AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
You can view continuously updated details of all configuration attributes of your AWS resources as well as software configurations within EC2 instances. You are notified via Amazon Simple Notification Service (SNS) of the updated configuration and the specific changes from the previous state, and you can process these notifications programmatically.
AWS Config Rules allows you to assess overall compliance of your AWS resource configurations with organization policies and guidelines. There’s no need to start a compliance scan in order to see the status of your AWS resources. You can choose to evaluate rules each time an AWS resource changes or at a regular interval. You can get notified about changes in compliance of your rules using Amazon SNS.
You can enable AWS Config and get started with Config Rules with a few clicks in the AWS Management Console. AWS Config will discover your AWS resources and start recording configuration changes. You can create basic rules using the pre-built templates managed by AWS, and assess compliance. You can also access information about the configuration of any resource, status of rules and compliance using the AWS Management Console, CLI, or SDKs.
AWS Config Rules gives you a visual dashboard with lists, charts, and graphs to help you quickly spot non-compliant resources and take appropriate action. IT Administrators, Security Experts, Developers, and Operators can see a shared view of compliance. For organizations subject to established industry standards, Config Rules can help to ensure compliance.
You can configure pre-built rules managed by AWS to meet your governance criteria, or create your own custom rules that codify internal practices and guidelines. You can create custom rules in AWS Lambda using several examples provided.
You can choose from numerous AWS Partner Network (APN) partners who provide solutions that integrate with AWS Config and Config Rules for resource discovery, change management, compliance or security.
AWS Config will discover resources that exist in your account, record their current configuration and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of all configuration changes. AWS Config represents relationships between resources, so that you can assess how a change to one resource may impact other resources.
AWS Config and Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time, and evaluating relevant configration changes against rules that you can define.
Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.
Properly configured resources improve your security posture. Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.