What is it?
Flow
fully managed service
provides
resource
inventory
configuration history
configuration change notifications
enable
compliance
governance
security
detailed view of the configuration of AWS resources in the AWS account
point-in-time and historical states of each resource
shows configuration changes visually in a timeline
does not cover all AWS services (only supported resource types are recorded)
is a regional service (the recorder must be enabled in every region that should be tracked)
solution
console and API are used to compare current and past configuration data
provides customizable, predefined rules
Receive a notification whenever a resource is created, modified, or deleted.
Use Cases
Security Analysis & Resource Administration
evaluate resources for misconfigurations that lead to security gaps or weaknesses
Auditing & Compliance
retrieve historical configurations
maintain a complete inventory of all resources and their configurations
ensure compliance with internal policies and best practices, and support audits
Change Management
understand relationships between resources before changing them
receive a notification whenever a resource is created, modified, or deleted
Troubleshooting
quickly identify and troubleshoot issues by comparing current and past configurations
Discovery
helps discover the resources that exist within an account
snapshot of the current configurations of the supported resources that are associated with the AWS account
better inventory and asset management
Concepts
Resources
AWS entities that are created and managed in the account
Resource Relationship
the service discovers resources and builds a map of the relationships between them (for example, which security groups an instance uses)
Configuration Items
a point-in-time view of the attributes of a supported AWS resource; a new item is recorded each time the configuration changes
Components
metadata
attributes
relationships
current configuration
related events
Configuration Snapshot
collection of the configuration items for the supported resources that exist in the account
Configuration History
collection of the configuration items for a given resource over any time period.
Configuration Streams
an automatically updated list of all configuration items for the resources that AWS Config is recording.
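The change-over-time view that Configuration Items, Resource Relationships and Configuration History describe, as an added Python example that is not code from the original page or from AWS: HISTORY holds two hand-constructed configuration items for one security group (trimmed to the fields the diff uses; the IDs and timestamps are invented), and the code flattens and compares them the way the console timeline presents changes. Real items come from `aws configservice get-resource-config-history`.

```python
"""Diff one resource's configuration history the way the console timeline does.

Added example, not code from the original page or from AWS. HISTORY is two
hand-constructed configuration items for a single security group (trimmed to
the fields used here; IDs and timestamps are invented), oldest first, in the
shape `aws configservice get-resource-config-history` returns them.
"""
from typing import Any

HISTORY = [
    {   # item 1: resource discovered, 443 open to the world, contained in a VPC
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-10T09:00:00.000Z",
        "configurationItemStatus": "ResourceDiscovered",
        "tags": {"env": "prod"},
        "relationships": [
            {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0aaa", "name": "Is contained in Vpc"},
        ],
        "configuration": {"groupName": "web", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    },
    {   # item 2: SSH rule added, group now attached to an instance, tag added
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-12T15:30:00.000Z",
        "configurationItemStatus": "OK",
        "tags": {"env": "prod", "owner": "platform"},
        "relationships": [
            {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0aaa", "name": "Is contained in Vpc"},
            {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0bbb", "name": "Is associated with Instance"},
        ],
        "configuration": {"groupName": "web", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    },
]


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts/lists into {"a.b[0].c": leaf} so leaves can be compared.
    Lists are compared by position, so a reordered list shows up as changes."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items()
                for k2, v2 in flatten(v, f"{prefix}.{k}" if prefix else k).items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj)
                for k2, v2 in flatten(v, f"{prefix}[{i}]").items()}
    return {prefix: obj}


def diff_flat(old: dict, new: dict) -> dict[str, dict]:
    """Added, removed and changed leaf values between two nested structures."""
    o, n = flatten(old), flatten(new)
    return {
        "added": {k: n[k] for k in sorted(n.keys() - o.keys())},
        "removed": {k: o[k] for k in sorted(o.keys() - n.keys())},
        "changed": {k: (o[k], n[k]) for k in sorted(o.keys() & n.keys()) if o[k] != n[k]},
    }


def relationships(item: dict) -> set[tuple[str, str, str]]:
    """Relationships as comparable (type, id, name) tuples."""
    return {(r["resourceType"], r["resourceId"], r["name"]) for r in item.get("relationships", [])}


def diff_items(old: dict, new: dict) -> dict[str, Any]:
    """Compare the configuration, tags and relationships of two configuration items."""
    return {
        "configuration": diff_flat(old.get("configuration", {}), new.get("configuration", {})),
        "tags": diff_flat(old.get("tags", {}), new.get("tags", {})),
        "relationships": {
            "added": sorted(relationships(new) - relationships(old)),
            "removed": sorted(relationships(old) - relationships(new)),
        },
    }


def timeline(history: list[dict]) -> list[dict[str, Any]]:
    """One entry per consecutive pair of items, oldest first, like the console timeline."""
    items = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    return [{"from": a["configurationItemCaptureTime"], "to": b["configurationItemCaptureTime"],
             "status": b["configurationItemStatus"], "diff": diff_items(a, b)}
            for a, b in zip(items, items[1:])]


if __name__ == "__main__":
    import json
    print(json.dumps(timeline(HISTORY), indent=2))
```

The diff surfaces the three things a reviewer of a configuration history actually wants: which attributes changed (here a new ingress rule on port 22), which relationships appeared or disappeared (the group got attached to an instance), and which tags moved. Because list elements are compared by index, a permission that is merely reordered shows up as a change; sort the lists by a stable key first if that noise matters.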
Configuration Recorder
stores the configurations of the supported resources as configuration items
needs to be created and started before anything is recorded
AWS Config Rules
define desired configuration settings for specific resources or for the entire account
evaluate resource configuration changes against the rules
mark a resource as NON_COMPLIANT when a rule is violated
rule types
Managed (predefined by AWS)
Custom (a Lambda function or a CloudFormation Guard policy that you write)
evaluation modes
Proactive (evaluates resources before they are provisioned)
Detective (evaluates resources after they are deployed)
triggered
periodically
on configuration changes
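A detective, change-triggered custom rule as an added Python example (not code from the original page or an AWS-provided rule): the Lambda handler a custom rule invokes, which receives the configuration item inside the event, decides compliance, and reports one evaluation with PutEvaluations. The check itself (a port reachable from 0.0.0.0/0 or ::/0) is the same thing the managed rule restricted-ssh does; the `port` rule parameter, SAMPLE_EVENT, its resource IDs and the result token are constructed placeholders.

```python
"""Custom AWS Config rule: flag security groups that expose a port to the world.

Added example, not code from the original page or an AWS-provided rule. This is
the Lambda handler behind a detective, change-triggered custom rule; the `port`
rule parameter, SAMPLE_EVENT, its resource IDs and the result token are
constructed placeholders. boto3 is imported only inside lambda_handler so the
evaluation logic runs offline.
"""
import json
from typing import Any

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
WORLD = {"0.0.0.0/0", "::/0"}


def covers_port(perm: dict, port: int) -> bool:
    """True if an ingress permission reaches `port`: all traffic (-1) or a tcp range."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return proto == "tcp" and lo is not None and hi is not None and lo <= port <= hi


def world_cidrs(perm: dict) -> set[str]:
    """Collect 0.0.0.0/0 or ::/0 from every place a configuration item can list a CIDR."""
    cidrs = set(perm.get("ipRanges", []))                       # legacy flat list
    cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return cidrs & WORLD


def evaluate(ci: dict, port: int = 22) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "rule only evaluates security groups"
    if ci["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"   # clears any stale NON_COMPLIANT result
    offending = [f"{cidr} -> {p.get('fromPort')}-{p.get('toPort')}/{p.get('ipProtocol')}"
                 for p in ci.get("configuration", {}).get("ipPermissions", [])
                 if covers_port(p, port) for cidr in sorted(world_cidrs(p))]
    if offending:
        return NON_COMPLIANT, f"port {port} open to the world via " + ", ".join(offending)
    return COMPLIANT, f"port {port} not reachable from 0.0.0.0/0 or ::/0"


def build_evaluations(event: dict) -> list[dict[str, Any]]:
    """Turn the rule invocation event into the Evaluations list for PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    port = int(json.loads(event.get("ruleParameters") or "{}").get("port", 22))
    kind = invoking["messageType"]
    if kind == "OversizedConfigurationItemChangeNotification":
        # Item too large for the event: fetch it with config:GetResourceConfigHistory first.
        raise NotImplementedError("oversized item: fetch the configuration item separately")
    if kind != "ConfigurationItemChangeNotification":
        # ScheduledNotification (periodic trigger) carries no item; a periodic rule would
        # list its resources itself. Nothing to report for a change-triggered rule.
        return []
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate(ci, port)
    return [{
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # service limit on annotation length
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }]


def lambda_handler(event: dict, context: Any) -> list[dict[str, Any]]:
    import boto3  # deferred so the pure logic above is testable without AWS credentials
    evaluations = build_evaluations(event)
    if evaluations:
        boto3.client("config").put_evaluations(
            Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed invocation event: 443 open to all, 22 only to 10/8, but a tcp 0-1024
# range open to ::/0, which still exposes SSH.
SAMPLE_EVENT = {
    "resultToken": "placeholder-result-token",
    "ruleParameters": json.dumps({"port": 22}),
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-12T15:30:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
                {"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024, "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
            ]},
        },
    }),
}

if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

Three details matter in practice: a deleted resource must be reported NOT_APPLICABLE or its last NON_COMPLIANT verdict lingers in the compliance view; a port range (or ipProtocol -1) covers the port just as well as an exact 22-22 rule, so checking only fromPort == 22 misses exposures; and an oversized item arrives without its configuration, so the function has to fetch it before it can evaluate anything.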
Remediation
uses Systems Manager Automation documents to define the actions performed on noncompliant resources
can run automatically when a resource becomes noncompliant, or manually
documents can be
provided by the service (AWS-owned Automation documents)
custom Automation documents
Aggregator
collect
AWS Config configuration
AWS Config compliance data
from
a single account and multiple regions
multiple accounts and multiple regions
an organization in AWS Organizations, covering all accounts in that organization that have AWS Config enabled