Mastering AWS Config: Tracking Account Configuration Changes
Viewing configuration changes that have occurred in an account (for example, AWS Config)
AWS Config is a foundational service for governance, compliance, and risk management. It provides a detailed view of the configuration of AWS resources in your account, including how resources were configured in the past and how they relate to one another.
Learning Objectives
After studying this guide, you should be able to:
- Explain the core purpose of AWS Config as a "time machine" for resource state.
- Differentiate between AWS Config, AWS CloudTrail, and Amazon EventBridge.
- Describe the components of AWS Config, including the Configuration Recorder and Configuration Items.
- Define how AWS Config Rules are used to assess compliance against a baseline.
- Understand how resource relationships help in troubleshooting and impact analysis.
Key Terms & Glossary
- Configuration Item (CI): A point-in-time record of the attributes and relationships of a specific resource.
- Configuration Recorder: The mechanism that discovers and records changes to resource configurations.
- Delivery Channel: The path (usually an S3 bucket and SNS topic) used to store and notify about configuration changes.
- Configuration History: A collection of CIs for a single resource over a period of time.
- Configuration Snapshot: A complete point-in-time backup of all CIs currently being recorded in an account.
- Resource Relationship: A mapping showing how one resource depends on or is connected to another (e.g., an EBS volume attached to an EC2 instance).
The "Big Idea"
Think of AWS Config as a Time Machine. While other services tell you who did something (CloudTrail) or when an event happened (EventBridge), AWS Config tells you exactly what your environment looked like at any specific moment. It shifts the focus from "logs of actions" to "state of infrastructure," allowing you to rewind time to see why a system broke or how it deviated from your security standards.
Formula / Concept Box
| Component | Primary Function | Data Destination |
|---|---|---|
| Recorder | Monitors and captures state changes | Internal Config Store |
| Items (CI) | Individual point-in-time state records | Grouped into History |
| History | Long-term record of changes | Amazon S3 |
| Rules | Compliance check against baseline | SNS / Dashboard |
| Snapshots | Full account configuration backup | Amazon S3 |
Hierarchical Outline
- I. Core Capabilities
- Resource Inventory: Automated discovery of resources in a region.
- History Tracking: Retention of configuration data even after resources are deleted.
- Relationship Mapping: Visualizing dependencies (e.g., Security Group → EC2).
- II. Components of the Workflow
- Configuration Recorder: The "workhorse"; only one allowed per region.
- Delivery Channel: Defines where data goes (S3 for storage, SNS for alerts).
- III. Governance & Compliance
- Managed Rules: Pre-built AWS logic (e.g., "Check if S3 buckets are public").
- Custom Rules: User-defined logic powered by AWS Lambda.
- Remediation: Automated actions to fix non-compliant resources.
Visual Anchors
The AWS Config Workflow
Resource Relationship Concept
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, fill=blue!10, align=center}]
\node (ec2) {EC2 Instance\\(i-12345)};
\node (ebs) [right of=ec2, xshift=2cm] {EBS Volume\\(vol-6789)};
\node (sg) [below of=ec2] {Security Group\\(sg-000)};
\node (vpc) [below of=sg] {VPC\\(vpc-abc)};
\draw[<->, thick] (ec2) -- node[above, draw=none, fill=none] {\scriptsize Attached} (ebs);
\draw[->, thick] (ec2) -- node[left, draw=none, fill=none] {\scriptsize Member of} (sg);
\draw[->, thick] (sg) -- node[left, draw=none, fill=none] {\scriptsize Inside} (vpc);
\end{tikzpicture}
Definition-Example Pairs
- Configuration Item (CI)
- Definition: A JSON fragment containing resource metadata, attributes, and relationships.
- Example: A CI for an EBS volume records that it was 100 GB, encrypted with KMS Key A, and attached to Instance B at 10:00 AM.
- Managed Rule
- Definition: Predefined rules maintained by AWS to check common compliance scenarios.
- Example: The `s3-bucket-public-read-prohibited` rule flags any S3 bucket that allows public read access as "Non-compliant."
- Configuration Timeline
- Definition: A visual representation in the console showing every modification to a resource.
- Example: An IT auditor checks the timeline of a compromised EC2 instance to see when its Security Group was changed to allow port 22 (SSH) from the open internet.
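Custom rules (Section III of the outline) receive a Configuration Item and return an evaluation. The following is an added example, not AWS code: the evaluation logic of a custom rule that mirrors the intent of the managed `ec2-volume-inuse-check` rule and additionally requires the volume to be encrypted. It assumes the CI relationship name "Is attached to Instance" for attached volumes and returns the evaluation instead of calling `put_evaluations`, so it runs offline.

```python
import json
from typing import Any
# Added example, not AWS code: the evaluation logic of a custom Config rule that mirrors
# the intent of ec2-volume-inuse-check and also requires the volume to be encrypted.
# It returns the evaluation instead of calling config.put_evaluations(), so it runs offline.

def evaluate_volume(ci: dict[str, Any]) -> dict[str, str]:
    """Evaluate one Configuration Item (CI) for an AWS::EC2::Volume."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    elif ci.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "volume no longer exists"
    else:
        # Attachment is expressed as a relationship, not as a configuration attribute.
        attached = any(r.get("name") == "Is attached to Instance"
                       for r in ci.get("relationships", []))
        encrypted = bool(ci.get("configuration", {}).get("encrypted"))
        problems = []
        if not attached:
            problems.append("volume is not attached to any instance")
        if not encrypted:
            problems.append("volume is not encrypted")
        compliance = "NON_COMPLIANT" if problems else "COMPLIANT"
        note = "; ".join(problems) or "attached and encrypted"
    return {
        "ComplianceResourceType": ci.get("resourceType", "unknown"),
        "ComplianceResourceId": ci.get("resourceId", "unknown"),
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci.get("configurationItemCaptureTime", ""),
    }

def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, str]:
    """Entry point in the shape Config uses: invokingEvent arrives as a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    return evaluate_volume(invoking["configurationItem"])

# Constructed sample invocation: a 100 GB encrypted volume that has just been detached.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-6789",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T10:05:00.000Z",
    "configuration": {"size": 100, "encrypted": True},
    "relationships": [],
}})}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

In a deployed rule the returned dict would be passed to `put_evaluations` together with the `resultToken` from the event.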
Worked Examples
Scenario: Troubleshooting a Detached Volume
Problem: A critical application fails because a data volume is missing.
- Open AWS Config Console: Search for the specific EBS volume ID.
- View Timeline: Look at the events from the last hour.
- Identify Change: You find a "Relationship Change" where the status moved from `ATTACHED` to `DETACHED`.
- Correlate with CloudTrail: Click the link in the timeline to see the CloudTrail event. You discover a junior admin accidentally ran a script that detached the volume.
- Identify Compliance Gap: Because the `ec2-volume-inuse-check` rule was active, Config had already sent an SNS notification to the DevOps team the moment the volume became unattached.
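The timeline steps of the scenario can be reproduced from the raw configuration history. The following is an added example, not AWS code: it walks a list of CIs for one volume (the shape returned by `get-resource-config-history`) and reports each relationship and attribute change between consecutive items, carrying the CI's `relatedEvents` (CloudTrail event IDs) so the correlation step has its link. The relationship name "Is attached to Instance" and the sample history are assumptions.

```python
import json
from typing import Any

# Added example, not AWS code: walks one volume's configuration history (CIs as returned by
# get-resource-config-history) and reports what changed between consecutive items, which is
# what the console timeline shows. relatedEvents holds the CloudTrail event IDs for the change.

def attachment_state(ci: dict[str, Any]) -> str:
    """Reduce the CI's relationships to the ATTACHED/DETACHED state shown in the timeline."""
    instances = [r["resourceId"] for r in ci.get("relationships", [])
                 if r.get("name") == "Is attached to Instance"]
    return f"ATTACHED to {instances[0]}" if instances else "DETACHED"

def change_record(after: dict[str, Any], kind: str, old: Any, new: Any) -> dict[str, Any]:
    return {"time": after["configurationItemCaptureTime"], "kind": kind, "from": old, "to": new,
            "cloudtrail_events": list(after.get("relatedEvents", []))}

def diff_history(history: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one change record per difference between consecutive CIs, oldest first."""
    changes = []
    ordered = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    for before, after in zip(ordered, ordered[1:]):
        old_state, new_state = attachment_state(before), attachment_state(after)
        if old_state != new_state:
            changes.append(change_record(after, "Relationship Change", old_state, new_state))
        old_cfg, new_cfg = before.get("configuration", {}), after.get("configuration", {})
        for key in sorted(set(old_cfg) | set(new_cfg)):
            if old_cfg.get(key) != new_cfg.get(key):
                changes.append(change_record(after, f"Configuration Change: {key}",
                                             old_cfg.get(key), new_cfg.get(key)))
    return changes

# Constructed sample history for vol-6789: attached, then resized, then detached within the hour.
SAMPLE_HISTORY = [
    {"resourceId": "vol-6789", "configurationItemCaptureTime": "2024-01-01T09:10:00Z",
     "configuration": {"size": 100, "encrypted": True, "kmsKeyId": "key-A"},
     "relationships": [{"name": "Is attached to Instance", "resourceId": "i-12345"}]},
    {"resourceId": "vol-6789", "configurationItemCaptureTime": "2024-01-01T09:40:00Z",
     "configuration": {"size": 200, "encrypted": True, "kmsKeyId": "key-A"},
     "relationships": [{"name": "Is attached to Instance", "resourceId": "i-12345"}],
     "relatedEvents": ["EXAMPLE-CT-EVENT-1"]},
    {"resourceId": "vol-6789", "configurationItemCaptureTime": "2024-01-01T10:05:00Z",
     "configuration": {"size": 200, "encrypted": True, "kmsKeyId": "key-A"},
     "relationships": [], "relatedEvents": ["EXAMPLE-CT-EVENT-2"]},
]

if __name__ == "__main__":
    print(json.dumps(diff_history(SAMPLE_HISTORY), indent=2))
```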
Checkpoint Questions
- What is the primary difference between AWS Config and AWS CloudTrail?
- Can you have multiple Configuration Recorders in a single AWS region?
- Where does AWS Config deliver its configuration history files?
- Which feature allows you to see how a change in a security group might affect multiple EC2 instances?
Comparison Tables
| Feature | AWS Config | AWS CloudTrail | Amazon EventBridge |
|---|---|---|---|
| Primary Focus | State (What it looks like) | Activity (Who did what) | Events (What just happened) |
| Data Format | Configuration Items (JSON) | API Logs (JSON) | Event Patterns (JSON) |
| Ideal Use Case | Compliance & Auditing | Security Forensics | Automation & Alerting |
| Historical View | Detailed timeline of attributes | Log of API calls | Real-time stream (limited history) |
Muddy Points & Cross-Refs
- Config vs. CloudWatch: Students often confuse these. Remember: CloudWatch monitors performance (CPU, RAM) and logs; Config monitors infrastructure settings (Tags, Size, Relationships).
- Config vs. Systems Manager (SSM) Inventory: SSM Inventory focuses on the software inside the instance (applications, OS version), whereas Config focuses on the AWS resource settings (instance type, EBS attachments).
- Cost Management: AWS Config is charged per configuration item recorded and per rule evaluation. In high-churn environments, this can become expensive. It is best practice to filter the recorder to only include the resource types you actually need to audit.
> [!TIP]
> Use the "Resource Relationship" view in the AWS Config console to perform impact analysis before deleting resources. If you delete a VPC, Config can show you every subnet and instance that will be orphaned.
Answers to Checkpoints
- Config tracks state/configuration; CloudTrail tracks API calls/activity.
- No, only one configuration recorder is allowed per region.
- To an Amazon S3 bucket (via the delivery channel).
- Resource Relationships / Relationship Mapping.