Config

AWS Config provides inventory and continuous assessment and compliance for AWS environments. It ingests CloudTrail data and stores it in S3, optionally notifying an SNS topic, and provides a common interface where the state of all AWS resources can be tracked.

Concepts

  • Resource Inventory allows you to look up configuration changes and compliance statuses for resources by resource ID or tags.
    • Snapshots represent the state of the infrastructure at a point in time. They're written to the S3 bucket.
  • Config Rules are compliance tests either shipped as part of the platform or developed by third parties that can audit resources either periodically or in real-time.

Enabling

Config can be configured to record data about all resources within the region in which it's created, or only about specific resource types. If you're monitoring all resources in a region you can opt to include global resources (such as Route53 DNS zones or IAM policies); enabling this option in two different regions will cause data duplication. To enable:

  1. Create an S3 bucket to store the resource inventory data.
  2. Optionally, create an SNS topic that should be notified about configuration changes. This SNS topic may be in the same AWS account or another account.
  3. Create a role which allows the appropriate permissions against the monitored resources and can notify the configured SNS topic.
  4. Create a Config instance to enable the service.

Rules

Config Rules can be either built-in and maintained by AWS, or Lambda functions obtained from third parties or written internally. AWS maintain a community repository.

There are two supported trigger types:

  • Periodic executes the rule according to the specified time interval.
  • Configuration changes executes the rule when change events are recorded for the scoped resources.

Custom rules support optional parameters allowing for reuse in different contexts.

IAM role for custom rules

Lambda instances running custom or third-party Config Rules must be allowed access to both the S3 bucket and the Config service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetConfigS3Objects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/AWSLogs/*/Config/*"
    },
    {
      "Sid": "AllowConfig",
      "Effect": "Allow",
      "Action": [
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "config:Put*"
      ],
      "Resource": "*"
    }
  ]
}
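The shape of a custom rule that the Rules and IAM sections describe, as an added example (not code from this page or from AWS): a Lambda handler triggered on configuration changes that takes an optional rule parameter (requiredTagKey, assumed name) and reports a compliance result back with PutEvaluations, which is why the role above needs config:Put*. The event builder and resource ids are constructed for illustration; the rule logic is kept separate from the boto3 call so it runs offline.

```python
import json

def make_event(tags, status="OK", params=None,
               message_type="ConfigurationItemChangeNotification"):
    """Constructed invoking event as Config passes it on a change trigger (ids made up)."""
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationItemStatus": status, "tags": tags}
    return {"invokingEvent": json.dumps({"messageType": message_type,
                                         "configurationItem": item}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}

def evaluate(event):
    """Rule logic only: one evaluation dict for PutEvaluations, or None if no inline item."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    required_key = params.get("requiredTagKey", "Owner")  # optional rule parameter
    item = invoking.get("configurationItem")
    if invoking["messageType"] != "ConfigurationItemChangeNotification" or item is None:
        # Oversized-change and scheduled notifications carry no inline item; a full
        # rule would fetch it with config:GetResourceConfigHistory instead.
        return None
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance = "NOT_APPLICABLE"   # don't flag resources that no longer exist
    elif required_key in (item.get("tags") or {}):
        compliance = "COMPLIANT"
    else:
        compliance = "NON_COMPLIANT"
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": f"tag '{required_key}' is required",
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point: report the result to Config (needs config:PutEvaluations)."""
    import boto3  # imported lazily so evaluate() runs without AWS credentials
    evaluation = evaluate(event)
    if evaluation is not None:
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```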

Pricing

  • $0.003 per configuration item.
  • $2 per Config rule.
  • $0.10 per 1,000 rule evaluations.
    • First 20,000 free.
