AWS Cloud Operations Blog
Use AWS Config inventory and compliance dashboards for a unified view of resource inventory and compliance
We recently announced AWS Config compliance and inventory dashboards, a new AWS Config feature, that provides unified dashboards for AWS resource configurations and compliance across AWS accounts, AWS regions, or an AWS Organization. In this blog post, I will walk you through the dashboards and widgets that are included as of today for this launch.
About AWS Config service
AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications to use for security and governance. With AWS Config, you can discover existing AWS resources, record configurations for third-party resources, export a complete inventory of your resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities use compliance, auditing, security analysis, resource change tracking, and troubleshooting.
Background
AWS Config enables users to continuously track and monitor the configuration and compliance of their AWS resources. It also enables users to assess resource compliance using AWS Config rules, and tracks how configurations change over time. As customer’s workload on AWS grows in size and complexity to span multiple accounts and regions, the number of resources and configuration complexity grows with it. Cloud operations teams have traditionally leveraged advanced queries in AWS Config to gain deeper insights into the state of their resources and configuration. Now with the introduction of inventory and compliance dashboards some of those insights are now readily available as prebuilt, curated dashboards providing a quick glimpse into the overall state of resources and their compliance. There is no extra charge for using inventory and compliance dashboards.
Prerequisites
- The inventory and compliance dashboards rely on the AWS Config Aggregator to aggregate the data into a single data source. An aggregator must be created and configured before dashboards can be enabled and populated. Please note that this feature supports all configuration types in AWS Organizations such as single account multi-region, multi-account multi-region, and at AWS Organization level.
- Permissions: Most existing AWS Config service-related roles should be sufficient, but at a minimum, the following permissions are needed for accessing inventory and compliance dashboards.
config:DescribeConfigAggregators
config:SelectAggregateResourceConfig
Scenario
Let’s say you are a cloud administrator managing a large AWS environment spanning across multiple AWS accounts and regions. You are often faced with questions such as, “what percentage of total” resources are reporting noncompliant status? Or “What is the most common resource type across the” entire environment? etc. Before you start building an advanced query, you can now first refer to inventory and compliance dashboards to see if one of the existing dashboards already provide the data you are looking for.
Available dashboards and widgets
There are two main dashboards each containing multiple widgets. These are the widgets available per dashboard at launch.
Compliance dashboard
- Compliance summary by resources
- Top 10 resource types by noncompliant resources
- Top 10 accounts by noncompliant resources
- Top 10 regions by noncompliant resources
- Top 10 account level conformance packs by noncompliant rules
- Top 10 Organization level conformance packs by noncompliant rules
- Top 10 accounts by noncompliant rules across conformance packs
Inventory dashboard
- Top 10 resource types by resource count
- Resource count by region
- Top 10 accounts by resource count
- Resource count by Amazon EC2 service resource types
- Top 5 EC2 instance types
- Number of EC2 instances that are running vs. stopped by type
- EBS Volumes by volume type and size
Getting started
- To access inventory and compliance dashboards, log into your AWS account and access the AWS Config service console (fig. 1).
- In the main, AWS Config screen, expand Aggregators in the left-hand pane and select either Compliance dashboard or Inventory dashboard.
- If you have multiple aggregators configured, you can select the correct one from the dropdown menu (fig. 2)
Once the correct aggregator is selected, the dashboards will show up at the bottom section of this screen. Following (fig. 3) is an example showing overall compliance state (compliant vs noncompliant).
From here you can explore any of the widgets available in each dashboard. Please note that, the data populated in each widget is obtained from the aggregator, if there is no data available, your widget will not be populated.
You can refine and fine-tune the data shown in a widget by applying a filter (fig. 4) – for example you can refine “Compliance summary by resources” widget to show compliant vs noncompliant summary for a particular region.
Inventory and compliance dashboards are powered by AWS Config advanced queries. You can select the “View and analyze query editor” link inside the widget to view the underlying advanced query. Once inside query editor, you can examine the SQL statement for that query and use it as a starting point to build more complex queries customized to your need. Please refer to Querying the Current Configuration State of AWS Resources for more information.
Conclusion
In this post, I showed you how you can leverage inventory and compliance dashboards in AWS Config to gain quick insights into the compliance state and inventory of your AWS resources across multiple accounts and regions. To learn more about this feature, please visit AWS Config service documentation