8 AUG, 2017
Abstract:
One can find many posts on AWS Config across the internet. This post is intended to explain what the AWS Config service is, its use cases, key concepts, pricing model and how to get started.
When we manage our infrastructure through AWS, we create, modify and destroy various types of resources such as Elastic Compute Cloud (EC2) instances, Virtual Private Clouds (VPCs), Identity and Access Management (IAM) users and Elastic Block Store (EBS) volumes. In a large infrastructure it is hard to track change management: the status of each resource over time, auditing, and the relationships between the various types of resources. AWS Config addresses all of these needs.
AWS Config is a service that provides a detailed inventory of AWS resources and their current configuration while continuously recording changes. This makes it possible to evaluate these configurations and changes for compliance with the desired configurations defined by AWS Config Rules.
Resources: EC2 – Instance/Security Group (SG); VPC – Gateway/Subnet/Network Access Control List (NACL); EBS; IAM – User/Group/Role
Recording: Records changes to resource configurations
Normalization: Normalizes each resource change into a consistent format called a Configuration Item
Consuming Configuration Items: History per resource, Stream (delivered via SNS), Snapshot of all the configuration items captured for the resources in an account
Use Cases:
Security Analysis: AWS Config enables us to monitor resource configurations and evaluate them for potential security weaknesses.
For security management we need detailed historical information about our AWS resource configurations, such as the IAM permissions granted to our users, or the EC2 security group rules that control access to our resources. We can also use it to view the configuration of EC2 security groups and the port rules that were open at a specific time.
With these details we can determine the permissions that belonged to a user at a specific time: for example, we can see whether a particular user had permission to create or modify an S3 bucket on a particular day.
Audit Compliance:
Many compliance audits, for example Payment Card Industry (PCI) compliance, require access to the state of our systems, security groups and port rules. AWS Config delivers a complete inventory of configuration for any point in time from the recorded history, as a combination of attributes and their relationships.
Troubleshooting:
When an issue occurs, such as a resource going down, it is critical to be able to answer what has changed in the current architecture within a given time frame.
Discovery:
An inventory of all resources and their configuration is maintained, and it is available via the console or can be exported as JSON to S3.
Concepts:
Resources:
A resource is an AWS object that one can create, modify and delete on AWS, such as Amazon EC2 instances, security groups, network ACLs, VPCs and subnets.
Configuration Items:
A configuration item is the set of information about a supported AWS resource at a certain point in time: its metadata, attributes, relationships, current configuration and related events. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
Source: https://www.slideshare.net/AmazonWebServices/transparency-and-auditing-on-aws
Configuration Item – Metadata: sample JSON object of a configuration item
Configuration Item – Common Attributes: sample JSON object containing the attributes common across configuration items, such as awsRegion and resourceType
Configuration Item – Relationships: sample JSON object representing the relationship details between different AWS resources
Relationships:
A relationship is an association between two supported AWS resources. A bi-directional map of dependencies is built automatically, and a change to a resource propagates so that configuration items are also created for the related resources.
Source: https://www.slideshare.net/AmazonWebServices/transparency-and-auditing-on-aws
Configuration Stream:
The configuration stream is the stream of configuration items for all infrastructure changes in an account. Each item contains the configuration attributes that changed.
Configuration Snapshot:
A configuration snapshot is the collection of configuration items for all resources at a given point in time, which can be viewed on the console or fetched at once through the CLI together with their related resources. Snapshots can be generated on demand and exported to S3.
Configuration History:
The configuration history is the collection of configuration items for a given resource over a period of time. It is available on the console and in S3, where it can be used for further programmatic processing.
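The Security Analysis use case above ("which port rules were open at a specific time?") is answered by walking exactly this configuration history. The following is an added example, not code from the post: it reads a constructed, abbreviated history of one security group (three configuration items, with made-up resource ids and only the fields needed here) and answers that question for any instant, plus reports when a 0.0.0.0/0 rule first appeared.

```python
import json
from datetime import datetime, timezone
# Constructed sample (added example, not the post's own data): three configuration items for one security group; real items carry more fields.
HISTORY = json.loads("""[
 {"configurationItemCaptureTime": "2017-08-01T10:00:00.000Z", "configurationItemStatus": "ResourceDiscovered",
  "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd", "awsRegion": "us-east-1",
  "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0000aa11", "relationshipName": "Is contained in Vpc"}],
  "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
 {"configurationItemCaptureTime": "2017-08-03T15:30:00.000Z", "configurationItemStatus": "OK",
  "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd", "awsRegion": "us-east-1",
  "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0000aa11", "relationshipName": "Is contained in Vpc"}],
  "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
                                      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
 {"configurationItemCaptureTime": "2017-08-05T09:00:00.000Z", "configurationItemStatus": "OK",
  "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd", "awsRegion": "us-east-1",
  "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0000aa11", "relationshipName": "Is contained in Vpc"}],
  "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}}
]""")

def parse_time(iso):
    """Config timestamps are ISO-8601 with milliseconds and a trailing Z (UTC)."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def capture_time(ci):
    return parse_time(ci["configurationItemCaptureTime"])

def item_at(history, when):
    """Latest configuration item captured at or before `when`, or None if the resource was not yet recorded."""
    earlier = [ci for ci in history if capture_time(ci) <= when]
    return max(earlier, key=capture_time, default=None)

def ingress_rules(ci):
    """Flatten ipPermissions into (protocol, fromPort, toPort, cidr) tuples."""
    return {(p["ipProtocol"], p["fromPort"], p["toPort"], cidr)
            for p in ci["configuration"]["ipPermissions"] for cidr in p["ipRanges"]}

def rules_open_at(history, when_iso):
    """The Security Analysis question: which ingress rules were in force at a given instant?"""
    ci = item_at(history, parse_time(when_iso))
    return ingress_rules(ci) if ci else set()

def world_open_additions(history):
    """Walk the history in capture order; report when a 0.0.0.0/0 rule appeared that the previous item lacked."""
    found, previous = [], set()
    for ci in sorted(history, key=capture_time):
        added = {r for r in ingress_rules(ci) - previous if r[3] == "0.0.0.0/0"}
        if added:
            found.append((ci["configurationItemCaptureTime"], sorted(added)))
        previous = ingress_rules(ci)
    return found
```

The same functions work on a real history exported to S3 once the JSON is loaded, since they only rely on the capture time, ipPermissions and ipRanges fields of each item.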
AWS Config Service Command Line Interface (CLI) sample:
About the Author: This post was written by Pramod Pawar, a passionate techie at Tavisca Solutions whose passion for technology enables him to come up with the most creative technology solutions. He shares his technical knowledge through blogs and loves to explore new facets of technology.