AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications for security and governance.
AWS Config is an auditing service that keeps track of changes made to your AWS resources and allows you to monitor configuration data over time for detecting potential security and operational issues.
This post focuses on some introductory concepts for AWS Config that are not always kept in mind when inspecting the AWS Console for Config, which performs many operations under the surface for us, but in case you want to use another way for setting up your AWS Config these concepts will be very important.
1. AWS Config
AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications for security and governance.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
AWS Config tracks changes made to these supported AWS resources and records their changes as configuration items (CIs), which are JSON files delivered to an Amazon Simple Storage Service (Amazon S3) bucket. These files are accessed through AWS Config APIs and optionally sent through Amazon Simple Notification Service (Amazon SNS).
2. Configuration Items (CI)
A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. You can select AWS Config to create a configuration item at the recording frequency that you set: Continuous recording which records configuration changes continuously whenever a change occurs, and Daily recording which creates a configuration item (CI) representing the most recent state of your resources over the last 24-hour period (only if it’s different from the previous CI recorded).
Here is an example of a Configuration Item for a Resource Group:
{
"relatedEvents": [],
"relationships": [
{
"resourceId": "vpc-XXXXXXXXXXXX",
"resourceType": "AWS::EC2::VPC",
"name": "Is contained in Vpc"
}
],
"configuration": {
"description": "default VPC security group",
"groupName": "default",
"ipPermissions": [
{
"ipProtocol": "-1",
"ipv6Ranges": [],
"prefixListIds": [],
"userIdGroupPairs": [
{
"groupId": "sg-YYYYYYYYYYYY",
"userId": "0000000000"
}
],
"ipv4Ranges": [],
"ipRanges": []
}
],
"ownerId": "0000000000",
"groupId": "sg-YYYYYYYYYYYY",
"ipPermissionsEgress": [
{
"ipProtocol": "-1",
"ipv6Ranges": [],
"prefixListIds": [],
"userIdGroupPairs": [],
"ipv4Ranges": [
{
"cidrIp": "0.0.0.0/0"
}
],
"ipRanges": [
"0.0.0.0/0"
]
}
],
"tags": [],
"vpcId": "vpc-XXXXXXXXXXXX"
},
"supplementaryConfiguration": {},
"tags": {},
"configurationItemVersion": "1.3",
"configurationItemCaptureTime": "YYYY-MM-DDTHH:MM:SS.000Z",
"configurationStateId": 0000000000,
"awsAccountId": "0000000000",
"configurationItemStatus": "ResourceDiscovered",
"resourceType": "AWS::EC2::SecurityGroup",
"resourceId": "sg-YYYYYYYYYYYY",
"resourceName": "default",
"ARN": "arn:aws:ec2:us-east-1:0000000000:security-group/sg-YYYYYYYYYYYY",
"awsRegion": "us-east-1",
"availabilityZone": "Not Applicable",
"configurationStateMd5Hash": ""
}
3. Configuration History
A configuration history is a collection of the configuration items for a specific resource type over any time period. Each file includes resources of only one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file.
Configuration History Files are useful when you’re looking for the historical configuration state for a specific resource type.
AWS Config delivers configuration history files automatically after enabling the Configuration Recorder and Delivery Channel to an Amazon S3 bucket that you specify. AWS Config sends a configuration history file every six hours, and each file contains details about the resources that changed in that six-hour period.
You can select a given resource in the AWS Config console and navigate to all previous configuration items for that resource using the timeline.
Here is an example of a Configuration History File, with a name in the format {accountId}_Config_{region}_ConfigHistory_{resourceType}_{time}:
{ // Configuration File for AWS::S3::Bucket Resource Type
"fileVersion": "1.0",
"configurationItems": [
{
// CI S3 Bucket "A"
},
{
// CI S3 Bucket "B"
},
// Additional S3 Buckets
]
}
4. Configuration Snapshot
A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a point-in-time capture of the resources that are being recorded and their configurations.
Configuration Snapshot Files are useful when you’re looking for the current configuration state for all supported resources in an account.
By default Configuration Snapshots are not automatically enabled just by enabling the Configuration Recorder and Delivery Channel, you must configure the Delivery Channel with a specific snapshot delivery frequency of 1, 3, 6, 12, or 24 hours. You can have the configuration snapshots delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify.
Here is an example of a Configuration History File, with a name in the format {accountId}_Config_{region}_ConfigSnapshot_{time}:
{
"fileVersion": "1.0",
"configSnapshotId": "677bc092-27a0-4831-9c08-012eed635738",
"configurationItems": [
{
// CI CloudFormation Stack "A"
},
{
// CI S3 Bucket "B"
},
{
// CI S3 Bucket "C"
},
{
// CI SNS Topic "D"
},
// Additional Resources
]
}
5. Configuration Recorder
The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording. You can stop and restart the configuration recorder at any time.
