AWS CONFIG

·     A fully managed AWS service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance

Features

·     Multi-account, multi-region data aggregation gives you an enterprise-wide view of your Config rule compliance status, and you can associate your AWS organization to quickly add your accounts

·     Provides prebuilt rules to evaluate your AWS resource configurations and configuration changes, or lets you create your own custom rules in AWS Lambda that define your internal best practices and guidelines for resource configurations

·     Config records details of changes to your AWS resources to provide you with a configuration history and automatically delivers it to an S3 bucket you specify

·     Receive a notification whenever a resource is created, modified or deleted

·     Config enables you to record software configuration changes within your EC2 instances and servers running on-premises, as well as servers and virtual machines in environments provided by other cloud providers. You can gain visibility into:

o  operating system configurations

o  system-level updates

o  installed applications

o  network configuration

·     Config can provide you with a configuration snapshot: a point-in-time capture of all your resources and their configurations

·     Config discovers, maps and tracks AWS resource relationships in your account, e.g. EC2 instances and security groups

Concepts

·    Configuration History

o  A collection of the configuration items for a given resource over any time period, containing information such as when the resource was first created, how the resource has been configured over the last month etc.

o  Config automatically delivers a configuration history file for each resource type that is being recorded to an S3 bucket that you specify.

o  A configuration history file is sent every six hours for each resource type that Config records.

·    Configuration Items

o  A record of the configuration of a resource in your AWS account. Config creates a configuration item whenever it detects a change to a resource type that it is recording.

o  The components of a configuration item include metadata, attributes, relationships, current configuration, and related events

·    Configuration Recorder

o  Stores the configurations of the supported resources in your account as configuration items.

o  By default, the configuration recorder records all supported resources in the region where Config is running. You can create a customized configuration recorder that records only the resource types that you specify.

o  You can also have Config record supported types of global resources which are IAM users, groups, roles, and customer managed policies.

·    Configuration Snapshot

o  A complete picture of the resources that are being recorded and their configurations.

o  Stored in an S3 bucket that you specify

·    Configuration Stream

o  An automatically updated list of all configuration items for the resources that Config is recording.

o  Helpful for observing configuration changes as they occur so that you can spot potential problems, generating notifications if certain resources are changed, or updating external systems that need to reflect the configuration of your AWS resources.

·    Resource Relationship

o  Config discovers AWS resources in your account and then creates a map of relationships between AWS resources

·    Config rule

o  Represents your desired configuration settings for specific AWS resources or for an entire AWS account.

o  Provides customizable, predefined rules. If a resource violates a rule, Config flags the resource and the rule as noncompliant, and notifies you through SNS

o  Evaluates your resources either in response to configuration changes or periodically

·    Config deletes data older than your specified retention period. The default period is 7 years

·    Multi-Account Multi-Region Data Aggregation

o  An aggregator collects Config and compliance data from the following:

§  multiple accounts, multiple regions

§  single account, multiple regions

§  AWS organizations
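
Worked example (added here, not part of these notes or of any AWS code): the evaluation logic of a custom Config rule in AWS Lambda, as described under Features and Config rule above. It parses the configuration item Config passes to the function, returns NOT_APPLICABLE for deleted resources, and reports the verdict back with put_evaluations; the rule parameter name allowedOpenPorts, the sample event and the security group id are constructed for illustration.

```python
import json

# Added example, not from the notes: evaluation logic for a custom Config rule
# (Lambda) that marks an AWS::EC2::SecurityGroup NON_COMPLIANT when an ingress
# rule is open to 0.0.0.0/0 on a port not listed in the rule parameter
# "allowedOpenPorts" (parameter name is our assumption).
WORLD = "0.0.0.0/0"

def open_ingress_ports(configuration):
    """Ports (or 'all') that the security group accepts from any IPv4 address."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        if WORLD not in [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]:
            continue
        if perm.get("ipProtocol") == "-1" or perm.get("fromPort") is None:
            exposed.add("all")  # every protocol/port; nothing to enumerate
        else:
            exposed.update(range(perm["fromPort"], perm["toPort"] + 1))
    return exposed

def evaluate_compliance(ci, params):
    """Map one configuration item to COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE."""
    # A deleted resource still triggers a change notification but cannot be evaluated.
    if ci["configurationItemStatus"] == "ResourceDeleted" or ci["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    allowed = {int(p) for p in params.get("allowedOpenPorts", "").split(",") if p}
    return "NON_COMPLIANT" if open_ingress_ports(ci["configuration"]) - allowed else "COMPLIANT"

def build_evaluation(event):
    """Parse the event Config sends (invokingEvent is a JSON *string*) into the evaluation it expects back."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": evaluate_compliance(ci, params),
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(Evaluations=[build_evaluation(event)],
                                           ResultToken=event["resultToken"])

# Constructed sample: SSH (22) and HTTPS (443) open to the world; the rule allows only 443.
SAMPLE_EVENT = {
    "resultToken": "constructed-token", "ruleParameters": json.dumps({"allowedOpenPorts": "443"}),
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0constructed",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
}
```

In Lambda the function's execution role needs config:PutEvaluations, and Config must be granted lambda:InvokeFunction on the function before the rule can call it.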


Monitoring

·     SNS

·     CloudWatch

·     CloudTrail

Security

·     IAM

Compliance

·     ISO

·     PCI DSS

Pricing

·     Charged based on the number of configuration items recorded and the number of active Config rules in your account. You are charged only once for recording each configuration item

Limits

·     Maximum of 50 rules per region

·     Retention period can be set between 30 days and 7 years