Q: What is AWS Config?
AWS Config is a fully managed service that provides you with resource inventory, configuration history, and configuration change notifications to use security and governance. With AWS Config, you can discover existing AWS resources, record configurations for third-party resources, export a complete inventory of your resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities use compliance auditing, security analysis, resource change tracking, and troubleshooting.
Q: What is an AWS Config rule?
An AWS Config rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using AWS Config rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
Q: What is a conformance pack?
A conformance pack is a collection of AWS Config rules and remediation actions that is built using a common framework and packaging model on AWS Config. By packaging the preceding AWS Config artifacts, you can simplify the deployment and reporting aspects of governance policies and configuration compliance across multiple accounts and Regions and reduce the time that a resource is kept in a non-compliant state.
Q: What are the benefits of AWS Config?
AWS Config makes it easier to track your resource’s configuration without the need for upfront investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified through Amazon Simple Notification Service (SNS) of every configuration change.
Q: How can AWS Config help with audits?
AWS Config gives you access to resource configuration history. You can relate configuration changes with AWS CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as, “Who made the change?” and “From what IP address?”, to the effect of this change on AWS resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period.
Q: Who should use AWS Config and AWS Config rules?
Any AWS customer looking to improve their security and governance posture on AWS by continuously evaluating the configuration of their resources would benefit from this capability. Administrators within larger organizations who recommend best practices for configuring resources can codify these rules as AWS Config rules, and instill self-governance among users. Information security experts who monitor usage activity and configurations to detect vulnerabilities can benefit from AWS Config rules. If you have a workload that must comply to specific standards (e.g. PCI-DSS or HIPAA) can use this capability to assess compliance of their AWS infrastructure configurations, and generate reports for their auditors. Operators who manage large AWS infrastructure or components that change frequently can also benefit from AWS Config rules for troubleshooting. If you want to track changes to resources configuration, answer questions about resource configurations, demonstrate compliance, troubleshoot, or perform security analysis, you should turn on AWS Config.
Q: Who should use AWS Config conformance packs?
If you are looking for a framework to build and deploy compliance packages for your AWS resource configurations across several accounts, then you should use conformance packs. This framework can be used to build customized packs for security, DevOps and other personas, and you can quickly get started using one of the sample conformance pack templates.
Q: Does the service guarantee that my configurations are never out of compliance?
AWS Config rules and conformance packs provide information about whether your resources are compliant with configuration rules you specify. They will evaluate resource configurations against the AWS Config rules either periodically or upon detecting configuration changes, or both, depending upon how you have configured the rule. They do not guarantee that resources will be compliant or prevent users from taking non-compliant actions. They can be used, however, to bring a non-compliant resource back into compliance by configuring appropriate remediation actions for each AWS Config rule.
Q: Does the service prevent users from taking non-compliant actions?
AWS Config rules do not directly affect how end users consume AWS. AWS Config rules evaluate resource configurations only after a configuration change has been completed and recorded by AWS Config. AWS Config rules do not prevent the user from making changes that could be non-compliant. To control what you can provision on AWS and configuration parameters used during provisioning, use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.
Q: I already use AWS Config rules for my resources post-provisioning. How do I run those same rules in proactive mode?
You can use the existing PutConfigRule API or the AWS Config console to enable proactive mode on an AWS Config rule in your account.
Q: Can AWS Config record the configurations of resources on premises or on other clouds?
AWS Config helps you record configurations for third-party resources or custom resource types such as on-premises servers, software as a service (SaaS) monitoring tools, and version control systems. To do this, you must create a resource provider schema that conforms to and validates the configuration of the resource type. You must register the custom resource using AWS CloudFormation or your infrastructure as code (IaC) tool.
If you have configured AWS Config to record all resource types, then third-party resources that are managed (created, updated, or deleted) through AWS CloudFormation are automatically tracked in AWS Config as configuration items. To dive deeper into the steps required for this and understand in which AWS Regions this is available, see the AWS Config Developer Guide: Record Configurations for Third-Party Resources.
Q: How does AWS Config work with AWS CloudTrail?
AWS CloudTrail records user API activity on your account and helps you access information about this activity. You get full details about API actions, such as identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs). You can use a CI to answer, “What did my AWS resource look like?” at a point in time. You can use CloudTrail to answer “Who made an API call to modify this resource?” For example, you can use the AWS Management Console for AWS Config to detect security group “Production-DB” was incorrectly configured in the past. Using the integrated CloudTrail information, you can pinpoint which user misconfigured “Production-DB” security group.
Q: Can I monitor compliance information of multiple accounts and Regions through a central account?
AWS Config makes it easier to monitor compliance status across multiple accounts and Regions using the multi-account, multi-Region data aggregation capability. You can create a configuration aggregator in any account and aggregate the compliance details from other accounts. This capability is also leveraged on AWS Organizations, so you can aggregate data from all accounts within your organization.
