AWS Config & Configuration
The course is part of these learning paths
With the ever-changing nature of Cloud Computing in AWS, through the use of Auto Scaling, and self-healing architecture mechanisms, having visibility and awareness of your AWS resources is invaluable. It can be difficult to understand what your resources within your infrastructure looks like, for example:
• Understanding what resources you have
• Having an awareness of the status of resource configurations
• Knowledge of resource relationships and connectivity within your environment
• Having a clear resource history, including all previous changes
• Understanding if your resources are compliant with specific governance controls
• Having up to date and accurate auditing information that can be passed to external auditors
Depending on the size of your deployment within AWS, obtaining this information can become both a time and resource intensive exercise, unless you use AWS Config.
This course is an introduction to AWS Config and will explain how AWS Config allows you have visibility of your entire AWS infrastructure from a configuration perspective. As well as how to use the service to act as a resource inventory, compliance checker and manage configuration changes of your resources. Also discussed, we look at how AWS Config be used as a part of your security analysis procedure.
This course is designed to take you from a beginner of AWS Config to being able to implement the service within your environment.
The topics covered within this course are as follows:
• What is AWS Config? Within this lecture, you will understand exactly what the Service is and what function it provides
• Key Components: This lecture breaks down the service looking at all the components and their relationships to each other and the role they play as a part of the AWS Config service
• Service Integration: This lecture will look at how the AWS Config service integrates with other AWS Services, such as SNS, S3, CloudTrail etc
• Managing compliance with AWS Config: Here we focus on how to maintain compliance using AWS Config, whether these be internal or external requirements or standards
• Use cases and Best Practices: This lecture will focus on some of the use cases of when is best to use AWS Config to help you maintain, support and operate your AWS environment
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello, and welcome to this lecture, where we will talk about the AWS Config service itself, what it is, and what it does. So let's get started.
As many of you will be aware, one of the biggest headaches in any organization when it comes to resource management of IT infrastructure is understanding the following. What resources do we have? What devices are out there within our infrastructure performing functions?
Do we have resources that are no longer needed, and therefore, can we be saving money by switching them off?
What is status of their configuration? Are there any security vulnerabilities we need to worry about?
How are our resources linked within the environment? What relationships are there, and are there any dependencies? If we make a change to one resource, will this affect another?
What changes have occurred on the resources, and by whom? Do we have a history of changes for this resource that shows us how the resourced changed over time?
Is the infrastructure compliant with specific governance controls, and how can we check to ensure that this configuration is meeting specific internal and external requirements?
And, do we have accurate auditing information that can be passed to external auditors for compliance checks?
Depending on the size of your deployment with AWS, trying to answer some of these questions can be very time consuming and laborious. Some of this information can be captured via the AWS CLI by performing a 'describe', or 'list', against the specific resource. But implementing a system to capture those results and output them into a readable format could be very resource intensive. And of course, this will only help you with a small piece of the puzzle.
AWS is aware that, due to the very nature of the cloud and its benefits, the resources within an AWS environment are likely to fluctuate frequently, along with the configurations of the resources. The cloud, by its very nature, is designed to do so, and so trying to keep up with the resource management can be a struggle. Because of this, AWS released AWS Config to help with this very task. The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously.
So what did AWS design AWS Config to do? Well, in a nutshell, AWS Config can capture resource changes, so any change to a resource supported by Config can be recorded, which will record what changed along with other useful metadata, all held within a file known as a configuration item, a CI.
It can act as resource inventory. AWS Config can discover supported resources running within your environment, allowing you to see data about that resource type.
It can store configuration history for individual resources. The service will record and hold all existing changes that have happened against the resource, providing a useful history record of changes.
It can provide a snapshot in time of current resource configurations. An entire snapshot of all supported resources within a region can be captured that will detail their current configurations with all related metadata.
Enable notifications of when a change has occurred on a resource. The Simple Notification Service, SNS, is used with AWS Config to capture a configuration stream of changes, enabling you to process and analyze to changes to resources.
It can provide information on who made the change and when through AWS CloudTrail Integration. AWS CloudTrail is used with AWS Config to help you identify who made the change and when, and with which API.
You can enforce rules that check the compliancy of your resource against specific controls. Pre-defined and custom rules can be configured with AWS Config, allowing you to check resources' compliance against these rules.
You can perform security analysis within your AWS environment. A number of security resources can be recorded, and when this is coupled with rules relating to security, such as encryption checks, this can become a powerful analysis tool, and it can provide relationship connectivity information between resources. The AWS Management Console provides a great relationship query, allowing you to quickly see and identify which resources are related to any other resource. For example, when looking at an EBS volume, you will able to see which EC2 instance it is connected to, and it does all of this and presents the data in a friendly format.
This is a lot of incredibly useful data that can be used across a range of different scenarios, some of which we will cover later in this course. Now unfortunately, at the time of writing this course, the AWS Config service does not capture this information for all services, but it certainly captures data from the most common services and resources, which you would want to hold information for, services such as EC2, RDS, IAM, and VPC. And it's great to see that within each of these, there are specific security resources that are covered, such as security groups and custom IAM policies.
This makes AWS Config very useful when it comes to carrying out a security analysis, which we will cover in a later lecture. For more information on the latest resources that AWS Config supports, please see the link on screen. AWS Config is region specific, meaning that if you have resources in multiple regions, then you will have to configure AWS Config for each region you want to record resource changes for. When doing so, you are able to specify different options for each region. For example, you could configure Config in one region to record all supported resources across all services within that region, and then add a pre-defined AWS-managed config rule that will check if EBS volumes are encrypted. In another region, you could select to only record a specific type of resource, such as security groups, with no pre-defined rules allocated.
Some of you may be wondering, what if the service you want to monitor is not region specific, such as IAM? Well in this case, there is a separate option to include global services, which IAM falls under.
Now we have an understanding of what AWS Config is used for, and what it does. In the next lecture, we will introduce the different components that make up the service, showing what each of them do and how these come together to deliver the service features.
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data centre and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 50+ courses relating to Cloud, most within the AWS category with a heavy focus on security and compliance
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.