AWS Config & Configuration
With the ever-changing nature of Cloud Computing in AWS, through the use of Auto Scaling, and self-healing architecture mechanisms, having visibility and awareness of your AWS resources is invaluable. It can be difficult to understand what your resources within your infrastructure looks like, for example:
- Understanding what resources you have
- Having an awareness of the status of resource configurations
- Knowledge of resource relationships and connectivity within your environment
- Having a clear resource history, including all previous changes
- Understanding if your resources are compliant with specific governance controls
- Having up to date and accurate auditing information that can be passed to external auditors
Depending on the size of your deployment within AWS, obtaining this information can become both a time and resource-intensive exercise, unless you use AWS Config.
This course is an introduction to AWS Config and will explain how AWS Config allows you to have visibility of your entire AWS infrastructure from a configuration perspective. As well as how to use the service to act as a resource inventory, compliance checker and manage configuration changes of your resources. Also discussed, we look at how AWS Config be used as a part of your security analysis procedure.
This course is designed to take you from a beginner of AWS Config to being able to implement the service within your environment.
The topics covered in this course are as follows:
- What is AWS Config? Within this lecture, you will understand exactly what the Service is and what function it provides
- Key Components: This lecture breaks down the service looking at all the components and their relationships to each other and the role they play as a part of the AWS Config service
- Service Integration: This lecture will look at how the AWS Config service integrates with other AWS Services, such as SNS, S3, CloudTrail, etc
- Managing compliance with AWS Config: Here we focus on how to maintain compliance using AWS Config, whether these be internal or external requirements or standards
- Use cases and Best Practices: This lecture will focus on some of the use cases of when is best to use AWS Config to help you maintain, support and operate your AWS environment
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
Hello and welcome to this short lecture on AWS Config Service Integration where we shall look at the relationships between AWS Config and other AWS services.
AWS Config has a specific relationship with the following AWS services, SNS, SQS, S3, CloudTrail and IAM. Let's start by looking at SNS.
We have already covered much of this in the previous lecture where I explained how SNS is used as the configuration stream for CIs and other important event notifications. By using SNS you can subscribe multiple different endpoints to the SNS topic created as a part of your configuration recorder information to extract data and process information. And this is where SQS comes in. If you had multiple accounts, you may want to have AWS Config in each account subscribed to the same topic in a primary AWS account. This is possible by allowing access of the service principle to publish to the same topic in the primary account. See the 'permissions for the Amazon SNS topic' within the following AWS developer guide for a sample policy on how to do this.
The Simple Queue Service, SQS, can be subscribed to the AWS Config topic, the configuration stream, which gives you a highly available and decoupled environment for the data within your configuration streams. By using SQS it allows you to create and use your own applications to extract only information and data that is pertinent to you. There can be vast amount of data coming into the configuration stream but you might only want to be notified and made aware of any changes that may relate to any potential security issues. As a result, you may want to pull information from the queue that only relate to security groups, NACLS, IAM roles etc. or any other resource type that could affect the security of your environment.
If you did decide to have different configuration streams in each region, so effectively different SNS topics, then you could still subscribe the same SQS queue to multiple SNS topics preventing your application from poling from multiple queues to process data from the configuration stream. S3 is used to store the configuration history files and any configuration snapshots of your data within a single bucket. And again, this bucket is defined within the configuration recorder. You can get AWS Config to create a new bucket for you or select an existing bucket. If you have multiple AWS accounts you may want to aggregate your configuration history and snapshot files into the same S3 bucket for your primary account. However, you will need to grant the right access for the service principle which is config.amazonaws.com to be able to write to the S3 bucket. Take a look at the section 'Granting AWS Config Access to an Amazon S3 Bucket in Another Account' within the following link for a sample policy on how to do this.
AWS CloudTrail interacts with AWS Config at the configuration item level. If we remember back to the section in the previous lecture the CI is comprised of five different sections. The final section, Related Events, displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI for that resource. This feature is very useful when identifying who or what made the change to the effective resource. This CloudTrail data can be accessed via the AWS Config Dashboard within the AWS Management console, which will then link you directly to the event within CloudTrail. For more information on CloudTrail we have a course AWS CloudTrail, An Introduction that will define exactly what the services and how it works.
Conversely, when CloudTrail tracks and recalls changes made within the AWS Config itself, the following APIs are tracked, DeleteDeliveryChannel. This deletes the delivery channel. DeliverConfigSnapshot. This sends a configuration snapshot to S3. DescribeConfigurationRecorderStatus. This returns the status of a specified configuration recorder. DescribeConfigurationRecorders. This returns the details of a specific configuration recorder. DescribeDeliveryChannels. This returns information about a specific delivery channel. GetResourceConfigHistory. This retrieves a list of configuration items for a specified resource. PutConfigurationRecorder. This creates a new configuration record. PutDeliveryChannel. This creates a new delivery channel for an S3 bucket and SNS topic. StartConfigurationRecorder. This starts recording data for supported resources within your account as per your configuration. And finally, StopConfigurationRecorder. And this stops recording the data.
The final service that has a relationship with AWS Config is IAM. And again, we briefly covered this in the previous lecture. As AWS Config has relationships with other services, specifically SNS and S3, the use of an IAM role is required to enable the service to publish data to an SNS topic for configuration streams and S3 to store configuration history files and configuration snapshots. The policy for this access would look similar to the following on screen. In addition to this access, AWS Config must also be able to perform the described list and some get API calls against all supported services within the region. As a result, the same IAM role also has a second policy attached which allows access to perform these actions against those resources.
That brings us to the end of this lecture of how other AWS services interact with AWS Config. Coming up next we'll start to look at how to manage specific compliance with AWS Config. We briefly touched on this earlier when we looked at the config rules, so we'll now look at this in greater depth.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.