Q: What is AWS Config?
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Q: What is a Config Rule?
A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
Q: What is a Conformance Pack?
A conformance pack is a collection of Config rules and remediation actions that is built using a common framework and packaging model in AWS Config. By packaging the above Config artifacts, you can simplify the deployment and reporting aspects of governance policies and configuration compliance across multiple accounts and regions and reduce the time that a resource is left in a non-compliant state.
Q: What are the benefits of AWS Config?
AWS Config makes it easy to track your resource’s configuration without the need for up-front investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change.
Q: How can AWS Config help with audits?
AWS Config gives you access to resource configuration history. You can relate configuration changes with AWS CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as “Who made the change?”, “From what IP address?” to the effect of this change on AWS resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time.
Q: Who should use AWS Config and Config Rules?
Any AWS customer looking to improve their security and governance posture on AWS by continuously evaluating the configuration of their resources would benefit from this capability. Administrators within larger organizations who recommend best practices for configuring resources can codify these rules as Config Rules, and enable self-governance among users. Information Security experts who monitor usage activity and configurations to detect vulnerabilities can benefit from Config Rules. Customers with workloads that need to comply with specific standards (e.g. PCI-DSS or HIPAA) can use this capability to assess compliance of their AWS infrastructure configurations, and generate reports for their auditors. Operators who manage large AWS infrastructure or components that change frequently can also benefit from Config Rules for troubleshooting.Customers who want to track changes to resources configuration, answer questions about resource configurations, demonstrate compliance, troubleshoot or perform security analysis should turn on AWS Config.
Q: Who should use AWS Config Conformance Packs?
If you are looking for a framework to build and deploy compliance packages for your AWS resource configurations across several accounts, which includes rules and remediation actions that are authored by AWS APN partners or even themselves, then they should use conformance packs. This framework could be used to build customized packs for Security, DevOps and other personas, and customers can quickly get started using one of the sample conformance pack templates.
Q: Does the service guarantee that my configurations are never out of compliance?
Config rules and conformance packs provide information about whether your resources are compliant with configuration rules you specify. They will evaluate resource configurations against the Config rules either periodically or upon detecting configuration changes, or both, depending upon how you have configured the rule. They do not guarantee that resources will be compliant or prevent users from taking non-compliant actions. They can be used however, to bring a non-compliant resource back into compliance by configuring appropriate remediation actions for each Config rule.
Q: Does the service prevent users from taking non-compliant actions?
Config Rules does not directly affect how end-users consume AWS. It evaluates resource configurations only after a configuration change has been completed and recorded by AWS Config. Config Rules does not prevent the user from making changes that could be non-compliant. To control what a user can provision on AWS and configuration parameters allowed during provisioning, please use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.
Q: Can rules be evaluated prior to provisioning a resource?
Config Rules evaluates rules after the Configuration Item (CI) for the resource is captured by AWS Config. It does not evaluate rules prior to provisioning a resource or prior to making configuration changes on the resource.
Q: How does AWS Config work with AWS CloudTrail?
AWS CloudTrail records user API activity on your account and allows you to access information about this activity. You get full details about API actions, such as identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs). You can use a CI to answer “What did my AWS resource look like?” at a point in time. You can use AWS CloudTrail to answer “Who made an API call to modify this resource?” For example, you can use the AWS Management Console for AWS Config to detect security group “Production-DB” was incorrectly configured in the past. Using the integrated AWS CloudTrail information, you can pinpoint which user misconfigured “Production-DB” security group.
Q: Can I monitor compliance information of multiple accounts and regions via a central account?
AWS Config makes it easy to monitor compliance status across multiple accounts and regions using the multi-account, multi-region data aggregation capability. You can create a configuration aggregator in any account and aggregate the compliance details from other accounts. This capability is also integrated with AWS Organizations, so you can aggregate data from all accounts within your organization.
Q: Do I turn on AWS Config regionally or globally?
You turn on AWS Config on a per-region basis for your account.
Q: Can AWS Config aggregate data across different AWS accounts?
Yes, you can set up AWS Config to deliver configuration updates from different accounts to one S3 bucket, once the appropriate IAM policies are applied to the S3 bucket. You can also publish notifications to the one SNS Topic, within the same region, once appropriate IAM policies are applied to the SNS Topic.
