In large enterprises, multiple AWS accounts are used. Manually managing resources within these accounts can be a daunting task and is not cost-optimal. Therefore, AWS has launched a much-needed service known as “AWS Config” to automate these tasks.
This article presents detailed information on the following aspects of AWS Config:
- What is AWS Config?
- Why should you use AWS Config?
- How does AWS Config work?
- How to implement continuous monitoring with AWS Config?
- How to configure rules in AWS Config?
- What is the Cost of AWS Config?
AWS Config helps its users with the auditing and compliance of AWS resources. It records every change in the configuration of the resources over time and alerts the users. With AWS Config, users can detect unauthorized changes to their resources and look back at the changes that occurred, for instance, a week ago.
AWS Config records only the resources that the user specifies. Compliance checks are evaluated against the config rules: resources that satisfy a rule are marked as “Compliant”, and resources that violate it are marked as “Non-compliant”. Users can view these resources from the Dashboard and fix the issues immediately.
Before diving deep into AWS Config, a common question arises: why should AWS Config be used? There are multiple use cases of AWS Config besides auditing and compliance. Following are some of the reasons why AWS Config should be used:
AWS Config continuously monitors and records the resources which makes it convenient to track the assets.
With AWS Config, users can determine the dependencies and relationships among different resources. For example, an S3 bucket is added as a trigger to a Lambda function. If, due to some malfunction, the S3 bucket can no longer invoke the Lambda function, users can inspect the relationship between the two resources and its history from the Config Dashboard.
There can be multiple resources running in an account. AWS Config allows its users to audit the resources periodically by specifying the interval after which the audit should run again. It can also evaluate a resource as soon as its configuration changes, which provides instant results for immediate action.
After auditing, a detailed report is provided to the user on the Dashboard. The non-compliant resources are displayed with “Warning signs”. This alerts the users to view the resource information and take action. AWS Config can also remediate the problem on its own by invoking the Lambda function configured with the rule.
AWS Config provides over 300 pre-defined rules. However, users can also implement custom config rules. The check for configuration compliance operates over these AWS-managed or custom rules.
When AWS Config is enabled, it starts the configuration recorder. The recorder captures the configurations of the resources, and the config rules evaluate them. A history of these records is kept in the form of snapshots, which are delivered to the S3 bucket. From there, two kinds of action can be taken: users are notified through the SNS service and remediate the problem manually, or a Lambda function remediates it automatically.
Following are the key concepts of the AWS Config:
Resources: These are the entities that should be managed, monitored, and evaluated by the AWS Config.
Config Rules: The rules can be AWS-managed or Custom-managed. These rules lay the foundation of the evaluation criteria of AWS Config.
Configuration Items: A configuration item represents a point-in-time view of a supported resource in the account. These items include metadata, relationships, attributes, related events, etc.
Config Snapshot: A snapshot is a collection of configuration items. The snapshots are used to maintain the history and keep track of the resources.
Config Recorder: It is responsible for creating the snapshots of resources in the account. The recorder can be enabled and disabled based on the user’s preference.
Conformance Packs: They provide a common framework and packaging model for compliance checks. Users can combine config rules and remediation actions into a single package, which can be deployed across accounts and regions of an organization.
AWS Config incurs charges and is not a free-to-use service. Users can specify the resources that should be managed and monitored. They can apply the rules provided by AWS or define their own rules. Upon finding a resource that is non-compliant with a rule, the user is notified through the Simple Notification Service.
Let’s explore the steps in which we can implement AWS Config for Continuous Monitoring:
Step 1: AWS Management Console
Search the “Config” service in the search bar of the AWS Management Console. Click on it from the displayed results:
Step 2: Get Started
Tap the “Get started” button from the AWS Config Console:
Step 3: General Settings
From the interface displayed, the user is provided with three different options. Users can either record all the current and future resources, record all the resources except those that are specified, or can only record the resources that are specified.
For this demo, select the highlighted option and check the “Include globally recorded resource types” option:
Users can specify a custom role for Config. For this purpose, select the “Choose a role from your account” option. However, users can also proceed with the existing role by choosing the “Use an existing AWS Config service-linked role” option:
Step 4: Delivery Method
In the “Delivery method” block, the user can choose the existing bucket where all the snapshots will be recorded or can create a new S3 bucket. For this tutorial, select the “Create a bucket” option under the Amazon S3 bucket section. Provide a unique identifier for the S3 bucket in the “S3 Bucket name (required)” text field.
The prefix is an optional field that can be custom-specified. Users can receive notifications, for example by e-mail subscribed to an SNS topic. For this purpose, check the “Amazon SNS topic” option and specify the name of a topic configured in the account:
Step 5: Tap the “Next” button
Click the “Next” button located at the bottom of the interface to proceed further:
Step 6: Config rules
Next comes the Config rules. By specifying the Config rules for the evaluation of the resources, users can track the compliance of the resources:
For this demo, scroll to the bottom of the interface and tap the “Next” button. The rules will be configured further in the demo:
Step 7: Confirm Configurations
In this step, the previously configured information is displayed to the user. After reviewing the information, click the “Confirm” button:
This will create the S3 bucket as specified in the Config setup. The user will be redirected to the Dashboard where the information about the resources is displayed:
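The same setup (Steps 3 to 7, plus the “restricted-ssh” rule that the next section adds through the console) can be applied with the AWS API. The block below is an added example written for this article, not code from AWS or the original post; it assumes boto3 and uses placeholder ARNs and a placeholder bucket name, and, unlike the console, it expects the S3 bucket (with a bucket policy that allows Config to write) to exist already.

```python
"""Enable AWS Config continuous monitoring with boto3 (example, not AWS's code)."""

RECORDER = "default"          # Config allows one recorder per region
RULE_NAME = "restricted-ssh"  # managed rule whose source identifier is INCOMING_SSH_DISABLED


def recorder_params(role_arn):
    """Record all current and future resources, including global ones such as IAM."""
    return {"name": RECORDER, "roleARN": role_arn,
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}


def delivery_channel_params(bucket, prefix=None, sns_topic_arn=None):
    """Snapshots and history go to S3; change notifications go to the SNS topic."""
    channel = {"name": RECORDER, "s3BucketName": bucket,
               "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}
    if prefix:
        channel["s3KeyPrefix"] = prefix
    if sns_topic_arn:
        channel["snsTopicARN"] = sns_topic_arn
    return channel


def restricted_ssh_rule_params():
    """Scope the managed rule to EC2 security groups only, as in the console demo."""
    return {"ConfigRuleName": RULE_NAME,
            "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"},
            "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]}}


def enable_continuous_monitoring(config, role_arn, bucket, prefix=None, sns_topic_arn=None):
    """Apply the pieces in the order Config requires: recorder and delivery channel
    must both exist before the recorder is started, and rules are added afterwards.
    `config` is a boto3 Config client (or any object exposing the same methods)."""
    config.put_configuration_recorder(ConfigurationRecorder=recorder_params(role_arn))
    config.put_delivery_channel(
        DeliveryChannel=delivery_channel_params(bucket, prefix, sns_topic_arn))
    config.start_configuration_recorder(ConfigurationRecorderName=RECORDER)
    config.put_config_rule(ConfigRule=restricted_ssh_rule_params())
    return [RECORDER, bucket, RULE_NAME]


if __name__ == "__main__":
    import boto3  # placeholders below must be replaced with your own account's values
    # The console's "existing service-linked role" is
    # arn:aws:iam::<account>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
    enable_continuous_monitoring(
        boto3.client("config"),
        role_arn="arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",
        bucket="PLACEHOLDER-config-bucket",
        sns_topic_arn="arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-topic")
```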
To implement rules for the evaluation, click on the “Rules” option from the navigation pane. Click the “Add rule” button from the Rules Dashboard:
On the next interface, the user is provided with three different options: AWS-managed rules, custom rules written in Guard, or custom rules backed by a Lambda function. The Lambda function evaluates the resource and determines whether it complies with the rule or not. For the moment, select the “Add AWS managed rule” option:
Scroll down to the “AWS Managed Rules” section. There are 356 pre-defined rules provided by AWS along with their description and names. The Labels specify the services supported by the rule:
For this demo, we are specifying the “restricted-ssh” rule for EC2 security groups. This rule checks that security groups do not allow unrestricted incoming SSH traffic. Search for the rule by using the “SSH” keyword and click on it to select it:
Proceed to the next step by clicking the “Next” button:
After clicking the “Next” button, scroll down to the “Scope of changes” section. Each of the three options displayed serves a different purpose:
- All changes: This will allow the Config to record changes whenever any resource is modified.
- Resources: By using this option, we can specify the resources for tracking.
- Tags: Users can also track the resources by their defined tags. After choosing this option, specify the tag’s key-value pair for unique identification.
For this demo, select the “Resources” option. In the “Resource category” text field, select the “AWS resources” option and for the “Resource type”, select the “AWS EC2 security group” option. This rule will check all the security groups for SSH traffic and will provide the details of the instances that are non-compliant with the rules:
Keeping the defaults, click the “Next” button located at the bottom of the interface:
On the next page, review the information and hit the “Save” button to configure the rule:
The rule has been successfully added:
Evaluating the security groups takes some time. After the evaluation, the dashboard displays the total number of security groups that are non-compliant with the rule:
To view the details of the non-compliant resources, tap the name of the “rule” from the dashboard:
Here, the information of the non-compliant security group is displayed:
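The third option above, a custom rule backed by a Lambda function, is shown below for the same check the “restricted-ssh” managed rule performs: flag a security group that allows TCP/22 ingress from 0.0.0.0/0 or ::/0. This is an added example, not the managed rule's source or code from the article; it assumes the camelCase configuration-item layout Config delivers for AWS::EC2::SecurityGroup and a constructed sample item, and it also handles the deleted-resource case, which must be reported as NOT_APPLICABLE rather than evaluated.

```python
"""Custom AWS Config rule handler for world-open SSH ingress (example code)."""
import json

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    """Collect source CIDRs; Config records plain strings and {cidrIp: ...} dicts."""
    out = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv4Ranges", "cidrIp"),
                       ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key, []):
            out.append(entry if isinstance(entry, str) else entry.get(field))
    return out


def _opens_ssh_to_world(permission):
    """True if this ingress entry covers TCP/22 (or all traffic) from any address."""
    proto = permission.get("ipProtocol")
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    covers_ssh = proto == "-1" or (proto == "tcp" and lo is not None
                                   and hi is not None and lo <= SSH_PORT <= hi)
    return covers_ssh and any(c in ANYWHERE for c in _cidrs(permission))


def build_evaluation(item):
    """Return the put_evaluations entry for one security-group configuration item."""
    base = {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return {**base, "ComplianceType": "NOT_APPLICABLE", "Annotation": "Resource deleted"}
    rules = item.get("configuration", {}).get("ipPermissions", [])
    if any(_opens_ssh_to_world(p) for p in rules):
        return {**base, "ComplianceType": "NON_COMPLIANT",
                "Annotation": "TCP/22 ingress allowed from 0.0.0.0/0 or ::/0"}
    return {**base, "ComplianceType": "COMPLIANT", "Annotation": "No world-open SSH ingress"}


def lambda_handler(event, context):
    """Entry point Config invokes; reports the verdict back with put_evaluations."""
    import boto3  # imported here so the pure evaluation logic above runs offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration item (not from a real account) for offline checks.
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example0open",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z", "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}}
```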
That is all from this section.
AWS Config follows the pay-as-you-go model: users are charged only for what they use of AWS Config. Charges are based on the configuration items recorded, so users pay only for the resources that Config monitors. Initially, users are charged $0.003 per configuration item recorded. A configuration item is recorded whenever a change occurs in a resource, whether in its configuration, its dependencies, or its relationships.
Charges for AWS Config can be determined from the monthly bill. Users can stop the configuration recorder at any time, and the resources can still be assessed on the basis of the previously recorded history. To learn more about AWS Config pricing, refer to the AWS Documentation.
To set up AWS Config, access the Config’s console, specify the resources and rules, and then hit the “Save” button to start the Config Recorder. AWS Config will evaluate the resources based on the config rule specified. The information will be displayed on the Dashboard. Each resource is either marked as “Compliant” or “Non-compliant” for easy identification of issues. This article is an extensive guide to setting up AWS Config for compliance and monitoring purposes.