AWS Config

Abimuktheeswaran Chidambaram
7 min readSep 19, 2023

--

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. It helps to track your resource inventory and detects the configuration changes of your AWS resources (entities) in your account. Resources mean AWS services such as EC2 instances, security groups, buckets, VPCs, etc. in your account.

In this article, we are going to see the chapters like

  1. Terminologies in AWS Config
  2. AWS Config Rule
  3. Conformance Packs
  4. Data Aggregation from multi-accounts and multi-regions

1. Terminologies in AWS Config

AWS Config starts to record the configuration item if there are changes in the resource in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.

The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording. You can stop and restart the configuration recorder at any time. By default, it records all the supported resources in your account. you may also customize the resources. When you start the configuration recorder, AWS Config takes an inventory of all AWS resources in your account.

A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If you stopped (or) started (or) deleted (or) uninstalled the configuration recorder, then your configuration recorder has drifted, this can result in false negative or false positive compliance results.

A configuration history is a collection of the configuration items for a given resource over any period. It gives the configuration details for the given resource like when the resource was created or changed.

A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a complete picture of the resources that are being recorded and their configurations. It is a useful tool for validating your configuration. AWS Config sends the configuration snapshot to your specified S3 bucket.

Delivery of Configuration history file: If any changes in your configuration item, AWS Config sends the configuration details to your specified S3 bucket (to your account or another account both should be in the same region) and sends a configuration history file about resources for every 6 hours through delivery channel. You can have only one delivery channel per region per AWS account. If there are no configuration changes, AWS Config does not send a file. You can get notifications about the configuration changes via Amazon Notification Service. AWS Config supports AWS KMS encryption for Amazon S3 buckets. AWS Config does not support the delivery channel to an Amazon S3 bucket where object lock is enabled with default retention enabled.

A configuration stream is an automatically updated list of all configuration items for the resources. Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds it to the configuration stream. Use Amazon Simple Notification Service (Amazon SNS) to get stream notifications.

AWS Config discovers AWS resources in your account and then creates a map of relationships between AWS resources called Resource Relationship.

2. AWS Config Rule

The rule is a condition that is used to match the configuration settings with your AWS resources. The following results are evaluated by AWS Config. If the rule matches with condition, then it is marked as COMPLIANT. If the rule fails to match with condition, then it is marked as NON_COMPLIANT. If the parameter is incorrect, then it is marked as ERROR. If the logic of the rule is not applicable, then it is marked as NOT_APPLICABLE.

After the rule is added to your account, AWS Config compares your resources with the rules. If there is a change in configuration settings, the evaluation mode starts to run. There are two evaluation modes. They are Proactive Evaluation and Detective Evaluation. Proactive Evaluation is used to evaluate resources before they have been deployed. This helps to define the resource whether they are COMPLIANT or NON_COMPLIANT using the set of proactive rules. If the resource is marked as NON_COMPLIANT, It does not improve the resource (or) prevent it from deploying. Detective Evaluation is used to evaluate resources after deployed. This allows you to evaluate the configuration settings of your existing resources.

There are two types of Rules. They are Managed Rules and Custom Rules. Managed Rules are created by AWS and also customizable. Custom Rules are created by us with Lambda functions (AWS Config Custom Lambda Rules) and with Guard (AWS Config Custom Policy Rules).

AWS Config

Service-Linked AWS Config Rule is created by the AWS service team to call other AWS services on your behalf. It is read-only access, so you can’t edit or delete.

3. Conformance Packs

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an individual account (or) in an organizational account that should be within the region.

Conformance packs are created in the YAML template. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names. Before deploying your conformance pack, turn on AWS Config recording. When deploying a conformance pack with remediation to an organization, specify the management account ID otherwise it is replaced with the member account ID automatically. You can also edit and delete the deployed conformance pack.

You can create a custom conformance pack by customizing the YAML template that contains a collection of config rules and remediate actions. you can deploy in an individual account (or) in an organizational account within the region.

Process checks allow you to track your external and internal tasks that require verification as part of the conformance packs. These checks can be an existing conformance pack or a new conformance pack. You can track all compliance that including AWS Configurations and manual checks in a single location.

The dashboard page for Conformance Packs displays all of the conformance packs that you have in your AWS account. The page also contains the name, deployment status, and compliance score of each conformance pack. You can use this dashboard to understand the level of compliance of your conformance packs and use the compliance score to track remediation progress, perform comparisons across different sets of requirements, and see the impact a specific change or deployment has on a conformance pack.

4. Data Aggregation from multi-accounts and multi-regions

An aggregator is an AWS Config resource that collects information about config rules and compliance information from multiple accounts and regions into a single account. Multi-account multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise.

courtesy: tutorial dojo
courtesy: tutorial dojo
courtesy: tutorial dojo

A source region is the AWS Region from which you want to aggregate AWS Config configuration and compliance data. A source account is the AWS account from which you want to aggregate AWS Config configuration and compliance data. A source account owner is an authorized person who grants permission to collect your AWS Config configuration and compliance data from accounts and regions. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations. With an aggregator, AWS Config can collect configuration data from the following:

  • Multiple accounts and multiple regions.
  • Single account and multiple regions.
  • An organization in AWS Organizations and all the accounts in that organization.

Aggregators provide a read-only view of the source accounts and regions. you cannot deploy rules through an aggregator or pull snapshot files from the source account or region through an aggregator. There are two types of aggregators: Individual accounts aggregator and Organization aggregator. For the individual accounts aggregator, authorization is required for any included source account regions including external account regions or Organization member account regions. For the organization aggregator, authorization is not required for Organization member account regions since authorization is integrated with the organization's service.

Thanks for reading. Have a good day!

Last Updated: 07-Jan-2024

--

--

No responses yet