A Year in AWS Config and AWS Config Rules

AWS Config is a fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. You can use AWS Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. Over the last year, we expanded the service coverage for Config in 7 new regions, and expanded support for Config rules in 9 new regions. We added support for 15 resource types from 6 new services, and developed 18 new managed rules. Let’s look back on these significant new features and updates to Config and Config Rules that we introduced in 2016.

New regions: AWS Config is available in the Asia Pacific (Seoul), Asia Pacific (Mumbai), China (Beijing), Canada (Central), EU (London), US East (Ohio), and GovCloud (US) Regions, in addition to 9 other regions we added in previous years. Similarly, you can now verify compliance policies for provisioning and configuring AWS resources with Config Rules in US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), US East (Ohio), and US West (N. California) Regions, in addition to US East (N. Virginia). See all regions and endpoints supported by AWS Config and AWS Config Rules here.

New resource types: You can record configuration changes from 15 resource types from the following services: Amazon Redshift, AWS Certificate Manager (ACM), Amazon Relational Database Service (Amazon RDS), Application Load Balancers from the Elastic Load Balancing (ELB) service, Amazon S3, and Amazon EC2 Systems Manager. Learn more about all supported AWS resource types here.

New managed rules: You can use the following managed rules to assess compliance of your AWS and on-premises infrastructure against desired configurations.

Compute

• approved-amis-by-id
  • Check whether your running instances are using specified AMIs. Running instances with AMIs that are not on the compliance list are flagged as noncompliant.
• approved-amis-by-tag
  • Check whether your running instances are using specified AMIs. You can specify the tags that identify the AMIs. Running instances with AMIs that don’t have at least one of the specified tags are flagged as noncompliant.
• desired-instance-tenancy
  • Check your instances for specified tenancy.
• desired-instance-type
  • Check whether your EC2 instances are of the specified instance types.
• ebs-optimized-instance
  • Check whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
• ec2-managedinstance-applications-blacklisted
  • Check that none of the specified applications are installed on your instance.
• ec2-managedinstance-applications-required
  • Check whether all of the specified applications are installed on your instance.
• ec2-managedinstance-platform-check
  • Check whether EC2 managed instances have the desired configurations.

Database

• db-instance-backup-enabled
  • Check whether your RDS DB instances have backups enabled. Optionally, you can check the backup retention period and the backup window.

• dynamodb-throughput-limit-check
  • Check whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.
• rds-multi-az-support
  • Check whether high availability is enabled for your RDS DB instances.
• rds-storage-encrypted
  • Check whether storage encryption is enabled for your RDS DB instances.
• redshift-cluster-configuration-check
  • Check whether Amazon Redshift clusters have the specified settings.
• redshift-cluster-maintenancesettings-check
  • Check whether Amazon Redshift clusters have the specified maintenance settings.

Security, Identity, and Compliance

• iam-password-policy
  • Check whether your account password policy for IAM users meets the specified requirements.
• root-account-mfa-enabled
  • Check whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

Storage

• s3-bucket-logging-enabled
  • Check whether logging is enabled for your S3 buckets.
• s3-bucket-versioning-enabled
  • Check whether versioning is enabled for your S3 buckets.

Rule re-evaluation: You can re-evaluate your Config rules manually to verify that your rules are assessing your resources correctly. This capability helps identify issues with the logic in your Config rule. Learn more about evaluating AWS Config Rules on demand here.

New AWS Config Rules Repository: You can share and benefit from the rules created by the AWS Community through the AWS Config rules GitHub repository. To learn more, see the AWS Security Blog.

Support for EC2 software inventory: You can gain visibility into AWS and on-premises operating system configurations, system-level updates, installed applications, network configuration, and more through AWS Config integration with Amazon EC2 Systems Manager.

AWS CloudTrail integration: The AWS Config console integrates with AWS CloudTrail to display API events associated with configuration changes. The API events contain details such as the name of the API, user identity of the caller, and the time at which the API call was made. You can use this information to correlate the API calls that may have resulted in the configuration changes recorded by AWS Config. To learn more about this feature, read our documentation here.

Compliance certifications: AWS Config is certified with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2, which enables you to rely on AWS infrastructure as you manage your own PCI DSS compliance certification. AWS Config is now also certified with International Organization for Standardization and meets requirements of ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.

The AWS Config team is excited about 2017 and is looking forward to continually improving Config and Config Rules functionality. To learn more about Config features, see the AWS Config page.