AWS Config & Configuration
With the ever-changing nature of Cloud Computing in AWS, through the use of Auto Scaling and self-healing architecture mechanisms, having visibility and awareness of your AWS resources is invaluable. It can be difficult to understand what the resources within your infrastructure look like, for example:
- Understanding what resources you have
- Having an awareness of the status of resource configurations
- Knowledge of resource relationships and connectivity within your environment
- Having a clear resource history, including all previous changes
- Understanding if your resources are compliant with specific governance controls
- Having up to date and accurate auditing information that can be passed to external auditors
Depending on the size of your deployment within AWS, obtaining this information can become both a time and resource-intensive exercise, unless you use AWS Config.
This course is an introduction to AWS Config and will explain how AWS Config allows you to have visibility of your entire AWS infrastructure from a configuration perspective. It also covers how to use the service as a resource inventory and compliance checker, and how to manage configuration changes of your resources. Finally, we look at how AWS Config can be used as a part of your security analysis procedure.
This course is designed to take you from a beginner of AWS Config to being able to implement the service within your environment.
The topics covered in this course are as follows:
- What is AWS Config? Within this lecture, you will understand exactly what the Service is and what function it provides
- Key Components: This lecture breaks down the service looking at all the components and their relationships to each other and the role they play as a part of the AWS Config service
- Service Integration: This lecture will look at how the AWS Config service integrates with other AWS Services, such as SNS, S3, CloudTrail, etc
- Managing compliance with AWS Config: Here we focus on how to maintain compliance using AWS Config, whether these be internal or external requirements or standards
- Use cases and Best Practices: This lecture will focus on some of the use cases where it is best to use AWS Config to help you maintain, support and operate your AWS environment
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
Hello, and welcome to this lecture on AWS Config Use Cases. We will look at some of the common scenarios of where and why you would want to use this service.
In an earlier lecture, we looked at some of the scenarios we are faced with when looking at resource asset and change management, and how hard it can be to have deep visibility of your infrastructure. Following this, there are a few key use cases where using AWS Config is ideal within your environment. Let's take a quick look at each.
Security Compliance. As we learned in the previous lecture, AWS Config can be a great tool when enforcing strict compliance against specific security controls. Being notified of noncompliant resource configurations from a security stance is critical, especially in highly sensitive environments, where these controls are imperative to protect both internal corporate and external customer data. Through the use of Config rules, you can have the service continually monitor and check that your resources remain compliant throughout their life cycle.
Discovery of Resources. When you first activate AWS Config, or run the configuration recorder, AWS Config will discover all supported resource types, allowing you to view them from within the AWS Config dashboard. A configuration item will be recorded for each, so these resources can also be found in the configuration history file on S3. Being aware of all the resources you have is key to understanding your environment. You may find that you have EBS volumes that are no longer attached to instances, which you could snapshot to keep the data and then delete, saving you money. Or perhaps you have subnets configured that no longer have any instances in them and that you no longer need. This allows you to perform some essential housekeeping within your network and VPC. There are many benefits to knowing what you have, where it is and what it's connected to. Many of these benefits will end up saving you money and help you run a streamlined environment.
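The housekeeping check described above, as an added example that is not part of the original lecture. The items below are constructed and simplified; they use field names from the AWS Config ConfigurationItem structure, and every resource ID is made up.

```python
# Constructed sample data: simplified configuration items, made-up IDs.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configurationItemStatus": "OK",
     "configuration": {"size": 100, "attachments": [{"instanceId": "i-0111"}]},
     "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0111",
                        "relationshipName": "Is attached to Instance"}]},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configurationItemStatus": "OK",
     "configuration": {"size": 500, "attachments": []},
     "relationships": []},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc",
     "configurationItemStatus": "ResourceDeleted",
     "configuration": None, "relationships": []},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0aaa",
     "configurationItemStatus": "OK", "configuration": {},
     "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0111",
                        "relationshipName": "Contains Instance"}]},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0bbb",
     "configurationItemStatus": "OK", "configuration": {},
     "relationships": [{"resourceType": "AWS::EC2::RouteTable", "resourceId": "rtb-0aaa",
                        "relationshipName": "Is attached to RouteTable"}]},
]

LIVE = {"OK", "ResourceDiscovered"}  # statuses of resources that still exist

def related_ids(item, resource_type):
    """IDs of related resources of one type, read from the relationships list."""
    return [r["resourceId"] for r in item.get("relationships") or []
            if r["resourceType"] == resource_type]

def live_items(items, resource_type):
    """Items of one type, skipping resources Config recorded as deleted."""
    return [i for i in items if i["resourceType"] == resource_type
            and i.get("configurationItemStatus") in LIVE]

def unattached_volumes(items):
    """(volume id, size in GiB) for volumes with no attachment and no instance."""
    found = []
    for item in live_items(items, "AWS::EC2::Volume"):
        cfg = item.get("configuration") or {}
        if not cfg.get("attachments") and not related_ids(item, "AWS::EC2::Instance"):
            found.append((item["resourceId"], cfg.get("size")))
    return found

def empty_subnets(items):
    """Subnets with no related instance; check for other ENIs before deleting."""
    return [i["resourceId"] for i in live_items(items, "AWS::EC2::Subnet")
            if not related_ids(i, "AWS::EC2::Instance")]
```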
Audit Compliance. As well as using AWS Config for being compliant with internal security standards, there are also many external audit and governance controls, where the service can also enforce specific controls on resources to maintain compliance. Examples are the Health Insurance Portability and Accountability Act, known as HIPAA, and the Payment Card Industry Data Security Standard, known as PCI DSS. These programs require strict controls in many different areas. Being able to put custom and managed Config rules in place helps you adhere to these external governance controls. In addition to this, you could show the auditors all of your configuration history files, which will allow them to go back to any point in time to check the configuration of any of your supported resources. Having this kind of information to hand is essential from an audit compliance point of view.
Resource Change Management. When planning changes within your infrastructure, it's often required that you have an understanding of what effect the change will have on other resources. More often than not, this information is not known, as you may not have full visibility of other attached resources. With AWS Config, you are able to use the dashboard to list all related resources of a particular resource, thanks to the relationship section within the configuration item. This allows you to plan your changes more effectively, by ensuring all resources that have a relationship to the resource being changed continue to function as expected post-change. Having a better overall visual awareness of the environment helps to prevent outages and configuration mistakes.
Troubleshooting and Problem Management. AWS Config is a great tool to help you troubleshoot issues that may arise within your environment. Using the Config dashboard within the AWS Management Console, you can see a timeline of events, allowing you to go back to any point in time, and in the case of an incident, you'll be able to go back to just before it happened. By doing this, you can understand what changes happened on your supported resources. If there were changes made to a resource that was affected by an incident, then this can significantly help you reduce the time to resolution, by identifying the possible cause of the problem. You would also be able to see the changes made to the resource and make any amendments to resolve the issue. In addition, thanks to its integration with AWS CloudTrail, you can see who or what triggered the change, and via which API call. If similar events occur frequently, then AWS Config can become a great tool to help you spot potential underlying problems within your infrastructure, allowing you to find the root cause and manage them effectively.
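Going back to "just before it happened" amounts to a diff between two recorded states, shown here as an added example that is not part of the original lecture. The history is constructed: the capture-time key follows the ConfigurationItem structure, while the security group configuration body is simplified and its values are made up.

```python
from datetime import datetime, timezone

# Constructed sample: three recorded states of one security group.
HISTORY = [
    {"configurationItemCaptureTime": "2024-03-01T09:00:00Z",
     "configuration": {"description": "web",
                       "ipPermissions": [{"fromPort": 443, "cidr": "10.0.0.0/8"}]}},
    {"configurationItemCaptureTime": "2024-03-04T14:10:00Z",
     "configuration": {"description": "web",
                       "ipPermissions": [{"fromPort": 443, "cidr": "0.0.0.0/0"}]}},
    {"configurationItemCaptureTime": "2024-03-04T16:30:00Z",
     "configuration": {"description": "web",
                       "ipPermissions": [{"fromPort": 443, "cidr": "0.0.0.0/0"},
                                         {"fromPort": 22, "cidr": "0.0.0.0/0"}]}},
]

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flatten(value, prefix=""):
    """Turn nested dicts and lists into {"a.b[0].c": leaf} so states can be compared."""
    if isinstance(value, dict):
        pairs = [(f"{prefix}.{k}" if prefix else k, v) for k, v in value.items()]
    elif isinstance(value, list):
        pairs = [(f"{prefix}[{i}]", v) for i, v in enumerate(value)]
    else:
        return {prefix: value}
    flat = {}
    for path, child in pairs:
        flat.update(flatten(child, path))
    return flat

def changes_since(history, incident_time):
    """Diff the last state recorded before incident_time against the latest state.

    Returns {path: (before, now)}, or None when nothing was recorded before the
    incident, for example because the resource was created afterwards.
    """
    cutoff = parse_time(incident_time)
    ordered = sorted(history, key=lambda i: parse_time(i["configurationItemCaptureTime"]))
    before = [i for i in ordered
              if parse_time(i["configurationItemCaptureTime"]) < cutoff]
    if not before:
        return None
    old = flatten(before[-1]["configuration"])
    new = flatten(ordered[-1]["configuration"])
    return {path: (old.get(path), new.get(path))
            for path in sorted(old.keys() | new.keys())
            if old.get(path) != new.get(path)}
```

Each changed path can then be matched against CloudTrail events for the same resource and time window to identify who made the change.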
You might want to look at some Real World Use Cases of other AWS customers. If so, then take a look at their customer success stories found here. That brings us to the end of this lecture. In the next lecture, we will summarize what we have learned throughout this course.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.