What is AWS Config?
AWS Config is a service that lets you assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.
AWS Config gives a detailed view of the configuration of the AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so you can see how configurations and relationships change over time.
An AWS resource is an entity you can work with in AWS, for example an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC).
With AWS Config, you can do the following:
- Evaluate your AWS resource configurations for desired settings.
- Get a snapshot of the current configurations of the supported resources that are associated with your AWS account.
- Retrieve the configurations of one or more resources that exist in your account.
- Retrieve historical configurations of one or more resources.
- Receive a notification whenever a resource is created, modified, or deleted.
- View relationships between resources. For example, you might want to find all resources that use a particular security group.
How AWS Config works:
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource.
AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for every supported resource, you can specify the resource types that you want it to track.
AWS Config keeps track of all changes to your resources by invoking the Describe or List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.
AWS Config also tracks configuration changes that were not initiated through the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed.
If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config evaluates your resources either in response to configuration changes or periodically. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule's AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.
Deliver Configuration Items
AWS Config can deliver configuration items through one of the following channels:
Amazon S3 Bucket
AWS Config tracks changes in the configuration of your AWS resources, and it regularly sends updated configuration details to an Amazon S3 bucket that you specify. For each resource type that AWS Config records, it sends a configuration history file every six hours. Each configuration history file contains details about the resources that changed in that six-hour period. Each file contains resources of one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config doesn't send a file.
AWS Config sends a configuration snapshot to your Amazon S3 bucket when you use the deliver-config-snapshot command with the AWS CLI, or when you use the DeliverConfigSnapshot action with the AWS Config API. A configuration snapshot contains configuration details for all resources that AWS Config records in your AWS account. The configuration history file and the configuration snapshot are in JSON format.
Amazon SNS Topic
An Amazon Simple Notification Service (Amazon SNS) topic is a communication channel that Amazon SNS uses to deliver messages (or notifications) to subscribing endpoints, such as an email address or clients. Other types of Amazon SNS notifications include push notification messages to applications on mobile phones, Short Message Service (SMS) notifications to SMS-enabled mobile phones and smartphones, and HTTP POST requests. For best results, use Amazon SQS as the notification endpoint for the SNS topic and then process the information in the notification programmatically.
Components of a configuration item:
Metadata:
It gives information about the configuration item: the version ID and the time when the item was captured, the status of the configuration item (whether the item was captured successfully), and the state ID.
Attributes:
Describes the resource attributes of the item: the resource ID, a list of key-value tags for the resource, the resource type, the resource name, the Availability Zone of the resource, and the time at which the resource was created.
Relationships:
Describes how the resource is related to other resources in the account, with a description of each relationship.
Current Configuration:
Holds the information returned for the resource by a call to the Describe or List API.
For example, the DescribeVolumes API returns the following information about a volume:
- Availability Zone the volume is in
- Time the volume was attached
- ID of the EC2 instance it is attached to
- Current status of the volume
- State of the DeleteOnTermination flag
- Device the volume is attached to
- Type of volume, such as gp2, io1, or standard
Notes: A configuration item relationship does not include network flow or data flow dependencies. Configuration items cannot be customized to represent your application architecture.
AWS Config doesn't record key-value tags for CloudTrail trails, CloudFront distributions, and CloudFront streaming distributions.
As of version 1.3, the relatedEvents field is empty. You can use the LookupEvents API in the AWS CloudTrail API Reference to retrieve the events for the resource. As of version 1.3, the configurationItemMD5Hash field is empty. You can use the configurationStateId field to ensure that you have the latest configuration item.
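The following is an added example, not code from the original page or from AWS, that works through the JSON that AWS Config delivers to S3 and the four components of a configuration item described above. The snapshot is constructed sample data in the shape of a delivered file (a fileVersion plus a configurationItems array); the resource IDs, security group IDs and relationship names are illustrative. It uses the relationships component to answer the question asked earlier on the page (which resources use a given security group) and, because configurationItemMD5Hash is empty as of item version 1.3, it picks the latest item per resource by comparing configurationStateId.

```python
"""Parse an AWS Config snapshot file offline and query its configuration items."""
import json


def make_item(state_id, rtype, rid, relationships, configuration, tags=None,
              status="ResourceDiscovered"):
    """Build one configuration item with the field names AWS Config uses.
    Metadata, attributes, relationships and configuration are all present."""
    return {
        "configurationItemVersion": "1.3",
        "configurationItemCaptureTime": "2024-01-05T10:00:00.000Z",
        "configurationStateId": str(state_id),
        "configurationItemStatus": status,
        "resourceType": rtype,
        "resourceId": rid,
        "awsRegion": "us-east-1",
        "availabilityZone": "us-east-1a",
        "tags": tags or {},
        "relatedEvents": [],              # empty as of item version 1.3
        "relationships": relationships,
        "configuration": configuration,
        "configurationItemMD5Hash": "",   # empty as of item version 1.3
    }


def rel(rtype, rid, name):
    return {"resourceType": rtype, "resourceId": rid, "name": name}


# Constructed identifiers for the sample account.
SG_A, SG_C = "sg-0aaaaaaaaaaaaaaaa", "sg-0cccccccccccccccc"
INST_1, INST_2 = "i-0123456789abcdef0", "i-0fedcba9876543210"
VOL_1, ENI_1 = "vol-0bbbbbbbbbbbbbbbb", "eni-0dddddddddddddddd"

# Constructed snapshot in the delivered-file shape: fileVersion + configurationItems.
SAMPLE_SNAPSHOT = json.dumps({
    "fileVersion": "1.0",
    "configSnapshotId": "constructed-snapshot-id",
    "configurationItems": [
        make_item(1704448800000, "AWS::EC2::Instance", INST_1,
                  [rel("AWS::EC2::SecurityGroup", SG_A, "Is associated with SecurityGroup"),
                   rel("AWS::EC2::Volume", VOL_1, "Is attached to Volume")],
                  {"instanceType": "t3.micro"}, tags={"Environment": "prod"}),
        make_item(1704448800001, "AWS::EC2::Instance", INST_2,
                  [rel("AWS::EC2::SecurityGroup", SG_C, "Is associated with SecurityGroup")],
                  {"instanceType": "t3.small"}),
        make_item(1704448800002, "AWS::EC2::NetworkInterface", ENI_1,
                  [rel("AWS::EC2::SecurityGroup", SG_A, "Is associated with SecurityGroup")],
                  {"description": "constructed interface"}),
        # The same volume captured twice; the higher state id is the current one.
        make_item(1704448800003, "AWS::EC2::Volume", VOL_1,
                  [rel("AWS::EC2::Instance", INST_1, "Is attached to Instance")],
                  {"volumeType": "gp2", "size": 8, "encrypted": False}),
        make_item(1704470400000, "AWS::EC2::Volume", VOL_1,
                  [rel("AWS::EC2::Instance", INST_1, "Is attached to Instance")],
                  {"volumeType": "gp2", "size": 8, "encrypted": False},
                  tags={"Environment": "prod"}, status="OK"),
    ],
})


def load_snapshot(raw):
    """Parse a delivered snapshot and return its configuration items."""
    doc = json.loads(raw)
    if doc.get("fileVersion") != "1.0":
        raise ValueError(f"unexpected snapshot fileVersion: {doc.get('fileVersion')!r}")
    return doc["configurationItems"]


def latest_items(items):
    """Keep one item per (type, id): the one with the highest configurationStateId."""
    latest = {}
    for item in items:
        key = (item["resourceType"], item["resourceId"])
        if key not in latest or int(item["configurationStateId"]) > int(latest[key]["configurationStateId"]):
            latest[key] = item
    return latest


def resources_using_security_group(items, sg_id):
    """Walk the relationships component to find every resource that uses sg_id."""
    found = []
    for (rtype, rid), item in latest_items(items).items():
        if any(r["resourceType"] == "AWS::EC2::SecurityGroup" and r["resourceId"] == sg_id
               for r in item["relationships"]):
            found.append((rtype, rid))
    return sorted(found)


def tags_of(items, rtype, rid):
    """Tags from the attributes component of the latest item for a resource."""
    return latest_items(items)[(rtype, rid)]["tags"]


if __name__ == "__main__":
    items = load_snapshot(SAMPLE_SNAPSHOT)
    print(resources_using_security_group(items, SG_A))
    print(tags_of(items, "AWS::EC2::Volume", VOL_1))
```

The same functions apply unchanged to a six-hourly configuration history file, which carries the same item structure but only one resource type per file; when reading real deliveries, feed each file's configurationItems into latest_items so that a resource captured several times in the period resolves to its current state.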
Evaluating Resources with Rules
Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started. You can also create your own custom rules. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.
For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume isn't encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.
The AWS Config console shows the compliance status of your rules and resources. You can see how your AWS resources comply overall with your desired configurations, and learn which specific resources are noncompliant. You can also use the AWS CLI, the AWS Config API, and AWS SDKs to make requests to the AWS Config service for compliance information.
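As an added example, not code from the original page or from AWS, here is the Lambda side of a change-triggered custom rule implementing the volume-encryption check used above. AWS Config invokes the function with an event whose invokingEvent is a JSON string holding the configuration item; the function decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE and reports back through PutEvaluations. The sample event and the rule parameter name requiredKmsKeyId are constructed, and the config_client parameter is an assumption added so the handler can be exercised with a recording stand-in instead of a live boto3 client.

```python
"""Custom AWS Config rule: flag EBS volumes that are not encrypted."""
import json

APPLICABLE_TYPES = {"AWS::EC2::Volume"}


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, annotation) for one configuration item."""
    if configuration_item["resourceType"] not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "rule only applies to EBS volumes"
    # Config delivers a final item with this status when a resource is deleted.
    if configuration_item["configurationItemStatus"] == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    cfg = configuration_item["configuration"]
    if not cfg.get("encrypted", False):
        return "NON_COMPLIANT", "volume is not encrypted"
    # Optional parameter (constructed name): also require a specific KMS key.
    required_key = rule_parameters.get("requiredKmsKeyId")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", f"volume is not encrypted with {required_key}"
    return "COMPLIANT", "volume is encrypted"


def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; reports one evaluation for the changed resource."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    if event.get("eventLeftScope"):
        # The resource left the rule's scope (e.g. it was deleted): nothing to assess.
        compliance, annotation = "NOT_APPLICABLE", "resource left rule scope"
    else:
        compliance, annotation = evaluate_compliance(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when running inside Lambda (assumption: boto3 available there)
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(configuration_item, rule_parameters=None, event_left_scope=False):
    """Constructed invocation event in the shape Config hands to a custom rule."""
    return {
        "invokingEvent": json.dumps({
            "configurationItem": configuration_item,
            "messageType": "ConfigurationItemChangeNotification",
        }),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "constructed-result-token",
        "eventLeftScope": event_left_scope,
    }


# Constructed configuration item for an unencrypted gp2 volume.
UNENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0bbbbbbbbbbbbbbbb",
    "configurationItemStatus": "ResourceDiscovered",
    "configurationItemCaptureTime": "2024-01-05T10:00:00.000Z",
    "configuration": {"volumeType": "gp2", "size": 8, "encrypted": False},
}


class RecordingConfigClient:
    """Stand-in for the boto3 Config client: records the PutEvaluations call."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append({"Evaluations": Evaluations, "ResultToken": ResultToken})
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(make_event(UNENCRYPTED_VOLUME), None, config_client=client))
    print(client.calls)
```

Keeping the decision in evaluate_compliance, separate from the handler that parses the event and calls PutEvaluations, is what makes the rule logic testable without an AWS account; the same split works for periodic rules, where the handler lists resources itself instead of reading one configuration item from the event.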
Security in AWS Config:
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to AWS Config, see AWS Services in Scope by Compliance Program.
Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your organization's requirements, and applicable laws and regulations.