AWS Config Documentation
Configuration history of AWS resources
AWS Config is designed to record details of changes to your AWS resources to provide you with a configuration history. You can use the AWS Management Console, API, or CLI to obtain details of what a resource’s configuration looked like in the past. AWS Config is also designed to deliver a configuration history file to the Amazon S3 bucket you specify.
Configuration history of software
AWS Config is designed to help you record software configuration changes within your Amazon EC2 instances and servers running on-premises, as well as servers and virtual machines in environments provided by other cloud providers. With AWS Config, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration and more. AWS Config is also designed to provide a history of OS and system-level configuration changes alongside the infrastructure configuration changes recorded for EC2 instances.
Resource relationships tracking
AWS Config is designed to discover, map and track AWS resource relationships in your account.
Configurable and customizable rules
AWS Config provides managed rules designed to evaluate how your AWS resources, and the software on your managed instances, are provisioned and configured. You can customize the parameters of a managed rule to match your own requirements, or write custom rules (for example, backed by an AWS Lambda function that inspects a configuration item and reports a compliance result back to AWS Config). Using AWS Config, you can assess your resource configurations and configuration changes for compliance against the built-in or custom rules, either on each change or on a schedule.
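The following is an added example, not AWS's own code, of what a custom rule backed by AWS Lambda looks like: the handler AWS Config invokes on each configuration change, a pure evaluation function that decides whether an EC2 security group exposes TCP port 22 to the whole internet, and the PutEvaluations call that reports the verdict. The security group configuration items at the bottom are constructed for this example (they are not real resources) and follow the AWS::EC2::SecurityGroup shape that AWS Config records.

```python
"""Added example, not AWS's own code: the handler for a change-triggered
custom AWS Config rule backed by AWS Lambda. It flags an EC2 security group
NON_COMPLIANT when an ingress rule exposes TCP port 22 to 0.0.0.0/0 or ::/0.
The sample configuration items at the bottom are constructed for this
example and follow the AWS::EC2::SecurityGroup shape Config records."""
import json

SSH_PORT = 22
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def _covers_port(perm, port):
    """True if an ipPermissions entry includes TCP `port`."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                     # "-1" means all protocols and ports
        return True
    if proto != "tcp" or perm.get("fromPort") is None or perm.get("toPort") is None:
        return False
    return perm["fromPort"] <= port <= perm["toPort"]


def _open_to_world(perm):
    """True if any source range of the entry is the whole internet."""
    v4 = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])] + list(perm.get("ipRanges", []))
    v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return WORLD_V4 in v4 or WORLD_V6 in v6


def evaluate_security_group(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        if _covers_port(perm, SSH_PORT) and _open_to_world(perm):
            return "NON_COMPLIANT", f"ingress allows the whole internet to TCP {SSH_PORT}"
    return "COMPLIANT", "no world-open SSH ingress"


def build_evaluation(item):
    """Shape the verdict as one element of PutEvaluations' Evaluations list."""
    compliance, annotation = evaluate_security_group(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point invoked by AWS Config for each configuration change.

    Caveat: very large items arrive as OversizedConfigurationItemChangeNotification
    with only a summary; those must be fetched with GetResourceConfigHistory
    before evaluation, which this example does not do.
    """
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = build_evaluation(invoking_event["configurationItem"])
    import boto3  # imported here so the pure functions above run without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration items (not real resources).
_BASE = {"resourceType": "AWS::EC2::SecurityGroup", "configurationItemStatus": "OK",
         "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
OPEN_SSH_SG = dict(_BASE, resourceId="sg-0000000000000001", configuration={"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]})
ALL_TRAFFIC_V6_SG = dict(_BASE, resourceId="sg-0000000000000002", configuration={"ipPermissions": [
    {"ipProtocol": "-1", "ipRanges": [], "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]})
OFFICE_ONLY_SG = dict(_BASE, resourceId="sg-0000000000000003", configuration={"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": ["203.0.113.0/24"], "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]})
```

The evaluation logic is kept separate from the Lambda plumbing so it can be unit-tested against recorded configuration items without AWS credentials; only the handler touches boto3. A rule like this is registered in AWS Config as a custom Lambda rule scoped to the AWS::EC2::SecurityGroup resource type.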
Conformance packs
Conformance packs help you manage compliance of your AWS resource configuration using a common framework and packaging model. You can package a collection of AWS Config rules and remediation actions into a single entity (known as a conformance pack) and deploy it across an organization.
Conformance packs are also designed to provide compliance scores. A compliance score is a percentage-based score that helps you discern the level to which your resources are compliant for a set of requirements that are captured within the scope of a conformance pack. A compliance score is calculated based on the number of rule-to-resource combinations that are compliant within the scope of a conformance pack. For example, a conformance pack with 5 rules applying to 5 resources has 25 (5x5) possible rule-resource combinations. If 2 resources are not compliant with 2 rules, the compliance score would be 84%, indicating that 21 out of 25 rule-resource combinations are currently in compliance. Further, compliance scores are emitted to Amazon CloudWatch metrics, which allows for tracking over time. Compliance scores offer a measurement to track remediation progress, perform comparisons across different sets of requirements, and see the impact a specific change or deployment has on your compliance posture.
Multi-account, multi-region data aggregation
Multi-account, multi-Region data aggregation is a capability in AWS Config that enables centralized auditing and governance. It is designed to provide you with an enterprise-wide view of your AWS Config rule compliance status, and you can associate your AWS Organization with an aggregator to include all of its accounts. The aggregated dashboard in AWS Config is designed to display the non-compliant rules across your organization, by number of resources, and the AWS accounts that have non-compliant rules. You can then drill down to view details about the resources that are violating a rule, and the rules that are being violated in an account.
Querying configuration state
AWS Config advanced queries enable you to search the current configuration state of AWS resources based on configuration properties. With advanced queries you can search within a single account and AWS Region or query against an AWS Config aggregator to search from a central account across accounts, AWS Regions, or an AWS Organization. This enables you to perform ad hoc, property-based queries against current AWS resource state metadata.
AWS Config also provides generative AI-based natural language querying (available in preview), enabling you to simplify your resource configuration investigations. AWS Config is designed to generate an advanced query based on your question that you can execute as-is or further fine-tune to retrieve Config data.
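The following is an added example, not AWS's own code, showing an advanced query as a practitioner would run it from code: the query is written in AWS Config's SQL-like advanced query syntax, run_query follows NextToken until the result set ends, and the same function switches between SelectResourceConfig (current account and Region) and SelectAggregateResourceConfig (across an aggregator). FakeConfigClient and SAMPLE_PAGES are constructed stand-ins for boto3's config client and its responses so the example runs offline; the aggregator name used in the usage is hypothetical.

```python
"""Added example, not AWS's own code: run an AWS Config advanced query and
page through every row. UNENCRYPTED_VOLUMES is written in Config's SQL-like
advanced query syntax; run_query works with a boto3 'config' client, and
FakeConfigClient is a constructed offline stand-in for it."""
import json

# Every EBS volume whose recorded configuration says it is not encrypted.
UNENCRYPTED_VOLUMES = """
SELECT resourceId, accountId, awsRegion, configuration.size
WHERE resourceType = 'AWS::EC2::Volume'
  AND configuration.encrypted = false
"""


def run_query(client, expression, aggregator=None, page_size=100):
    """Return all rows as dicts, following NextToken until the result set ends.

    aggregator=None queries the caller's account and Region (SelectResourceConfig);
    an aggregator name searches every account/Region the aggregator covers
    (SelectAggregateResourceConfig). 100 is the API's maximum page size.
    """
    kwargs = {"Expression": expression, "Limit": page_size}
    if aggregator:
        kwargs["ConfigurationAggregatorName"] = aggregator
    rows = []
    while True:
        if aggregator:
            resp = client.select_aggregate_resource_config(**kwargs)
        else:
            resp = client.select_resource_config(**kwargs)
        # Each element of Results is a JSON document encoded as a string.
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows
        kwargs["NextToken"] = token


def unencrypted_volume_locations(client, aggregator=None):
    """Sorted (accountId, awsRegion, resourceId) tuples for each finding."""
    rows = run_query(client, UNENCRYPTED_VOLUMES, aggregator)
    return sorted((r["accountId"], r["awsRegion"], r["resourceId"]) for r in rows)


class FakeConfigClient:
    """Constructed stand-in: serves canned pages and records each request."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def _page(self, **kwargs):
        self.calls.append(kwargs)
        idx = int(kwargs.get("NextToken", "0"))
        resp = {"Results": [json.dumps(r) for r in self.pages[idx]]}
        if idx + 1 < len(self.pages):
            resp["NextToken"] = str(idx + 1)
        return resp

    select_resource_config = _page
    select_aggregate_resource_config = _page


# Constructed results, split into two pages to exercise pagination.
SAMPLE_PAGES = [
    [{"resourceId": "vol-0000000000000001", "accountId": "111111111111",
      "awsRegion": "us-east-1", "configuration": {"size": 8}}],
    [{"resourceId": "vol-0000000000000002", "accountId": "222222222222",
      "awsRegion": "eu-west-1", "configuration": {"size": 100}}],
]

if __name__ == "__main__":
    # Against a real account: aws configservice select-resource-config --expression "$QUERY"
    import boto3
    for loc in unencrypted_volume_locations(boto3.client("config"), aggregator="org-aggregator"):
        print(*loc)
```

Two points worth noting from the code: the query runs against the current recorded state only, so a volume that was unencrypted yesterday but deleted today will not appear (use the configuration history for that), and results come back as JSON strings rather than objects, which is why each row is decoded before use.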
Extensibility
AWS Config is designed to support extensibility by allowing you to publish the configuration of third-party resources into AWS Config using our public APIs. AWS Config enables you to view and monitor the resource inventory and configuration history of third-party resources using the AWS Config console and APIs. You can also create AWS Config rules or conformance packs to help you evaluate these third-party resources against best practices, internal policies, and regulatory policies.
Configuration snapshots
AWS Config is designed to provide you with a configuration snapshot—a point-in-time capture of your resources and their configurations. Configuration snapshots are designed to be generated via the AWS CLI or API and delivered to the Amazon S3 bucket you specify.
Cloud governance dashboard
AWS Config provides three types of dashboards. First, an AWS account- and AWS Region-specific dashboard that displays your resources' compliance posture. Second, a high-level dashboard per aggregator that shows insights such as a count of non-compliant rules across your AWS Organization, non-compliant rules by number of resources, and the AWS accounts that have the highest number of non-compliant rules. Third, dashboards for each aggregator with inventory and compliance details. You can also access the underlying AWS Config advanced queries for each widget in all three types of dashboards, enabling you to dive into resource details.
Partner solutions
You can choose from AWS Partner Network (APN) partners who provide solutions that integrate with AWS Config for resource discovery, change management, compliance, or security.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.