AWS Config

What is it?

- fully managed service that provides a resource inventory, configuration history, and configuration change notifications, enabling compliance, governance, and security
- gives a detailed view of the configuration of the AWS resources in the AWS account: point-in-time and historical states, with changes shown visually in a timeline
- does not cover all AWS services
- is a regional service
- the API and code can be used to compare current and past configuration data
- provides customizable, predefined rules
- receive a notification whenever a resource is created, modified, or deleted

Flow

- solution overview diagram (image not reproduced in these notes)

Use Cases

Security Analysis & Resource Administration
- evaluate resources for any misconfigurations leading to security gaps or weaknesses

Auditing & Compliance
- retrieve historical configurations
- maintain a complete inventory of all resources and their configurations
- ensure compliance with internal policies and best practices, and support audits

Change Management
- notify whenever resources are created, modified, or deleted
- understand the relationships between resources

Troubleshooting
- quickly identify and troubleshoot issues

Discovery
- helps discover the resources that exist within an account
- better inventory and asset management
- snapshot of the current configurations of the supported resources that are associated with the AWS account

Concepts

Resources
- entities created and managed in the account

Resource Relationship
- the service discovers resources and creates a map of the relationships between them

Configuration Items
- a point-in-time view of a supported AWS resource
- components: metadata, attributes, relationships, current configuration, related events

Configuration Snapshot
- collection of the configuration items that exist in the account

Configuration History
- collection of the configuration items for a given resource over any time period

Configuration Stream
- an automatically updated list of all configuration items for the resources that AWS Config is recording

Configuration Recorder
- stores the configurations as configuration items
- needs to be created and started before anything is recorded

AWS Config Rules
- define desired configuration settings for specific resources or for the entire account
- track resource configuration changes against the rules; if a rule is violated, the resource is marked as non-compliant
- rule types: Managed, Custom
- evaluation modes: Proactive, Detective
- triggered: periodically, or on configuration changes
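
The custom, change-triggered (Detective) rule path above, as an added example that is not part of these notes: a Lambda handler that receives the configuration item from AWS Config, decides whether an EBS volume is compliant, and reports the verdict with put_evaluations. It assumes the AWS::EC2::Volume configuration item exposes the fields `encrypted` and `kmsKeyId`, and the rule parameter `requiredKmsKeyId` is hypothetical.

```python
"""Custom AWS Config rule Lambda (added example). Assumes the AWS::EC2::Volume
configuration item exposes 'encrypted'/'kmsKeyId'; 'requiredKmsKeyId' is hypothetical."""
import json
from datetime import datetime, timezone
try:
    import boto3  # present in Lambda; may be absent when run locally
except ImportError:
    boto3 = None

# Constructed sample invocation: change-triggered evaluation of an unencrypted volume
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
        "configuration": {"encrypted": False, "kmsKeyId": None}}}),
    "ruleParameters": "{}",
    "resultToken": "TESTMODE",
}

def evaluate_volume(ci: dict, params: dict) -> tuple[str, str]:
    """Return (ComplianceType, annotation) for one configuration item."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    cfg = ci.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "volume is not encrypted"
    required = params.get("requiredKmsKeyId")  # optional: demand one specific CMK
    if required and cfg.get("kmsKeyId") != required:
        return "NON_COMPLIANT", f"encrypted, but not with required key {required}"
    return "COMPLIANT", "volume encrypted"

def build_evaluation(event: dict) -> dict:
    """Parse the Config invocation event and build the Evaluation entry to report."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]  # oversized notifications carry only a summary: not handled
    compliance, note = evaluate_volume(ci, params)
    captured = datetime.strptime(ci["configurationItemCaptureTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": note[:256],  # 256-char limit
            "OrderingTimestamp": captured.replace(tzinfo=timezone.utc)}

def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    if boto3 is not None:  # report the verdict to Config with the token it handed us
        boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Deleted resources are reported as NOT_APPLICABLE so they do not linger as non-compliant after the change that removed them.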

Remediation
- uses Systems Manager Automation documents
- defines the actions to be performed on noncompliant resources
- the automation documents can be provided by the service or be custom automation documents

Aggregator
- collects AWS Config configuration data and AWS Config compliance data from:
  - a single account and multiple regions
  - multiple accounts and multiple regions
  - an organization in AWS Organizations, and all the accounts in that organization that have AWS Config enabled