Q: Can I connect my ServiceNow and Jira Service Desk instances to AWS Config?
Yes. The AWS Service Management Connector for ServiceNow and Jira Service Desk helps ServiceNow and Jira Service Desk end users to provision, manage, and operate AWS resources natively using ServiceNow and Jira Service Desk. ServiceNow users can track resources in a configuration item view, powered by AWS Config, seamlessly on ServiceNow with the AWS Service Management Connector. Jira Service Desk users can track resources within the issue request, with the AWS Service Management Connector. This simplifies AWS product request actions for ServiceNow and Jira Service Desk users and provides ServiceNow and Jira Service Desk administrators governance and oversight over AWS products.
The AWS Service Management Connector for ServiceNow is available at no charge in the ServiceNow Store. This new feature is generally available in all AWS Regions where AWS Service Catalog is available. For more information, visit the documentation.
The AWS Service Management Connector for Jira Service Desk is available at no charge in the Atlassian Marketplace. This new feature is generally available in all AWS Regions where AWS Service Catalog is available. For more information, visit the documentation.
Q: Do I turn on AWS Config regionally or globally?
You turn on AWS Config on a per-Region basis for your account.
Q: Can AWS Config aggregate data across different AWS accounts?
Yes, you can set up AWS Config to deliver configuration updates from different accounts to one Amazon Simple Storage Service (S3) bucket, once the appropriate IAM policies are applied to the Amazon S3 bucket. You can also publish notifications to the one SNS Topic, within the same Region, once appropriate IAM policies are applied to the SNS Topic.
Q: Is API activity on AWS Config itself logged by CloudTrail?
Yes. All AWS Config API activity, including use of AWS Config API operations to read configuration data, is logged by CloudTrail.
Q: What time and time zones are displayed in the timeline view of a resource? What about daylight savings?
AWS Config displays the time at which Configuration Items (CIs) were recorded for a resource on a timeline. All times are captured in Coordinated Universal Time (UTC). When the timeline is visualized on the management console, the service uses the current time zone (adjusted for daylight savings, if relevant) to display all times in the timeline view.
AWS Config rules
Q: What is a resource’s configuration?
Configuration of a resource is defined by the data included in the Configuration Item (CI) of AWS Config. The initial release of AWS Config rules makes the CI for a resource available to relevant rules. AWS Config rules can use this information along with any other relevant information such as other attached resources and business hours to evaluate compliance of a resource’s configuration.
Q: What is a rule?
A rule represents desired Configuration Item (CI) attribute values for resources and is evaluated by comparing those attribute values with CIs recorded by AWS Config. There are two types of rules:
AWS–managed rules: AWS–managed rules are pre-built and managed by AWS. You can choose the rule you want to enable, then supply a few configuration parameters to get started. Learn more »
Customer managed rules: Customer managed rules are custom rules, defined, and built by you. You can create a function on AWS Lambda that can be invoked as part of a custom rule and these functions apply in your account. Learn more »
The quickest way to get started with AWS Config is to use the AWS Management Console. You can turn on AWS Config in a few selections. For additional details, see the Getting Started documentation.
Q: How are rules created?
Rules are typically set up by the AWS account administrator. They can be created by leveraging AWS–managed rules (a predefined set of rules provided by AWS) or through customer managed rules. With AWS–managed rules, updates to the rule are automatically applied to any account using that rule. In the customer-managed model, customers have a full copy of the rule and apply the rule within their own account. These rules are maintained by the customers.
Q: How are rules evaluated?
Any rule can be set up as a change-triggered rule or as a periodic rule. A change-triggered rule is applied when AWS Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:
- Tag Key:(optional Value): A tag key:value implies any configuration changes recorded for resources with the specified tag key:value will initiate an evaluation of the rule.
- Resource type(s): Any configuration changes recorded for any resource within the specified resource type(s) will initiate an evaluation of the rule.
- Resource ID: Any changes recorded to the resource specified by the resource type and resource ID will initiate an evaluation of the rule.
A periodic rule is initiated at a specified frequency. Available frequencies are 1 hr, 3 hr, 6 hr, 12 hr, or 24 hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.
Q: What is an evaluation?
Evaluation of a rule determines whether a rule is compliant with a resource at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. AWS Config rules will capture and store the result of each evaluation. This result will include the resource, rule, time of evaluation, and a link to the Configuration Item (CI) that caused non-compliance.
Q: What does compliance mean?
A resource is compliant if it observes all rules that apply to it; otherwise it is noncompliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with the rule; otherwise it is noncompliant. In some cases, such as when inadequate permissions are available to the rule, an evaluation cannot exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.
