Key Concepts Of AWS Config Service
In today’s blog post, we will discuss the key concepts of the AWS Config service and how AWS Config works. AWS Config gives you a complete picture of how the AWS resources in your account are configured. This covers how the resources are linked to one another and how they were configured in the past, making it easy to track how configurations and relationships change over time.
AWS Config is a regional service that you can use to review the current configuration of your resources against a set of rules, view the relationships between different resources, retrieve current and historical configuration changes, and be alerted when a configuration changes.
Key Concepts Of AWS Config Service:
AWS Config gives you a full picture of your AWS account’s resources, including how they’re configured, how they’re related to one another, and how those configurations and relationships have changed over time. Let’s take a closer look at the AWS Config fundamentals.
AWS resources are entities created and managed by the AWS Management Console, AWS Command Line Interface (CLI), AWS SDKs, and AWS partner tools. Amazon EC2 instances, security groups, Amazon VPCs, and Amazon Elastic Block Store are examples of AWS resources.
A configuration item is a snapshot of the different attributes of a supported AWS resource in your account at a specific moment in time. Metadata, attributes, relationships, current configuration, and related events are all components of a configuration item. When AWS Config detects a change to a resource type that it is recording, it creates a configuration item.
The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording. You can stop and restart the configuration recorder at any time. By default, the configuration recorder records all supported resources in the region where AWS Config is running. You can create a customized configuration recorder that records only the resource types that you specify.
A configuration snapshot is a collection of the configuration items for your account’s supported resources. This configuration snapshot is a complete representation of the resources and their configurations that are being recorded. The configuration snapshot can be a useful tool for validating your configuration.
A configuration stream is an automatically updated list of all configuration items for the resources that AWS Config is recording. Whenever a resource is created, changed, or deleted, AWS Config creates a configuration item and adds it to the configuration stream. The configuration stream is delivered through an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems, generate notifications when certain resources change, or update external systems that need to reflect the configuration of your AWS resources.
AWS Config discovers AWS resources in your account and then creates a map of relationships between AWS resources. For example, a relationship might include an Amazon EBS volume vol-123ab45d attached to an Amazon EC2 instance i-a1b2c3d4 that is associated with security group sg-ef678hk.
AWS Config Rules:
An AWS Config rule represents your desired configuration settings for specific AWS resources or for an entire AWS account. AWS Config provides customizable, predefined rules to help you get started. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant, and AWS Config notifies you through Amazon SNS.
AWS Config Aggregator:
An aggregator is a new resource type in AWS Config that collects AWS Config configuration and compliance data from multiple source accounts and regions. Create an aggregator in the region where you want to see the aggregated AWS Config configuration and compliance data.
How AWS Config Works:
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
AWS Config keeps track of all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources. AWS Config also tracks the configuration changes that were not initiated by the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed.
If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config will evaluate your resources either in response to configuration changes or periodically. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.
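As an added example (not code from the original post), here is the skeleton of a custom AWS Config rule's Lambda function in Python. It reads the configuration item that AWS Config passes in the invoking event, decides whether a security group exposes the checked port to 0.0.0.0/0, and reports the result back with PutEvaluations, which is what makes the rule show as compliant or noncompliant. The invoking event is a constructed sample: its field names follow the AWS Config configuration item shape, but the resource IDs and values are made up.

```python
import json

# Constructed sample of the "invokingEvent" that AWS Config hands to a custom rule's
# Lambda for a change-triggered evaluation. The IDs and values are made up.
SAMPLE_INVOKING_EVENT = json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example1234",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configurationItemStatus": "OK",
        "configuration": {
            "ipPermissions": [
                {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
            ]
        },
        # Relationships are part of every configuration item (see the concepts above).
        "relationships": [
            {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example5678",
             "relationshipName": "Is associated with Instance"}
        ],
    },
})

def evaluate_security_group(item, port=22):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"  # deleted resources are not evaluated
    for perm in item["configuration"].get("ipPermissions", []):
        all_ports = perm.get("ipProtocol") == "-1"
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers_port = all_ports or (lo is not None and lo <= port <= hi)
        open_to_world = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", []))
        if covers_port and open_to_world:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def build_evaluation(event, port=22):
    """Turn the rule's event into the Evaluation record PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_security_group(item, port),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic above runs without the SDK installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

In a real deployment the rule parameter (the port) would come from `event["ruleParameters"]`, and the Lambda's execution role needs `config:PutEvaluations`.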
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.