AWS Config Documentation

1. Introduction

Overview

AWS Config is a service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. It helps you assess, audit, and evaluate the configurations of your AWS resources.

Use Cases

• Compliance Auditing: Ensure that resources comply with corporate policies and regulations.

• Security Analysis: Detect misconfigurations and potential security issues.

• Change Tracking: Track changes in resource configurations and investigate changes over time.

2. AWS Config Overview

Features

• Configuration History: Maintains a history of changes to resource configurations.

• Compliance Checking: Evaluates configurations against predefined rules.

• Automated Remediation: Automatically corrects non-compliant resources.

Components

• AWS Config Rules: Evaluate whether resources comply with specified rules.

• Configuration Items: Records of resource configurations at different points in time.

• Compliance Dashboard: Visual interface for tracking compliance status and configuration history.

• 3. Setting Up AWS Config

  Prerequisites

  • AWS Account

  • IAM Permissions: config:*, s3:*, sns:*, lambda:*, etc.

Configuration Steps

1. Access AWS Config

   • Navigate to the AWS Config console.

   • 

2. Choose Resources to Record

   • Click on "Get Started" or "Record configuration changes."

   • Select the AWS resource types to record (e.g., EC2 instances, S3 buckets).

   • 

3. Set Up Delivery Channel

   • Choose or create an S3 bucket for storing configuration history.

   • Optionally, set up an SNS topic for notifications about configuration changes.

   • 

     

4. Create AWS Config Rules

   • Go to the "Rules" section and click "Add rule."

   • 

   • Choose a managed rule or create a custom rule.

   • 

   • Configure rule parameters and specify actions for non-compliance.

   • 

5. Review and Confirm

   • Review your configuration settings.

   • 

   • Click "Confirm" or "Save" to complete the setup.

   • 

     

     Setting Up AWS Config Aggregator

     1. Create an Aggregator

     1. Access AWS Config Console:

        • Navigate to the AWS Config console.

     2. Open Aggregators:

        • In the AWS Config console, select Aggregators from the navigation pane.

        • 

     3. Create Aggregator:

        • Click on Create aggregator.

        • 

     4. Configure Aggregator Details:

        • Name: Enter a name for the aggregator.

        • 

        • Description: Optionally, provide a description for the aggregator.

     5. Select Source Accounts:

        • Include Accounts: Choose whether to aggregate data from all accounts or specific accounts.

        • 

        • • All Accounts: Aggregate data from all accounts within the organization if using AWS Organizations.

            • 

            • Specific Accounts: Manually specify AWS account IDs from which to aggregate data.

            • 

     6. Select Regions:

        • Choose the regions from which to collect configuration data. You can select all regions or specific regions depending on your needs.

        • 

     7. Review and Create:

        • Review the settings and click Create aggregator to finalize the setup.

        • 

2. Monitor and Manage Aggregator

1. View Aggregator Data:

   • After creating the aggregator, you can view aggregated configuration data and compliance status in the AWS Config console under Aggregators.

   • 

2. Analyze Compliance Data:

   • Use the aggregated data to analyze compliance and configuration trends across your AWS environment. The compliance dashboard will provide insights into the compliance status of your resources.

   • 

Permissions and Access

• • IAM Role: The IAM role used for the aggregator must have the config:DescribeConfigurationAggregators and config:PutConfigurationAggregator permissions.

    • Cross-Account Access: Ensure that the AWS Config role has cross-account access permissions to read configuration data from the source accounts.

      1. Compliance Dashboard

      Overview

      The Compliance Dashboard in AWS Config provides a visual summary of the compliance status of your AWS resources based on the rules you’ve set up. It helps you quickly see which resources are compliant or non-compliant with your organization’s policies.

    • 

    • Features

      • Summary View: Shows an overview of how many resources comply with each rule.

      • Compliance Trends: Visualizes trends over time, helping you track changes in compliance status.

      • 

      • Detailed View: Provides details on which specific resources are non-compliant and why.

      • 

2. Conformance Packs

Overview

Conformance Packs are a collection of AWS Config rules and remediation actions that you can deploy together. They help you enforce best practices and compliance standards across your AWS environment.

• 

• Features

  • Predefined Rules: Comes with a set of rules and configurations that follow industry standards.

  • Easy Deployment: Deploy multiple rules and configurations in a single package.

  • Customizable: You can modify existing packs or create your own based on your needs.

3. Rules

Overview

Rules in AWS Config are the conditions that your resources must meet to be considered compliant. AWS Config evaluates your resources against these rules to ensure they adhere to your defined policies.

• 

• Types of Rules

  • Managed Rules: Predefined rules provided by AWS.

  • Custom Rules: Rules you create using AWS Lambda functions.

How to Use

• Access: Go to the AWS Config console and select Rules from the navigation pane.

• Create or Modify: Add new rules or edit existing ones. Configure the rule’s parameters and actions for non-compliance.

4. Inventory Dashboard

Overview

The Inventory Dashboard provides a comprehensive view of the AWS resources in your account, including details about their configuration and status.

• 

• Features

  • Resource Inventory: Lists all AWS resources being tracked by AWS Config.

  • 

  • Configuration History: Shows historical data about resource configurations.

5. Resources

Overview

Resources refers to the AWS entities (like EC2 instances, S3 buckets) that AWS Config monitors and records. You can view detailed information about these resources, including their configuration and compliance status.

• 

• Features

  • Resource Details: View details of each resource, including configuration data.

  • 

  • Change Tracking: See how configurations have changed over time.

6. Authorizations

Overview

Authorizations in AWS Config relate to permissions and roles needed to access and manage configuration data. AWS Config uses these authorizations to interact with resources and perform compliance checks.

• 

• Features

  • IAM Roles: Configure IAM roles that AWS Config uses to access resources in your account.

  • Permissions: Ensure AWS Config has the necessary permissions to read and write configuration data.

7. Advanced Queries

Overview

Advanced Queries allow you to run custom queries on your AWS Config data to extract specific information or perform detailed analysis.

• 

• Features

  • Custom Queries: Write and run SQL-like queries to get specific data about your resources.

  • Detailed Insights: Obtain insights into configurations and compliance status that are not available through standard views.