Amazon Config Features

Amazon Config provides you with pre-built rules for evaluating provisioning and configuring of your Amazon Web Services resources as well as software within managed instances, including Amazon EC2 instances and servers running on-premises. You can customize pre-built rules to evaluate your Amazon Web Services resource configurations and configuration changes, or create your own custom rules in Amazon Lambda that define your internal best practices and guidelines for resource configurations. Using Config, you can assess your resource configurations and resource changes for compliance against the built-in or custom rules.

Amazon Config records details of changes to your Amazon Web Services resources to provide you with a configuration history. You can use the Amazon Management Console, API, or CLI to obtain details of what a resource’s configuration looked like at any point in the past. Config will also automatically deliver a configuration history file to the Amazon S3 bucket you specify.

Amazon Config enables you to record software configuration changes within your Amazon EC2 instances and servers running on-premises, as well as servers and Virtual Machines in environments provided by other cloud providers. With Config, you gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration and more. Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances.

Amazon Config can provide you with a configuration snapshot - a point-in-time capture of all your resources and their configurations. Configuration snapshots are generated on demand via the Amazon CLI or API and delivered to the Amazon S3 bucket you specify.

Amazon Config discovers, maps and tracks Amazon Web Services resource relationships in your account. For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, Config records the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.

Amazon Config provides you a visual dashboard to help you quickly spot non-compliant resources and take appropriate action. IT Administrators, Security Experts, and Compliance Officers can see a shared view of your Amazon Web Services resources compliance posture.

You can choose from numerous Amazon Web Services Partner Network (APN) partners who provide solutions that integrate with Amazon Config for resource discovery, change management, compliance or security.

Multi-account, multi-Region data aggregation is a capability on Amazon Config that enables centralized auditing and governance. It gives you an enterprise-wide view of your Amazon Config rule compliance status, and you can associate your Amazon Organization to quickly add your accounts. The aggregated dashboard on Amazon Config will display the total count of non-compliant rules across your organization, the top five non-compliant rules by number of resources, and the top five accounts that have the highest number of non-compliant rules. You can then drill down to view details about the resources that are violating the rule and the list of rules that are being violated by an account.