© 2020, Amazon Web Services, Inc. or its Affiliates.
Tariq Habib
Solutions Architect
September 11th, 2020
AWS Config: Building an effective governance framework
Inventory and configuration management
• What is currently out there?
• What is the latest configuration state of my resources?
• What relationships exist between my resources?
• What configuration changes occurred in the past?
• Which resources have violated compliance policies?
Governance and compliance management
• Are my resources properly configured?
• Do my resources comply with regulatory requirements?
• How do I ensure continuous compliance?
• How can I get notified in near real-time if resource(s) go out of compliance?
AWS Config
Benefits
• Continuous monitoring
• Continuous assessment
• Change management
• Operational troubleshooting
• Enterprise-wide compliance monitoring, including third-party resources
How it works
• A configuration change occurs in your AWS resources.
• AWS Config records and normalizes the changes into a consistent format.
• AWS Config automatically evaluates the recorded configurations against the configurations you specify.
• Access change history and compliance results using the console or APIs. CloudWatch Events or SNS alert you when changes occur. Deliver change history and snapshot files to your S3 bucket for analysis.
Services in the diagram: Amazon S3, Amazon CloudWatch, Amazon SNS, AWS Config APIs & Console
AWS Config features
Configuration history of AWS resources
Records details of changes to your AWS resources to provide you with a configuration history timeline
Obtain details of what a resource’s configuration looked like at any point in the past
Configuration snapshots
Provides a point-in-time capture of all your resources and their configurations
Configuration history of software (requires SSM agent)
Records software configuration changes within your Amazon EC2 instances and servers running on-premises or at other cloud providers
Provides a history of OS and system-level configuration changes alongside the infrastructure configuration changes recorded for EC2 instances
Configurable and customizable rules
Assess your resource configurations and resource changes for compliance against built-in or custom rules, and automate remediation of non-compliant resources
Customize pre-built rules or create your own custom rules in AWS Lambda that define your internal best practices and guidelines for resource configurations
Resource relationship tracking
Discovers, maps, and tracks AWS resource relationships in your account
For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, Config records the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.
Cloud governance dashboard
Provides a visual dashboard to help you quickly spot non-compliant resources and take appropriate action
Multi-account, multi-region data aggregation
Enables centralized auditing and governance by providing an enterprise-wide view of your resources and Config rule compliance status
Conformance packs
Packages a collection of AWS Config rules and remediation actions into a single entity and deploys it in a single account or across an entire organization.
Configuration history of AWS resources
Basic Components
Configuration Items
Represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account
Includes metadata, attributes, relationships, current configuration, and related events
AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording
Configuration History
A collection of the configuration items for a given resource over any time period
Determine things like when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM
Access historical configuration items for a resource from the API or in the console using the timeline
Configuration Recorder
Stores the configurations of the supported resources in your account as configuration items
Records all supported resources in the region where AWS Config is running by default
You can create a customized configuration recorder that records only the resource types that you specify
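A worked illustration of the configuration history described above, added here as an example (it is not code from the deck or from AWS). HISTORY is a constructed two-item timeline for one security group that uses the field names a real configuration item carries (configurationItemCaptureTime, relationships, configuration, tags); the resource and instance IDs are invented. diff_history walks the timeline oldest-first and reports attribute-level changes between consecutive items, which is how "what changed yesterday at 9 AM" is answered from the recorded history rather than from the live resource.

```python
"""Diffing consecutive configuration items in a resource's history (added
example, not from the deck). HISTORY is a constructed timeline for one
security group using the field names of a real configuration item; all
IDs and values are invented."""
import json

HISTORY = [
    {"configurationItemCaptureTime": "2020-09-10T09:00:00.000Z",
     "configurationItemStatus": "ResourceDiscovered",
     "resourceType": "AWS::EC2::SecurityGroup",
     "resourceId": "sg-0123456789abcdef0",
     "tags": {"Owner": "platform-team"},
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0aaa1111",
                        "relationshipName": "Is associated with Instance"}],
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": ["10.0.0.0/8"]}]}},
    {"configurationItemCaptureTime": "2020-09-11T09:00:00.000Z",
     "configurationItemStatus": "OK",
     "resourceType": "AWS::EC2::SecurityGroup",
     "resourceId": "sg-0123456789abcdef0",
     "tags": {"Owner": "platform-team"},
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0aaa1111",
                        "relationshipName": "Is associated with Instance"},
                       {"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0bbb2222",
                        "relationshipName": "Is associated with Instance"}],
     # GetResourceConfigHistory returns `configuration` as a JSON string;
     # delivered history files carry it as an object. Both are handled.
     "configuration": json.dumps({"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": ["10.0.0.0/8", "0.0.0.0/0"]}]})},
]

_MISSING = object()  # sentinel: "path absent" is distinct from "value is None"


def tracked_state(item):
    """The parts of a configuration item worth diffing, with `configuration`
    parsed when it arrived as a JSON string."""
    cfg = item.get("configuration")
    if isinstance(cfg, str):
        cfg = json.loads(cfg)
    return {"configuration": cfg or {}, "tags": item.get("tags") or {},
            "relationships": item.get("relationships") or []}


def flatten(value, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} for comparison."""
    if isinstance(value, dict):
        out = {}
        for key, sub in value.items():
            out.update(flatten(sub, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(value, list):
        out = {}
        for i, sub in enumerate(value):
            out.update(flatten(sub, f"{prefix}[{i}]"))
        return out
    return {prefix: value}


def diff_items(older, newer):
    """Attribute-level changes between two items of the same resource."""
    before = flatten(tracked_state(older))
    after = flatten(tracked_state(newer))
    changes = []
    for path in sorted(set(before) | set(after)):
        if before.get(path, _MISSING) != after.get(path, _MISSING):
            changes.append({"path": path, "old": before.get(path),
                            "new": after.get(path)})
    return changes


def diff_history(items):
    """Walk a resource's timeline oldest-first; one entry per recorded change."""
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    return [{"at": new["configurationItemCaptureTime"],
             "status": new["configurationItemStatus"],
             "changes": diff_items(old, new)}
            for old, new in zip(ordered, ordered[1:])]


if __name__ == "__main__":
    for entry in diff_history(HISTORY):
        print(entry["at"], entry["status"])
        for change in entry["changes"]:
            print(f"  {change['path']}: {change['old']!r} -> {change['new']!r}")
```

On the constructed timeline the diff surfaces two things at once: the new `0.0.0.0/0` ingress range on port 22 and the new relationship to a second instance, exactly the pairing the deck's relationship-tracking slide describes (both the group and the instances it is attached to get updated items). A review or detection workflow reading delivered history files would run the same diff over real items.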
AWS Resources
AWS Resource
Resource Timeline
Configuration Item
Resource Timeline
Configuration Changes
Resource Relationships
Advanced queries
Query editor
Query output
Configuration history of software
Prerequisites
AWS Systems Manager
Configure EC2 and on-premises servers as managed instances in AWS Systems Manager
Initiate collection of software inventory from your managed instances using the Systems Manager Inventory capability
Turn on recording for the managed instance inventory resource type in AWS Config
Managed Instance Information timeline
Configurable and customizable rules
Basic Components
AWS Config Rule
Represents your desired configuration settings for specific AWS resources or for an entire AWS account
If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant
AWS Config provides customizable, predefined rules to help you get started, but you can also create custom rules
Evaluation Triggers
While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules
After you activate a rule, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered
Evaluation triggers are defined as part of the rule, and they can include the following types:
- Configuration changes: triggers the evaluation when any resource that matches the rule's scope changes in configuration
- Periodic: runs evaluations for the rule at a frequency that you choose (for example, every 24 hours)
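The custom-rules feature ("create your own custom rules in AWS Lambda") and the two evaluation triggers just listed come together in one Lambda handler. The following is an added example, not code from the deck or from AWS: it implements a hypothetical policy (every EC2 security group must carry an `Owner` tag, the key read from a hypothetical rule parameter `requiredTagKey`) and serves both trigger types. For a configuration-change trigger the item arrives inside the event; for a periodic trigger there is no item, so the resources in scope are enumerated and their latest item fetched. The Config API calls used (GetResourceConfigHistory, ListDiscoveredResources, PutEvaluations) are real; `make_event` and `StubConfigClient` are constructed stand-ins so the logic runs offline.

```python
"""Custom AWS Config rule as an AWS Lambda handler (added example, not from
the deck). Hypothetical policy: every EC2 security group must carry an
'Owner' tag, the key coming from the hypothetical rule parameter
'requiredTagKey'. Serves both trigger types: configuration change and
periodic."""
import json

SCOPE_TYPE = "AWS::EC2::SecurityGroup"
CHANGE_TYPES = {"ConfigurationItemChangeNotification",
                "OversizedConfigurationItemChangeNotification"}
PERIODIC_TYPE = "ScheduledNotification"
BATCH = 100  # PutEvaluations accepts at most 100 evaluations per call

def evaluate_compliance(item, params):
    """Pure policy decision over one configuration item; no AWS calls."""
    if item.get("resourceType") != SCOPE_TYPE:
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # a deleted resource must not stay flagged
    key = params.get("requiredTagKey", "Owner")
    return "COMPLIANT" if (item.get("tags") or {}).get(key) else "NON_COMPLIANT"

def build_evaluation(item, compliance, note):
    """One result in the shape PutEvaluations expects."""
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # service limit on annotation length
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def latest_item(client, resource_type, resource_id):
    """Most recent configuration item for a resource, or None."""
    hist = client.get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id, limit=1)
    items = hist.get("configurationItems") or []
    return items[0] if items else None

def lambda_handler(event, context=None, client=None):
    """Entry point; `client` is injectable so the logic can run offline."""
    if client is None:
        import boto3  # only needed when deployed in Lambda
        client = boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    note = f"tag '{params.get('requiredTagKey', 'Owner')}' must be present"
    kind, evaluations = invoking["messageType"], []
    if kind in CHANGE_TYPES:
        item = invoking.get("configurationItem")
        if item is None:  # oversized notification carries only a summary
            s = invoking["configurationItemSummary"]
            item = latest_item(client, s["resourceType"], s["resourceId"])
        if item is not None:
            # Resource left the rule's scope: report NOT_APPLICABLE so a
            # stale verdict does not linger in the compliance view.
            verdict = ("NOT_APPLICABLE" if event.get("eventLeftScope")
                       else evaluate_compliance(item, params))
            evaluations.append(build_evaluation(item, verdict, note))
    elif kind == PERIODIC_TYPE:
        listed = client.list_discovered_resources(resourceType=SCOPE_TYPE)
        for ident in listed.get("resourceIdentifiers", []):
            item = latest_item(client, ident["resourceType"], ident["resourceId"])
            if item is not None:
                evaluations.append(build_evaluation(
                    item, evaluate_compliance(item, params), note))
    else:
        raise ValueError(f"unexpected messageType {kind!r}")
    for start in range(0, len(evaluations), BATCH):
        client.put_evaluations(Evaluations=evaluations[start:start + BATCH],
                               ResultToken=event["resultToken"])
    return evaluations

# --- Offline stand-ins (constructed; not AWS data) -------------------------
def make_event(message_type, item=None, params=None, token="token-1"):
    """Build an event shaped like the one AWS Config hands to a rule Lambda."""
    invoking = {"messageType": message_type}
    if item is not None:
        invoking["configurationItem"] = item
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": token, "eventLeftScope": False}

class StubConfigClient:
    """Minimal stand-in for boto3's Config client over in-memory items."""
    def __init__(self, items):
        self.items, self.submitted = list(items), []

    def list_discovered_resources(self, resourceType):
        return {"resourceIdentifiers": [
            {"resourceType": i["resourceType"], "resourceId": i["resourceId"]}
            for i in self.items if i["resourceType"] == resourceType]}

    def get_resource_config_history(self, resourceType, resourceId, limit):
        hits = [i for i in self.items if i["resourceId"] == resourceId]
        return {"configurationItems": hits[:limit]}

    def put_evaluations(self, Evaluations, ResultToken):
        self.submitted.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}
```

Two design points matter in practice. First, the policy decision is a pure function over the configuration item, so it is testable without credentials and reusable whether the item came from a change event or from a periodic sweep. Second, a deleted resource and a resource that has left the rule's scope are both reported as NOT_APPLICABLE rather than skipped; otherwise their last verdict stays in the compliance view. In a real deployment, `list_discovered_resources` is paginated and the rule's execution role needs permission for the three Config API calls the handler makes.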
AWS Config rules
Analyze configuration changes
90+ pre-built rules provided by AWS
Custom rules using AWS Lambda
GitHub repo: Community sourced rules
Aggregate compliance into a central account
Compliance history
Managed rules (AWS Security Hub)
Managed rules
Configuring managed rules
Compliance history timeline
Resource timeline
Compliance history timeline
Compliance changes
Configuring remediation actions
Executing remediation actions
Remediation actions
Advanced compliance query
Conformance Packs
AWS Config Conformance Pack features
Configuration compliance common framework
A collection of AWS Config rules and remediation actions as a single entity
Deploys in a single account and Region or across an organization in AWS Organizations
Immutable
Individual rules cannot be changed outside of the pack, regardless of access or account permissions
When deployed by an organization’s master account, it cannot be modified by the organization’s member accounts.
Conformance Packs
Multi-account, multi-Region aggregation
Basic Components
Aggregator
A new resource type in AWS Config that collects AWS Config configuration and compliance data from multiple source accounts and regions
Aggregator Account
An AWS account that owns one or more aggregators
Source Account
The AWS account from which you want to aggregate AWS Config resource configuration and compliance data
A source account can be an individual account or an organization in AWS Organizations
You can provide source accounts individually or you can retrieve them through AWS Organizations
Authorization
As a source account owner, authorization refers to the permissions you grant to an aggregator account and region to collect your AWS Config configuration and compliance data
Authorization is not required if you are aggregating source accounts that are part of AWS Organizations
Multi-account, multi-region data aggregation
• Central dashboard that provides an aggregated view
• Multi-account, multi-region
• Integrates with AWS Organizations
• Available at no additional charge
Multi-account, multi-region data aggregation feature
Accounts and regions: Select the source accounts and regions from where you want to collect AWS Config data
AWS Config data: Collection of AWS Config data from multiple source accounts and regions
Aggregator: Contains the resource configuration information and the compliance data recorded in AWS Config
Aggregated view: View all compliant and non-compliant rules and resources for each aggregator
Aggregated resource search
Aggregated rules view
Advanced query (cross-account)
Q&A
Thank You!