Amazon Config is a fully managed service that provides you with an Amazon Web Services resource inventory, configuration history, and configuration change notifications to enable security and governance. With Amazon Config you can discover existing Amazon Web Services resources, export a complete inventory of your Amazon Web Services resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Amazon Config makes it easy to track your resource’s configuration without the need for up-front investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable Amazon Config, you can view continuously updated details of all configuration attributes associated with Amazon Web Services resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change.
Amazon Config gives you access to resource configuration history. You can relate configuration changes with Amazon CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as “Who made the change?”, “From what IP address?” to the effect of this change on Amazon Web Services resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time.
Amazon Config gives you access to resource configuration history. You can relate configuration changes with Amazon CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as “Who made the change?”, “From what IP address?” to the effect of this change on Amazon Web Services resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time.
Q: Can I monitor compliance information of multiple accounts and Regions through a central account?
Amazon Config makes it easier to monitor compliance status across multiple accounts and Regions using the multi-account, multi-Region data aggregation capability. You can create a configuration aggregator in any account and aggregate the compliance details from other accounts. This capability is also leveraged on Amazon Organizations, so you can aggregate data from all accounts within your organization.
Q: How does Amazon Config work with Amazon CloudTrail?
Amazon CloudTrail records user API activity on your account and allows you to access information about this activity. You get full details about API actions, such as identity of the caller, the time of the API call, the request parameters, and the response elements returned by the Amazon Web Services service. Amazon Config records point-in-time configuration details for your Amazon Web Services resources as Configuration Items (CIs). You can use a CI to answer “What did my Amazon Web Services resource look like?” at a point in time. You can use Amazon CloudTrail to answer “Who made an API call to modify this resource?” For example, you can use the Amazon Management Console for Amazon Config to detect security group “Production-DB” was incorrectly configured in the past. Using the integrated Amazon CloudTrail information, you can pinpoint which user misconfigured “Production-DB” security group.
The quickest way to get started with Amazon Config is to use the Amazon Management Console. You can turn on Amazon Config in a few clicks. For additional details, see the Getting Started documentation.
Q: Can Amazon Config aggregate data across different Amazon Web Services accounts?
Yes, you can set up Amazon Config to deliver configuration updates from different accounts to one S3 bucket, once the appropriate IAM policies are applied to the S3 bucket. You can also publish notifications to the one SNS Topic, within the same region, once appropriate IAM policies are applied to the SNS Topic.
Q: What time and timezones are displayed in the timeline view of a resource? What about daylight savings?
Amazon Config displays the time at which Configuration Items (CIs) were recorded for a resource on a timeline. All times are captured in Coordinated Universal Time (UTC). When the timeline is visualized on the management console, the services uses the current time zone (adjusted for daylight savings, if relevant) to display all times in the timeline view.
Q: What are Amazon Config relationships and how are they used?
Amazon Config takes the relationships among resources into account when recording changes. For example, if a new Amazon EC2 Security Group is associated with an Amazon EC2 Instance, Amazon Config records the updated configurations of both the primary resource, the Amazon EC2 Security Group, and related resources, such as the Amazon EC2 Instance, if these resources actually changed.
Q: Does Amazon Config record every state a resource has been in?
Amazon Config detects change to resource's configuration and records the configuration state that resulted from that change. In cases where several configuration changes are made to a resource in quick succession (e.g. within a span of few minutes), Config will only record the latest configuration of that resource that represents cumulative impact of the set of changes. In these situations, Config will only list the latest change in the relatedEvents field of the Configuration Item.This allows users and programs to continue to change infrastructure configurations without having to wait for Config to record intermediate transient states.
Q: Does Amazon Config record configuration changes that did not result from API activity on that resource?
Yes, Amazon Config will regularly scan configuration of resources for changes that haven't yet been recorded and record these changes. CIs recorded from these scans will not have a relatedEvent field in the payload, and only the latest state that is different from the state already recorded is picked up.
Configuration of a resource is defined by the data included in the Configuration Item (CI) of Amazon Config. The initial release of Config Rules makes the CI for a resource available to relevant rules. Config Rules can use this information along with any other relevant information such as other attached resource, business hours, etc. to evaluate compliance of a resource’s configuration.
A rule represents desired Configuration Item (CI) attribute values for resources and are evaluated by comparing those attribute values with CIs recorded by Amazon Config. There are two types of rules:
Amazon Web Services managed rules: Amazon Web Services managed rules are pre-built and managed by Amazon Web Services. You simply choose the rule you want to enable, then supply a few configuration parameters to get started.
Customer managed rules: Customer managed rules are custom rules, defined and built by you. You can create a function in Amazon Lambda that can be invoked as part of a custom rule and these functions execute in your account.
