Learn about AWS Config and compliance.
- [Narrator] Maintaining compliance is one of the most critical and challenging operational considerations for the modern IT organization. Since having to respond to audit findings is nobody's idea of a good time, AWS offers Config. Config helps ease the burden of implementing and tracking compliance controls. Anyone who has worked in IT has been subjected to the inevitable IT audit. During an audit, changes to financially significant systems are typically put under a microscope. The mechanics of change, as well as the ability to attest to who changed what and for what reason, are all subject to scrutiny.
Let's explore a scenario which Config can help prevent. Suppose a trusted employee wants to get a change into production before taking a vacation. In order to do so, she circumvents change control and elevates her IAM privileges to push the change into production directly. During the yearly audit, that specific change is randomly selected for review. When looking into the specifics of this change, the auditor discovers that it was unauthorized.
Unsurprisingly, the lack of approval for this change generates an audit finding. To prevent this unfortunate scenario from happening, it is possible to use Config to evaluate IAM policy changes as they happen. With a bit of Lambda scripting, unauthorized changes can be reverted while the appropriate staff are notified. Catching this type of change and reacting to it as it happens will make the yearly audit much easier. Config is a managed service that simplifies compliance reporting. Config automatically records changes to resources within your AWS account.
For example, you can easily track the history of when a security group was applied and what it was applied to, with Config. Config partners with CloudTrail to give you API-level details of what is changing things in your AWS infrastructure. Config tracks many AWS services out of the box. If you install an agent on your EC2 instances, it is possible to use Config to record software changes. Config rules are a feature within Config that can help you focus on compliance issues of particular interest.
A Config rule specifies the desired state of a specific configuration. For example, many organizations have a password complexity policy. It is possible to define a Config rule that describes the desired password complexity. Config rules can execute on a periodic basis. The frequency with which a rule is evaluated is up to you. For example, it is an AWS recommended best practice to have multi-factor authentication enabled for the root credentials of your AWS account.
A Config rule that checks to see whether or not MFA is enabled could be set to run on a nightly basis. Response time is a consideration when resolving compliance issues. To minimize response time, Config rules can be set to execute on an event-driven basis. For example, if someone disabled MFA on your root credentials, you would want to know as soon as possible. An event-driven Config execution would help with this use case. AWS provides a set of canned Config rules that apply to a broad set of its customers.
Depending on the needs of your organization, it is possible to implement a customer-managed rule by writing a Lambda function. Config rules can be assembled into a dashboard. Using a dashboard, it is possible to get an at-a-glance view into your compliance. Regardless of whether you want to set up Config to alert on a periodic basis, an event-driven basis, or both, you'll want to be notified when something in your AWS account changes that does not match the Config rule you defined. Similar to CloudWatch, Config relies on SNS to process alerts.
You will likely want to configure multiple topics based on what you are watching with Config. For example, IAM and EC2 configuration drifts are likely to be handled by different support teams. With Config, you can examine rule compliance over time. To store its history, Config relies on an S3 bucket of your choosing. Unlike many AWS services, there is a charge to using Config. Presently, each active Config rule costs a flat $2.00 per month and includes 20,000 evaluations.
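The narration above mentions defining a Config rule for password complexity and implementing customer-managed rules as Lambda functions. The following is an added example, not code from the course: a periodic custom-rule Lambda that compares the account's IAM password policy against desired values supplied as rule parameters (the parameter names, which mirror the IAM password-policy fields, are an assumption) and reports the result back to Config.

```python
"""Custom periodic AWS Config rule: IAM password policy vs. desired complexity."""
import json

DEFAULTS = {"MinimumPasswordLength": 14, "RequireSymbols": True,
            "RequireNumbers": True, "RequireUppercaseCharacters": True,
            "RequireLowercaseCharacters": True}  # used when no rule parameter is given

def _coerce(value, like):
    """Rule parameters arrive as strings; convert to the type of the default."""
    if isinstance(like, bool):
        return str(value).lower() in ("true", "1", "yes")
    return int(value)

def evaluate_password_policy(policy, params=None):
    """Return (compliance_type, annotation) for a 'PasswordPolicy' dict, {} if unset."""
    if not policy:
        return "NON_COMPLIANT", "No account password policy is set"
    params, failures = params or {}, []
    for key, default in DEFAULTS.items():
        want = _coerce(params.get(key, default), default)
        is_flag = isinstance(default, bool)
        have = bool(policy.get(key, False)) if is_flag else int(policy.get(key, 0))
        ok = (not want or have) if is_flag else have >= want
        if not ok:
            failures.append(f"{key}: have {have}, want {want}")
    if failures:
        return "NON_COMPLIANT", "; ".join(failures)
    return "COMPLIANT", "Password policy meets the configured requirements"

def build_evaluation(event, compliance_type, annotation):
    """Shape one result as PutEvaluations expects for an account-scoped periodic rule."""
    invoking = json.loads(event["invokingEvent"])  # Config passes this as a JSON string
    return {"ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance_type,
            "Annotation": annotation[:256],  # Config caps annotations at 256 chars
            "OrderingTimestamp": invoking["notificationCreationTime"]}

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic stays testable offline
    params = json.loads(event.get("ruleParameters") or "{}")
    iam = boto3.client("iam")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:  # no policy configured at all
        policy = {}
    result = build_evaluation(event, *evaluate_password_policy(policy, params))
    boto3.client("config").put_evaluations(Evaluations=[result], ResultToken=event["resultToken"])
    return result
```

Publishing the rule's NON_COMPLIANT transitions to an IAM-specific SNS topic, as the narration suggests, keeps the notification with the team that owns identity changes.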
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
This course includes trademarks owned by Amazon Web Services. This course has not been prepared, approved, or endorsed by Amazon Web Services.