Config

  • Region-scoped service, can be aggregated across regions and accounts

  • Helps with auditing and recording compliance of AWS resources

  • It records configuration changes over time

  • Can receive alerts (SNS notifications) for any changes

  • Can store the configuration data in S3 (where it can be analyzed with Athena)

Config Rules

  • Can use AWS managed config rules

  • Can make custom config rules (must be defined in AWS Lambda) such as:

    • Check if each EBS disk is of type gp2

    • Check if each EC2 instance is t2.micro

  • Rules can be evaluated / triggered:

    • for each config change (ex. configuration of EBS volume is changed)

    • at regular time intervals (ex. every 2 hours)

  • AWS Config Rules do not prevent actions from happening (no deny); they only evaluate and report compliance after the fact
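
The custom-rule pattern above, written out as an added example (not from the original notes): a Lambda handler for a change-triggered rule that checks an EBS volume's type (default gp2) or an EC2 instance's type (default t2.micro), marks deleted resources NOT_APPLICABLE, and reports the verdict back with PutEvaluations. The DEFAULTS map, the sample event and the resource IDs in it are constructed for illustration.

```python
import json

# Expected value per resource type (constructed defaults for the two example rules above); a rule parameter with the same key overrides the default.
DEFAULTS = {
    "AWS::EC2::Volume": ("volumeType", "gp2"),
    "AWS::EC2::Instance": ("instanceType", "t2.micro"),
}

def evaluate_compliance(item, params):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource was deleted"
    spec = DEFAULTS.get(item["resourceType"])
    if spec is None:
        return "NOT_APPLICABLE", "rule does not cover " + item["resourceType"]
    attr, default = spec
    expected = params.get(attr, default)
    actual = item.get("configuration", {}).get(attr)
    if actual == expected:
        return "COMPLIANT", f"{attr} is {actual}"
    return "NON_COMPLIANT", f"{attr} is {actual}, expected {expected}"

def build_evaluation(event):
    """Map a Config rule invocation event to one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config rejects annotations over 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):  # deployed entry point
    import boto3  # imported here so the pure functions above run offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event: a change-triggered invocation for an io1 volume.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"volumeType": "io1", "size": 100}}}),
    "ruleParameters": "{}", "resultToken": "constructed-token",
}
```

Running `build_evaluation(SAMPLE_EVENT)` offline yields a NON_COMPLIANT entry; the verdict alone changes nothing on the volume, which is the "no deny" point above.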

Config Rules - Remediations

  • Automate remediation of non-compliant resources using SSM Automation Documents

    • AWS-Managed Automation Documents

    • Custom Automation Documents

      • to invoke a Lambda function for automation

  • You can set Remediation Retries if the resource is still non-compliant after auto remediation

  • Ex. if an IAM access key expires (non-compliant), trigger an auto-remediation action to revoke the unused IAM user credentials

Config Rules – Notifications

  • Integrates with EventBridge or SNS to trigger notifications when AWS resources are non-compliant

  • Can be used along with CloudTrail to get a timeline of configuration and compliance changes over time