Q: Is API activity on AWS Config itself logged by AWS CloudTrail?
Yes. All AWS Config API activity, including use of AWS Config APIs to read configuration data, is logged by AWS CloudTrail.
Q: What time and timezones are displayed in the timeline view of a resource? What about daylight savings?
AWS Config displays the time at which Configuration Items (CIs) were recorded for a resource on a timeline. All times are captured in Coordinated Universal Time (UTC). When the timeline is visualized on the management console, the services uses the current time zone (adjusted for daylight savings, if relevant) to display all times in the timeline view.
Q: What is a resource’s configuration?
Configuration of a resource is defined by the data included in the Configuration Item (CI) of AWS Config. The initial release of Config Rules makes the CI for a resource available to relevant rules. Config Rules can use this information along with any other relevant information such as other attached resource, business hours, etc. to evaluate compliance of a resource’s configuration.
Q: What is a rule?
A rule represents desired Configuration Item (CI) attribute values for resources and are evaluated by comparing those attribute values with CIs recorded by AWS Config. There are two types of rules:
AWS managed rules: AWS managed rules are pre-built and managed by AWS. You simply choose the rule you want to enable, then supply a few configuration parameters to get started. Learn more »
Customer managed rules: Customer managed rules are custom rules, defined and built by you. You can create a function in AWS Lambda that can be invoked as part of a custom rule and these functions execute in your account. Learn more »
The quickest way to get started with AWS Config is to use the AWS Management Console. You can turn on AWS Config in a few clicks. For additional details, see the Getting Started documentation.
Q: How are rules created?
Rules are typically set up by the AWS account administrator. They can be created by leveraging AWS managed rules – a predefined set of rules provided by AWS or through customer managed rules. With AWS managed rules updates to the rule are automatically applied to any account using that rule. In the customer-managed model, the customer has a full copy of the rule, and executes the rule within his/her own account. These rules are maintained by the customer.
Q: How are rules evaluated?
Any rule can be setup as a change-triggered rule or as a periodic rule. A change-triggered rule is executed when AWS Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:
Tag Key:(optional Value): A tag key:value implies any configuration changes recorded for resources with the specified tag key:value will trigger an evaluation of the rule.
Resource type(s): Any configuration changes recorded for any resource within the specified resource type(s) will trigger an evaluation the rule.
Resource ID: Any changes recorded to the resource specified by the resource type and resource ID will trigger an evaluation of the rule.
A periodic rule is triggered at a specified frequency. Available frequencies are 1hr, 3hr, 6hr, 12hr or 24hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.
Q: What is an evaluation?
Evaluation of a rule determines whether a rule is compliant with a resource at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. Config Rules will capture and store the result of each evaluation. This result will include the resource, rule, time of evaluation and a link to Configuration Item (CI) that caused non-compliance.
Q: What does compliance mean?
A resource is compliant if complies with all rules that apply to it. Otherwise it is noncompliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with the rule. Otherwise it is noncompliant. In some cases, such as when inadequate permissions are available to the rule, an evaluation may not exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.
Q: What information does the Config Rules dashboard provide?
The Config Rules dashboard gives you an overview of resources tracked by AWS Config, and a summary of current compliance by resource and by rule. When you view compliance by resource, you can determine if any rule that applies to the resource is currently not compliant. You can view compliance by rule, which tells you if any resource under the purview of the rule is currently non-compliant. Using these summary views, you can dive deeper into the Config timeline view of resources, to determine which configuration parameters changed. Using this dashboard, you can start with an overview and drill into fine-grained views that give you full information about changes in compliance status, and which changes caused non-compliance.
Q: When should I use AWS Config Rules versus Conformance Packs?
You can use individual AWS Config rules to evaluate resource configuration compliance in one or more accounts. Conformance packs provide the additional benefit of packaging rules along with remediation actions into a single entity that can be deployed across an entire organization with a single click. Conformance packs are intended to simplify compliance management and reporting at-scale, when you are managing several accounts. Conformance packs are designed to provide aggregated compliance reporting at the pack level as well as immutability, to help you ensure that the managed AWS Config rules and remediation documents within the conformance pack cannot be modified or deleted by the individual member accounts of an organization.
