What is used to assess audit and evaluate the configurations of AWS resources?

AWS offers many services for handling the volumes of data we generate today; AWS Config is the one that lets you assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your resource configurations, lets you automate the evaluation of those recorded configurations against the configurations you want, and in doing so simplifies compliance auditing, security analysis, change management, and operational troubleshooting.

  • We start the article by understanding what AWS Config is, then explore its benefits and the concepts behind it.
  • Next we look at how AWS Config assesses, audits, and evaluates the configurations of your AWS resources, along with the steps to set it up and the best practices to follow when implementing it.
  • We also cover the pricing of AWS Config and the key differences between AWS Config and AWS CloudTrail.
  • We then explore the use cases and a few companies that use AWS Config.
  • Lastly, we summarize the key points to take away about AWS Config.

When working with an AWS architecture you need visibility into resource changes and into the relationships between resources, because that is what lets you track compliance across your AWS infrastructure. AWS Config is AWS's managed, continuous monitoring and assessment service for exactly this, and it eases the burden of implementing and tracking compliance controls.

AWS Config is a managed service that lets you assess, audit, and evaluate the configurations of your AWS resources, which simplifies compliance reporting. With AWS Config you get an inventory of your AWS resources, can review configuration changes, discover new resources, track deleted resources, continuously record configuration changes, determine your overall compliance against the configurations specified in your internal guidelines, and be notified when configuration changes occur.

[Diagram: AWS Config overview]

AWS Config continuously monitors and captures AWS resource configurations, so you can automate the evaluation of recorded configurations against desired configurations. This is what simplifies compliance auditing, security analysis, change management, and operational troubleshooting.

Listed below are the six major benefits AWS Config provides, and the reason it is so widely adopted:

Continuous Assessment

You can define rules for provisioning and configuring AWS resources. These rules can be deployed independently or packaged together, along with compliance remediation actions, in a conformance pack that is then deployed across the whole organization in a single operation. AWS Config continuously audits and assesses the overall compliance of your resource configurations against your organization's policies and guidelines. With an Amazon Simple Notification Service (SNS) topic configured, you are notified whenever a resource configuration, or a configuration change, deviates from the rules you set; compliance changes are also emitted as Amazon CloudWatch Events (now Amazon EventBridge) events, so you can alert on them or trigger automation continuously. A visual dashboard gives an overall view of compliance status and lets you quickly spot non-compliant resources.

Continuous Monitoring

By enabling AWS Config you continuously monitor and record configuration changes, which gives you a complete monitoring system for your AWS resources. At any time you can also enable an inventory of your AWS resources, their configurations, and even the software configuration inside your EC2 instances. If a change to a configuration or to the inventory is detected, an Amazon Simple Notification Service (SNS) notification (when configured) lets you review it and take action.

Change Management

You can track the relationships among your AWS resources and review resource dependencies before making a change. Once a change has occurred, AWS Config lets you quickly review the configuration history of the resource and see what its configuration looked like in the past. This information helps you assess how a change to one resource's configuration affects the other resources, which minimizes the impact of change-related incidents.

Enterprise-wide Compliance Monitoring

With its multi-account, multi-region data aggregation, AWS Config lets you view compliance status across the enterprise and identify non-compliant accounts. You can view the status for a specific region, for a specific account, or across regions at a glance. An aggregator in a central account presents all of this in one AWS Config console, so you no longer have to retrieve the information from each account and each region individually.

Support for Third-party Resources

AWS Config is designed to be the primary tool for configuration audit and compliance verification of both AWS and third-party resources. Using the AWS Config console and APIs you can publish the configuration of third-party resources (GitHub repositories, Microsoft Active Directory objects, or any on-premises server) into AWS Config, and then view and monitor their resource inventory and configuration history. You can write AWS Config rules, and bundle them into conformance packs, to evaluate those third-party resources against best practices, regulatory requirements, and internal policies.

Operational Troubleshooting

AWS Config keeps a comprehensive history of every configuration change to your AWS resources, which simplifies troubleshooting operational issues. To find the root cause of an issue, AWS Config integrates with AWS CloudTrail (the AWS service that records the API calls made in an account). By correlating a configuration change with the CloudTrail event that caused it, AWS Config lets you look up the API call that made the change in the CloudTrail logs, and from that obtain, for example, who made the request, from which IP address, and at what time.

[Diagram: the six benefits of AWS Config listed above]

Some concepts you should be familiar with before looking at the features, setup, and pricing of AWS Config are given below.

[Diagram: how AWS Config contributes to different domains, and the related concepts]

  • AWS resources: the entities you create and manage in AWS, such as EC2 instances and security groups.

  • AWS Config rules: the most important concept in AWS Config, because rules are what monitor the compliance of your AWS resources. A rule represents the desired configuration for a resource type and is evaluated against each recorded configuration change of the matching resources; the results of those evaluations are shown on the dashboard. With AWS Config rules you can assess overall compliance and risk, view compliance trends over time from a configuration perspective, and see which configuration change caused a resource to drift out of compliance with a rule.

  • Resource relationship: the relationship between two AWS resources, for example an EC2 instance attached to an EBS volume. AWS Config discovers the account's resources and builds a map of the relationships between them, which you can use to gain insight and take action where required.

  • Configuration item: a point-in-time view of a supported AWS resource. Its components are metadata, attributes, relationships, the current configuration, and related events.

  • Configuration snapshot: a collection of the configuration items for the supported resources in the account, taken at a point in time.

  • Configuration history: the collection of configuration items for a given resource over a period of time.

  • Configuration stream: an automatically updated list of all configuration items for the resources AWS Config records, published (through an Amazon SNS topic) whenever a resource is created, changed, or deleted.

  • Configuration recorder: the component that records the configurations of the supported resources in the account and stores them as configuration items. The recorder must be created and then started before anything is recorded.

[Diagram: AWS Config workflow]

Having refreshed the concepts, let us look at how AWS Config works. As the diagram shows, a few steps are all it takes for AWS Config to assess, audit, and evaluate the configurations of your AWS resources through continuous monitoring.

Once you turn on AWS Config, it first discovers the supported AWS resources in your account and generates a configuration item for each of them. From then on it generates a new configuration item whenever a resource's configuration changes, and it keeps the historical configuration items of your resources from the moment you started the configuration recorder.

An important point: by default AWS Config creates configuration items for every supported resource type in the Region. Alternatively, you can list only the resource types you want tracked, and AWS Config then creates configuration items only for those supported types.

[Diagram: how AWS Config records and evaluates resources]

To record a change, AWS Config uses the resource's Describe or List API call to capture its configuration details, and uses the same calls to capture the configuration of all related resources. AWS Config also tracks configuration changes that were not made through an API. Periodically, AWS Config re-examines resource configurations and generates configuration items only for the configurations that changed.

By defining AWS Config rules with the settings you want, you continuously evaluate your AWS resource configurations. A managed rule uses evaluation logic that AWS provides; a custom rule is backed by an AWS Lambda function containing the evaluation logic, which AWS Config invokes and which reports the compliance status of the evaluated resources back to AWS Config. When a resource violates the conditions of a rule, AWS Config flags the resource as non-compliant against that rule. With Amazon SNS enabled, AWS Config also sends a notification whenever the compliance status of a resource changes.
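A custom rule of the kind just described, as an added example that is not code from the page or from AWS: the evaluation logic (does a security group allow SSH from anywhere?) is a pure function, and the Lambda handler around it reads the configuration item from the invoking event and reports the result back to AWS Config with PutEvaluations. The watched port, the optional `port` rule parameter, and the sample configuration item are assumptions made for the example.

```python
"""Custom AWS Config rule backed by a Lambda function.

Added example, not code from the page.  It flags EC2 security groups that
allow SSH (TCP/22) from anywhere.  The watched port, the optional `port`
rule parameter and the sample configuration item below are assumptions."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

WATCHED_PORT = 22                   # default; overridable via rule parameter
WORLD = {"0.0.0.0/0", "::/0"}       # "anywhere" in IPv4 and IPv6


def _cidrs(permission):
    """Every CIDR in one ipPermissions entry.  AWS Config emits the legacy
    string list (ipRanges) and the object lists (ipv4Ranges/ipv6Ranges);
    read all three so a rule does not silently miss one form."""
    cidrs = set()
    for r in permission.get("ipRanges", []):
        cidrs.add(r if isinstance(r, str) else r.get("cidrIp"))
    for r in permission.get("ipv4Ranges", []):
        cidrs.add(r.get("cidrIp"))
    for r in permission.get("ipv6Ranges", []):
        cidrs.add(r.get("cidrIpv6"))
    cidrs.discard(None)
    return cidrs


def _covers_port(permission, port):
    """True if the entry allows `port`: protocol -1 means all traffic; a TCP
    entry matches when the port lies in its fromPort..toPort range."""
    proto = str(permission.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto.lower() != "tcp":
        return False
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def evaluate(configuration_item, port=WATCHED_PORT):
    """Pure evaluation logic, separated from AWS calls so it can be unit
    tested offline.  Returns (compliance_type, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "rule only evaluates security groups"
    # Config also invokes the rule when a resource is deleted; there is no
    # configuration left to judge, so do not emit a false finding.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "resource was deleted"
    cfg = configuration_item.get("configuration") or {}
    for perm in cfg.get("ipPermissions", []):
        if _covers_port(perm, port) and _cidrs(perm) & WORLD:
            return NON_COMPLIANT, f"ingress on TCP/{port} is open to the world"
    return COMPLIANT, f"no world-open ingress on TCP/{port}"


def lambda_handler(event, context):
    """Entry point AWS Config invokes on a configuration-change trigger."""
    import boto3  # imported here so `evaluate` stays importable without boto3
    invoking_event = json.loads(event["invokingEvent"])
    ci = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate(ci, int(params.get("port", WATCHED_PORT)))
    # Report back to AWS Config; the resultToken ties this result to the
    # evaluation that AWS Config started.
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample configuration item (not data from a real account).
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
```

Two details matter in practice: a custom rule is invoked for deleted resources too, so it must return NOT_APPLICABLE rather than a stale finding, and the rule should accept every shape in which AWS Config emits the security group's CIDR list, otherwise an open port can slip through unflagged.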

Now that we have covered what AWS Config is, its features, and the benefits it offers by assessing, auditing, and evaluating the configurations of your AWS resources, this section shows how to set up AWS Config from the AWS Management Console.

AWS Config provides a detailed view of the resources in your AWS account: how they relate to one another, how they are configured, and how their configurations and relationships have changed over time. The following steps set up AWS Config in the AWS Management Console so you can quickly start capturing those benefits:

Step 1: Log in to your AWS account and open the AWS Management Console.

Step 2: In the search box, type "Config" and select AWS Config from the results.

Step 3: Click Get started.

Step 4: The first time you set up AWS Config you are taken through the settings below; afterwards you reach the same page via Settings in the left-hand navigation panel.

Under the resource types to record, choose either all resources (the recommended default, see the best practices below) or Record specific resource types if you only want a subset of the resources running in the account recorded.

Step 5: If you chose specific types, select AWS resources under Resource category and then search for EC2 Instance under Resource type. Under AWS Config role, select Create AWS Config service-linked role.

Step 6: Under Delivery method, the Amazon S3 bucket setting offers three options: create a bucket, choose a bucket from your account, or choose a bucket from another account. For this setup we choose the first, Create a bucket; AWS Config will deliver configuration history and configuration snapshot files to it. For Bucket name, type a name for the bucket (k212021demo in our case) and click Next.

Quick Note: An S3 bucket name must be unique across all existing bucket names in Amazon S3. The simplest way to ensure uniqueness is to include a prefix, for example the name of your company or university. Once a bucket is created, its name cannot be changed.

Hurray! Your AWS Config is now fully set up and ready to start assessing, auditing, and evaluating the configurations of your AWS resources.
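The same setup done from code rather than the console, as an added example (boto3; not code from the page or from AWS). It assumes the bucket name from the steps above plus a placeholder account ID and region, creates the service-linked role, puts a recorder for all supported resource types, and a delivery channel with daily snapshots. The bucket policy is the part the console hides from you: the AWS:SourceAccount condition is what stops another account's AWS Config service from delivering into, or probing, your bucket.

```python
"""Enable AWS Config from code instead of the console.

Added example (boto3), not from the page.  Bucket name, region and account
ID are placeholders; the bucket policy is the one AWS Config requires."""
import json

CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}


def config_bucket_policy(bucket, account_id, prefix=""):
    """Least-privilege bucket policy for Config delivery.  The
    AWS:SourceAccount condition stops *another* account's Config service
    principal from probing or writing into this bucket (confused deputy);
    bucket-owner-full-control keeps delivered objects readable by the owner."""
    key_prefix = f"/{prefix.strip('/')}" if prefix.strip("/") else ""
    same_account = {"StringEquals": {"AWS:SourceAccount": account_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}", "Condition": same_account},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}", "Condition": same_account},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}{key_prefix}/AWSLogs/{account_id}/Config/*",
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "AWS:SourceAccount": account_id}}},
        ],
    }


def enable_config(bucket, region, account_id, record_global=True):
    """Create and lock down the bucket, create the service-linked role, then
    put and start a recorder for all supported resource types with a daily
    snapshot delivery channel.  put_* calls overwrite, so re-running is safe."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region)
    iam = boto3.client("iam")
    config = boto3.client("config", region_name=region)

    try:
        kwargs = {"Bucket": bucket}
        if region != "us-east-1":          # us-east-1 rejects a LocationConstraint
            kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
        s3.create_bucket(**kwargs)
    except ClientError as e:
        if e.response["Error"]["Code"] != "BucketAlreadyOwnedByYou":
            raise
    # Lock the bucket down before Config starts writing into it.
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(config_bucket_policy(bucket, account_id)))

    try:
        iam.create_service_linked_role(AWSServiceName="config.amazonaws.com")
    except ClientError as e:
        if "has been taken" not in str(e):  # role already exists
            raise
    role_arn = (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                "config.amazonaws.com/AWSServiceRoleForConfig")

    config.put_configuration_recorder(ConfigurationRecorder={
        "name": "default", "roleARN": role_arn,
        "recordingGroup": {"allSupported": True,
                           # best practice: global resources (IAM) in ONE region only
                           "includeGlobalResourceTypes": record_global}})
    config.put_delivery_channel(DeliveryChannel={
        "name": "default", "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}})
    config.start_configuration_recorder(ConfigurationRecorderName="default")


if __name__ == "__main__":
    # Placeholders: replace with your own values before running.
    enable_config("k212021demo", "us-east-1", "123456789012")
```

When you later enable AWS Config in a second region of the same account, call `enable_config` with `record_global=False` there, otherwise IAM configuration items are recorded (and billed) once per region.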

With AWS Config you can maintain the configuration history of your AWS resources and evaluate it against best practices. Below are a few best practices for AWS Config itself; followed, they make it an effective governance tool across the enterprise and support your auditing, operational troubleshooting, and compliance use cases.

  1. The most important best practice, recommended by the CIS (Center for Internet Security) AWS benchmark, is to enable AWS Config in all accounts and all Regions.
  2. When setting up AWS Config, select "All resources" for the resource types to record, so that you get a comprehensive configuration audit.
  3. Record global resources (such as IAM) in only one Region, to avoid redundant copies of IAM configuration items in every Region.
  4. Secure the Amazon S3 bucket that receives the configuration history and snapshot files: restrict it to the AWS Config service principal of your own account and block public access.
  5. For centralized management of configuration and compliance notifications, specify an Amazon Simple Notification Service (SNS) topic in a central account.
  6. Use the AWS Config service-linked role so that AWS Config has the permissions it needs to record resource configuration changes.
  7. If you create an IAM role for AWS Config yourself, attach the AWS managed policy AWS_ConfigRole to it.
  8. Turn on periodic snapshots with a frequency of at least once per day, so that the latest configuration state of all AWS resources in the account is backed up daily.

AWS Config pricing works as follows: you are charged based on the number of configuration items recorded, the number of AWS Config rule evaluations, and the number of conformance pack evaluations in your account.

Here a configuration item is a record of the configuration state of a resource in the AWS account; an AWS Config rule evaluation is one compliance-state evaluation of a resource by an AWS Config rule; and a conformance pack evaluation is the evaluation of a resource by an AWS Config rule that belongs to a conformance pack.

[Table: AWS Config rule evaluation pricing tiers]

Note that with consolidated billing, AWS adds up the AWS Config rule evaluations from all of your accounts to determine which pricing tier applies, which gives you a lower overall price at the higher tiers.

One service that is easy to confuse with AWS Config, because its key features sound similar, is AWS CloudTrail. AWS Config and AWS CloudTrail do indeed have a lot in common:

  • Both give excellent visibility into your configuration and activity.
  • Both are fully managed.
  • Both are easy to get started with.
  • Both are monitoring tools for AWS resources.
  • Both track changes and store a history of what happened to AWS resources in the recent past, and both serve similar purposes: compliance and governance, auditing, security policies, and more.
  • If something goes wrong with an AWS resource, it shows up in both AWS Config and AWS CloudTrail.

The key differences between AWS Config and AWS CloudTrail, and the features each offers, are listed below:

AWS Config vs AWS CloudTrail:

  • Category: AWS Config is usually filed under the "Log Management" category of the tech stack, AWS CloudTrail under "Cloud Monitoring".
  • Question answered: AWS Config tells you WHAT changed in a resource's configuration (and when the change was recorded); AWS CloudTrail tells you WHO made the change, WHEN, and from WHICH location (source IP address).
  • Focus: AWS Config focuses on the configuration of AWS resources and produces detailed snapshots of HOW resources have changed; AWS CloudTrail focuses on the events (API calls) driving those changes, together with the user, application, and activity performed on the system.

[Diagram: key differences between AWS Config and AWS CloudTrail]

Now let us look at a few use cases of AWS Config that you can apply when the same scenario arises.

[Diagram: AWS Config use cases]

Continuous audit and compliance

AWS Config provides continuous audit and compliance by extending visibility into the configuration of your AWS resources and any third-party resources, so that the organization can assess its compliance with internal policies and regulatory standards. It continuously evaluates resource configuration changes against the standard configurations the organization has defined for its own requirements.

Troubleshooting

With AWS Config you can troubleshoot operational issues quickly by identifying the recent configuration changes made to the affected AWS resources.

Security Analysis

The data AWS Config records gives you continuous monitoring of every configuration of your AWS resources, and lets you evaluate configuration changes for potential security weaknesses and report them. When a resource configuration changes, an Amazon Simple Notification Service (SNS) notification (when configured) tells the security team to check, review, and act on it. You can also review the configuration history of a resource to examine its security posture after a potential security event.
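The troubleshooting and security-analysis use cases above, together with the CloudTrail integration described under Operational Troubleshooting, put into code as an added example that is not from the page: diff consecutive configuration items of one resource to see WHAT changed, then attribute each change to the non-read-only CloudTrail events for that resource in the minutes before the change was captured, which gives WHO, WHEN, and from WHERE. The sample history and events are constructed; `fetch_live` shows the real boto3 calls but needs credentials and is not run here.

```python
"""Correlate AWS Config history (WHAT changed) with CloudTrail (WHO, WHEN,
FROM WHERE).  Added example, not from the page; the sample history and
events are constructed."""
import json
from datetime import datetime, timedelta, timezone


def diff_configuration(old, new, path=""):
    """Recursively compare two `configuration` dicts and return
    {dotted.path: (before, after)} for each changed leaf; lists are compared
    whole, so an added ipPermissions entry shows up as one change."""
    changes = {}
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            changes.update(diff_configuration(old.get(key), new.get(key), sub))
    elif old != new:
        changes[path] = (old, new)
    return changes


def _as_utc(value):
    """Capture times arrive as ISO-8601 strings ending in Z in a Lambda's
    invoking event, and as datetimes from boto3 (as do CloudTrail EventTimes)."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def attribute_changes(history, events, window=timedelta(minutes=10)):
    """For each consecutive pair of configuration items, diff them and attach
    the non-read-only CloudTrail events that fall in the `window` before the
    newer item was captured (Config records a change some minutes after the
    API call that caused it)."""
    report = []
    ordered = sorted(history, key=lambda ci: _as_utc(ci["configurationItemCaptureTime"]))
    for prev, cur in zip(ordered, ordered[1:]):
        captured = _as_utc(cur["configurationItemCaptureTime"])
        actors = []
        for ev in events:
            if str(ev.get("ReadOnly", "false")).lower() == "true":
                continue  # Describe*/List* calls never change configuration
            when = _as_utc(ev["EventTime"])
            if captured - window <= when <= captured:
                detail = json.loads(ev.get("CloudTrailEvent") or "{}")
                actors.append({"event": ev["EventName"], "user": ev.get("Username", "?"),
                               "time": when, "source_ip": detail.get("sourceIPAddress", "?")})
        report.append({
            "captured": captured,
            "changes": diff_configuration(prev.get("configuration") or {},
                                          cur.get("configuration") or {}),
            "actors": actors,
        })
    return report


def fetch_live(resource_type, resource_id, region, hours=24):
    """Pull both sides from AWS for a real resource (needs credentials)."""
    import boto3
    cfg = boto3.client("config", region_name=region)
    ct = boto3.client("cloudtrail", region_name=region)
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    history = cfg.get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id,
        laterTime=end, earlierTime=start)["configurationItems"]
    for ci in history:  # this API returns `configuration` as a JSON string
        if isinstance(ci.get("configuration"), str):
            ci["configuration"] = json.loads(ci["configuration"])
    events = ct.lookup_events(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": resource_id}],
        StartTime=start, EndTime=end)["Events"]
    return history, events


# Constructed sample: a security group gains a world-open SSH rule at 12:05,
# which AWS Config captures at 12:09.
_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
_HTTPS = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}
_SSH = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}
SAMPLE_HISTORY = [
    {"configurationItemCaptureTime": "2024-01-01T12:00:00.000Z",
     "configuration": {"groupName": "web", "ipPermissions": [_HTTPS]}},
    {"configurationItemCaptureTime": "2024-01-01T12:09:00.000Z",
     "configuration": {"groupName": "web", "ipPermissions": [_HTTPS, _SSH]}},
]
SAMPLE_EVENTS = [
    {"EventName": "AuthorizeSecurityGroupIngress", "Username": "alice",
     "EventTime": _T0 + timedelta(minutes=5), "ReadOnly": "false",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.10"})},
    {"EventName": "DescribeSecurityGroups", "Username": "bob",
     "EventTime": _T0 + timedelta(minutes=7), "ReadOnly": "true", "CloudTrailEvent": "{}"},
]
```

The time window is a heuristic: AWS Config captures a change some minutes after the API call, so a narrow window can miss the responsible event and a wide one can pull in unrelated ones. When several non-read-only events land in the window, the `eventName` (here AuthorizeSecurityGroupIngress) and the changed configuration path are what let you pick the right one.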

Discovery

With AWS Config you can discover the resources that exist in your AWS account, record their current configuration, and record any changes made to their configurations. AWS Config also retains the configuration details of resources you have deleted, giving you full visibility of the resources that existed. Its comprehensive snapshot of all AWS resources and their configuration attributes gives you a clear picture of the inventory of resources in your account.

Compliance-as-code Framework

With compliance as code, you can create and deploy governance and compliance rules across all your AWS accounts and regions. You codify the compliance requirements as AWS Config rules, pair them with remediation actions implemented as AWS Systems Manager Automation documents, and package both together in a conformance pack. The pack can then be deployed across an organization to automate the assessment of your resource configurations and of any changes to them, which maintains continuous compliance and self-governance across the AWS infrastructure.

Change Management

When AWS resources are created, updated, or deleted, AWS Config streams the configuration changes and sends a notification through Amazon Simple Notification Service (SNS), so that configuration changes are known across the organization. Because AWS Config tracks the relationships between resources, you can easily assess how a change to one resource may affect the others.

Now that we understand AWS Config and its features, benefits, and pricing, let us look at some companies that already use AWS Config to assess, audit, and evaluate the configurations of their AWS resources.

[Image: logos of some well-known companies using AWS Config]

  • Flatiron: uses AWS Config to iterate faster and solve problems in improving cancer care.
  • Prezi: uses AWS Config to keep up with the rapid growth of its highly scalable and automated platform.
  • iZettle: built and operates its payment solution using AWS Config.
  • British Gas: implemented AWS Config to support its Hive monitoring operations.
  • Burt: implemented AWS Config alongside other AWS services to keep its operations agile, which helps it succeed in a tough and highly specialized market.
  • Autodesk: controls its cloud resource usage with the help of AWS Config.
  • FanDuel: uses AWS Config's fully managed resource inventory service.

The key takeaways from this article are:

  • AWS Config is a managed service that lets you assess, audit, and evaluate the configurations of your AWS resources, which simplifies compliance reporting.
  • With AWS Config you get an inventory of your AWS resources, can review configuration changes, discover new resources, track deleted resources, continuously record configuration changes, determine your overall compliance against the configurations specified in your internal guidelines, and be notified when configuration changes occur.
  • With AWS Config you can troubleshoot operational issues quickly by identifying the recent configuration changes made to the affected AWS resources.
  • AWS Config charges you based on the number of configuration items recorded, the number of AWS Config rule evaluations, and the number of conformance pack evaluations in your account.
  • An AWS Config rule represents the desired configuration for a resource and is evaluated against each configuration change of that resource; the results of the evaluation are shown on the dashboard.