Config

Introduction

  • Regional service for auditing and recording the compliance of your AWS resources.

Feature

  • Can be aggregated across regions and accounts.

  • Records resource configurations and changes over time.

  • Doesn't prevent actions from happening (no deny).

  • Can send SNS notifications for changes.

  • Config Rules

    • Can use AWS managed config rules (over 75)

    • Can make custom config rules (must be defined in AWS Lambda)

      • Evaluate if each EBS disk is of a certain type.

      • Evaluate if each EC2 instance is of a certain type.

    • Rules can be evaluated / triggered:

      • For each config change.

      • And / or: at regular time intervals.

      • Can trigger CloudWatch Events if the rule is not compliant (and chain with Lambda).

    • Rules can have auto remediations:

      • If a resource is not compliant, you can trigger an auto remediation.

      • Define the remediation through SSM Automation.

      • Ex. remediate security group rules, or stop instances with non-approved tags.
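An added example (not from these notes) of the custom-rule case above: a Lambda handler for a change-triggered AWS Config rule that checks whether each EC2 instance uses an approved instance type, reports COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE through put_evaluations, and handles deleted resources. The rule parameter name "approvedTypes", the sample event and the instance id are constructed for illustration; the Config client is injected so the logic can run offline.

```python
import json

# Added example (not from the notes): a custom AWS Config rule written as a Lambda
# handler that checks whether each EC2 instance uses an approved instance type.
# Approved types come from the rule parameters as "approvedTypes" (our own parameter name).

def evaluate_compliance(configuration_item, rule_parameters):
    """Pure evaluation step: returns (ComplianceType, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Not an EC2 instance"
    # A deleted resource is NOT_APPLICABLE so it drops off the compliance view.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource deleted"
    approved = {t.strip() for t in rule_parameters.get("approvedTypes", "").split(",") if t.strip()}
    actual = (configuration_item.get("configuration") or {}).get("instanceType")
    if actual in approved:
        return "COMPLIANT", f"{actual} is an approved instance type"
    return "NON_COMPLIANT", f"{actual} is not in approved types {sorted(approved)}"

def lambda_handler(event, context=None, config_client=None):
    """Change-triggered rule handler; config_client is injected (boto3.client('config') in Lambda)."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:  # report the verdict back to AWS Config
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event shaped like a ConfigurationItemChangeNotification (not a real capture).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"instanceType": "m5.large"},
        }}),
    "ruleParameters": json.dumps({"approvedTypes": "t3.micro,t3.small"}),
    "resultToken": "placeholder-token",
}
```

Inside Lambda, call `lambda_handler(event, context, boto3.client("config"))`; the rule's Lambda role needs `config:PutEvaluations` for the report-back to succeed.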

Scenario

  • Unrestricted SSH access to a Security Group

  • S3 Policy for public access

  • ALB configuration changes over time