Q: When should I use AWS Config Conformance Packs vs. AWS Security Hub compliance standards?
If you are looking for a managed service that offers AWS-validated collections of automated checks related to regulatory and best practice frameworks, then AWS Security Hub is the recommended service. Security Hub will update its compliance standards, if there are changes to regulatory requirements or new best practices identified, so that you don’t have to worry about updating these standards yourself.
On the other hand, if you are looking for a self-managed service, i.e. a framework to build and deploy configuration compliance packages that could include rules and remediation actions that are authored by AWS, APN Partners or even themselves, then they should use conformance packs. This framework could be used to build customized packs for Security, DevOps or any other persona and customers can quickly get started using one of the sample conformance pack templates.
Q: How do I get started with Conformance Packs?
The quickest way to get started is by creating a conformance pack using one of our sample templates via the CLI or the AWS Config console. Some of the sample templates include Amazon S3 Operational Best Practices, Amazon DynamoDB Operational Best Practices and Operational Best Practices for PCI. These templates are written in YAML. You can download these templates from our documentation site and modify them to suit your environment using your favorite text editor. You can even add custom AWS Config rules that you may have previously written into the pack.
Multi-account, multi-region data aggregation
Q: What is multi-account, multi-region data aggregation?
Data aggregation in AWS Config allows you to aggregate AWS Config data from multiple accounts and regions into a single account. Multi-Account data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise.
Q: Can I use the data aggregation capability to centrally provision Config rules across multiple accounts?
The data aggregation capability cannot be used for provisioning rules across multiple accounts. It is purely a reporting capability that provides visibility into your compliance. You can use CloudFormation StackSets to provision rules across accounts and regions. Here is a useful blog.
Q: What is an aggregator?
An aggregator is an AWS Config resource type that collects AWS Config data from multiple accounts and regions. Use an aggregator to view the resource configuration and compliance data recorded in AWS Config for multiple accounts and regions.
Q: What information does the Aggregated view provide?
The Aggregated view displays the total count of non-compliant rules across the organization, the top five non-compliant rules by number of resources, and the top five AWS accounts that have the most number of non-compliant rules. You can then drill down to view more details about the resources that are violating the rule and the list of rules that are being violated by an account.
Q: I am not an AWS Organizations customer. Can I still use the data aggregation capability?
You can specify the accounts to aggregate the Config data from, by uploading a file or by individually entering accounts. Note that since these accounts are not part of any AWS organization, you will need each account to explicitly authorize the aggregator account. Learn more.
Q: I only have a single account, can I still take advantage of the data aggregation capability?
The data aggregation capability is useful for multi-region aggregation as well. So you can aggregate the Config data for your account across multiple regions using this capability.
Q: In what regions is the multi-account, multi-region data aggregation capability available?
The data aggregation capability is available in the following nine regions: US East (N.Virginia), US East (Ohio), US West (Oregon), US West (San Francisco), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Sydney), and Asia Pacific (Singapore).
Q: What if I have an account that includes a region not supported by this feature?
When you create an aggregator, you specify the regions from where you can aggregate data. This list only shows regions where this feature is available. You can also select “all regions”, in which case as soon as support is added in other regions, it will automatically aggregate the data.
Services and region support
Q: What regions is AWS Config available in?
For details on the regions where AWS Config is available, please visit this page:
Q: What is a configuration item?
A Configuration Item (CI) is the configuration of a resource at a given point-in-time. A CI consists of 5 sections:
- Basic information about the resource that is common across different resource types (e.g., Amazon Resource Names, tags),
- Configuration data specific to the resource (e.g., EC2 instance type),
- Map of relationships with other resources (e.g., EC2::Volume vol-3434df43 is “attached to instance” EC2 Instance i-3432ee3a),
- AWS CloudTrail event IDs that are related to this state (only for AWS resources)
- Metadata that helps you identify information about the CI, such as the version of this CI, and when this CI was captured.
Q: What is a custom configuration item?
