Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.2.2. Configuration Management Services (AWS Config)

AWS Config answers the question: "What is the current configuration of my resources, and how has it changed over time?"

Config resource tracking:
  • Records configuration changes for 350+ AWS resource types
  • Maintains a timeline of every configuration state
  • Stores configuration snapshots in S3 for historical analysis
  • Relationships: tracks how resources are connected (EC2 ↔ Security Group ↔ VPC)

Config queries (Advanced Query) let you search across your resource inventory:

-- Find all public-facing EC2 instances
SELECT resourceId, resourceName, configuration.publicIpAddress
WHERE resourceType = 'AWS::EC2::Instance'
  AND configuration.publicIpAddress IS NOT NULL

-- Find all S3 buckets with no default encryption configured
-- (for AWS::S3::Bucket, Config records the encryption settings under
--  supplementaryConfiguration, not under configuration)
SELECT resourceId, resourceName
WHERE resourceType = 'AWS::S3::Bucket'
  AND supplementaryConfiguration.ServerSideEncryptionConfiguration IS NULL

Config vs. CloudTrail for investigations:
  • Config: "What is the current security group configuration?" / "What was it on January 15?"
  • CloudTrail: "Who modified the security group and when?"
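The two queries above and the "what was it on January 15?" question, reproduced locally in Python as an added example (this is not AWS code and not the Advanced Query engine; it runs the same selections over configuration items held in memory). The items are constructed to follow the shape of Config configuration items (resourceType, resourceId, configuration, supplementaryConfiguration, relationships, configurationItemCaptureTime); the `ci` helper, every ID, address and timestamp are made up for the example.

```python
"""Local reproduction of the two Config queries and of the point-in-time lookup.
Added example for this page, not AWS code. Configuration items are constructed
to follow Config's item shape; all IDs, addresses and timestamps are invented."""
from datetime import datetime


def ci(rtype, rid, configuration, supplementary=None, relationships=()):
    """Build a minimal configuration item (helper for this example; real items carry more fields)."""
    return {"resourceType": rtype, "resourceId": rid, "resourceName": rid,
            "configuration": configuration,
            "supplementaryConfiguration": supplementary or {},
            "relationships": [{"resourceType": t, "resourceId": i} for t, i in relationships]}


# Constructed snapshot of one account's inventory.
SNAPSHOT = [
    ci("AWS::EC2::Instance", "i-0aaa111", {"publicIpAddress": "198.51.100.10"},
       relationships=[("AWS::EC2::SecurityGroup", "sg-0web"), ("AWS::EC2::VPC", "vpc-0abc")]),
    ci("AWS::EC2::Instance", "i-0bbb222", {"publicIpAddress": None},
       relationships=[("AWS::EC2::SecurityGroup", "sg-0db"), ("AWS::EC2::VPC", "vpc-0abc")]),
    ci("AWS::S3::Bucket", "logs-encrypted", {"name": "logs-encrypted"},
       supplementary={"ServerSideEncryptionConfiguration": {"rules": [
           {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}}),
    ci("AWS::S3::Bucket", "scratch-plain", {"name": "scratch-plain"}),
]


def public_ec2(items):
    """Same selection as the first query: instances that hold a public IP."""
    return [(i["resourceId"], i["configuration"]["publicIpAddress"])
            for i in items
            if i["resourceType"] == "AWS::EC2::Instance"
            and i["configuration"].get("publicIpAddress") is not None]


def unencrypted_buckets(items):
    """Same selection as the second query: buckets with no default encryption.
    For S3 the encryption settings sit under supplementaryConfiguration."""
    return [i["resourceId"] for i in items
            if i["resourceType"] == "AWS::S3::Bucket"
            and i["supplementaryConfiguration"].get("ServerSideEncryptionConfiguration") is None]


def related(items, resource_id, rtype):
    """Follow a resource's recorded relationships (EC2 -> SG, EC2 -> VPC)."""
    for i in items:
        if i["resourceId"] == resource_id:
            return sorted(r["resourceId"] for r in i["relationships"]
                          if r["resourceType"] == rtype)
    return []


# Constructed configuration history of one security group: one entry per change
# Config captured, oldest first. The second entry opens 443 to the internet.
SG_HISTORY = [
    {"configurationItemCaptureTime": "2026-01-10T09:00:00Z",
     "configuration": {"ipPermissions": [{"fromPort": 443, "ipRanges": ["10.0.0.0/8"]}]}},
    {"configurationItemCaptureTime": "2026-01-20T14:30:00Z",
     "configuration": {"ipPermissions": [{"fromPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
]


def _ts(iso):
    """Parse an ISO 8601 UTC timestamp of the form Config emits."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def state_at(history, when):
    """Configuration in effect at `when`: the latest item captured at or before
    that instant, or None if the resource had not been recorded yet."""
    cutoff = _ts(when)
    current = None
    for item in sorted(history, key=lambda h: _ts(h["configurationItemCaptureTime"])):
        if _ts(item["configurationItemCaptureTime"]) <= cutoff:
            current = item["configuration"]
    return current


if __name__ == "__main__":
    print("public EC2:", public_ec2(SNAPSHOT))
    print("unencrypted buckets:", unencrypted_buckets(SNAPSHOT))
    print("SGs on i-0aaa111:", related(SNAPSHOT, "i-0aaa111", "AWS::EC2::SecurityGroup"))
    print("SG on Jan 15:", state_at(SG_HISTORY, "2026-01-15T00:00:00Z"))
```

`state_at` is the point Config answers and CloudTrail does not: the history shows the group was still restricted to 10.0.0.0/8 on January 15 and open to 0.0.0.0/0 by January 25, while the question of who made that change is one for CloudTrail.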

Multi-account Config: Deploy Config across all accounts with:

  1. Organization aggregator for centralized compliance view
  2. Organization Config rules for consistent governance
  3. Delegated administrator account to manage Config without the management account

Exam Trap: Config charges per configuration item recorded and per rule evaluation. In a large account with frequent changes, costs can be significant. Use Config recording settings to limit which resource types are recorded — don't record everything if you only need to track security-relevant resources (EC2, Security Groups, IAM, S3).
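The recording-scope setting the trap describes, as an added example written for this page (not AWS or MindMesh code): the record-everything recording group beside a scoped one limited to the security-relevant types named above. The dictionary follows the ConfigurationRecorder parameter of the ConfigService put_configuration_recorder API; the recorder name and role ARN are placeholders, and the client is passed in so the function can be exercised with a stub instead of a live AWS account.

```python
"""Scope the Config recorder to security-relevant resource types.
Added example for this page, not AWS code. The request shape is that of the
ConfigService put_configuration_recorder API; name and role ARN are placeholders."""
import re

# Costly setting: every supported type in the region, plus global resources (IAM).
RECORD_EVERYTHING = {"allSupported": True, "includeGlobalResourceTypes": True}

# Types the page calls security-relevant. IAM resources are global: list them in
# one region's recorder only, or every region records the same items again.
SECURITY_TYPES = [
    "AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC",
    "AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Policy",
    "AWS::S3::Bucket",
]

_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")


def scoped_recording_group(resource_types):
    """Corrected setting: record only an explicit list of resource types.
    A malformed type name raises instead of silently leaving a type unrecorded."""
    bad = [t for t in resource_types if not _TYPE_RE.match(t)]
    if bad:
        raise ValueError(f"not Config resource type names: {bad}")
    return {"allSupported": False, "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(set(resource_types))}


def recorder_request(role_arn, resource_types, name="default"):
    """Keyword arguments for client.put_configuration_recorder(**request)."""
    return {"ConfigurationRecorder": {"name": name, "roleARN": role_arn,
                                      "recordingGroup": scoped_recording_group(resource_types)}}


def apply_scope(client, role_arn, resource_types):
    """Apply the scoped recorder. `client` is a boto3 ConfigService client, or any
    object exposing put_configuration_recorder (a stub in tests)."""
    request = recorder_request(role_arn, resource_types)
    client.put_configuration_recorder(**request)
    return request


if __name__ == "__main__":
    # Placeholder ARN; replace with the recorder's service role in a real account.
    import json
    print(json.dumps(recorder_request("arn:aws:iam::123456789012:role/ConfigRole",
                                      SECURITY_TYPES), indent=2))
```

Whichever group is chosen, the recorder still emits one configuration item per change to each recorded resource, so the list of types is the lever on the per-item charge; the per-rule-evaluation charge is controlled separately by how many rules are deployed and how often they trigger.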

Written by Alvin Varughese • Founder • 15 professional certifications