
AWS Config

  • continuous auditor for the AWS env
  • it allows you to assess, audit, and evaluate the configurations of the AWS resources
  • it tells you what the resource looks like now, and how it has changed over time

Mechanisms:

  • Resource Inventory & History: it maintains a "Configuration Item" (CI) for each supported resource and builds a timeline of every change made to that resource
  • Relationship Mapping: it understands how resources are connected, e.g. it knows which SG is attached to which EC2 instance
  • Compliance Monitoring: you can define "rules"; if a resource violates a rule, AWS Config flags it as non-compliant and can trigger an automated remediation (an SSM Automation document)

Key Components:

  • Configuration Recorder: the engine that detects and records configuration changes in your account (one per region; you choose which resource types it records)
  • Config Rules: predefined (AWS managed) or custom (Lambda-based) policies that check whether your resources are compliant
  • Conformance Packs: a collection of rules and remediation actions that you can deploy as a single entity to an account or across your entire organization
  • Resource Timeline: a visual representation of how a resource's configuration has evolved over days, months, or years
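An added example (not from the original page) of what a custom, Lambda-based Config rule looks like: it evaluates an AWS::EC2::SecurityGroup configuration item and reports NON_COMPLIANT when a forbidden port (22 or 3389 by default, overridable through a hypothetical `forbiddenPorts` rule parameter) is reachable from 0.0.0.0/0 or ::/0. The evaluation logic is kept pure so it can be run offline; only `lambda_handler` talks to the Config API. The sample configuration items are constructed, not real AWS data, and the field names (`ipPermissions`, `ipRanges`, `ipv4Ranges`, `ipv6Ranges`) follow the shape Config records for security groups.

```python
import json

# Hypothetical rule: flag security groups that expose admin ports to the world.
DEFAULT_FORBIDDEN_PORTS = frozenset({22, 3389})
WORLD_CIDRS = frozenset({"0.0.0.0/0", "::/0"})


def _world_reachable(permission):
    """True if an ingress permission allows any source (IPv4 or IPv6 world)."""
    ranges = list(permission.get("ipRanges", []))  # legacy field: list of CIDR strings
    ranges += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    ranges += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(r in WORLD_CIDRS for r in ranges)


def _covers_port(permission, port):
    """True if the permission's protocol/port range includes the given TCP port."""
    proto = str(permission.get("ipProtocol"))
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(ci, forbidden_ports=DEFAULT_FORBIDDEN_PORTS):
    """Evaluate one AWS::EC2::SecurityGroup configuration item.

    Returns (compliance_type, annotation) in the vocabulary PutEvaluations expects.
    """
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    permissions = ci.get("configuration", {}).get("ipPermissions", [])
    exposed = sorted({
        port
        for perm in permissions if _world_reachable(perm)
        for port in forbidden_ports if _covers_port(perm, port)
    })
    if exposed:
        return "NON_COMPLIANT", f"ports open to the world: {exposed}"
    return "COMPLIANT", "no forbidden port is reachable from 0.0.0.0/0 or ::/0"


def lambda_handler(event, context):
    """Entry point AWS Config invokes for a change-triggered custom rule."""
    invoking_event = json.loads(event["invokingEvent"])
    # Oversized change notifications arrive without the item inline; those would
    # need get_resource_config_history to fetch the CI (not handled here).
    ci = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in params.get("forbiddenPorts", "22,3389").split(",")}
    compliance, annotation = evaluate_security_group(ci, ports)

    import boto3  # imported here so the evaluation logic above runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # API limit on annotation length
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample CIs (not real AWS data).
SAMPLE_OPEN_SSH_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example0000000001",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
SAMPLE_LOCKED_DOWN_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example0000000002",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
    ]},
}

if __name__ == "__main__":
    for ci in (SAMPLE_OPEN_SSH_CI, SAMPLE_LOCKED_DOWN_CI):
        print(ci["resourceId"], *evaluate_security_group(ci))
```

The handler returns the compliance type only for local convenience; Config reads the result from `put_evaluations`, not from the Lambda return value, so a rule that evaluates correctly but never calls `put_evaluations` silently reports nothing.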

Difference with AWS CloudTrail

  • AWS CloudTrail records API calls as log events: who did what, when, and from where
  • AWS Config records resource state: what a resource's configuration is, how it changed over time, and whether it is compliant; each recorded change can reference the CloudTrail event IDs that caused it (relatedEvents), so the two are used together

Common Use Cases:

  • Compliance Auditing: automatically prove to auditors that your infrastructure met specific security standards (like PCI-DSS or HIPAA) at any point in the past
  • Security Analysis: get flagged immediately (a rule turns non-compliant, which can fan out to an alert) if someone opens a port on a SG that shouldn't be open
  • Operational Troubleshooting: if an application stops working, check the AWS Config timeline to see whether a recent change to a database or network setting caused the issue
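An added example (not from the original page) of the troubleshooting workflow above, done programmatically instead of in the console timeline: given the configuration items that `get-resource-config-history` returns for one resource (newest first by default), it walks them in capture order and reports exactly which configuration keys changed at each step, together with the `relatedEvents` CloudTrail event IDs that tie the change back to who made it. The history below is constructed for an RDS instance whose `publiclyAccessible` flag was flipped and whose instance class was later changed; the field names follow the Config API shape (`configuration` arrives as a JSON string), but the values and event IDs are made up.

```python
import json


def _flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": value} so CIs diff key by key."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(_flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


def _configuration(ci):
    """The API returns `configuration` as a JSON string; tolerate a dict too."""
    cfg = ci.get("configuration")
    return json.loads(cfg) if isinstance(cfg, str) else (cfg or {})


def diff_configuration_history(items):
    """Return one entry per change, oldest to newest: when, what changed, and
    which CloudTrail events Config associated with the change."""
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    timeline = []
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = _flatten(_configuration(prev)), _flatten(_configuration(cur))
        changes = {
            key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if before.get(key) != after.get(key)
        }
        timeline.append({
            "captureTime": cur["configurationItemCaptureTime"],
            "changes": changes,
            "relatedEvents": list(cur.get("relatedEvents", [])),
        })
    return timeline


def _sample_ci(capture_time, status, related_events, **config):
    return {
        "resourceType": "AWS::RDS::DBInstance",
        "resourceId": "db-EXAMPLE00000000000000000",
        "configurationItemCaptureTime": capture_time,
        "configurationItemStatus": status,
        "relatedEvents": related_events,
        "configuration": json.dumps({
            "dBInstanceClass": config.get("cls", "db.t3.medium"),
            "publiclyAccessible": config.get("public", False),
            "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-0example0000000003", "status": "active"}],
        }),
    }


# Constructed history, newest first as the API returns it by default.
SAMPLE_HISTORY = [
    _sample_ci("2024-03-01T11:30:00.000Z", "OK", ["11111111-2222-3333-4444-555555555555"],
               cls="db.t3.large", public=True),
    _sample_ci("2024-03-01T10:15:00.000Z", "OK", ["66666666-7777-8888-9999-000000000000"],
               public=True),
    _sample_ci("2024-03-01T09:00:00.000Z", "ResourceDiscovered", []),
]

if __name__ == "__main__":
    for entry in diff_configuration_history(SAMPLE_HISTORY):
        print(entry["captureTime"], entry["relatedEvents"])
        for key, (old, new) in entry["changes"].items():
            print(f"  {key}: {old!r} -> {new!r}")
```

In a real investigation the input would come from `boto3.client("config").get_resource_config_history(resourceType=..., resourceId=...)["configurationItems"]`, and each `relatedEvents` ID can be looked up in CloudTrail to find the principal and source IP behind the change.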