Config

• Region-scoped service, can be aggregated across regions and accounts

• Helps with auditing and recording compliance of AWS resources

• It records configuration changes over time

• Can receive alerts (SNS notifications) for any changes

• Possibility of storing the configuration data into S3 (analyzed by Athena)

Config Rules

• Can use AWS managed config rules

• Can make custom config rules (must be defined in AWS Lambda) such as:

  • Check if each EBS disk is of type gp2

  • Check if each EC2 instance is t2.micro

• Rules can be evaluated / triggered:

  • for each config change (ex. configuration of EBS volume is changed)

  • at regular time intervals (ex. every 2 hours)

• AWS Config Rules does not prevent actions from happening (no deny)

Config Rules - Remediations

• Automate remediation of non-compliant resources using SSM Automation Documents

  • AWS-Managed Automation Documents

  • Custom Automation Documents

    • to invoke a Lambda function for automation

• You can set Remediation Retries if the resource is still non-compliant after auto remediation

• Ex. if IAM access key expires (non-compliant), trigger an auto-remediation action to revoke unused IAM user credentials

Config Rules – Notifications

• Integrates with EventBridge or SNS to trigger notifications when AWS resources are non-compliant

• Can be used along with CloudTrail to get a timeline of changes in configuration and compliance overtime.