Amazon Config Documentation

Amazon Config is designed to record details of changes to your Amazon Web Services resources to provide you with a configuration history. You can use the Amazon Web Services Management Console, API, or CLI to obtain details of what a resource’s configuration looked like in the past. Amazon Config will also deliver a configuration history file to the Amazon S3 bucket you specify.

Amazon Config is designed to help you to record software configuration changes within your Amazon EC2 instances and servers running on-premises, as well as servers and Virtual Machines in environments provided by other cloud providers. With Amazon Config, you gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration and more. Amazon Config is also designed to provide a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances.

Amazon Config is designed to discover, map and track Amazon Web Services resource relationships in your account. For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, Amazon Config is designed to record the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.

Amazon Config provides you with pre-built rules designed to evaluate provisioning and configuring of your Amazon Web Services resources as well as software within managed instances, including Amazon EC2 instances and servers running on-premises. You can customize pre-built rules to evaluate your Amazon Web Services resource configurations and configuration changes, or create your own custom rules in Amazon Lambda that define your internal best practices and guidelines for resource configurations. Using Amazon Config, you can assess your resource configurations and resource changes for compliance against the built-in or custom rules.

Conformance packs help you manage compliance of your Amazon Web Services resource configuration at scale—from policy definition to auditing and aggregated reporting—using a common framework and packaging model. Conformance packs are integrated with Amazon Organizations. Using conformance packs as your compliance framework, you can package a collection of Amazon Config rules and remediation actions into a single entity (known as a conformance pack) and deploy it across an entire organization. This is particularly useful if you need to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way.

Conformance packs also provide compliance scores. A compliance score is a percentage-based score that helps you discern the level to which your resources are compliant for a set of requirements that are captured within the scope of a conformance pack. A compliance score is calculated based on the number of rule-to-resource combinations that are compliant within the scope of a conformance pack. For example, a conformance pack with 5 rules applying to 5 resources has 25 (5x5) possible rule-resource combinations. If 2 resources are not compliant with 2 rules, the compliance score would be 84%, indicating that 21 out of 25 rule-resource combinations are currently in compliance. Further, compliance scores are emitted to Amazon CloudWatch metrics, which allows for tracking over time. Compliance scores offer a measurement to track remediation progress, perform comparisons across different sets of requirements, and see the impact a specific change or deployment has on your compliance posture. 

Multi-account, multi-region data aggregation is a capability in Amazon Config that enables centralized auditing and governance. It is designed to provide you an enterprise-wide view of your Amazon Config rule compliance status, and you can associate your Amazon Organization to quickly add your accounts. The aggregated dashboard in Amazon Config is designed to display the total count of non-compliant rules across your organization, the top five non-compliant rules by number of resources, and the top five Amazon Web Services accounts that have the greatest number of non-compliant rules. You can then drill down to view details about the resources that are violating the rule, and the list of rules that are being violated by an account.

Amazon Config supports extensibility by allowing you to publish the configuration of third-party resources into Amazon Config using our public APIs. Examples of third-party resources include version control systems such as GitHub, Microsoft Active Directory resources or any on-premises server. Amazon Config enables you to view and monitor the resource inventory and configuration history of these third-party resources using the Amazon Config console and APIs, like you do for Amazon Web Services resources. You can also create Amazon Config rules or conformance packs to help you evaluate these third-party resources against best practices, internal policies, and regulatory policies.

Amazon Config is designed to provide you with a configuration snapshot—a point-in-time capture of your resources and their configurations. Configuration snapshots are generated on demand via the Amazon CLI or API and delivered to the Amazon S3 bucket you specify.

Amazon Config provides you a visual dashboard to help you quickly spot non-compliant resources and take appropriate action. IT Administrators, Security Experts, and Compliance Officers can see a shared view of your Amazon Web Services resources compliance posture.

You can choose from numerous Amazon Partner Network (APN) partners who provide solutions that integrate with Amazon Config for resource discovery, change management, compliance, or security.

IT Service Management (ITSM) tools, such as Jira Service Desk, can connect with Amazon Config to make it easier for ITSM platform users to request and manage services of Amazon Web Services and resources. The Amazon Service Management Connector for Jira Service Desk provides Jira Service Desk administrators governance and oversight over their Amazon Web Services products.

Amazon Config integrates with Amazon CloudTrail to help you correlate configuration changes to particular events in your account. You can use the CloudTrail logs to obtain the details of the event that invoked the change, including who made the request, at what time, and from which IP address. You can navigate to the Amazon Config timeline from the Amazon CloudTrail console to view the configuration changes related to your Amazon API activities.

Amazon Security Hub is designed to centralize security checks from other services of Amazon Web Services, including Amazon Config rules. Security Hub enables and controls Config rules to help ensure your resource configurations are aligned to best practices. Enable Config on all  accounts in all China Regions where Security Hub is in order to run security checks on your environment’s resources.

Amazon Audit Manager helps you continuously audit your Amazon Web Services usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager provides evidence collection, so you can configure a control data source, such as Amazon Config, to collect evidence.

Amazon Config integrates with Amazon Systems Manager to help you record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. Amazon Config is also designed to provide a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances. You can navigate to the Amazon Config timeline from the Systems Manager console to view the configuration changes of your managed EC2 instances. 

Amazon Config integrates with Amazon EC2 Dedicated Hosts to help you assess license compliance. Amazon Config records when instances are launched, stopped, or terminated on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets and physical cores. This enables you to use Amazon Config as a data source for your license reporting. You can navigate to the Amazon Config timeline from the Amazon EC2 Dedicated Hosts console to view the configuration changes of your Amazon EC2 Dedicated Hosts.

Amazon Config integrates with Elastic Load Balancing (ELB) service to help you record configuration changes to Application Load Balancers. Amazon Config also includes relationships with associated EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting. For example, you can check which security groups are associated with your application load balancer at any point in time. You can navigate to the Amazon Config timeline from the ELB console to view the configuration changes of your Application Load Balancers.

You can use Amazon Organizations to help you define the accounts to use for Amazon Config’s multi-account, multi-region data aggregation capability. By providing your Amazon Organizations details, the service is designed to help you monitor the compliance status across your organization.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.