Config
Region-scoped service; configuration and compliance data can be aggregated across regions and accounts (Config aggregator)
Helps with auditing and recording compliance of AWS resources
It records configuration changes over time
Can receive alerts (SNS notifications) for any changes
Configuration history and snapshots can be delivered to an S3 bucket (and queried with Athena)
Config Rules
Can use AWS managed config rules
Can make custom config rules, backed by a Lambda function (or a CloudFormation Guard policy) that returns COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE per resource, such as:
Check if each EBS disk is of type gp2
Check if each EC2 instance is t2.micro
Rules can be evaluated / triggered:
for each config change (ex. the configuration of an EBS volume changes)
at regular time intervals (ex. every 2 hours)
AWS Config rules are detective, not preventive: a non-compliant change still goes through (no deny); use IAM policies / SCPs to block actions
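A custom rule of the kind listed above ("check if each EC2 instance is t2.micro"), written as the Lambda function AWS Config invokes. This is an added example, not code from the original notes: it assumes the function is registered as the rule's Lambda source, that the rule is triggered on configuration changes and/or on a schedule, and that the function's role allows config:PutEvaluations and ec2:DescribeInstances. The sample events at the bottom are constructed, not captured from a real account.

```python
"""Custom AWS Config rule (Lambda) checking that each EC2 instance is of the
expected type (t2.micro by default, overridable via the rule parameter
expectedInstanceType)."""
import json

DEFAULT_EXPECTED_TYPE = "t2.micro"
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_item(item, expected_type=DEFAULT_EXPECTED_TYPE):
    """Compliance verdict for one configuration item (dict from the Config event)."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"      # rule is scoped to EC2 instances only
    if item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"      # a deleted resource must not be reported as non-compliant
    configuration = item.get("configuration") or {}
    if configuration.get("instanceType") == expected_type:
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluations(event, describe_instances=None):
    """Turn a Config rule event into the list of evaluations to report.

    describe_instances: callable returning [{"InstanceId": ..., "InstanceType": ...}];
    needed only for the periodic trigger (ScheduledNotification), where Config sends
    no configuration item and the rule has to enumerate the resources itself.
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    expected = params.get("expectedInstanceType", DEFAULT_EXPECTED_TYPE)
    message_type = invoking.get("messageType")

    if message_type == "ScheduledNotification":
        stamp = invoking["notificationCreationTime"]
        instances = describe_instances() if describe_instances else []
        return [
            {
                "ComplianceResourceType": "AWS::EC2::Instance",
                "ComplianceResourceId": inst["InstanceId"],
                "ComplianceType": evaluate_item(
                    {"resourceType": "AWS::EC2::Instance",
                     "configuration": {"instanceType": inst["InstanceType"]}}, expected),
                "OrderingTimestamp": stamp,
            }
            for inst in instances
        ]

    if message_type == "OversizedConfigurationItemChangeNotification":
        # Config sends only a summary for large items; the full item has to be fetched
        # with config:GetResourceConfigHistory. Deliberately not handled offline.
        raise ValueError("oversized configuration item: fetch it with GetResourceConfigHistory")

    item = invoking["configurationItem"]
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_item(item, expected),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Lambda entry point: compute evaluations and report them back to AWS Config."""
    import boto3   # imported here so the pure logic above stays importable without boto3
    ec2 = boto3.client("ec2")
    config = boto3.client("config")

    def describe_instances():
        found = []
        for page in ec2.get_paginator("describe_instances").paginate():
            for reservation in page["Reservations"]:
                for inst in reservation["Instances"]:
                    if inst["State"]["Name"] == "terminated":
                        continue     # terminated instances linger briefly; skip them
                    found.append({"InstanceId": inst["InstanceId"],
                                  "InstanceType": inst["InstanceType"]})
        return found

    evaluations = build_evaluations(event, describe_instances)
    for start in range(0, len(evaluations), 100):   # PutEvaluations takes max 100 per call
        config.put_evaluations(Evaluations=evaluations[start:start + 100],
                               ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations)}


# --- constructed sample events (assumed shapes, not captured from a real account) ---
def sample_change_event(instance_type, status="OK", params=None):
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"instanceType": instance_type} if status == "OK" else None,
    }
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}


def sample_scheduled_event(params=None):
    return {"invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                         "notificationCreationTime": "2024-01-01T00:00:00.000Z"}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}
```

Two details worth keeping when adapting this: deleted resources are reported as NOT_APPLICABLE (otherwise a terminated instance stays non-compliant forever), and the periodic path enumerates instances itself because a scheduled invocation carries no configuration item.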
Config Rules - Remediations
Automate remediation of non-compliant resources using SSM Automation Documents
AWS-Managed Automation Documents
Custom Automation Documents
- ex. a custom document that invokes a Lambda function to do the remediation
Can set Remediation Retries (number of attempts and interval) so the action is re-run if the resource is still non-compliant after auto remediation
Ex. an IAM user's access key is older than the allowed age (non-compliant): trigger the AWS-managed document AWSConfigRemediation-RevokeUnusedIAMUserCredentials to deactivate the unused credentials (the remediation role needs the IAM permissions for that)
Config Rules – Notifications
Integrates with EventBridge or SNS to trigger notifications when AWS resources are non-compliant
Can be used along with CloudTrail (Config records what changed and its compliance state, CloudTrail records who made the API call) to get a timeline of configuration and compliance changes over time