AWS Config & Configuration
With the ever-changing nature of cloud computing in AWS, driven by Auto Scaling and self-healing architectures, having visibility and awareness of your AWS resources is invaluable. It can be difficult to understand what the resources within your infrastructure look like, for example:
- Understanding what resources you have
- Having an awareness of the status of resource configurations
- Knowledge of resource relationships and connectivity within your environment
- Having a clear resource history, including all previous changes
- Understanding if your resources are compliant with specific governance controls
- Having up to date and accurate auditing information that can be passed to external auditors
Depending on the size of your deployment within AWS, obtaining this information can become both a time and resource-intensive exercise, unless you use AWS Config.
This course is an introduction to AWS Config. It explains how the service gives you visibility of your entire AWS infrastructure from a configuration perspective, how to use it as a resource inventory and compliance checker, and how to manage configuration changes to your resources. We also look at how AWS Config can be used as part of your security analysis procedure.
This course is designed to take you from a beginner with AWS Config to being able to implement the service within your environment.
The topics covered in this course are as follows:
- What is AWS Config? Within this lecture, you will understand exactly what the Service is and what function it provides
- Key Components: This lecture breaks down the service looking at all the components and their relationships to each other and the role they play as a part of the AWS Config service
- Service Integration: This lecture will look at how the AWS Config service integrates with other AWS Services, such as SNS, S3, CloudTrail, etc
- Managing compliance with AWS Config: Here we focus on how to maintain compliance using AWS Config, whether these be internal or external requirements or standards
- Use cases and Best Practices: This lecture will focus on some of the use cases where it is best to use AWS Config to help you maintain, support and operate your AWS environment
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello and welcome to this short lecture, where we will briefly look, at a high level, at what we have learnt throughout this course.
In summary, we have identified that AWS Config is a service within the management tools category that performs a number of useful functions when it comes to resource configuration visibility and compliance, such as:
- capturing resource changes
- acting as a resource inventory
- storing configuration history for individual resources
- providing a point-in-time snapshot of current resource configurations
- notifying you when a change has occurred on a resource
- providing information on who made the change, and when, through its integration with AWS CloudTrail
- enforcing rules that check the compliance of your resources against specific controls
- allowing you to perform security analysis within your AWS environment
- providing relationship and connectivity information between resources
We also discussed that AWS Config supports only a defined set of services and resource types; the current list can be found in the AWS Config documentation.
Another important point is that AWS Config is configured on a region-by-region basis. As such, you can have different resources being monitored and recorded in each region, since each region has its own configuration recorder.
We also looked at how the service itself is constructed from its different components, which were identified as follows:
- AWS resources: the resources you want to monitor and record.
- Configuration items: a record that contains information about a resource at a point in time, including its specific configuration details.
- Configuration stream: an SNS topic that can be accessed programmatically to extract data as changes occur.
- Configuration history: allows you to view configuration information for a particular resource over a period of time, through the timeline within the management console or via the configuration history files held in S3.
- Configuration snapshot: a complete point-in-time snapshot of all your supported resources, including all configuration information.
- Configuration recorder: the configuration used by AWS Config to determine which resource types to record. The SNS topic and S3 bucket that data is sent to are specified in the associated delivery channel.
- Config rules: rules that allow AWS Config to check resource compliance against a rule set. Any non-compliant resources are identified and a compliance change notification is sent to the stream.
- Resource relationships: allow you to clearly identify which resources link to other resources.
- SNS topic: used as the configuration stream.
- S3 bucket: used to store configuration snapshots and configuration history files.
- AWS Config permissions: an IAM role is required to perform Describe and List API calls against supported resources, along with write access to your selected SNS topic and S3 bucket.
Next we looked at how AWS Config integrates with other AWS services:
- SNS: a topic is used as the configuration stream.
- SQS: an ideal service for programmatically extracting useful information from the configuration stream, by subscribing an SQS queue as an endpoint of the SNS topic.
- S3: required to store configuration snapshots, along with your configuration history files, which are delivered there every six hours for each resource type.
- CloudTrail: referenced from the configuration item so that you can track the API call that made the change to the resource.
- IAM: used to create the role that allows AWS Config to perform its functions, as already discussed.
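As an added example (not code from the course or from AWS), the following shows what consuming the configuration stream through SQS looks like in practice. It assumes an SQS queue subscribed to the configuration-stream SNS topic without raw message delivery, so each SQS body is an SNS envelope whose `Message` field holds the Config notification as a JSON string. The sample message is constructed for this example; its field names follow the ConfigurationItemChangeNotification layout, and the `relatedEvents` list is where the CloudTrail event IDs for the change appear.

```python
"""Read AWS Config's configuration stream from an SQS queue subscribed to the SNS topic."""
import json
from typing import Any

# Constructed sample: a ConfigurationItemChangeNotification for a security group whose
# inbound rules were just changed. Account ID, ARNs and resource IDs are placeholders.
SAMPLE_CONFIG_MESSAGE = {
    "messageType": "ConfigurationItemChangeNotification",
    "notificationCreationTime": "2024-01-15T10:05:12.000Z",
    "recordVersion": "1.3",
    "configurationItemDiff": {
        "changeType": "UPDATE",
        "changedProperties": {
            "Configuration.IpPermissions.0": {
                "previousValue": None,
                "updatedValue": {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
                                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                "changeType": "CREATE",
            }
        },
    },
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "awsAccountId": "123456789012",
        "awsRegion": "eu-west-1",
        "configurationItemCaptureTime": "2024-01-15T10:05:10.000Z",
        "configurationItemStatus": "OK",
        # CloudTrail event IDs behind this change; look them up with CloudTrail's LookupEvents.
        "relatedEvents": ["9d1c0a3e-0000-0000-0000-000000000001"],
        "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0abc1234",
                           "name": "Is contained in Vpc"}],
        "configuration": {"groupName": "web-ssh", "ipPermissions": [
            {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp", "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
        "tags": {"env": "prod"},
    },
}

# What boto3's receive_message() returns in Messages[i]["Body"] when the queue is subscribed
# to the topic without raw message delivery: an SNS envelope whose Message is the JSON above.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "6d0e1b2c-1111-2222-3333-444455556666",
    "TopicArn": "arn:aws:sns:eu-west-1:123456789012:config-stream",
    "Message": json.dumps(SAMPLE_CONFIG_MESSAGE),
    "Timestamp": "2024-01-15T10:05:12.345Z",
})


def unwrap_sns(sqs_body: str) -> dict[str, Any]:
    """Strip the SNS envelope from an SQS body and return the Config notification as a dict."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError(f"unexpected SNS envelope type: {envelope.get('Type')!r}")
    return json.loads(envelope["Message"])


def summarize(notification: dict[str, Any]) -> dict[str, Any]:
    """Pull out what an analyst wants first: which resource changed, how, and which CloudTrail events explain it."""
    kind = notification.get("messageType")
    if kind != "ConfigurationItemChangeNotification":
        # Snapshot/history delivery and compliance-change messages carry no configurationItem.
        return {"messageType": kind, "actionable": False}
    ci = notification["configurationItem"]
    diff = notification.get("configurationItemDiff") or {}
    return {
        "messageType": kind,
        "actionable": True,
        "resource": f"{ci['resourceType']}/{ci['resourceId']}",
        "account": ci["awsAccountId"],
        "region": ci["awsRegion"],
        "changeType": diff.get("changeType"),
        "changedProperties": sorted((diff.get("changedProperties") or {}).keys()),
        "cloudtrail_event_ids": list(ci.get("relatedEvents") or []),
        "related_resources": [f"{r['resourceType']}/{r['resourceId']}" for r in ci.get("relationships", [])],
        "captured_at": ci["configurationItemCaptureTime"],
    }


def drain_queue(sqs_client, queue_url: str, max_batches: int = 10) -> list[dict[str, Any]]:
    """Driver for a real queue (pass boto3.client("sqs")): long-poll, summarize, delete on success."""
    results = []
    for _ in range(max_batches):
        resp = sqs_client.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=10)
        messages = resp.get("Messages", [])
        if not messages:
            break
        for m in messages:
            results.append(summarize(unwrap_sns(m["Body"])))
            sqs_client.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
    return results


if __name__ == "__main__":
    print(json.dumps(summarize(unwrap_sns(SAMPLE_SQS_BODY)), indent=2))
```

Only change notifications carry a configuration item; snapshot and history delivery messages arrive on the same topic and are skipped here, and the message is only deleted from the queue once it has been processed, so a crash mid-batch does not lose a change record.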
We then looked at how best to manage compliance within your environment. Using security as an example, we explained that with AWS Config you can implement specific Config rules that monitor changes within your environment and notify you when a resource becomes non-compliant. This allows you to rectify configuration mistakes quickly, ensuring that your AWS environment is not unnecessarily exposed by weak security configuration changes.
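The security example described above can be implemented as a custom Config rule backed by Lambda. The code below is an added example, not the course's or AWS's code: it assumes the rule is created with Lambda as its source and a change-triggered scope of AWS::EC2::SecurityGroup, so Config invokes the handler with the standard event (`invokingEvent`, `ruleParameters`, `resultToken`) and the handler reports back with PutEvaluations. The `blockedPorts` rule parameter and the `RecordingConfigClient` stand-in are assumptions made for this example; the sample events are constructed.

```python
"""Custom AWS Config rule, as a Lambda handler, that flags security groups exposing admin ports to the world."""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(perm: dict) -> list[str]:
    """Every CIDR attached to one ipPermissions entry. Config records ipv4Ranges/ipv6Ranges;
    older configuration items also carry a plain ipRanges list of strings."""
    out = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
    out += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    out += [r for r in perm.get("ipRanges", []) if isinstance(r, str)]
    return out


def _covers_port(perm: dict, port: int) -> bool:
    """True if the permission admits TCP traffic to `port` (ipProtocol "-1" means all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(ci: dict, blocked_ports: list[int]) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration item."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    findings = []
    for perm in ci["configuration"].get("ipPermissions", []):
        world = [c for c in _cidrs(perm) if c in WORLD_CIDRS]
        exposed = [p for p in blocked_ports if _covers_port(perm, p)] if world else []
        if exposed:
            findings.append(f"ports {exposed} open to {','.join(world)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Annotation is limited to 256 characters
    return "COMPLIANT", "no blocked ports reachable from the internet"


def lambda_handler(event: dict, context, config_client=None) -> dict:
    """Entry point Config invokes. `config_client` is injectable so the example runs offline;
    inside Lambda leave it None and a real boto3 Config client is created."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    # "blockedPorts" is a hypothetical rule parameter chosen for this example.
    blocked = [int(p) for p in params.get("blockedPorts", "22,3389").split(",")]
    ci = invoking["configurationItem"]
    compliance, note = evaluate_security_group(ci, blocked)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for boto3's Config client: records what PutEvaluations would have been sent."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def sample_event(ip_permissions: list, status: str = "OK") -> dict:
    """Constructed invocation event in the shape Config sends to a change-triggered custom rule."""
    ci = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-15T10:05:10.000Z",
        "configuration": {"groupName": "web", "ipPermissions": ip_permissions},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": ci}),
        "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
        "resultToken": "constructed-result-token",
        "accountId": "123456789012",
    }


OPEN_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]
HTTPS_ONLY = [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
              {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]

if __name__ == "__main__":
    client = RecordingConfigClient()
    for perms in (OPEN_SSH, HTTPS_ONLY):
        print(lambda_handler(sample_event(perms), None, config_client=client))
```

Two details matter in production: a deleted resource must be reported as NOT_APPLICABLE rather than silently skipped, otherwise its last compliance state lingers in the console, and the Lambda execution role needs `config:PutEvaluations` plus whatever Describe permissions the rule itself needs.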
Finally, we looked at a number of different use cases of where AWS Config can be used to help support, maintain and optimize your AWS resources. These included security compliance, discovery of resources, audit compliance, resource change management, and troubleshooting and problem management.
That now brings us to the end of this lecture and to the end of the course. I hope it has given you a good understanding of the AWS Config service and has left you confident enough to start using this service as you need within your own organization.
If you have any feedback on this course, positive or negative, please do leave a comment on the course landing page. We do look at these comments and your feedback is greatly appreciated.
Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.