Skip to the content.
AWS Devops Engineer Professional
AWS Config
- Helps with auditing and recording compliance of AWS resources
- Helps record configurations and changes over time
- Provides the ability of storing the configuration data into S3 where it can be analyzed by Athena
- Problems AWS Config Solves:
- Check if there is unrestricted SSH access to a security group
- Check if buckets have public access
- Find out how did an ALB configuration change over time
- We can receive alerts (SNS notifications) for any change
- AWS Config is a per region service, but it can be aggregated across regions and accounts
AWS Config Resource
- Ability to view the compliance of a resource over time
- Ability to view configuration of a resource over time
- View CloudTrails API calls if enabled
AWS Config Rules
- AWS provides a set of managed config rules (over 75) which can be used by the users
- Users can also make custom config rules (a rule must be defined using AWS Lambda)
- Example of custom rules user can make:
- Evaluate if each EBS disk is of type GP2
- Evaluate if each EC2 instance is of type t2.micro
- Rules can be evaluated/triggered:
- For each config change (Configuration change)
- At regular time intervals (Periodic)
- Evaluation of rules can trigger CloudWatch events if the rule is non-compliant
- Rules can have auto remediations: if a resource is not compliant, the is an option to trigger auto remediation, example: stop instances with non-approved tags
- AWS Config Rules do not prevent actions from happening (no deny)
- Custom rules:
- We can create custom rules which will be managed by us
- In order to create a custom rule, we have to create a Lambda function which will check if a resource is compliant or not
- Trigger types for custom rules are same as for managed rules:
- Configuration change
- Periodic
- Scope of the trigger: we can define for which resource does the rule apply, example database instance, EC2 instance, etc. We can use tags as well instead of resource types
AWS Config Automation
- We can configure config to stream configuration changes and notifications to an SNS topic
- AWS Config sends notifications for the following events:
- Configuration item change for resource
- Configuration history delivered for an account
- Configuration snapshot was started and delivered for an account
- Compliance state of resources
- Evaluation started for a rule
- Config failed to deliver the notification for an account
- Config rules have integration with CloudWatch Events
- Remediation capability in Config Rules: rules have a remediation action option, where we can run a SSM document to address a non-compliant warning
AWS Config Multi-Account Multi-Region Data Aggregation
- A aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:
- Multiple accounts and multiple regions
- Single account and multiple regions
- An organization in AWS Organizations and all the accounts in that organization
CloudWatch vs CloudTrail vs Config
- CloudWatch
- Performance monitoring (metrics, CPU, network, etc.) and dashboards
- Events and alerting
- Log aggregation and analysis
- CloudTrail
- Record API calls made within an account
- Define trails for specific resources
- It is a global service
- Config
- Record configuration changes
- Evaluate resources against compliance rules
- Get timeline of changes and compliance