Q: What information does the AWS Config rules dashboard provide?
The AWS Config rules dashboard gives you an overview of resources tracked by AWS Config, and a summary of current compliance by resource and by rule. When you view compliance by resource, you can determine if any rule that applies to the resource is currently not compliant. You can view compliance by rule, which tells you if any resource under the purview of the rule is currently non-compliant. Using these summary views, you can explore further the AWS Config timeline view of resources, to determine which configuration parameters changed. Using this dashboard, you can start with an overview and drill into fine-grained views that give you full information about changes in compliance status, and which changes caused non-compliance.
Q: When should I use AWS Config rules versus conformance packs?
You can use individual AWS Config rules to evaluate resource configuration compliance in one or more accounts. Conformance packs provide the additional benefit of packaging rules along with remediation actions into a single entity that can be deployed across an entire organization with a single selection. Conformance packs are intended to simplify compliance management and reporting at scale when you are managing several accounts. Conformance packs are designed to provide aggregated compliance reporting at the pack level and immutability. This helps the managed AWS Config rules and remediation documents within the conformance pack to not be modified or deleted by the individual member accounts of an organization.
Q: How are AWS Config and AWS Config rules related to AWS Security Hub?
AWS Security Hub is a security and compliance service that provides security and compliance posture management as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. AWS Config rules are also used by other AWS services, such as AWS Control Tower and AWS Firewall Manager.
Q: When do I use AWS Security Hub and AWS Config conformance packs?
If a compliance standard, such as PCI DSS, is already present in Security Hub, then the fully managed Security Hub service is an easier way to operationalize it. You can investigate findings through Security Hub’s integration with Amazon Detective, and you can build automated or semiautomated remediation actions using the Security Hub integration with Amazon EventBridge. However, if you want to assemble your own compliance or security standard, which can include security, operational, or cost optimization checks, AWS Config conformance packs are the way to go. AWS Config conformance packs simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance pack samples we provide and customize as you see fit.
Q: Do both Security Hub and AWS Config conformance packs support continuous compliance monitoring?
Yes, both Security Hub and AWS Config conformance packs support continuous compliance monitoring, given their reliance on AWS Config and AWS Config rules. The underlying AWS Config rules can be triggered either periodically or upon detecting changes to the configuration of resources. This helps you continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.
Q: How do I get started with conformance packs?
The quickest way to get started is by creating a conformance pack using one of our sample templates through the CLI or the AWS Config console. Some of the sample templates include S3 Operational Best Practices, Amazon DynamoDB Operational Best Practices, and Operational Best Practices for PCI. These templates are written in YAML. You can download these templates from our documentation site and modify them to suit your environment using your favorite text editor. You can even add custom AWS Config rules that you could have previously written into the pack.
Multi-account, multi-Region data aggregation
Q: What is multi-account, multi-Region data aggregation?
Data aggregation on AWS Config helps you aggregate AWS Config data from multiple accounts and Regions into a single account and a single Region. Multi-account data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise.
Q: Can I use the data aggregation capability to centrally provision AWS Config rules across multiple accounts?
The data aggregation capability cannot be used for provisioning rules across multiple accounts. It is purely a reporting capability that provides visibility into your compliance. You can use AWS CloudFormation StackSets to provision rules across accounts and Regions. Learn more in this blog link.
Q: What is an aggregator?
An aggregator is an AWS Config resource type that collects AWS Config data from multiple accounts and Regions. Use an aggregator to view the resource configuration and compliance data recorded on AWS Config for multiple accounts and Regions.
Q: What information does the aggregated view provide?
The aggregated view displays the total count of non-compliant rules across the organization, the top five non-compliant rules by number of resources, and the top five AWS accounts that have the highest number of non-compliant rules. You can then drill down to view more details about the resources that are violating the rule and the list of rules that are being violated by an account.
Q: I am not an AWS Organizations customer. Can I still use the data aggregation capability?
You can specify the accounts to aggregate the AWS Config data from by uploading a file or by individually entering accounts. Note that since these accounts are not part of any AWS organization, you will need each account to explicitly authorize the aggregator account. Learn more.
Q: I have only a single account, can I still take advantage of the data aggregation capability?
The data aggregation capability is useful for multi-Region aggregation as well. Thus, you can aggregate the AWS Config data for your account across multiple Regions using this capability.
Q: What if I have an account that includes a Region not supported by this feature?
When you create an aggregator, you specify the Regions from where you can aggregate data. This list shows only Regions where this feature is available. You can also select “all Regions,” in which case as soon as support is added in other Regions, it will automatically aggregate the data.
Services and Region support
Q: What is a configuration item?
