Config

Rohit Pagote


  • Region-scoped service; its data can be aggregated across regions and accounts

  • Helps with auditing and recording the compliance of AWS resources

  • Records configuration changes over time

  • Can send alerts (SNS notifications) on any change

  • Configuration data can be stored in S3 (and analyzed with Athena)

Config Rules

  • Can use AWS managed config rules

  • Can make custom config rules (must be implemented as an AWS Lambda function), such as:

    • Check if each EBS disk is of type gp2

    • Check if each EC2 instance is t2.micro

  • Rules can be evaluated / triggered:

    • for each config change (ex. configuration of EBS volume is changed)

    • at regular time intervals (ex. every 2 hours)

  • AWS Config Rules do not prevent actions from happening (no deny); they only report compliance
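The two custom rules listed above (EBS volume type, EC2 instance type) as one Lambda-backed Config rule. This is an added example, not code from the post: AWS Config invokes the function with an event whose `invokingEvent` is a JSON string carrying the changed resource's `configurationItem`, and the function reports its verdict back with `PutEvaluations`. The parameter names `desiredVolumeType` and `desiredInstanceType` and the sample event are assumptions made for this example.

```python
"""Custom AWS Config rule implemented in Lambda (added example, not from the post)."""
import json

# Resource types as AWS Config names them for EBS volumes and EC2 instances.
EBS_VOLUME = "AWS::EC2::Volume"
EC2_INSTANCE = "AWS::EC2::Instance"

DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(configuration_item: dict, rule_parameters: dict) -> str:
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    # A deleted resource has nothing left to evaluate.
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"
    resource_type = configuration_item.get("resourceType")
    configuration = configuration_item.get("configuration") or {}

    if resource_type == EBS_VOLUME:
        # Assumed rule parameter; defaults to the post's "gp2" check.
        desired = rule_parameters.get("desiredVolumeType", "gp2")
        return "COMPLIANT" if configuration.get("volumeType") == desired else "NON_COMPLIANT"
    if resource_type == EC2_INSTANCE:
        # Assumed rule parameter; defaults to the post's "t2.micro" check.
        desired = rule_parameters.get("desiredInstanceType", "t2.micro")
        return "COMPLIANT" if configuration.get("instanceType") == desired else "NON_COMPLIANT"
    # The rule is scoped to the two types above; anything else is out of scope.
    return "NOT_APPLICABLE"


def build_evaluation(event: dict) -> dict:
    """Parse the Config invocation event into the single Evaluation entry to report."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    # Oversized items arrive as a configurationItemSummary instead; not handled here.
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, rule_parameters),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point AWS Config calls; reports the verdict and returns it."""
    import boto3  # imported here so the module also loads where boto3 is absent

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
    )
    return evaluation


# Constructed sample event, shaped like a change-triggered Config invocation
# for a gp3 volume checked against a rule that wants gp2.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"volumeType": "gp3"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": json.dumps({"desiredVolumeType": "gp2"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT)["ComplianceType"])  # NON_COMPLIANT
```

Keeping the verdict logic in `evaluate_compliance`, separate from the `PutEvaluations` call, lets the rule be tested offline with constructed configuration items, which is where most custom-rule mistakes (wrong attribute name, deleted resources reported as non-compliant) show up.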

Config Rules - Remediations

  • Automate remediation of non-compliant resources using SSM Automation Documents

    • AWS-Managed Automation Documents

    • Custom Automation Documents

      • for example, to invoke a Lambda function that performs the remediation

  • You can set Remediation Retries in case the resource is still non-compliant after auto-remediation

  • Ex. if an IAM access key is past its rotation period (non-compliant), trigger an auto-remediation action that revokes the unused IAM user credentials
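The example above, carried through as the Lambda a custom Automation Document would invoke. This is added code, not from the post: the automation is assumed to pass the non-compliant user's name as `UserName` and an assumed `MaxAgeDays` threshold, and the function deactivates (rather than deletes) every active key not used within that window so the action stays reversible. The key-selection logic is pure so it can be checked offline; `FakeIAM` is a constructed stand-in for the IAM client.

```python
"""Remediation Lambda for stale IAM access keys (added example, not from the post)."""
from datetime import datetime, timedelta, timezone


def select_stale_keys(keys, now, max_age_days):
    """Return ids of active keys whose last use (or creation, if never used)
    is older than max_age_days. Each key is a dict with AccessKeyId, Status,
    CreateDate and LastUsedDate (None when the key was never used)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in keys:
        if key["Status"] != "Active":
            continue  # already inactive, nothing to revoke
        last_activity = key.get("LastUsedDate") or key["CreateDate"]
        if last_activity < cutoff:
            stale.append(key["AccessKeyId"])
    return stale


def list_user_keys(iam, user_name):
    """Fetch the user's keys and attach each key's last-used date (two IAM calls)."""
    keys = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        last_used = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
        keys.append({
            "AccessKeyId": meta["AccessKeyId"],
            "Status": meta["Status"],
            "CreateDate": meta["CreateDate"],
            # LastUsedDate is absent from the response when the key was never used.
            "LastUsedDate": last_used["AccessKeyLastUsed"].get("LastUsedDate"),
        })
    return keys


def remediate_user(iam, user_name, max_age_days, now=None):
    """Deactivate every stale key of the user and return the deactivated ids."""
    now = now or datetime.now(timezone.utc)
    stale = select_stale_keys(list_user_keys(iam, user_name), now, max_age_days)
    for key_id in stale:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return stale


def lambda_handler(event, context):
    """Entry point the Automation Document invokes; input names are assumed."""
    import boto3  # imported here so the module also loads where boto3 is absent

    deactivated = remediate_user(boto3.client("iam"), event["UserName"],
                                 int(event.get("MaxAgeDays", 90)))
    return {"DeactivatedKeys": deactivated}


# Constructed sample: fixed "now" and three keys for one user.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "AKIAEXAMPLE000000001": {"Status": "Active", "CreateDate": NOW - timedelta(days=400),
                             "LastUsedDate": NOW - timedelta(days=120)},   # stale
    "AKIAEXAMPLE000000002": {"Status": "Active", "CreateDate": NOW - timedelta(days=400),
                             "LastUsedDate": NOW - timedelta(days=1)},     # in use
    "AKIAEXAMPLE000000003": {"Status": "Active", "CreateDate": NOW - timedelta(days=200),
                             "LastUsedDate": None},                       # never used, stale
}


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, mimicking the three calls used above."""

    def __init__(self, user_name, keys):
        self.user_name, self.keys = user_name, {k: dict(v) for k, v in keys.items()}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": v["Status"], "CreateDate": v["CreateDate"]}
            for k, v in self.keys.items()]}

    def get_access_key_last_used(self, AccessKeyId):
        last = self.keys[AccessKeyId]["LastUsedDate"]
        return {"AccessKeyLastUsed": {"LastUsedDate": last} if last else {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status


if __name__ == "__main__":
    iam = FakeIAM("example-user", SAMPLE_KEYS)
    print(remediate_user(iam, "example-user", 90, now=NOW))
```

Deactivating instead of deleting keeps the remediation retry-safe: a second run finds the keys already `Inactive` and does nothing, and a mistaken revocation can be undone without re-issuing credentials.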

Config Rules – Notifications

  • Integrates with EventBridge or SNS to trigger notifications when AWS resources are non-compliant

  • Can be used together with CloudTrail to get a timeline of configuration changes and compliance over time.

