Amazon Web Services: What Is AWS Config?
AWS Config is a managed service that provides auditing and compliance, configuration history, and a resource inventory with relationships across your AWS infrastructure. It gives auditors and security teams valuable information, and it also helps determine why the state of an instance or application recently changed. Config works by taking JSON ‘snapshots’ of resource configurations and comparing the original to later ‘snapshots.’ Config also writes these JSON files to an S3 bucket of your choosing, so you can give your auditing team read-only access and ensure that changes are audited.
As an example, assume your application running on AWS suddenly becomes unavailable to your customers. Rather than logging into the console and troubleshooting from scratch, you could use Config to pinpoint the changes up to a given moment and quickly determine what was changed and who changed it. This helps teams maintain a much lower MTTR and get the application back online. In this example, it would be easy to see that somebody removed an Elastic IP or modified a security group.
The timeline feature for individual resources is relatively powerful, giving you a breakdown of all changes and when they happened. It even provides you with a direct link to the CloudWatch event to view more information on a change. Let’s take a quick look at an EC2 instance timeline:
The relationship view gives a quick look at which other AWS resources are related to an object, making troubleshooting easier. As an example, let’s look at the relationships of an individual EC2 instance. You can see which other resources are connected to it, including the ENI, the SecurityGroup, the subnet it lives in, the volume(s) attached to the instance, and even which VPC the instance is assigned to.
As you may be aware, Security Groups can be applied to numerous EC2 instances and other AWS resources (such as RDS), so a change to a Security Group can affect a multitude of resources. In the screenshot below we’re looking at the relationships of a Security Group. In this example, you can easily see that changing the rules within this Security Group will immediately affect two separate instances.
If changes are made to a resource, Config provides easy access to exactly what changed. It displays both the original and the new configuration of the resource, giving you the information you need to make an informed decision about how to remediate an issue. In the example below, you can see that I modified a Security Group that initially allowed inbound SSH from the world (0.0.0.0/0) and restricted it to a particular host (10.10.10.10/32).
Furthermore, AWS Config Rules let you define the desired configuration for your infrastructure and evaluate a variety of resources against it. The results can be viewed on the Config Rules dashboard, and rules can also be configured to send SNS alerts when resources fall out of compliance. For example, if your security team requires that all EBS volumes be encrypted, you can configure a rule that evaluates every EBS volume for this requirement. AWS supplies 19 pre-configured rules to get you started, but you can set up your own custom rules across the majority of AWS resources.
In the example below, I’ve enabled two separate rules:
- Ensure all EBS volumes are encrypted.
- Ensure all allocated EIP addresses are attached to an instance or ELB.
Note: EIP addresses that are allocated but not attached to a resource incur hourly charges, so monitoring this can help keep costs down.
In the screenshot, it’s clear that I have EBS volumes that are not encrypted, which violates that AWS Config Rule. On the other hand, it looks like all allocated EIP addresses are attached to a resource, so that rule is compliant.
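To show what a custom rule actually decides, here is an added example (not the post’s own code) of the evaluation logic a custom Config rule Lambda would run for the two rules above. It assumes the configuration item field names of the AWS::EC2::Volume and AWS::EC2::EIP resource types; the sample events are constructed, and the PutEvaluations call that reports the verdict back to Config is omitted so the code runs offline.

```python
import json

# Added example, not the post's code: evaluation logic for a custom AWS
# Config rule Lambda that covers the two rules enabled above. Config invokes
# the function with an event whose "invokingEvent" is a JSON string holding
# the changed configurationItem. Reporting the verdict back to Config with
# PutEvaluations is omitted so the code runs offline.

def evaluate_item(item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    rtype = item["resourceType"]
    cfg = item.get("configuration") or {}  # None for a deleted resource
    if rtype == "AWS::EC2::Volume":
        # Rule 1: every EBS volume must be encrypted at rest.
        if cfg.get("encrypted") is True:
            return "COMPLIANT", "volume is encrypted"
        return "NON_COMPLIANT", "volume is not encrypted"
    if rtype == "AWS::EC2::EIP":
        # Rule 2: an allocated address must be associated with a resource;
        # an idle one has no associationId and still bills hourly.
        if cfg.get("associationId"):
            return "COMPLIANT", "address is associated"
        return "NON_COMPLIANT", "address allocated but not associated"
    return "NOT_APPLICABLE", "rule does not evaluate " + rtype

def lambda_handler(event: dict, context=None) -> dict:
    """Unpack the Config event and build one evaluation record."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_item(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def sample_event(resource_type, resource_id, configuration) -> dict:
    """Constructed stand-in for the event Config delivers to the rule."""
    item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2017-01-01T00:00:00.000Z",
        "configuration": configuration,
    }
    return {"invokingEvent": json.dumps({
        "configurationItem": item,
        "messageType": "ConfigurationItemChangeNotification"})}
```

Calling `lambda_handler(sample_event("AWS::EC2::Volume", "vol-0example1", {"encrypted": False}))` yields a NON_COMPLIANT record for that volume, which is what the dashboard above is reporting for the unencrypted volumes.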