail is used with AWS Config to help you identify who made the change and when and with which API. You can enforce rules that check the compliancy of your resource against specific controls.
Predefined and custom rules can be configured with AWS Config allowing you to check resources compliance against these rules. You can perform security analysis within your AWS environment. A number of security resources can be recorded. And when this is coupled with rules relating to security such as encryption checks, this can become a powerful analysis tool. And it can provide relationship connectivity information between resources.
The AWS Management Console provides a great relationship query, allowing you to quickly see and identify which resources are related to any other resource. For example, when looking at an EBS volume, you'll be able to see which EC2 instance it is connected to. And it does all of this and presents the data in a friendly format. This is a lot of incredibly useful data that can be used across a range of different scenarios.
Now, unfortunately, at the time of writing this course, the AWS Config Service does not capture this information for all services, but it certainly captures data for the most common services and resources which you would want to hold information for. Services such as EC2, RDS, IAM, and VPC. And it's great to see that within each of these, there are specific security resources that are covered such as security groups and custom IAM policies.
This makes AWS Config very useful when it comes to carrying out a security analysis. For more information on the latest resources that AWS Config supports. Please see the link on screen. AWS Config is region specific, meaning that if you have resources in multiple regions, then you will have to configure AWS Config for each region you want to record resource changes for.
When doing so, you are able to specify different options for each region. For example, you could configure Config in one region to record all supportive resources across all services within that region. And that at a predefined AWS managed Config rule that will check if EBS volumes are encrypted.
In another region, you could select to only record a specific type of resource such as security groups with no predefined rules allocated. Some of you may be wondering what if the service you want to monitor is not region specific such as IAM? well, in this case, there was a separate option to include Global Services, which IAM falls under.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 80+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.