Hello and welcome to this lecture where we will talk about the AWS Config service, itself, what it is, and what it does. So let's get started. As many of you will be aware, one of the biggest headaches in any organization when it comes to resource management of IT infrastructure is understanding the following: What resources do we have? What devices are out there within our infrastructure performing functions? Do we have resources that are no longer needed and therefore can we be saving money by switching them off? What is the status of their current configuration?

Are there any security vulnerabilities we need to worry about? How are our resources linked within the environment? What relationships are there and are there any dependencies? If we make a change to one resource, will this effect another? What changes have occurred on the resources and by whom? Do we have a history of changes for this resource that shows us how the resource has changed over time? Is the infrastructure compliant with specific governance controls and how can we check to ensure that this configuration is meeting specific internal and external requirements?

And do we have accurate auditing information that can be passed to external auditors for compliance checks? Depending on the size of your deployment with AWS, trying to answer some of these questions can be very time-consuming and laborious. Some of this information can be captured by the AWS CLI by performing a describe, or list, against the specific resource. But implementing a system to capture those results and output them into a readable format could be very resource-intensive.

And of course, this will only help you with a small piece of the puzzle. AWS is aware that due to the very nature of the cloud and its benefits, the resources within an AWS environment are likely to fluctuate frequently, along with the configurations of the resources. The cloud by its very nature is designed to do so, and so trying to keep up with the resource management can be a struggle. Because of this, AWS released AWS Config to help with this very task.

The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously. So what did AWS design AWS Config to do? Well, in a nutshell, AWS Config can capture resource changes. So any change to a resource supported by Config can be recorded, which will record what change along with other useful metadata all held within a file known as a configuration item, a CI.

It can act as a resource inventory. AWS Config can discover supported resources running within your environment, allowing you to see data about that resource type. You can store configuration history for individual resources. The service will record and hold all existing changes that have happened against the resource, providing a useful history record of changes. It can provide a snapshot in time of current resource configurations. An entire snapshot of all supported resources within a region can be captured that will detail their current configurations with all related metadata.

Enable notifications of when a change has occurred on a resource. The Simple Notification Service, SNS, is used with AWS Config to capture a configuration stream of changes, enabling you to process and analyze the changes to resources. It can provide the information on who made the change and when, through AWS CloudTrail integration. AWS CloudTrail is used with AWS Config to help you identify who made the change and when, and with which API. You can enforce rules that check the compliancy of your resource against specific controls. Predefined and custom rules and be configured with AWS Config, allowing you to check resources' compliance against these rules. You can perform security analysis within your AWS environment.

A number of security resources can be recorded and when this is coupled with rules relating to security, such as encryption checks, this can become a powerful analysis tool. And it can provide relationship connectivity information between resources. The AWS management console provides a great relationship query, allowing you to quickly see and identify which resources are related to any other resource. For example, when looking at an EBS volume, you'll be able to see which EC2 instance it is connected to.

And it does all of this and presents the data in a friendly format. This is a lot of incredibly useful data that can be used across a range of different scenarios, some of which we will cover later in this course. Now unfortunately at the time we're writing this course, the AWS Config service does not capture this information for all services. But it certainly captures data for the most common services and resources, which you would want to hold information for.

Services such as: EC2, RDS, IAM, and VPC. And it's great to see that within each of these, there are specific security resources that are covered, such as security groups and custom IAM policies. This makes AWS Config very useful when it comes to carrying out a security analysis, which we will cover in a later lecture. For more information on the latest resources that AWS Config supports, please see the link on-screen.

AWS Config is region-specific, meaning that if you have resources in multiple regions, then you will have to configure AWS Config for each region you want to record resource changes for. When doing so, you are able to specify different options for each region. For example, you could configure Config in one region to record all supported resources across all services within that region and add a pre-defined AWS manage config rule that would check if EBS volumes are encrypted.

In another region, you could select to only record a specific type of resource, such as security groups, with no pre-defined rules allocated. Some of you may be wondering, what if the service you want to monitor is not region-specific, such as IAM? Well in this case, there is a separate option to include global services, which IAM falls under.

Lectures:

• Management fundamentals for AWS
• AWS Config
• AWS CloudTrail
• Amazon Trusted Advisor
• Amazon CloudWatch
• AWS Personal Health Dashboard
• Summary