The quickest way to get started with Amazon Config is to use the Amazon Management Console. You can turn on Amazon Config in a few clicks. For additional details, see the documentation.
Rules are typically set up by the Amazon Web Services account administrator. They can be created by leveraging Amazon Web Services managed rules – a predefined set of rules provided by Amazon Web Services or through customer managed rules. With Amazon Web Services managed rules updates to the rule are automatically applied to any account using that rule. In the customer-managed model, the customer has a full copy of the rule, and executes the rule within his/her own account. These rules are maintained by the customer.
You can create up to 50 rules in your Amazon Web Services account by default. Additionally, you can request an increase for the limit on the number of rules in your account by visiting the Amazon Web Services Service Limits page.
Any rule can be setup as a change-triggered rule or as a periodic rule. A change-triggered rule is executed when Amazon Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:
Tag Key:(optional Value): A tag key:value implies any configuration changes recorded for resources with the specified tag key:value will trigger an evaluation of the rule.
Resource type(s): Any configuration changes recorded for any resource within the specified resource type(s) will trigger an evaluation the rule.
Resource ID: Any changes recorded to the resource specified by the resource type and resource ID will trigger an evaluation of the rule.
A periodic rule is triggered at a specified frequency. Available frequencies are 1hr, 3hr, 6hr, 12hr or 24hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.
Evaluation of a rule determines whether a rule is compliant with a resource at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. Config Rules will capture and store the result of each evaluation. This result will include the resource, rule, time of evaluation and a link to Configuration Item (CI) that caused non-compliance.
A resource is compliant if complies with all rules that apply to it. Otherwise it is noncompliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with the rule. Otherwise it is noncompliant. In some cases, such as when inadequate permissions are available to the rule, an evaluation may not exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.
Q: What information does the Config Rules dashboard provide?
The Config Rules dashboard gives you an overview of resources tracked by Amazon Config, and a summary of current compliance by resource and by rule. When you view compliance by resource, you can determine if any rule that applies to the resource is currently not compliant. You can view compliance by rule, which tells you if any resource under the purview of the rule is currently non-compliant. Using these summary views, you can dive deeper into the Config timeline view of resources, to determine which configuration parameters changed. Using this dashboard, you can start with an overview and drill into fine-grained views that give you full information about changes in compliance status, and which changes caused non-compliance.
Q: What is multi-account, multi-Region data aggregation?
Data aggregation on Amazon Config helps you aggregate Amazon Config data from multiple accounts and Regions into a single account and a single Region. Multi-account data aggregation is useful for central IT administrators to monitor compliance for multiple accounts in the enterprise.
Q: Can I use the data aggregation capability to centrally provision Amazon Config rules across multiple accounts?
The data aggregation capability cannot be used for provisioning rules across multiple accounts. It is purely a reporting capability that provides visibility into your compliance. You can use Amazon CloudFormation StackSets to provision rules across accounts and Regions. Learn more in this blog link.
Q: How do I enable data aggregation in my account?
Once Amazon Config and Amazon Config rules are enabled in your account, and the accounts being aggregated, you can enable data aggregation by creating an aggregator in your account. Learn more.
An aggregator is an Amazon Config resource type that collects Amazon Config data from multiple accounts and Regions. Use an aggregator to view the resource configuration and compliance data recorded on Amazon Config for multiple accounts and Regions.
Q: What information does the aggregated view provide?
The aggregated view displays the total count of non-compliant rules across the organization, the top five non-compliant rules by number of resources, and the top five accounts that have the highest number of non-compliant rules. You can then drill down to view more details about the resources that are violating the rule and the list of rules that are being violated by an account.
Q: I am not an Amazon Organizations customer. Can I still use the data aggregation capability?
You can specify the accounts to aggregate the Amazon Config data from by uploading a file or by individually entering accounts. Note that since these accounts are not part of any Amazon organization, you will need each account to explicitly authorize the aggregator account. Learn more.
Q: I have only a single account, can I still take advantage of the data aggregation capability?
The data aggregation capability is useful for multi-Region aggregation as well. Thus, you can aggregate the Amazon Config data for your account across multiple Regions using this capability.
Q: In what Regions is the multi-account, multi-Region data aggregation capability available?
For details on the Regions where multi-account, multi-Region data aggregation is available, visit the Amazon Config Developer Guide: Multi-Account Multi-Region Data Aggregation.
Q: What if I have an account that includes a Region not supported by this feature?
When you create an aggregator, you specify the Regions from where you can aggregate data. This list shows only Regions where this feature is available. You can also select “all Regions,” in which case as soon as support is added in other Regions, it will automatically aggregate the data.
