AWS Config: A Year in Review 2017

It’s been another exciting year for AWS Config, a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. We have expanded our regional availability, added support for new resource types, introduced new managed Config rules, and introduced a dashboard view of your resource configuration and compliance. In this post, I recap some of this year’s announcements and provide links to additional resources.

Regional expansion: With the addition of the South America (São Paulo), Canada (Central), Asia Pacific (Mumbai), and Europe (London) Regions, AWS Config now supports Config rules in all 17 public AWS Regions and in AWS GovCloud (US). For the complete list of regions where Config and Config rules are available, see the AWS Config section under AWS Regions and Endpoints.

New resource types: We have added support for eight new services in 2017. You can now record configuration changes from the following:

• AWS CloudFormation
• Classic Load Balancers
• AWS WAF
• Amazon CloudFront
• AWS CodeBuild
• Auto Scaling groups
• Amazon DynamoDB
• Amazon CloudWatch

New managed rules: AWS Config allows you to enable rules to evaluate whether your AWS resources comply with common best practices. In 2017, we added support for nine new rules, bringing the total to 47. Two of the rules that we announced during the AWS NY Summit allow you to secure your Amazon S3 buckets. The rules check your S3 buckets for unrestricted public write access or unrestricted public read access. They are backed by a new semantic-based automated reasoning engine, which returns a compliance decision.

Notable features: In 2017, we released ready-to-use AWS CloudFormation templates for all managed rules and added support for a test mode to check the functionality of custom Config rules. Using the test mode, you can safely check whether your custom Config rules are correctly reporting evaluation results for your resources without sending evaluation results to Config and incurring charges.

We also introduced an AWS Config dashboard that allows you to view the total number of resources being recorded in your account and the count of resources by type to easily access the configuration history of a resource. With a Config dashboard, you can also quickly spot the number of resources that are non-compliant with your Config rules in each region, view the Config rules with the most non-compliant resources, and drill down to view the resources that are non-compliant with a particular Config rule.

For the complete list of 2017 AWS Config announcements, see What’s New from AWS Config. To view Config documentation, click here.

Individual announcements for the releases noted in this post are listed below.

Regional expansion:

• AWS Config Supports Rules in South America (Sao Paulo) and Canada (Central) regions
• AWS Config Rules Available in AWS GovCloud (US)
• AWS Config Supports Rules in Asia Pacific (Mumbai) Region
• AWS Config Rules Available in Europe (London) Region

New resource types:

• AWS Config Adds Support for Classic Load Balancers
• AWS Config Adds Support for AWS WAF and Amazon CloudFront
• AWS Config Adds Support for AWS CodeBuild
• AWS Config Adds Support for Auto Scaling Groups
• AWS Config Adds Support for Amazon DynamoDB Tables
• AWS Config Tracks Changes to AWS CloudFormation Stacks
• AWS Config Supports Amazon CloudWatch Alarms and Additional Rules

New managed rules:

• AWS Config Supports New Managed Rules for Securing Amazon S3 Buckets
• AWS Config Supports Amazon CloudWatch Alarms and Additional Rules
• AWS Config Rules Supports New Managed Rules

Notable features:

• Introducing AWS Config Dashboard
• AWS Config Rules Adds AWS CloudFormation Templates and a Test Mode for Rule Authoring

The AWS Config team is excited about 2018 and is looking forward to continually adding new functionality. To learn more about Config features, see the AWS Config page.