AWS Config
- continuous auditor for the AWS env
- it allows you to assess, audit, and evaluate the configurations of the AWS resources
- it tells you what the resource looks like now, and how it has changed over time
Mechanisms:
- Resource Inventory & History: it maintains a "Configuration Item" for each resource and builds a timeline of every change made to that resource
- Relationship Mapping: it understands how resources are connected, e.g. which SG is attached to which EC2 instance
- Compliance Monitoring: you can define "rules"; if a resource violates a rule, AWS Config flags it as non-compliant and can even trigger an automated fix
Key Components:
- Configuration Recorder: the engine that detects and records changes in your account
- Config Rules: predefined (AWS-managed) or custom (Lambda-based) policies that check whether your resources are compliant
- Conformance Packs: a collection of rules and remediation actions that you can deploy as a single entity across your entire organization
- Resource Timeline: a visual representation of how a resource's configuration has evolved over days, months, or years
Difference from AWS CloudTrail
- AWS CloudTrail records API activity (who made a call, when, and how)
- AWS Config records resource state (what a resource looks like and how that state changed)
Common Use Cases:
- Compliance Auditing: automatically prove to auditors that your infrastructure met specific security standards (like PCI-DSS or HIPAA) at any point in the past
- Security Analysis: receive an immediate alert if someone opens a port on a SG that shouldn't be open
- Operational Troubleshooting: if an application stops working, you can check the AWS Config timeline to see if a recent change to a database or network setting caused the issue
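Added example (not from the original notes): the evaluation logic of a custom, Lambda-based Config rule for the "open port on a SG" use case above. It parses the configuration item Config sends on a change and flags a security group that exposes SSH or RDP to 0.0.0.0/0 or ::/0. The restricted ports and the sample event are constructed for the example.

```python
import json

# Ports a security group must not expose to the whole Internet. Constructed for this
# example; a deployed rule would read them from event["ruleParameters"].
RESTRICTED_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample of the event Config sends a custom rule on a configuration change.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}})}

def open_restricted_ports(sg_configuration):
    """Return the restricted ports that inbound rules expose to 0.0.0.0/0 or ::/0."""
    exposed = set()
    for perm in sg_configuration.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # ipProtocol "-1" means all traffic and carries no port range.
        low, high = (perm["fromPort"], perm["toPort"]) if proto == "tcp" else (0, 65535)
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if cidrs & ANYWHERE:
            exposed |= {p for p in RESTRICTED_PORTS if low <= p <= high}
    return sorted(exposed)

def evaluate(event):
    """Build the evaluation a custom rule reports for one configuration item.
    A deployed Lambda submits it with boto3.client("config").put_evaluations(
    Evaluations=[...], ResultToken=event["resultToken"])."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    ports = open_restricted_ports(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if ports else "COMPLIANT",
        "Annotation": f"Internet-exposed restricted ports: {ports}" if ports else "OK",
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
```

The NON_COMPLIANT result is what would surface in the Config console or trigger a remediation action; the HTTPS rule on 443 is ignored because only the restricted ports count.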