AWS Config plays a major role while managing the compliance of your cloud infrastructure. It helps you keep track of all the configuration changes your infrastructure goes through over a period of time. AWS Config is capable of representing these changes in the form of a timeline.
Compliance plays a huge role in any organization. Why is it necessary for anything to be compliant? Well, compliance makes sure everything is in place from the point of view of policies, security, administration, and change management. Having such a view in place enables you to understand the vulnerabilities your infrastructure might be exposed to in the future.
With the help of compliance data, it is possible to track down and pinpoint non-compliant resources so that corrective action can be taken before any unplanned and unwanted activity occurs. AWS Config does just this. To a certain extent, compliance rules also embody the lessons an organization has learned in the past.
AWS Config helps you evaluate the security posture of your cloud infrastructure against a set of rules derived from security best practices and lessons learned in the past. You can create custom rules as well as use the existing rules provided by AWS for evaluation. Rules are evaluated either periodically or in response to configuration-change events.
Whenever a resource recorded by AWS Config is modified, the corresponding compliance rules are evaluated. Based on the evaluation, the resource is then marked as compliant or non-compliant. Every AWS Config rule is associated with a Lambda function that evaluates the resource. As mentioned before, you can use the pre-existing rules in AWS Config, or you can develop custom rules and write your own Lambda functions to evaluate the resource. The former are called managed rules and the latter custom rules.
When AWS Config is enabled for the first time in an AWS account, it discovers all supported resources and creates a configuration item for each of them. AWS Config supports a certain set of AWS resource types by default. These configuration items are the baseline against which future changes are tracked: after discovery, any change or update to an existing resource, or the creation of a new one, is recorded. Each change to a resource creates a new configuration item.
By defining compliance rules, we also define our baseline for configuration management. This baseline states the minimum configuration requirements a resource must meet to be considered compliant. If a resource does not meet them, it is marked as non-compliant and an appropriate reason is given.
Configuration items are stored as JSON objects that contain all the configuration details of a specific resource. Any modification to the resource is evaluated by Config rules, and the results of the evaluation are normalized into JSON objects of the same shape. The decision about whether a resource is compliant is made after normalization.
If the resource is compliant, the result is delivered to the specified S3 bucket. If it is not compliant, various actions can be triggered: the non-compliance is highlighted on the Config dashboard, or an SNS notification can be sent.
Along with the configuration history and the configuration items themselves, the Config recorder also stores the relationships between configuration items. This helps us map out and understand the potential impact of a change on any deployed service. Relationship changes are tracked in the change streams, which are likewise delivered to the S3 bucket.
To capture the latest configuration data of a resource, AWS Config makes use of Describe or List API calls. Whenever a resource is created, modified, or deleted, AWS Config makes a Describe or List API call and captures the latest information, which is then stored in the configuration item.
A configuration item in AWS Config consists of the following components:
- Metadata – This component stores information about the configuration item itself: when the configuration was captured, the version ID, the status of the capture, and the state of the configuration item of the resource.
- Attributes – This component holds the resource attributes, such as ID, tags, type, ARN, availability zone, and the time of creation.
- Relationships – This component records the relationships between this resource and other resources, if any. For example, if an EBS volume is attached to an EC2 instance, the ID of the EC2 instance can be found in this section.
- Current configuration – Any information returned by the Describe or List API call made for the resource.
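As an added example (not code from the original post), the Lambda function of a custom rule, as described above, and the structure of the configuration item it receives. The handler, event fields and `put_evaluations` call follow the custom-rule Lambda contract; the sample configuration item is constructed here, and its `configuration.encrypted` field is assumed to match the normalized volume layout. The rule flags unencrypted EBS volumes and uses the relationships section to name the instance they are attached to.

```python
"""Custom AWS Config rule: flag unencrypted EBS volumes (added example)."""
import json

# Constructed sample configuration item: metadata, attributes,
# relationships and current configuration, as described in the list above.
SAMPLE_ITEM = {
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",  # metadata
    "configurationItemStatus": "ResourceDiscovered",
    "resourceType": "AWS::EC2::Volume",  # attributes
    "resourceId": "vol-0123456789abcdef0",
    "awsRegion": "us-east-1",
    "relationships": [  # the attached EC2 instance shows up here
        {"resourceType": "AWS::EC2::Instance",
         "resourceId": "i-0123456789abcdef0",
         "name": "Is attached to Instance"}
    ],
    "configuration": {"encrypted": False, "size": 8},  # from DescribeVolumes
}


def evaluate_compliance(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted",
                                               "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    cfg = item.get("configuration") or {}
    if cfg.get("encrypted"):
        return "COMPLIANT", "Volume is encrypted"
    attached = [r["resourceId"] for r in item.get("relationships", [])
                if r.get("resourceType") == "AWS::EC2::Instance"]
    where = f" (attached to {', '.join(attached)})" if attached else ""
    return "NON_COMPLIANT", f"Volume is not encrypted{where}"


def build_evaluation(item, compliance, annotation):
    """Shape one result the way PutEvaluations expects it."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # API limit on annotation length
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config when the volume changes."""
    invoking = json.loads(event["invokingEvent"])  # JSON string, not dict
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    import boto3  # imported here so the module also loads without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, compliance, annotation)],
        ResultToken=event["resultToken"])
```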
Conformance packs can be created in AWS Config. A conformance pack is a set of Config rules grouped so that they can be deployed and used together. When a conformance pack is applied, it evaluates the state of the resources against the rules it contains. AWS Config offers predefined conformance packs that can be used readily, and we can create our own as well.
AWS Config also works with infrastructure and repositories that are not part of AWS, for example on-premises servers and remote Git repositories. AWS Config can access their configuration data for compliance evaluation, and we can create conformance packs that evaluate these third-party resources against the rules.
As we can see, AWS Config can be extended to third-party resources. Speaking of expansion, by default AWS Config works on the configurations available in the region in which it is enabled. However, it is also possible to fetch configuration information from other AWS regions. We can essentially apply the same conformance packs in multiple regions and aggregate the results in a single place. In this case, the AWS Config setup in the region where aggregation was enabled is known as the aggregator.
Similarly, where multiple accounts are managed with AWS Organizations, AWS Config can be enabled and aggregated across those accounts as well. Multiple AWS accounts that do not belong to an AWS Organization can also be included in the aggregation; the process involves granting the appropriate access to the aggregator account. This gives us a consistent implementation of compliance rules across accounts.
Configuration management plays a very important role in managing the infrastructure assets of any organization.