A Configuration Item (CI) is the configuration of a resource at a given point-in-time. A CI consists of five sections:
- Basic information about the resource that is common across different resource types (such as Amazon Resource Names, tags),
- Configuration data specific to the resource (such as EC2 instance type),
- Map of relationships with other resources (such as EC2::Volume vol-3434df43 is “attached to instance” EC2 Instance i-3432ee3a),
- CloudTrail event IDs that are related to this state (only for AWS resources)
- Metadata that helps you identify information about the CI, such as the version of this CI, and when this CI was captured.
Q: What is a custom configuration item?
A custom Configuration Item (CI) is the CI for a third-party or custom resource. Examples include on-premises databases, Active Directory servers, version control systems like GitHub and third-party monitoring tools such as Datadog.
Q: What are AWS Config relationships and how are they used?
AWS Config takes the relationships among resources into account when recording changes. For example, if a new EC2 Security Group is associated with an EC2 Instance, AWS Config records the updated configurations of both the primary resource, the EC2 Security Group, and related resources, if these resources changed.
Q: Does AWS Config record every state that a resource has been in?
AWS Config detects change to a resource's configuration and records the configuration state that resulted from that change. In cases where several configuration changes are made to a resource in quick succession, AWS Config will record only the latest configuration of that resource that represents the cumulative impact of the set of changes. In these situations, AWS Config will list only the latest change in the relatedEvents field of the Configuration Item. This helps users and programs to continue to change infrastructure configurations without having to wait for AWS Config to record intermediate transient states.
Q: Does AWS Config record configuration changes that did not result from API activity on that resource?
Yes, AWS Config will regularly scan the configuration of resources for changes that haven’t yet been recorded and record these changes. CIs recorded from these scans will not have a relatedEvent field in the message, and only the latest state that is different from state already recorded is selected.
Q: Does AWS Config record configuration changes to software within EC2 instances?
Yes. AWS Config helps you record configuration changes to software within EC2 instances in your AWS account and also virtual machines (VMs) or servers in your on-premises environment. The configuration information recorded by AWS Config includes Operating System updates, network configuration, and installed applications. You can evaluate whether your instances, VMs, and servers are in compliance with your guidelines using AWS Config rules. The deep visibility and continuous monitoring capabilities provided by AWS Config help you assess compliance and troubleshoot operational issues.
Q: Does AWS Config continue to send notifications if a resource that was previously non-compliant is still non-compliant after a periodic rule evaluation?
AWS Config sends notifications only when the compliance status changes. If a resource was previously non-compliant and is still non-compliant, AWS Config will not send a new notification. If the compliance status changes to “compliant,” you will receive a notification for the change in status.
Q: Can I flag, exempt, or exclude resources from being evaluated by AWS Config rules?
Yes, you can exclude resources by navigating to the AWS Config 'recorder settings' page in the console and selecting the 'Exclude Resource Types' option and specifying the desired exclusions. Alternatively, you can utilize the PutConfigurationRecorder API to access this feature. This API will disable the configuration recording for that resource type. Also, when you configure AWS Config rules, you can specify whether your rule runs evaluations against specified resource types or resources with a specific tag.
Q: How will I be charged for AWS Config?
With AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations in your account. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance state evaluation of a resource by an AWS Config rule in your AWS account. A conformance pack evaluation is the evaluation of a resource by an AWS Config rule within the conformance pack. For more detail and examples, visit https://aws.amazon.com/config/pricing/.
Q: Does the pricing for AWS Config rules include the costs for Lambda functions?
You can choose from a set of managed rules provided by AWS or you can author your own rules, written as Lambda functions. Managed rules are fully maintained by AWS and you do not pay any additional Lambda charges to run them. You can enable managed rules, provide any required parameters, and pay a single rate for each active AWS Config rule in a given month. Custom rules give you full control as they are applied as Lambda functions in your account. In addition to monthly charges for an active rule, standard Lambda free tier* and function application rates apply to custom AWS Config rules.
*AWS Free Tier is not available in the AWS China (Beijing) Region or the AWS China (Ningxia) Region.
Q: I want to change the Lambda function for my custom AWS Config rule. What is the recommended approach?
Charges are incurred whenever a new rule is created and it becomes active. If you must update or replace the Lambda function associated with a rule, the recommended approach is to update the rule instead of deleting it and creating a new rule.
Q: What AWS Partner solutions are available for AWS Config?
APN Partner solutions such as Splunk, ServiceNow, Evident.io, CloudCheckr, Redseal, and Red Hat CloudForms provide offerings that are fully integrated with data from AWS Config. Managed service providers, such as 2nd Watch and Cloudnexa have also announced integrations with AWS Config. Additionally, with AWS Config Rules, partners such as CloudHealth Technologies, Alert Logic, and Trend Micro are providing integrated offerings that can be used. These solutions include capabilities such as change management and security analysis and help you visualize, monitor, and manage AWS resource configurations.