AWS Config Documentation
1. Introduction
Overview
AWS Config is a service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. It helps you assess, audit, and evaluate the configurations of your AWS resources.
Use Cases
Compliance Auditing: Ensure that resources comply with corporate policies and regulations.
Security Analysis: Detect misconfigurations and potential security issues.
Change Tracking: Track changes in resource configurations and investigate changes over time.
2. AWS Config Overview
Features
Configuration History: Maintains a history of changes to resource configurations.
Compliance Checking: Evaluates configurations against predefined rules.
Automated Remediation: Automatically corrects non-compliant resources.
Components
AWS Config Rules: Evaluate whether resources comply with specified rules.
Configuration Items: Records of resource configurations at different points in time.
Compliance Dashboard: Visual interface for tracking compliance status and configuration history.
3. Setting Up AWS Config
Prerequisites
AWS Account
IAM Permissions: config:*, s3:*, sns:*, lambda:*, etc.
Configuration Steps
Access AWS Config
Navigate to the AWS Config console.
Choose Resources to Record
Click on "Get Started" or "Record configuration changes."
Select the AWS resource types to record (e.g., EC2 instances, S3 buckets).
Set Up Delivery Channel
Choose or create an S3 bucket for storing configuration history.
Optionally, set up an SNS topic for notifications about configuration changes.
Create AWS Config Rules
Go to the "Rules" section and click "Add rule."
Choose a managed rule or create a custom rule.
Configure rule parameters and specify actions for non-compliance.
Review and Confirm
Review your configuration settings.
Click "Confirm" or "Save" to complete the setup.
Setting Up AWS Config Aggregator
1. Create an Aggregator
Access AWS Config Console:
Navigate to the AWS Config console.
Open Aggregators:
In the AWS Config console, select Aggregators from the navigation pane.
Create Aggregator:
Configure Aggregator Details:
Name: Enter a name for the aggregator.
Description: Optionally, provide a description for the aggregator.
Select Source Accounts:
Include Accounts: Choose whether to aggregate data from all accounts or specific accounts.
All Accounts: Aggregate data from all accounts within the organization if using AWS Organizations.
Specific Accounts: Manually specify AWS account IDs from which to aggregate data.
Select Regions:
Choose the regions from which to collect configuration data. You can select all regions or specific regions depending on your needs.
Review and Create:
Review the settings and click Create aggregator to finalize the setup.
2. Monitor and Manage Aggregator
View Aggregator Data:
After creating the aggregator, you can view aggregated configuration data and compliance status in the AWS Config console under Aggregators.
Analyze Compliance Data:
Use the aggregated data to analyze compliance and configuration trends across your AWS environment. The compliance dashboard will provide insights into the compliance status of your resources.
Permissions and Access
IAM Role: The IAM role used for the aggregator must have the config:DescribeConfigurationAggregators and config:PutConfigurationAggregator permissions.
Cross-Account Access: Ensure that the AWS Config role has cross-account access permissions to read configuration data from the source accounts.
1. Compliance Dashboard
Overview
The Compliance Dashboard in AWS Config provides a visual summary of the compliance status of your AWS resources based on the rules you’ve set up. It helps you quickly see which resources are compliant or non-compliant with your organization’s policies.
Features
Summary View: Shows an overview of how many resources comply with each rule.
Compliance Trends: Visualizes trends over time, helping you track changes in compliance status.
Detailed View: Provides details on which specific resources are non-compliant and why.
2. Conformance Packs
Overview
A Conformance Pack is a collection of AWS Config rules and remediation actions that you deploy together. Conformance packs help you enforce best practices and compliance standards across your AWS environment.
Features
Predefined Rules: Comes with a set of rules and configurations that follow industry standards.
Easy Deployment: Deploy multiple rules and configurations in a single package.
Customizable: You can modify existing packs or create your own based on your needs.
3. Rules
Overview
Rules in AWS Config are the conditions that your resources must meet to be considered compliant. AWS Config evaluates your resources against these rules to ensure they adhere to your defined policies.
Types of Rules
Managed Rules: Predefined rules provided by AWS.
Custom Rules: Rules you create using AWS Lambda functions.
How to Use
Access: Go to the AWS Config console and select Rules from the navigation pane.
Create or Modify: Add new rules or edit existing ones. Configure the rule’s parameters and actions for non-compliance.
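As an added example (not code from the AWS Config documentation or any AWS sample), the following Python Lambda handler implements a custom rule of the kind described above: it flags a security group that exposes a port (set through the blockedPort rule parameter, defaulting to 22) to 0.0.0.0/0 or ::/0 and reports the verdict with put_evaluations. The event layout (invokingEvent, ruleParameters, resultToken) and the PutEvaluations keys are the standard custom-rule contract; the field names inside the security group's configuration document (ipPermissions, ipRanges, ipv4Ranges, ipv6Ranges), the rule name and the resource id are assumptions and constructed sample values, and make_sample_event exists only so the rule can be exercised offline.

```python
"""Custom AWS Config rule: flag security groups that expose a port to the world.

Added example. Security-group field names inside `configuration` are assumed from
typical configuration items; every sample value below is constructed.
"""
from __future__ import annotations

import json
from typing import Any, Dict, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SG_TYPE = "AWS::EC2::SecurityGroup"


def _covers_port(perm: Dict[str, Any], port: int) -> bool:
    """True if one ipPermissions entry includes `port` (protocol -1 means all traffic)."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(configuration: Dict[str, Any], port: int) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one security group's configuration."""
    for perm in configuration.get("ipPermissions", []):
        if not _covers_port(perm, port):
            continue
        # Collect every source CIDR on this entry, whichever field shape the item uses.
        cidrs = set(perm.get("ipRanges", []))
        cidrs.update(r.get("cidrIp") for r in perm.get("ipv4Ranges", []))
        cidrs.update(r.get("cidrIpv6") for r in perm.get("ipv6Ranges", []))
        if cidrs & WORLD_CIDRS:
            return NON_COMPLIANT, f"Inbound port {port} is reachable from 0.0.0.0/0 or ::/0"
    return COMPLIANT, f"Inbound port {port} is not open to the world"


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the Lambda event into one PutEvaluations entry without calling AWS."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("blockedPort", 22))  # rule parameter; defaults to SSH
    item = invoking["configurationItem"]

    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = NOT_APPLICABLE, "Resource was deleted"
    elif item["resourceType"] != SG_TYPE:
        compliance, note = NOT_APPLICABLE, f"Rule only evaluates {SG_TYPE}"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {}, port)

    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # the API caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any, config_client: Any = None) -> Dict[str, Any]:
    """Lambda entry point: evaluate, then report the result back to AWS Config."""
    evaluation = build_evaluation(event)
    if config_client is None:  # real deployment; local tests pass a client in
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_sample_event(configuration: Dict[str, Any], status: str = "OK",
                      resource_type: str = SG_TYPE, blocked_port: int = 22) -> Dict[str, Any]:
    """Build a constructed ConfigurationItemChangeNotification event for offline testing."""
    return {
        "configRuleName": "sg-no-world-open-port",  # hypothetical rule name
        "resultToken": "constructed-result-token",
        "ruleParameters": json.dumps({"blockedPort": str(blocked_port)}),
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": resource_type,
                "resourceId": "sg-0123456789abcdef0",  # constructed id
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
                "configuration": configuration,
            },
        }),
    }


# Constructed security group that allows SSH from anywhere: the misconfiguration to catch.
OPEN_SSH_SG = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                  "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(make_sample_event(OPEN_SSH_SG)), indent=2))
```

Deleted resources and other resource types are reported as NOT_APPLICABLE rather than COMPLIANT, so the compliance dashboard counts only security groups that were actually evaluated. In Lambda, leave config_client unset so the handler creates a boto3 client and submits the evaluation; keeping build_evaluation free of AWS calls is what makes the rule testable before deployment.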
4. Inventory Dashboard
Overview
The Inventory Dashboard provides a comprehensive view of the AWS resources in your account, including details about their configuration and status.
Features
Resource Inventory: Lists all AWS resources being tracked by AWS Config.
Configuration History: Shows historical data about resource configurations.
5. Resources
Overview
Resources are the AWS entities (such as EC2 instances and S3 buckets) that AWS Config monitors and records. You can view detailed information about these resources, including their configuration and compliance status.
Features
Resource Details: View details of each resource, including configuration data.
Change Tracking: See how configurations have changed over time.
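To illustrate the change investigation described above, here is an added Python example (not part of this page or of AWS's own tooling) that takes a resource's configuration history, as returned by the get-resource-config-history API, sorts it by capture time and reports exactly which settings changed between consecutive configuration items. Decoding configuration and each supplementaryConfiguration entry from JSON strings follows the API's response shape; the S3 bucket history, its bucket name and the supplementary keys used (BucketVersioningConfiguration, PublicAccessBlockConfiguration) are constructed sample data, and changes_under is a hypothetical helper name.

```python
"""Investigate a resource's configuration history by diffing consecutive configuration items.

Added example; the sample history below is constructed, not real AWS output.
"""
from __future__ import annotations

import json
from typing import Any, Dict, List, Tuple

Change = Tuple[str, Any, Any]  # (dotted path, old value, new value)


def _load(value: Any) -> Any:
    """AWS Config returns `configuration` and each supplementaryConfiguration entry
    as a JSON string; decode those and pass already-decoded values through."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def diff_configuration(old: Any, new: Any, path: str = "") -> List[Change]:
    """Recursively compare two configuration documents and list every leaf that differs."""
    changes: List[Change] = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changes.append((sub, None, new[key]))
            elif key not in new:
                changes.append((sub, old[key], None))
            else:
                changes.extend(diff_configuration(old[key], new[key], sub))
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            sub = f"{path}[{i}]"
            if i >= len(old):
                changes.append((sub, None, new[i]))
            elif i >= len(new):
                changes.append((sub, old[i], None))
            else:
                changes.extend(diff_configuration(old[i], new[i], sub))
    elif old != new:
        changes.append((path, old, new))
    return changes


def _normalize(item: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only the parts of a configuration item that describe the resource itself."""
    return {
        "configuration": _load(item.get("configuration")),
        "supplementaryConfiguration": {
            k: _load(v) for k, v in (item.get("supplementaryConfiguration") or {}).items()
        },
    }


def change_log(items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Order configuration items by capture time and diff each one against its predecessor."""
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    log = []
    for prev, cur in zip(ordered, ordered[1:]):
        log.append({
            "from": prev["configurationItemCaptureTime"],
            "to": cur["configurationItemCaptureTime"],
            "changes": diff_configuration(_normalize(prev), _normalize(cur)),
        })
    return log


def changes_under(log: List[Dict[str, Any]], prefix: str) -> List[Change]:
    """Flatten a change log down to the changes whose path starts with `prefix`."""
    return [c for entry in log for c in entry["changes"] if c[0].startswith(prefix)]


# Constructed history for one S3 bucket, deliberately listed newest first to show
# that change_log sorts by capture time before diffing.
_BUCKET = json.dumps({"name": "example-audit-logs", "owner": {"id": "EXAMPLE-OWNER"}})
SAMPLE_HISTORY = [
    {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-audit-logs",
        "configurationItemCaptureTime": "2024-03-02T09:30:00.000Z",
        "configuration": _BUCKET,
        "supplementaryConfiguration": {
            "BucketVersioningConfiguration": json.dumps({"status": "Suspended", "isMfaDeleteEnabled": False}),
            "PublicAccessBlockConfiguration": json.dumps({"blockPublicAcls": True, "blockPublicPolicy": False}),
        },
    },
    {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-audit-logs",
        "configurationItemCaptureTime": "2024-03-01T10:00:00.000Z",
        "configuration": _BUCKET,
        "supplementaryConfiguration": {
            "BucketVersioningConfiguration": json.dumps({"status": "Enabled", "isMfaDeleteEnabled": False}),
            "PublicAccessBlockConfiguration": json.dumps({"blockPublicAcls": True, "blockPublicPolicy": True}),
        },
    },
]

if __name__ == "__main__":
    for entry in change_log(SAMPLE_HISTORY):
        for path, old, new in entry["changes"]:
            print(f'{entry["from"]} -> {entry["to"]}: {path}: {old!r} -> {new!r}')
```

In practice, pass the configurationItems list from the API response to change_log and narrow the result with changes_under to the settings that matter for the investigation, such as the public access block; on the sample history this shows versioning being suspended and blockPublicPolicy being switched off between the two captures, while the unchanged bucket configuration produces no noise.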
6. Authorizations
Overview
Authorizations in AWS Config relate to permissions and roles needed to access and manage configuration data. AWS Config uses these authorizations to interact with resources and perform compliance checks.
Features
IAM Roles: Configure IAM roles that AWS Config uses to access resources in your account.
Permissions: Ensure AWS Config has the necessary permissions to read and write configuration data.
7. Advanced Queries
Overview
Advanced Queries allow you to run custom queries on your AWS Config data to extract specific information or perform detailed analysis.
Features
Custom Queries: Write and run SQL-like queries to get specific data about your resources.
Detailed Insights: Obtain insights into configurations and compliance status that are not available through standard views.