A custom configuration item is the Configuration Item for a third party or custom resource. Examples include on-premise databases, Active Directory servers, version control systems like GitHub and third party monitoring tools such as Datadog.
Q: What are AWS Config relationships and how are they used?
AWS Config takes the relationships among resources into account when recording changes. For example, if a new Amazon EC2 Security Group is associated with an Amazon EC2 Instance, AWS Config records the updated configurations of both the primary resource, the Amazon EC2 Security Group, and related resources, such as the Amazon EC2 Instance, if these resources actually changed.
Q: Does AWS Config record every state a resource has been in?
AWS Config detects change to resource's configuration and records the configuration state that resulted from that change. In cases where several configuration changes are made to a resource in quick succession (e.g. within a span of few minutes), Config will only record the latest configuration of that resource that represents cumulative impact of the set of changes. In these situations, Config will only list the latest change in the relatedEvents field of the Configuration Item.This allows users and programs to continue to change infrastructure configurations without having to wait for Config to record intermediate transient states.
Q: Does AWS Config record configuration changes that did not result from API activity on that resource?
Yes, AWS Config will regularly scan configuration of resources for changes that haven't yet been recorded and record these changes. CIs recorded from these scans will not have a relatedEvent field in the payload, and only the latest state that is different from state already recorded is picked up.
Q: Does AWS Config record configuration changes to software within EC2 instances?
Yes. AWS Config enables you to record configuration changes to software within EC2 instances in your AWS account and also virtual machines (VMs), or servers in your on-premises environment. The configuration information recorded by AWS Config includes Operating System updates, network configuration, installed applications, etc. You can evaluate whether your instances, VMs, and servers are in compliance with your guidelines using AWS Config Rules. The deep visibility and continuous monitoring capabilities provided by AWS Config allow you to assess compliance and troubleshoot operational issues.
Q: Does AWS Config continue to send notifications if a resource that was previously non-compliant is still non-compliant after a periodic rule evaluation?
AWS Config sends notifications only when the compliance status changes. If a resource was previously non-compliant and is still non-compliant, Config will not send a new notification. If the compliance status changes to “compliant”, you will receive a notification for the change in status.
Q: Can I flag or exempt resources from being evaluated by Config rules?
When you configure Config rules, you can specify whether your rule runs evaluations against specified resource types or resources with a specific tag.
Q: How will I be charged for AWS Config?
With AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations and the number of conformance pack evaluations in your account. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance state evaluation of a resource by a AWS Config rule in your AWS account, and a conformance pack evaluation is the evaluation of a resource by a AWS Config rule within the conformance pack. For more detail and examples, visit https://aws.amazon.com/config/pricing/
Q: Does the pricing for AWS Config Rules include the costs for AWS Lambda functions?
You can choose from a set of managed rules provided by AWS or you can author your own rules, written as AWS Lambda functions. Managed rules are fully maintained by AWS and you do not pay any additional AWS Lambda charges to run them. Simply enable managed rules, provide any required parameters, and pay a single rate for each active AWS Config rule in a given month. Custom rules give you full control as they are executed as AWS Lambda functions in your account. In addition to monthly charges for an active rule, standard AWS Lambda free tier* and function execution rates apply to custom AWS Config rules.
*AWS Free Tier is not available in the AWS China (Beijing) Region or the AWS China (Ningxia) Region.
Q: I want to change the Lambda function for my custom AWS Config rule. What is the recommended approach?
Charges are incurred whenever a new rule is created and it becomes active. If you need to update or replace the Lambda function associated with a rule, the recommended approach is to update the rule instead of deleting it and creating a new rule.
Q: What AWS Partner solutions are available for AWS Config?
APN Partner solutions such as Splunk, ServiceNow, Evident.IO, CloudCheckr, Redseal Networks and RedHat CloudForms provide offerings that are fully integrated with data from AWS Config. Managed Service Providers, such as 2ndWatch and CloudNexa have also announced integrations with AWS Config. Additionally, with Config Rules, partners such as CloudHealth Technologies, AlertLogic and TrendMicro are providing integrated offerings that can be used by customers. These solutions include capabilities such as change management and security analysis and allow you to visualize, monitor and manage AWS resource configurations.
For more information, click here.