AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
AWS Config Rules is a new set of cloud governance capabilities that allow IT Administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of pre-built rules based on common AWS best practices or custom rules that you define. For example, you can check that EBS volumes are encrypted, EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. AWS Config Rules can continuously monitor configuration changes to your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT Administrator can quickly determine when and how a resource went out of compliance.
AWS Config Rules is now available in the US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt) and Asia Pacific (Tokyo) regions.
You can view continuously updated details of all configuration attributes of your AWS resources. You are notified via Amazon Simple Notification Service (SNS) of the updated configuration and the specific changes from the previous state, and you can process these notifications programmatically.
AWS Config Rules allows you to assess overall compliance of your AWS resource configurations with organization policies and guidelines. There’s no need to start a compliance scan in order to see the status of your AWS resources. You can choose to evaluate rules each time an AWS resource changes or at a regular interval. You can get notified about changes in compliance of your rules using Amazon SNS.
You can enable AWS Config and get started with Config Rules with a few clicks in the AWS Management Console. AWS Config will discover your AWS resources and start recording configuration changes. You can create basic rules using the pre-built templates managed by AWS, and assess compliance. You can also access information about the configuration of any resource, status of rules and compliance using the AWS Management Console, CLI, or SDKs.
AWS Config Rules gives you a visual dashboard with lists, charts, and graphs to help you quickly spot non-compliant resources and take appropriate action. IT Administrators, Security Experts, Developers, and Operators can see a shared view of compliance. For organizations subject to established industry standards, Config Rules can help to ensure compliance.
You can configure pre-built rules managed by AWS to meet your governance criteria, or create your own custom rules that codify internal practices and guidelines. You can create custom rules in AWS Lambda using several examples provided.
You can choose from numerous AWS Partner Network (APN) partners who provide solutions that integrate with AWS Config and Config Rules for resource discovery, change management, compliance or security.
AWS Config will discover resources that exist in your account, record their current configuration and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of all configuration changes. AWS Config represents relationships between resources, so that you can assess how a change to one resource may impact other resources.
AWS Config and Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time, and evaluating relevant configuration changes against rules that you can define.
Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.
Properly configured resources improve your security posture. Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.