AWS Config Documentation
Configuration history of AWS resources
Configuration history of software
Resource relationships tracking
Configurable and customizable rules
Conformance packs
Conformance packs help you manage compliance of your AWS resource configuration at scale—from policy definition to auditing and aggregated reporting—using a common framework and packaging model. Conformance packs are integrated with AWS Organizations. Using conformance packs as your compliance framework, you can package a collection of AWS Config rules and remediation actions into a single entity (known as a conformance pack) and deploy it across an entire organization. This is particularly useful if you need to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way.
Conformance packs also provide compliance scores. A compliance score is a percentage that shows how far the resources in scope of a conformance pack meet the set of requirements the pack captures. It is calculated from the number of rule-to-resource combinations that are compliant within the scope of the pack. For example, a conformance pack with 5 rules applying to 5 resources has 25 (5x5) possible rule-resource combinations. If 2 of those resources are non-compliant with 2 of the rules (4 non-compliant combinations), the compliance score is 84%: 21 of the 25 rule-resource combinations are in compliance. Because every combination carries the same weight, a non-compliant combination for a critical rule lowers the score exactly as much as one for a minor rule; the score measures breadth of compliance, not risk. Compliance scores are also emitted as Amazon CloudWatch metrics, so they can be tracked over time. They give you a measurement to track remediation progress, compare different sets of requirements, and see the effect a specific change or deployment has on your compliance posture.
Multi-account, multi-region data aggregation
Multi-account, multi-region data aggregation is an AWS Config capability for centralized auditing and governance. It gives you an enterprise-wide view of your AWS Config rule compliance status, and you can associate your AWS organization with the aggregator to quickly add your accounts. The aggregated dashboard in AWS Config displays the total count of non-compliant rules across your organization, the top five non-compliant rules by number of resources, and the top five AWS accounts with the greatest number of non-compliant rules. From there you can drill down to the resources that violate a rule and to the list of rules an account violates.
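The score calculation from the conformance-pack section and the aggregated dashboard's "top five rules" and "top five accounts" views above, worked through in code. This is an added example, not AWS Config's own code: the flat record shape (AccountId, ConfigRuleName, ResourceId, ComplianceType) is this example's own, all rule, resource and account identifiers are constructed, and the decision to leave INSUFFICIENT_DATA evaluations out of the score is an assumption made here, since the page only defines the score over compliant and non-compliant combinations.

```python
"""Compliance score and non-compliant breakdown, computed from conformance-pack
evaluation results.  Added example: the flat record shape below is this
example's own (it keeps the ConfigRuleName / ResourceId / ComplianceType
fields of an AWS Config evaluation result and adds an AccountId field for the
aggregated view); all identifiers are constructed for illustration."""
from collections import defaultdict

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
INSUFFICIENT_DATA = "INSUFFICIENT_DATA"

ACCOUNT_A = "111111111111"   # constructed account IDs
ACCOUNT_B = "222222222222"


def evaluation(account, rule, resource, compliance):
    return {"AccountId": account, "ConfigRuleName": rule,
            "ResourceId": resource, "ComplianceType": compliance}


# Constructed sample.  Account A is the page's 5-rule x 5-resource pack in which
# resources 1 and 2 fail rules 1 and 2 (4 non-compliant combinations).
RULES = ["rule-%d" % i for i in range(1, 6)]
RESOURCES = ["res-%d" % i for i in range(1, 6)]
SAMPLE = [
    evaluation(ACCOUNT_A, rule, res,
               NON_COMPLIANT if rule in RULES[:2] and res in RESOURCES[:2] else COMPLIANT)
    for rule in RULES for res in RESOURCES
]
# Account B: one failing pair, one pair Config could not evaluate, one passing pair.
SAMPLE += [
    evaluation(ACCOUNT_B, "rule-3", "res-9", NON_COMPLIANT),
    evaluation(ACCOUNT_B, "rule-3", "res-10", INSUFFICIENT_DATA),
    evaluation(ACCOUNT_B, "rule-4", "res-9", COMPLIANT),
]


def compliance_score(results):
    """Percentage of rule-resource combinations that are COMPLIANT, or None when
    nothing could be scored.  Each (account, rule, resource) pair counts once,
    the last evaluation seen for a pair winning.  INSUFFICIENT_DATA pairs are
    left out of numerator and denominator: that is this example's assumption,
    the page only defines the score over compliant/non-compliant combinations."""
    latest = {}
    for r in results:
        latest[(r["AccountId"], r["ConfigRuleName"], r["ResourceId"])] = r["ComplianceType"]
    scored = [c for c in latest.values() if c in (COMPLIANT, NON_COMPLIANT)]
    if not scored:
        return None
    return 100.0 * scored.count(COMPLIANT) / len(scored)


def top_noncompliant_rules(results, n=5):
    """Rules ranked by number of distinct non-compliant resources (the aggregated
    dashboard's 'top five rules' view); ties broken by rule name."""
    resources_by_rule = defaultdict(set)
    for r in results:
        if r["ComplianceType"] == NON_COMPLIANT:
            resources_by_rule[r["ConfigRuleName"]].add((r["AccountId"], r["ResourceId"]))
    ranked = sorted(resources_by_rule.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(rule, len(res)) for rule, res in ranked[:n]]


def top_noncompliant_accounts(results, n=5):
    """Accounts ranked by number of distinct non-compliant rules (the dashboard's
    'top five accounts' view); ties broken by account ID."""
    rules_by_account = defaultdict(set)
    for r in results:
        if r["ComplianceType"] == NON_COMPLIANT:
            rules_by_account[r["AccountId"]].add(r["ConfigRuleName"])
    ranked = sorted(rules_by_account.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(acct, len(rules)) for acct, rules in ranked[:n]]


def for_account(results, account):
    return [r for r in results if r["AccountId"] == account]


if __name__ == "__main__":
    print("account A score:", compliance_score(for_account(SAMPLE, ACCOUNT_A)))   # 84.0
    print("organization score:", round(compliance_score(SAMPLE), 2))
    print("top rules:", top_noncompliant_rules(SAMPLE))
    print("top accounts:", top_noncompliant_accounts(SAMPLE))
```

Account A reproduces the page's 21-of-25 case. The organization-wide score is lower than account A's because account B contributes one more non-compliant combination, and the single INSUFFICIENT_DATA pair changes nothing, which is why an account whose rules cannot evaluate (missing permissions, unsupported resource types) can look better than it is: check the count of unscored pairs alongside the percentage.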
Querying configuration state
AWS Config provides generative AI-based natural language querying (available in preview) to simplify your resource configuration investigations. From your question, AWS Config generates an advanced query (the SQL-like SELECT statement used by AWS Config advanced queries) that you can run as-is or fine-tune before retrieving Config data.
Extensibility
Configuration snapshots
Cloud governance dashboard
Partner solutions
Integrations
Connect with ITSM / ITOM Software
AWS CloudTrail
AWS Config integrates with AWS CloudTrail to help you correlate configuration changes with particular events in your account. The CloudTrail log records give you the details of the API call that caused the change, including who made the request, when, and from which IP address. You can navigate to the AWS Config timeline from the AWS CloudTrail console to view the configuration changes related to your AWS API activities.
AWS Security Hub
AWS Audit Manager
AWS Systems Manager
AWS Config integrates with AWS Systems Manager to help you record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. AWS Config is also designed to provide a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances. You can navigate to the AWS Config timeline from the Systems Manager console to view the configuration changes of your managed EC2 instances.
Amazon EC2 Dedicated Host
AWS Config integrates with Amazon EC2 Dedicated Hosts to help you assess license compliance. AWS Config records when instances are launched, stopped, or terminated on a Dedicated Host, and pairs this information with host- and instance-level details relevant to software licensing, such as the Host ID, Amazon Machine Image (AMI) IDs, and the number of sockets and physical cores. This lets you use AWS Config as a data source for your license reporting. You can navigate to the AWS Config timeline from the Amazon EC2 Dedicated Hosts console to view the configuration changes of your Dedicated Hosts.
Application Load Balancers
AWS Config integrates with the Elastic Load Balancing (ELB) service to record configuration changes to Application Load Balancers. AWS Config also records the relationships between a load balancer and its associated EC2 security groups, VPC, and subnets. You can use this information for security analysis and troubleshooting; for example, you can check which security groups were associated with an Application Load Balancer at any point in time. You can navigate to the AWS Config timeline from the ELB console to view the configuration changes of your Application Load Balancers.
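The two checks described above, answering "which security groups were attached to this load balancer at time T" from the configuration history and, for each change, "who made the call, when, and from where" by joining the configuration item's relatedEvents to CloudTrail (the CloudTrail integration section). This is an added example, not AWS Config's or CloudTrail's own code: the records mirror the field names of AWS Config ConfigurationItem entries (configurationItemCaptureTime, configuration, relationships, relatedEvents) and of CloudTrail event records (eventID, eventTime, eventName, userIdentity, sourceIPAddress), but every value, ARN, security group ID and event ID below is constructed, and the function names are this example's own.

```python
"""Point-in-time security-group lookup over an ALB configuration history, and
correlation of each change with the CloudTrail event that caused it.  Added
example: the records mirror the fields of AWS Config ConfigurationItem
entries and of CloudTrail event records, but every value below is constructed."""
from datetime import datetime, timezone

ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
           "loadbalancer/app/web/0123456789abcdef")   # constructed


def _item(captured, groups, related_events):
    return {
        "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "resourceId": ALB_ARN,
        "configurationItemCaptureTime": captured,
        "configuration": {"securityGroups": groups},
        "relationships": [{"resourceType": "AWS::EC2::SecurityGroup", "resourceId": g,
                           "relationshipName": "Is associated with SecurityGroup"}
                          for g in groups],
        "relatedEvents": related_events,
    }


# Constructed history (oldest first): sg-0c2d added at 10:30, sg-0a1b removed at 11:00.
ALB_HISTORY = [
    _item("2024-05-01T10:00:00Z", ["sg-0a1b"], []),
    _item("2024-05-01T10:30:00Z", ["sg-0a1b", "sg-0c2d"], ["evt-2"]),
    _item("2024-05-01T11:00:00Z", ["sg-0c2d"], ["evt-3"]),
]
# Constructed CloudTrail records; evt-3 is deliberately absent to show a gap.
TRAIL_EVENTS = [
    {"eventID": "evt-2", "eventTime": "2024-05-01T10:29:41Z",
     "eventName": "SetSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def configuration_at(history, when):
    """Configuration item in effect at `when`: the latest capture at or before
    that time, or None if the resource had not been recorded yet."""
    limit = parse_ts(when)
    before = [ci for ci in history if parse_ts(ci["configurationItemCaptureTime"]) <= limit]
    return max(before, key=lambda ci: parse_ts(ci["configurationItemCaptureTime"]), default=None)


def security_groups_at(history, when):
    ci = configuration_at(history, when)
    return sorted(ci["configuration"].get("securityGroups", [])) if ci else None


def change_actors(item, trail_events):
    """Resolve a configuration item's relatedEvents against CloudTrail: who made
    the call, when, and from where.  Event IDs not found in the supplied trail
    are reported as missing rather than silently dropped."""
    by_id = {e["eventID"]: e for e in trail_events}
    actors = []
    for eid in item.get("relatedEvents", []):
        e = by_id.get(eid)
        if e is None:
            actors.append({"eventID": eid, "missing": True})
            continue
        actors.append({"eventID": eid, "eventName": e["eventName"], "time": e["eventTime"],
                       "principal": e["userIdentity"]["arn"],
                       "sourceIPAddress": e["sourceIPAddress"]})
    return actors


def security_group_changes(history, trail_events):
    """Every change to the security-group set, oldest first, with its actors."""
    changes, prev = [], None
    for ci in sorted(history, key=lambda ci: parse_ts(ci["configurationItemCaptureTime"])):
        cur = set(ci["configuration"].get("securityGroups", []))
        if prev is not None and cur != prev:
            changes.append({"at": ci["configurationItemCaptureTime"],
                            "added": sorted(cur - prev), "removed": sorted(prev - cur),
                            "actors": change_actors(ci, trail_events)})
        prev = cur
    return changes


if __name__ == "__main__":
    print(security_groups_at(ALB_HISTORY, "2024-05-01T10:45:00Z"))
    for change in security_group_changes(ALB_HISTORY, TRAIL_EVENTS):
        print(change)
```

The point-in-time lookup returns None for a timestamp before the first capture instead of guessing, and the correlation step keeps an event ID that has no matching CloudTrail record visible (evt-3 in the sample), which is the case to chase during an investigation: the configuration change is recorded, but the trail for that region or time window is not at hand.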
AWS Organizations
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.