Helps with auditing and recording compliance of AWS resources
Helps record configurations and changes over time
Provides the ability to store the configuration data in S3, where it can be analyzed with Athena
Problems AWS Config Solves:
Check if there is unrestricted SSH access to a security group
Check if buckets have public access
Find out how an ALB configuration changed over time
We can receive alerts (SNS notifications) for any change
AWS Config is a per-region service, but it can be aggregated across regions and accounts
AWS Config Resource
Ability to view the compliance of a resource over time
Ability to view configuration of a resource over time
View CloudTrail API calls, if enabled
AWS Config Rules
AWS provides a set of managed Config rules (over 75) that users can apply directly
Users can also make custom config rules (a rule must be defined using AWS Lambda)
Examples of custom rules users can make:
Evaluate if each EBS disk is of type GP2
Evaluate if each EC2 instance is of type t2.micro
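Added example (not from the original notes): a Lambda handler for the second custom rule above, checking that an EC2 instance is a t2.micro and reporting the result back to Config with put_evaluations. The event shape is the one Config passes to a custom rule's Lambda; the sample event, the approvedInstanceType rule parameter, and the RecordingConfigClient stand-in are constructed for offline use.

```python
"""Custom AWS Config rule (Lambda handler): is every EC2 instance a t2.micro?"""
import json

DEFAULT_APPROVED_TYPE = "t2.micro"  # overridable through the rule's ruleParameters

def evaluate_instance(item, approved_type=DEFAULT_APPROVED_TYPE):
    """Map one configuration item to a Config compliance type."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"  # deleted resources must not be reported NON_COMPLIANT
    actual = item.get("configuration", {}).get("instanceType")
    return "COMPLIANT" if actual == approved_type else "NON_COMPLIANT"

def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes on each configuration change of the scoped resources."""
    invoking = json.loads(event["invokingEvent"])  # Config sends this as a JSON string
    params = json.loads(event.get("ruleParameters", "{}"))
    approved = params.get("approvedInstanceType", DEFAULT_APPROVED_TYPE)
    item = invoking["configurationItem"]
    actual = item.get("configuration", {}).get("instanceType")
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_instance(item, approved),
        "Annotation": f"instanceType={actual}, approved={approved}"[:256],  # 256-char API limit
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:  # real Lambda path; tests inject a recording client instead
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler can run offline (constructed)."""
    def __init__(self):
        self.calls = []
    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

# Constructed sample event mirroring the shape Config hands to a custom rule's Lambda.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"instanceType": "m5.large"}}}),
    "ruleParameters": json.dumps({"approvedInstanceType": "t2.micro"}),
    "resultToken": "constructed-token",
}
```

Running `lambda_handler(SAMPLE_EVENT, None, RecordingConfigClient())` reports the m5.large instance as NON_COMPLIANT; with the rule configured for change-triggered evaluation, Config invokes this handler on every configuration change of the in-scope instances.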
Rules can be evaluated/triggered:
For each config change
At regular time intervals
Evaluation of rules can trigger CloudWatch events if the rule is non-compliant
Rules can have auto-remediation: if a resource is not compliant, there is an option to trigger an automatic remediation action, for example stopping instances with non-approved tags
AWS Config Rules do not prevent actions from happening (no deny)
CloudWatch vs CloudTrail vs Config
CloudWatch
Performance monitoring (metrics, CPU, network, etc.) and dashboards