AWS Management & Governance Blog

Category: AWS Config

Understanding the differences between configuration history and configuration snapshot files in AWS Config

When you run your applications on AWS, you often use AWS resources, which you must create and manage collectively. As the demand for your application keeps growing, so does your need to keep track of your AWS resources. AWS Config tracks changes made to these supported AWS resources and records their changes as configuration items (CIs), […]

Read More
Architecture diagram with icons representing the AWS services and their relationships for the CloudWatchAutoAlarms Lambda function

Use tags to create and maintain Amazon CloudWatch alarms for Amazon EC2 instances (Part 1)

This blog post is the first in a two-part series. I walk you through a solution to automatically create and enforce a standard set of Amazon CloudWatch metric alarms for Amazon Elastic Compute Cloud  (Amazon EC2) instances by using Amazon EC2 instance tags. Creating and configuring a standard set of CloudWatch alarms for a large […]

Read More

Use tags to create and maintain Amazon CloudWatch alarms for Amazon EC2 instances (Part 2)

This blog post is the second in a two-part series. Part one of this blog post showed how to deploy and configure the CloudWatchAutoAlarms Lambda function to create a default alarm set and custom alarms for your Amazon Elastic Compute Cloud (Amazon EC2) instances using EC2 instance tags. In this post, I show how you […]

Read More

Best practices for AWS Config conformance packs

AWS Config conformance packs help you manage configuration compliance of your AWS resources at scale. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account or across an organization in AWS Organizations. This is particularly useful if you need to quickly establish a […]

Read More

Continuous permissions rightsizing to ensure least privileges in AWS using CloudKnox and AWS Config

This blog post was contributed by Kanishk Mahajan, AWS and Maya Neelakandhan, CloudKnox As you migrate your workloads to the cloud or operate your existing workloads in the cloud it would be ideal if every application was deployed with the exact permissions that it required. In practice, however, the effort required to determine the precise […]

Read More

Best practices for creating and managing sandbox accounts in AWS

Organizations use multiple environments, each with different security and compliance controls, as part of their deployment pipeline. Following the principle of least privilege, production environments have the most restrictive security and compliance controls. They tightly limit who can access the environment and which actions each user (or principal) can perform. Development and test environments also […]

Read More

Visualizing AWS Config data using Amazon Athena and Amazon QuickSight

In this guest post, Henrik André Olsen, Solutions Architect, discusses how he visualized AWS Config data in Amazon QuickSight dashboards with a high value for the Danish insurance company Topdanmark.  If you are an AWS Config user, you are probably already familiar with how to use the AWS Config console to access data, but it’s […]

Read More

View AWS Config rules across multiple accounts and Regions using AWS Systems Manager Explorer

AWS Systems Manager Explorer is a customizable operations dashboard that displays an aggregated view of operations data from across your AWS accounts and AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category. In this blog post, I explain how Explorer gathers the compliance status of AWS […]

Read More

Viewing permission issues with service-linked roles

Each AWS service requires explicit access to resources, endpoints, and objects that reside in the domain of another service. This is referred to as the permission boundary. Services like AWS Config, Amazon Macie, and AWS GuardDuty require an AWS Identity and Access Management (IAM) role that grants access to resources outside of its control. Understanding […]

Read More

DevSecOps for auto healing PCI DSS 3.2.1 violations in AWS using custom AWS Config conformance packs, AWS Systems Manager and AWS CodePipeline

If you migrate your workloads to the cloud to modernize your applications or secure infrastructure and operations, you’ll find these migrations are increasingly performed with a DevOps methodology that incorporates continuous development, integration, and testing. It is always a best practice to incorporate security as code in your DevOps workflows to uncover security issues when […]

Read More