AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
AWS Config is a service that lets you assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of the recorded configurations against the configurations you want.
With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.
AWS Config gives a detailed view of the configuration of the AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so you can see how configurations and relationships change over time.
With AWS Config, you can do the following:
Evaluate your AWS resource configurations for desired settings.
Get a snapshot of the current configurations of the supported resources that are associated with your AWS account.
Retrieve the configurations of one or more resources that exist in your account.
Retrieve historical configurations of one or more resources.
Receive a notification whenever a resource is created, modified, or deleted.
View relationships between resources. For example, you might want to find all resources that use a particular security group.
AWS Config concepts, including the components of a configuration item:
⦁ Metadata:
Information about the configuration item itself: the version (configurationItemVersion), the time the item was captured (configurationItemCaptureTime), the status of the configuration item (configurationItemStatus, which indicates whether the item was captured successfully, or whether the resource was discovered, deleted, or not recorded), and a state ID (configurationStateId).
⦁ Attributes:
The attributes of the resource: the resource ID, a list of key-value tags for the resource, the resource type, the resource name, the Availability Zone of the resource, and the time at which the resource was created.
⦁ Configuration History:
A collection of the configuration items for a given resource over any time period, containing information such as when the resource was first created, how the resource has been configured over the last month, etc.
Config automatically delivers a configuration history file for each resource type that is being recorded to an S3 bucket that you specify.
A configuration history file is sent every six hours for each resource type that Config records.
⦁ Configuration item:
A record of the configuration of a resource in your AWS account. Config creates a configuration item whenever it detects a change to a resource type that it is recording. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
⦁ Configuration Recorder:
Stores the configurations of the supported resources in your account as configuration items.
By default, the configuration recorder records all supported resources in the region where Config is running. You can create a customized configuration recorder that records only the resource types that you specify.
You can also have Config record supported types of global resources which are IAM users, groups, roles, and customer managed policies.
⦁ Configuration Snapshot:
A complete picture of the resources that are being recorded and their configurations.
Stored in an S3 bucket that you specify.
⦁ Configuration Stream:
An automatically updated list of all configuration items for the resources that Config is recording.
Helpful for observing configuration changes as they occur so that you can spot potential problems, generating notifications if certain resources are changed, or updating external systems that need to reflect the configuration of your AWS resources.
⦁ Resource Relationships:
Describes how the resource is related to other resources in the account, with a name for each relationship (for example, an EBS volume "is attached to" an instance, and an instance "is associated with" a security group). Relationships are what let you answer questions such as which resources use a given security group.
⦁ Current Configuration:
Information about the resource as returned by a call to the resource's Describe or List API.
For example, for an EBS volume the DescribeVolumes API returns information such as:
the Availability Zone the volume is in; the time the volume was attached; the ID of the EC2 instance it is attached to; the current status of the volume; the state of the DeleteOnTermination flag; the device the volume is attached to; and the volume type, such as gp2, io1, or standard.
⦁ Config rule:
Represents your desired configuration settings for specific AWS resources or for an entire AWS account.
Config provides customizable, predefined (managed) rules, and you can also write custom rules backed by AWS Lambda functions. If a resource violates a rule, Config flags the resource and the rule as noncompliant and notifies you through Amazon SNS.
Evaluates your resources either in response to configuration changes or periodically.
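The following added example (not code from the original page or from AWS) ties the configuration item format described above to the Config rule concept. It embeds a constructed, trimmed configuration snapshot with three configuration items, shows how to walk the relationships to find every resource that uses a given security group, and implements the evaluation logic of a custom Config rule for AWS::EC2::Volume that reads the `configuration` block (the DescribeVolumes data) and handles the deleted-resource case that every custom rule must treat as NOT_APPLICABLE. All resource IDs, timestamps, the rule name and the `allowedVolumeTypes` parameter are made up for illustration; the Lambda handler at the end assumes it is deployed as a custom rule and calls the real PutEvaluations API.

```python
import json

# Constructed sample: a trimmed configuration snapshot (IDs and values are made up).
# Field names follow the configuration item format that Config delivers.
SAMPLE_SNAPSHOT = {
    "fileVersion": "1.0",
    "configSnapshotId": "11111111-2222-3333-4444-555555555555",
    "configurationItems": [
        {
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
            "configurationStateId": "1704873600000",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "awsRegion": "us-east-1",
            "availabilityZone": "us-east-1a",
            "tags": {"Name": "web-1"},
            "relationships": [
                {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaaaaaaaaaaaaaaa",
                 "relationshipName": "Is associated with SecurityGroup"},
                {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbbbbbbbbbbbbbbb",
                 "relationshipName": "Is attached to Volume"},
            ],
            "configuration": {"instanceType": "t3.micro", "state": {"name": "running"}},
        },
        {
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
            "configurationStateId": "1704873600001",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0aaaaaaaaaaaaaaaa",
            "awsRegion": "us-east-1",
            "tags": {},
            "relationships": [],
            "configuration": {"groupName": "web", "ipPermissions": []},
        },
        {
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
            "configurationStateId": "1704873600002",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0bbbbbbbbbbbbbbbb",
            "awsRegion": "us-east-1",
            "availabilityZone": "us-east-1a",
            "tags": {},
            "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
                               "relationshipName": "Is attached to Instance"}],
            # Mirrors what DescribeVolumes returns for the volume.
            "configuration": {"availabilityZone": "us-east-1a", "state": "in-use", "volumeType": "gp2",
                              "encrypted": False,
                              "attachments": [{"instanceId": "i-0123456789abcdef0", "device": "/dev/xvda",
                                               "deleteOnTermination": True,
                                               "attachTime": "2024-01-10T07:58:00.000Z"}]},
        },
    ],
}

# Constructed: the event AWS Config sends a custom rule when the volume above changes.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_SNAPSHOT["configurationItems"][2],
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"allowedVolumeTypes": "gp2,gp3"}),  # hypothetical parameter
    "resultToken": "constructed-result-token",
    "configRuleName": "ebs-volume-encrypted-and-allowed-type",  # hypothetical rule name
}


def resources_related_to(items, resource_id):
    """Every (resourceType, resourceId, relationshipName) whose relationships mention resource_id,
    e.g. all resources that use one security group."""
    return [(ci["resourceType"], ci["resourceId"], rel["relationshipName"])
            for ci in items for rel in ci.get("relationships", []) if rel["resourceId"] == resource_id]


def evaluate_volume(ci, allowed_types=("gp3", "io1", "io2")):
    """Rule logic for AWS::EC2::Volume: returns (ComplianceType, Annotation).
    The allowed-type default is an assumption of this example, not an AWS default."""
    status = ci.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", f"Resource status {status}; nothing to evaluate"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::Volume"
    cfg = ci["configuration"]
    problems = []
    if not cfg.get("encrypted", False):
        problems.append("volume is not encrypted")
    if cfg.get("volumeType") not in allowed_types:
        problems.append(f"volume type {cfg.get('volumeType')} not in {sorted(allowed_types)}")
    return ("NON_COMPLIANT", "; ".join(problems)) if problems else ("COMPLIANT", "Encrypted, allowed type")


def build_evaluation(event):
    """Parse the custom-rule event (invokingEvent and ruleParameters are JSON strings) into one
    Evaluation entry for PutEvaluations. Annotation is capped at the 256-character API limit."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = tuple(t.strip() for t in params.get("allowedVolumeTypes", "gp3,io1,io2").split(","))
    compliance, annotation = evaluate_volume(ci, allowed)
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation[:256],
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Entry point when deployed as a custom Config rule; reports the result to Config."""
    import boto3  # imported lazily so the rule logic above runs and tests without boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(resources_related_to(SAMPLE_SNAPSHOT["configurationItems"], "sg-0aaaaaaaaaaaaaaaa"))
    print(build_evaluation(SAMPLE_EVENT))
```

Two design points worth keeping when you write a real rule: return NOT_APPLICABLE rather than COMPLIANT for deleted or unrecorded resources, otherwise the rule reports a clean result for something that no longer exists; and always pass the item's configurationItemCaptureTime as OrderingTimestamp so Config orders evaluations by the change they describe, not by when the Lambda ran.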
AWS Config Benefits:
AWS Config makes it easy to track your resources' configuration without up-front investment and without the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with your AWS resources, and you are notified of every configuration change through Amazon Simple Notification Service (SNS).
1) Continuous monitoring
2) Continuous assessment
3) Operational troubleshooting
4) Change management
AWS Config Use Cases:
⦁ Compliance as code
⦁ Troubleshooting
⦁ Continuous audit and compliance
⦁ Security analysis
⦁ Change management
⦁ Discovery