Track your resource configuration changes with AWS Config

AWS Config provides the complete visibility over the deployment and tracking of resources. It checks the inventory changes and identifies the deleted resources. It analyses the compliance of the desired rule against the deployed configuration and respond to security incidents without distorting end user. It helps in troubleshooting the misconfigured resources.

AWS Config enables users to get a complete view of the configuration of AWS resources in associated with your AWS account. This enables to understand the relationship among all the resources and their configurations.

AWS Config uses AWS CloudTrail to record configuration changes and interdependencies of resources.

Why AWS Config ?

In AWS Config rules, IT admin provides desired configuration settings for all your resources. These rules are compared with the current deployment to provide an analysis. This result shows how your current deployment is configured and how it should be configured.

Sometimes, conflicts occur between the configurations showing the noncompliance in the configuration. This helps the administrators to figure out the misconfigured resources and fix it.

What is AWS Config Rules?

An AWS Config rule can be explained as the desired configuration setting for specific AWS resources or for an entire AWS account. AWS Config captures configuration changes as configuration items, it checks whether each configuration change complies with desired rules.

There are two kinds of config rules,

• Pre-built rules which are mainly for common use cases
• Custom rules where you can write a lambda function and trigger it. This lambda function contains a logic which evaluates whether your AWS Resources will comply with the rule.

AWS Config records the configuration changes which is happening in your account and can either be configured to send SNS notifications or it can be viewed on AWS Config dashboard for compliance and resource changes.

Capabilities of AWS Config

• You can view how different resources are connected and how a configuration change to one affects other resources.
• Monitor continuous compliance with rules that you have created.

Use Cases

The following explains the use cases on where to apply AWS config rules :

• Security analysis: Are my configurations safe?

AWS Config continuously monitors configuration changes and helps you evaluate these configurations.

• Change management: What will this change affect?

Here you can find out how the changes can affect the other related resources when it is misconfigured in our current deployment.

• Troubleshooting: What has changed?

When changes in the resource configuration show noncompliance, a walk-through of the changes history from AWS Config dashboard will help to fix the misconfiguration.

• Discovery: What resources exist?

Discover resources that exists in your account. A complete inventory of all resources and their configuration attributes is available via API and console.

Checking compliance of instance against VPC

Here we will create Config rule that inspects whether instances are under a particular VPC. If this is the case, the rule shows compliance otherwise, it is not.

1.Login into AWS Console and select Config under the Management Tools section.

2.Select ec2-instances-in-vpc which is existing rule with config(AWS Config rule only available in N.Virginia)

3.Give a name for your config rule and modify the scope of changes to Resources to filter the resources.

4. Select EC2 instance in resources field and give your instance-id in the next field provided , Since you are checking compliance against your VPC you have to give your VPC ID in the Rule parameter for key/value pair.

5.Config rule gets into effect once you click on save. Here you can see rule shows Compliant.

6.We can view the timeline and investigate the changes that have been made to the instance at the resource level.

7. We can view how different resources are related to the EC2-instance.

8. You can also track the changes made to the related resources, in my case I have made changes to the Security Groups and Network Interface.

9. We can also use the Config Console to look at the compliance status of all instances or any particular instance.

10. In settings, you can change the S3 bucket name to store the Config records.

Advantages of AWS Config

• Continuously evaluating all the resources in your AWS account
• Can have custom rule using lambda function for compliance purpose.
• Easily configured to find the misconfiguration done in deployment.
• Can figure out the Security Vulnerabilities when AWS Config reports noncompliance.

Pricing for AWS Config

In AWS Config, you are charged for the number of resources to be tracked and configuration changes recorded for desired resources (denoted as Configuration Items) in AWS. There are no agreements, you can stop recording Configuration items at any time.

Pay once for each Configuration Item record, which is $0.003/Configuration Item.Charges also apply for S3 for the storage of Configuration snapshots, Configuration history files and notifications delivered via SNS.

Hope this blog provides a walk-through of the new service AWS Config which might help you to kick start the tracking process of your Resource Inventories in AWS.

WRITTEN BY CloudThat