By default, the configuration recorder records all supported resources in the region where AWS Config is running. You can create a customized configuration recorder that records only the resource types that you specify.
If you use the AWS Management Console or the CLI to turn on the service, AWS Config automatically creates and starts a configuration recorder for you.
6. Delivery Channel
As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates.
Before you can create a delivery channel, you must create a configuration recorder. You can have only one delivery channel per AWS Region per AWS account, and the delivery channel is required to use AWS Config.
7. Delivery of CIs to Amazon S3
As mentioned above AWS Config sends Configuration History Files every six hours to S3, after enabling the configuration recorder.
In the case of Configuration Snapshots, they are sent when a user manually performs the DeliverConfigSnapshot API call or the API is invoked according to a periodic setting for the snapshot every 1, 3, 6, 12, or 24 hours, according to the Delivery Channel setting.
Snapshots and History files use the same format to be stored in S3 and are sent to the same Bucket in two different folders ConfigHistory _and _ConfigSnapshot.
8. Config Notifications and Amazon SNS
AWS Config uses the Amazon SNS topic that you optionally specify in the Delivery Channel.
AWS Config sends notifications for the following events:
- Configuration item change for a resource.
- Configuration history for a resource was delivered for your account.
- Configuration snapshot for recorded resources was started and delivered for your account.
- Compliance state of your resources and whether they are compliant with your rules.
- Evaluation started for a rule against your resources.
- AWS Config failed to deliver the notification to your account.
9. Config Rules
An AWS Config rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. If a resource does not comply with the rule, AWS Config flags the resource and the rule as noncompliant.
There are two types of rules: AWS Config Managed Rules (predefined) and AWS Config Custom Rules (created using Lambda Functions or using Guard language).
When creating a Config Rule you can choose the trigger type to specify how often your AWS Config rules evaluate your resources: Resources can be evaluated when there are configuration changes, on a periodic schedule, or both.
10. AWS Config for AWS Organizations
AWS Config helps you centrally manage your Config Rules and data visualization (CIs, queries, reports, etc.) for all your Member accounts using different features of AWS Config
For using AWS Config services with AWS Organizations you'll need to use the
EnableAWSServiceAccess action (using the API, CLI or Console), which enables the integration and allows AWS Config to create a Service-Linked Role in all accounts in your organization. This allows the AWS Config service to perform operations on your behalf in your organization and its accounts.
AWS Documentation indicates to enable the principals config.amazonaws.com (for AWS Config) and config-multiaccountsetup.amazonaws.com (for managing multi-account AWS Config Rules).
Delegated Administrator for AWS Config
AWS Organizations allows you to delegate tasks or responsibilities to member accounts. The designated member account then becomes delegated administrators, meaning that they can perform a specific activity or manage a specific AWS service across accounts, on behalf of the organization.
AWS Config is one of the AWS services operating across accounts and supporting delegation in AWS Organizations. The Delegated Administrator supports using Aggregators for multi-account, multi-region resource data aggregation.
If you are using an organization management account and intend to use a delegated administrator for organizational deployment, be aware that AWS Config won't automatically create the service-linked role (SLR). You must manually create the service-linked role (SLR) separately using IAM, or using the EnableAWSServiceAccess API as mentioned above.
11. Organizational Rules
AWS Config supports Organizational Rules, which allows you to manage AWS Config rules across all AWS accounts within an organization. You can:
- Centrally create, update, and delete AWS Config rules across all accounts in your organization.
- Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
- Use the APIs from the management account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.
Remember that Organizational Rules can only be created using the API or CLI. This operation is not supported in the AWS Config console. In addition, when configuring Organizational Rules, each one can only include one AWS Config Rule, so in case you want to use many Config Rules for your Organization Accounts you will have to manage many separate Organizational Rules.
12. Conformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names. You can deploy the template by using the AWS Config console or the AWS CLI.
13. Aggregators
An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:
- Multiple accounts and multiple AWS Regions.
- Single account and multiple AWS Regions.
- An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled. Use an aggregator to view the resource configuration and compliance data recorded in AWS Config. An aggregator uses an Amazon S3 bucket to store aggregated data. It periodically retrieves configuration snapshots from the source accounts and stores them in the designated S3 bucket.
When setting up an Aggregator, you must use the Management Account or a registered Delegated Administrator.
Resources
- Amazon Config FAQs
- AWS Config: How AWS Config Works
- AWS Config: Concepts
- AWS Config: Managing the Delivery Channel
- AWS Config: Managing AWS Config Rules Across All Accounts in Your Organization
- AWS Config: Conformance Packs
- AWS Config: Multi-Account Multi-Region Data Aggregation
- AWS Config - AggregatoSetting Up an Aggregator Using the AWS Command Line Interface
- Understanding the differences between configuration history and configuration snapshot files in AWS Config
- Using delegated admin for AWS Config operations and aggregation
Top comments (0)