2.6.4. AWS Config
First Principle: AWS Config continuously monitors and records AWS resource configurations and their changes over time, enabling auditing, compliance assessment, and identification of "configuration drift."
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
Key Characteristics of AWS Config:
- Continuous Monitoring: Tracks changes to resource configurations over time, creating a detailed history.
- Configuration History: Provides a timeline of configuration changes for each resource, useful for auditing and troubleshooting.
- Config Rules: Predefined or custom rules that continuously evaluate whether your AWS resource configurations comply with desired settings.
  - Managed Rules: Predefined by AWS for common best practices (e.g., s3-bucket-public-read-prohibited to enforce private S3 buckets).
  - Custom Rules: Defined using AWS Lambda functions for highly specific or complex compliance requirements.
- Compliance Assessment: Assesses configurations against Config Rules, alerting you to non-compliant resources.
- Configuration Drift Detection: Identifies when actual resource configurations deviate from an expected (e.g., CloudFormation) state.
Scenario: A company needs to ensure that all its S3 buckets remain encrypted and are not publicly accessible. They also want to track every change made to their EC2 instances over time for auditing.
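The scenario above maps onto the two halves of AWS Config described in this section: a Config Rule that judges each recorded S3 bucket configuration, and the configuration history that shows what changed on an EC2 instance. The block below is an added example, not AWS code or code from this guide. It assumes the configuration-item shape that AWS Config hands to a custom-rule Lambda (camelCase keys under supplementaryConfiguration); the sample items, bucket names, account id, security-group ids and resultToken are constructed placeholders, and the put_evaluations call a deployed rule would make is left out so the code runs offline.

```python
"""Custom AWS Config rule logic (S3 encryption + Block Public Access) and a
configuration-history diff for drift review. Added example; shapes and sample
data are assumptions/constructed, not captured from a real account."""
import json


def _load(supp, key):
    """supplementaryConfiguration values arrive as JSON strings; accept dicts too."""
    value = supp.get(key)
    if value is None:
        return None
    return json.loads(value) if isinstance(value, str) else value


def evaluate_s3_bucket(item):
    """Return (complianceType, annotation) for one AWS::S3::Bucket item.

    COMPLIANT only if default encryption is set AND all four Block Public
    Access flags are true. Missing data counts as a failure (deny by default)."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    supp = item.get("supplementaryConfiguration") or {}
    problems = []

    sse = _load(supp, "ServerSideEncryptionConfiguration") or {}
    algorithms = [(r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
                  for r in sse.get("rules") or []]
    if not any(algorithms):
        problems.append("no default encryption configured")

    pab = _load(supp, "PublicAccessBlockConfiguration") or {}
    for flag in ("blockPublicAcls", "ignorePublicAcls",
                 "blockPublicPolicy", "restrictPublicBuckets"):
        if pab.get(flag) is not True:
            problems.append(f"{flag} is not enabled")

    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "encrypted and public access blocked"


def lambda_handler(event, context=None):
    """Handler shape for a custom rule. A deployed Lambda would send the returned
    evaluation via config.put_evaluations(..., ResultToken=event["resultToken"])."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_s3_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def diff_configuration(old, new, prefix=""):
    """Compare two configuration snapshots from the history; return
    {dotted.path: (before, after)} for every changed key (the drift view)."""
    changes = {}
    for k in sorted(set(old) | set(new)):
        a, b, path = old.get(k), new.get(k), f"{prefix}{k}"
        if isinstance(a, dict) and isinstance(b, dict):
            changes.update(diff_configuration(a, b, path + "."))
        elif a != b:
            changes[path] = (a, b)
    return changes


# Constructed sample configuration items (placeholders, not real resources).
GOOD_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-good-bucket",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": json.dumps({"rules": [{
            "applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                   "kmsMasterKeyID": "placeholder-key-id"}}]}),
        "PublicAccessBlockConfiguration": json.dumps({
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": True, "restrictPublicBuckets": True}),
    },
}
BAD_BUCKET = {  # no encryption block at all, and two BPA flags off
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-bad-bucket",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": json.dumps({
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": False, "restrictPublicBuckets": False}),
    },
}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": BAD_BUCKET}),
                "resultToken": "constructed-token"}
# Two EC2 history snapshots (constructed): the instance profile was swapped
# and a second security group attached between captures.
EC2_BEFORE = {"instanceType": "t3.micro",
              "iamInstanceProfile": {"arn": "arn:aws:iam::123456789012:instance-profile/app-ro"},
              "securityGroups": [{"groupId": "sg-0000000000000001"}]}
EC2_AFTER = {"instanceType": "t3.micro",
             "iamInstanceProfile": {"arn": "arn:aws:iam::123456789012:instance-profile/app-admin"},
             "securityGroups": [{"groupId": "sg-0000000000000001"},
                                {"groupId": "sg-0000000000000002"}]}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
    print(diff_configuration(EC2_BEFORE, EC2_AFTER))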
Reflection Question: How does AWS Config, by continuously monitoring and recording AWS resource configurations and evaluating them against Config Rules, fundamentally enable auditing, compliance assessment, and identification of "configuration drift" in your AWS account?