AWS Config evaluates the configuration of your AWS services against the desired configuration. You create rules that specify the desired configurations of your AWS resources, and then Config uses them to assess, audit, and evaluate resource configurations.
Once an evaluation completes, Config can deliver the results to an Amazon S3 bucket, publish a notification through Amazon SNS, or trigger an automatic remediation action for the non-compliant resource.
This article provides all the required information you need to know about AWS Config. Let’s get started!
What is AWS Config
AWS Config is a service that enables you to track configurations of your AWS resources. With AWS Config, you can detect changes in your resources, review your configuration history, and receive alerts when changes occur.
AWS Config gives you an audit trail through detailed resource configuration histories and reports the compliance status of your AWS resources against the rules you define. Once the configuration recorder is enabled, Config records resource configurations and every change to them over time, so you can review what changed, when, and by which API call, and compare the current state with a known-good one when you need to restore it.
Here are some examples of rules managed by AWS for the AWS Config:
- Check whether running instances are using prescribed AMIs.
- Check whether security groups that are in use disallow unrestricted incoming SSH traffic.
- Check if Amazon S3 buckets are publicly accessible.
- Check whether AWS CloudTrail is enabled in your AWS account.
Of course, you can define your own AWS Config rules using AWS Lambda.
When a rule evaluation returns NON_COMPLIANT, Config publishes a compliance change notification, so you can receive an alert through an SNS topic (or an EventBridge rule) as soon as a resource drifts out of compliance.
AWS Config is a regional service (AWS Global Infrastructure: Regions and Availability Zones), so you need to enable it in every AWS region you use, including regions you do not actively deploy to, since that is where unnoticed resources tend to appear. You can also aggregate Config data from multiple accounts and regions in a central Logging account (AWS Logging – Centralized Logging Best Practices) and analyze the configuration snapshots and history stored in the S3 bucket using Athena (A Quick Introduction To AWS Athena – Getting Started Guide).
AWS Config pricing
AWS Config has no free tier. You pay $0.003 per configuration item recorded in your AWS account per AWS Region (US East (Ohio) pricing), and Config rule evaluations start at $0.001 per evaluation per AWS Region.
Be careful: although AWS Config simplifies compliance auditing against external or internal guidelines and is an excellent service for operational troubleshooting, it can quickly become expensive. Every recorded change to every recorded resource type is a billable configuration item, so frequently changing resources (for example, auto-scaled instances and their network interfaces) and change-triggered rules that fire on each of those changes drive the bill. Record only the resource types you need and prefer periodic evaluation for rules that do not have to react to every change.
AWS Config Rules
AWS Config Rules allow you to specify how your resources should be configured. You can use Rules to ensure that your resources are configured according to your organization’s security and compliance policies.
Types of AWS Config Rules
- AWS managed Config rules (300+ pre-defined rules)
- Custom Lambda rule (you can write your validation rule code using AWS Lambda)
- Custom policy rule – a custom rule written in the AWS CloudFormation Guard policy language, which Config evaluates itself, without a Lambda function to write or maintain
Here are some of the custom rule examples:
- Check that launched EC2 instances use only instance types from an approved list (i.e., are not oversized)
- Check that all S3 buckets have required Tags (follow Tagging Best Practices) or desired configurations
Config Rules can evaluate each AWS infrastructure configuration change. Additionally, Rules can be executed periodically at regular time intervals, for example, every hour.
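The following is an added example, not code from the original article or from AWS: a custom Lambda rule of the "not oversized" kind described above, written as a change-triggered rule. The instance type allow-list is passed through the rule's ruleParameters (the parameter name allowedTypes is an assumption of this example). The evaluation logic is kept separate from the AWS calls so it can be tested offline with a constructed event; the handler only needs boto3 when it actually runs in Lambda. Resources that are deleted, or that are not EC2 instances, are reported as NOT_APPLICABLE rather than NON_COMPLIANT, so a deleted instance does not linger as a finding.

```python
import json
from typing import Any, Dict, Optional, Set, Tuple

# Hypothetical default allow-list, used only when the rule is deployed without parameters.
DEFAULT_ALLOWED_TYPES = {"t3.micro", "t3.small", "t3.medium"}


def parse_allowed_types(rule_parameters: Optional[str]) -> Set[str]:
    """ruleParameters arrive as a JSON string, e.g. '{"allowedTypes": "t3.micro,t3.small"}'."""
    if not rule_parameters:
        return set(DEFAULT_ALLOWED_TYPES)
    raw = json.loads(rule_parameters).get("allowedTypes", "")
    parsed = {t.strip() for t in raw.split(",") if t.strip()}
    return parsed or set(DEFAULT_ALLOWED_TYPES)


def evaluate_instance(item: Dict[str, Any], allowed: Set[str]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    instance_type = (item.get("configuration") or {}).get("instanceType")
    if instance_type is None:
        return "NON_COMPLIANT", "Configuration item carries no instanceType"
    if instance_type in allowed:
        return "COMPLIANT", f"{instance_type} is on the allow-list"
    return "NON_COMPLIANT", f"{instance_type} is not on the allow-list {sorted(allowed)}"


def build_evaluation(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Turn a Config custom-rule invocation into one entry for PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])  # invokingEvent is itself a JSON string
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized and scheduled notifications carry no configurationItem and need a
        # GetResourceConfigHistory lookup; this example handles the change-triggered case only.
        return None
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_instance(item, parse_allowed_types(event.get("ruleParameters")))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations longer than 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"status": "skipped"}
    import boto3  # imported here so the evaluation logic above can be tested without boto3 installed

    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return {"status": evaluation["ComplianceType"]}


# Constructed sample invocation (not a real AWS event): an m5.24xlarge instance was launched.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"instanceType": "m5.24xlarge"},
        },
    }),
    "ruleParameters": json.dumps({"allowedTypes": "t3.micro,t3.small"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

The Lambda's execution role needs config:PutEvaluations and nothing else for this rule; Config itself must be granted lambda:InvokeFunction on the function through a resource-based policy, which is the step most often forgotten when a custom rule never reports results.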
AWS Config is a detective control: it evaluates changes to your AWS resources and gives you a holistic view of the current compliance status of your AWS infrastructure, but it does not prevent any action from happening. It does not replace the preventive controls AWS already offers, such as Service Control Policies or IAM policies; it tells you when those controls were not enough.
If you need to react to certain configuration changes and remediate them automatically, for example, close open ports in Security Groups or respond to Amazon S3 buckets that allow public access, you combine AWS Config with EventBridge, Lambda, SNS, and Systems Manager (SSM) Automation.
Auto-remediation actions attached to Config rules are SSM Automation documents. AWS ships documents such as AWS-PublishSNSNotification (which can hand the finding to a Lambda function), AWS-DisablePublicAccessForSecurityGroup, and AWS-CreateJiraIssue, and you can write your own. Each remediation runs under an IAM role you assign to it, so scope that role to the specific actions the document needs; a remediation role that can modify any resource in the account is itself a finding waiting to happen.
Note: you can set remediation retries for resources that are still non-compliant after auto-remediation action.
Config rules conformance packs
AWS Config conformance pack is a collection of Config Rules and remediation actions that can be easily deployed as a single entity in an AWS Account in a specific region or across an organization in AWS Organizations.
AWS publishes sample conformance packs that group best-practice checks by service or compliance framework, so you can deploy a whole baseline of checks at once instead of enabling rules one by one.
You can and should use EventBridge to act on non-compliant resources. Config emits an event with source aws.config and detail-type "Config Rules Compliance Change" whenever a resource's compliance status changes, and EventBridge rules can filter those events (by rule name, resource type, or new compliance type) and route them to AWS Lambda, Step Functions, Amazon Simple Notification Service, Simple Queue Service, or EventBridge partner integrations.
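As an added example (not code from the original article or from AWS), here is the "close open ports in Security Groups" remediation wired through EventBridge: an event pattern that matches only NON_COMPLIANT results of a rule named restricted-ssh (the rule name is an assumption of this example), and a Lambda function that re-checks the event, then revokes only the ingress entries that expose port 22 to 0.0.0.0/0 or ::/0, leaving every other rule in the group intact. The selection logic works on the IpPermissions structure returned by DescribeSecurityGroups and is exercised below with a constructed security group.

```python
from typing import Any, Dict, List

# EventBridge event pattern for the rule that triggers this function.
# Hypothetical rule name; use the name of the managed or custom rule you deployed.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["restricted-ssh"],
        "resourceType": ["AWS::EC2::SecurityGroup"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def should_remediate(event: Dict[str, Any], rule_name: str = "restricted-ssh") -> bool:
    """Re-validate the event in code; never trust that only the intended events reach the function."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.config"
        and event.get("detail-type") == "Config Rules Compliance Change"
        and detail.get("configRuleName") == rule_name
        and detail.get("resourceType") == "AWS::EC2::SecurityGroup"
        and detail.get("newEvaluationResult", {}).get("complianceType") == "NON_COMPLIANT"
    )


def find_world_open_ssh(ip_permissions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the minimal IpPermissions entries that must be revoked to close port 22 to the world."""
    offending = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols, all ports
            covers_ssh = True
        elif proto == "tcp":
            covers_ssh = perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
        else:
            continue
        if not covers_ssh:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if not (v4 or v6):
            continue
        entry: Dict[str, Any] = {"IpProtocol": proto}
        if proto == "tcp":
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:  # revoke only the world-open CIDR, keep e.g. the corporate range in the same rule
            entry["IpRanges"] = [{"CidrIp": r["CidrIp"]} for r in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": r["CidrIpv6"]} for r in v6]
        offending.append(entry)
    return offending


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    if not should_remediate(event):
        return {"action": "ignored"}
    group_id = event["detail"]["resourceId"]
    import boto3  # imported lazily so the pure logic above can be tested without boto3

    ec2 = boto3.client("ec2", region_name=event["detail"]["awsRegion"])
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_revoke = find_world_open_ssh(group["IpPermissions"])
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return {"action": "revoked", "group": group_id, "revoked": to_revoke}


# Constructed EventBridge event and security group (not real AWS data).
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "sg-0123456789abcdef0",
        "awsRegion": "us-east-1",
        "configRuleName": "restricted-ssh",
        "resourceType": "AWS::EC2::SecurityGroup",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    print(should_remediate(SAMPLE_EVENT), find_world_open_ssh(SAMPLE_PERMISSIONS))
```

Note that the function re-validates the event even though the EventBridge pattern already filters it: anyone who can PutEvents into the bus, or a later change to the pattern, should not be able to turn this function into a generic "revoke rules from any security group" primitive. Its role needs only ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress.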
AWS Config Resources
AWS Config continuously records the configuration history of your AWS resources, and through the CLI, the API, or the AWS Management Console (the AWS Config console) you can look up, for any recorded resource:
- Resource compliance over time
- Resource configuration over time
- Resource CloudTrail API calls over time
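The configuration history is most useful when you diff consecutive configuration items to see exactly what changed between two points in time, which is what the console's timeline shows. The following is an added example (not code from the original article or from AWS) that does this in code: it fetches a resource's history with GetResourceConfigHistory, flattens each configuration into dotted paths, and reports what was added, removed, or changed at each capture time, together with the CloudTrail event IDs Config attached to that change. The sample history is constructed and uses a simplified security-group configuration shape; real Config items for AWS::EC2::SecurityGroup have more fields.

```python
import json
from typing import Any, Dict, List, Optional


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON into {'a.b.0.c': value}; empty containers are kept as values."""
    if isinstance(obj, dict) and obj:
        out: Dict[str, Any] = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    if isinstance(obj, list) and obj:
        out = {}
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
        return out
    return {prefix.rstrip("."): obj}


def diff_history(items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Given configuration items of one resource, return one change record per transition."""
    ordered = sorted(items, key=lambda i: i["configurationItemCaptureTime"])
    records = []
    for previous, current in zip(ordered, ordered[1:]):
        # In the API response 'configuration' is a JSON-encoded string.
        before = flatten(json.loads(previous.get("configuration") or "{}"))
        after = flatten(json.loads(current.get("configuration") or "{}"))
        changes = {}
        for path in sorted(set(before) | set(after)):
            if before.get(path) != after.get(path):
                changes[path] = (before.get(path), after.get(path))
        records.append({
            "time": current["configurationItemCaptureTime"],
            "status": current.get("configurationItemStatus"),
            "relatedEvents": current.get("relatedEvents", []),  # CloudTrail event IDs
            "changes": changes,
        })
    return records


def fetch_history(resource_type: str, resource_id: str, region: str = "us-east-1") -> List[Dict[str, Any]]:
    """Pull the complete history from AWS Config (requires boto3 and credentials)."""
    import boto3

    config = boto3.client("config", region_name=region)
    items: List[Dict[str, Any]] = []
    token: Optional[str] = None
    while True:
        kwargs = {"resourceType": resource_type, "resourceId": resource_id, "chronologicalOrder": "Forward"}
        if token:
            kwargs["nextToken"] = token
        page = config.get_resource_config_history(**kwargs)
        items.extend(page.get("configurationItems", []))
        token = page.get("nextToken")
        if not token:
            return items


# Constructed sample history (not real AWS data): someone opened SSH to the world.
SAMPLE_HISTORY = [
    {
        "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
        "configurationItemStatus": "ResourceDiscovered",
        "relatedEvents": [],
        "configuration": json.dumps({"groupId": "sg-0123456789abcdef0", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]}),
    },
    {
        "configurationItemCaptureTime": "2024-01-02T15:30:00.000Z",
        "configurationItemStatus": "OK",
        "relatedEvents": ["7e2a0a9c-constructed-cloudtrail-event-id"],
        "configuration": json.dumps({"groupId": "sg-0123456789abcdef0", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8", "0.0.0.0/0"]}]}),
    },
]

if __name__ == "__main__":
    for record in diff_history(SAMPLE_HISTORY):
        print(record["time"], record["relatedEvents"], record["changes"])
```

The relatedEvents IDs are the bridge to the third bullet above: look each one up with CloudTrail's LookupEvents to find the principal and source IP behind the change.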
AWS Config is a service that helps you assess, audit, and evaluate your AWS resources for configuration changes. It integrates with AWS and third-party services and APIs for manual or automatic remediation in the AWS cloud. Despite its cost, AWS Config is a great service for enterprise-wide compliance monitoring and security analysis.