you need fine-grained visibility into what resources exist and how these resources are configured at any time. You can use AWS Config to notify you whenever resources are created, modified, or deleted without having to monitor these changes by polling the calls made to each resource.
The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording.
You can create a customized configuration recorder that records only the resource types that you specify.
A configuration stream is an automatically updated list of all configuration items for the resources that AWS Config is recording. Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds it to the configuration stream.
Use one of the sample queries or write your own query by referring to the configuration schema of the AWS resource.
AWS Config discovers AWS resources in your account and then creates a map of relationships between AWS resources. For example, a relationship might include an Amazon EBS volume vol-123ab45d attached to an Amazon EC2 instance i-a1b2c3d4 that is associated with security group sg-ef678hk.
Conformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
Supported Resource Types
https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
Resource Coverage by Region Availability
https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource.
AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder.
S3 Bucket
For each resource type that AWS Config records, it sends a configuration history file every six hours. Each configuration history file contains details about the resources that changed in that six-hour period. Each file includes resources of one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file.
SNS Topic
For best results, use Amazon SQS as the notification endpoint for the SNS topic and then process the information in the notification programmatically.
https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html
Maximum number of AWS Config Rules per Region per account: 1000 (can be increased: No)
Maximum number of tags per resource: 50 (can be increased: No)
Maximum number of conformance packs per account: 50 (can be increased: No)
Recommended: Use the Service-linked role
It is recommended that you use the service-linked role. A service-linked role adds all the necessary permissions for AWS Config to run as expected.
Relationships recorded for Amazon Relational Database Service resource types (resource type value, relationship, related resource):
AWS::RDS::DBInstance: is associated with EC2 security group, RDS DB security group, RDS DB subnet group
AWS::RDS::DBSecurityGroup: is associated with EC2 security group, Virtual private cloud (VPC)
AWS::RDS::DBSnapshot: is associated with Virtual private cloud (VPC)
AWS::RDS::DBSubnetGroup: is associated with EC2 security group, Virtual private cloud (VPC)
AWS::RDS::EventSubscription: no relationships recorded (NA)
AWS::RDS::DBCluster: contains RDS DB instance; is associated with RDS DB subnet group, EC2 security group
AWS::RDS::DBClusterSnapshot: is associated with RDS DB cluster, Virtual private cloud (VPC)
AWS::RDS::GlobalCluster: no relationships recorded (NA)
AWS::RDS::OptionGroup: no relationships recorded (NA)
Maximum number of AWS Config Rules per conformance pack: 130 (can be increased: No)
The type of notification that you are receiving is indicated by the value of the messageType field:
- ComplianceChangeNotification: the message includes newEvaluationResult and oldEvaluationResult objects for comparison.
- ConfigurationItemChangeNotification: these notifications are delivered within minutes of a change and are collectively known as the configuration stream.
Example Configuration Item Change Notifications
https://docs.aws.amazon.com/config/latest/developerguide/example-sns-notification.html
AWS Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, this is on a best-effort basis and can take longer at times. If issues persist after some time,
Creating AWS Config Custom Lambda Rules
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html
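As an added example, not code from the AWS documentation, here is a Python 3 handler for a change-triggered custom Lambda rule; the rule logic (every security group on an EC2 instance must be in an allowedSecurityGroupIds rule parameter), the parameter name and the function names are hypothetical, and boto3 is only needed when the handler actually runs inside Lambda:

```python
import json

try:
    import boto3  # only needed inside Lambda; the evaluation logic runs without it
except ImportError:
    boto3 = None

def evaluate_instance(configuration_item: dict, rule_parameters: dict) -> tuple:
    """Hypothetical rule logic: every security group attached to an EC2 instance
    must appear in the comma-separated 'allowedSecurityGroupIds' rule parameter.
    Returns (ComplianceType, Annotation) ready for put_evaluations."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::Instance"
    if (configuration_item.get("configurationItemStatus") or "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource was deleted"  # do not judge a stale item
    allowed = {g.strip() for g in rule_parameters.get("allowedSecurityGroupIds", "").split(",") if g.strip()}
    attached = {g["groupId"] for g in configuration_item.get("configuration", {}).get("securityGroups", [])}
    unexpected = sorted(attached - allowed)
    if unexpected:
        return "NON_COMPLIANT", "Unapproved security groups: " + ", ".join(unexpected)
    return "COMPLIANT", "All attached security groups are approved"

def load_configuration_item(invoking_event: dict) -> dict:
    """Return the configuration item, fetching it from the configuration history when
    AWS Config sent an OversizedConfigurationItemChangeNotification (item not inlined)."""
    if "configurationItem" in invoking_event:
        return invoking_event["configurationItem"]
    summary = invoking_event["configurationItemSummary"]
    history = boto3.client("config").get_resource_config_history(
        resourceType=summary["resourceType"], resourceId=summary["resourceId"],
        laterTime=summary["configurationItemCaptureTime"], limit=1)
    item = history["configurationItems"][0]
    item["configuration"] = json.loads(item["configuration"])  # the API returns it as a JSON string
    return item

def lambda_handler(event, context):
    """Entry point for a change-triggered custom rule: the event carries invokingEvent and
    ruleParameters as JSON strings plus the resultToken that put_evaluations requires."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    ci = load_configuration_item(invoking_event)
    compliance, annotation = evaluate_instance(ci, rule_parameters)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": ci["resourceType"],
                      "ComplianceResourceId": ci["resourceId"],
                      "ComplianceType": compliance, "Annotation": annotation,
                      "OrderingTimestamp": ci["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance
```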
Use an aggregator to get a centralized view of your resource inventory and compliance. An aggregator collects AWS Config configuration and compliance data from multiple AWS accounts and AWS Regions into a single account and Region.
Multi-Account Multi-Region Data Aggregation
Multi-account multi-region data aggregation in AWS Config allows you to aggregate AWS Config configuration and compliance data from multiple accounts and regions into a single account. Multi-account multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise. Using aggregators does not incur any additional costs.
As a source account owner, authorization refers to the permissions you grant to an aggregator account and region to collect your AWS Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations.
AWS Config allows you to manage AWS Config rules across all AWS accounts within an organization. You can:
Centrally create, update, and delete AWS Config rules across all accounts in your organization.
Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
Organization management accounts, delegated administrators, and service-linked roles
If you are using an organization management account and intend to use a delegated administrator for organizational deployment, be aware that AWS Config won't automatically create the service-linked role (SLR). You must manually create the service-linked role (SLR) separately using IAM.
AWS Config and AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html
{
  "Type": "Notification",
  "MessageId": "faeba85e-ef46-570a-b01c-f8b0faae8d5d",
  "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
  "Subject": "[AWS Config:us-east-2] AWS::EC2::Instance i-007d374c8912e3e90 Updated in Account 123456789012",
  "Message": {
    "configurationItemDiff": {
      "changedProperties": {
        "Configuration.NetworkInterfaces.0": {
          "previousValue": {
            "networkInterfaceId": "eni-fde9493f",
            "subnetId": "subnet-2372be7b",
            "vpcId": "vpc-14400670",
            "description": "",
            "ownerId": "123456789012",
            "status": "in-use",
            "macAddress": "0e:36:a2:2d:c5:e0",
            "privateIpAddress": "172.31.16.84",
            "privateDnsName": "ip-172-31-16-84.ec2.internal",
            "sourceDestCheck": true,
            "groups": [{
              "groupName": "example-security-group-1",
              "groupId": "sg-c8b141b4"
            }],
            "attachment": {
              "attachmentId": "eni-attach-85bd89d9",
              "deviceIndex": 0,
              "status": "attached",
              "attachTime": "2017-01-09T19:36:02.000Z",
              "deleteOnTermination": true
            },
            "association": {
              "publicIp": "54.175.43.43",
              "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
              "ipOwnerId": "amazon"
            },
            "privateIpAddresses": [{
              "privateIpAddress": "172.31.16.84",
              "privateDnsName": "ip-172-31-16-84.ec2.internal",
              "primary": true,
              "association": {
                "publicIp": "54.175.43.43",
                "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                "ipOwnerId": "amazon"
              }
            }]
          },
          "updatedValue": null,
          "changeType": "DELETE"
        },
        "Relationships.0": {
          "previousValue": {
            "resourceId": "sg-c8b141b4",
            "resourceName": null,
            "resourceType": "AWS::EC2::SecurityGroup",
            "name": "Is associated with SecurityGroup"
          },
          "updatedValue": null,
          "changeType": "DELETE"
        },
        "Configuration.NetworkInterfaces.1": {
          "previousValue": null,
          "updatedValue": {
            "networkInterfaceId": "eni-fde9493f",
            "subnetId": "subnet-2372be7b",
            "vpcId": "vpc-14400670",
            "description": "",
            "ownerId": "123456789012",
            "status": "in-use",
            "macAddress": "0e:36:a2:2d:c5:e0",
            "privateIpAddress": "172.31.16.84",
            "privateDnsName": "ip-172-31-16-84.ec2.internal",
            "sourceDestCheck": true,
            "groups": [{
              "groupName": "example-security-group-2",
              "groupId": "sg-3f1fef43"
            }],
            "attachment": {
              "attachmentId": "eni-attach-85bd89d9",
              "deviceIndex": 0,
              "status": "attached",
              "attachTime": "2017-01-09T19:36:02.000Z",
              "deleteOnTermination": true
            },
            "association": {
              "publicIp": "54.175.43.43",
              "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
              "ipOwnerId": "amazon"
            },
            "privateIpAddresses": [{
              "privateIpAddress": "172.31.16.84",
              "privateDnsName": "ip-172-31-16-84.ec2.internal",
              "primary": true,
              "association": {
                "publicIp": "54.175.43.43",
                "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                "ipOwnerId": "amazon"
              }
            }]
          },
          "changeType": "CREATE"
        },
        "Relationships.1": {
          "previousValue": null,
          "updatedValue": {
            "resourceId": "sg-3f1fef43",
            "resourceName": null,
            "resourceType": "AWS::EC2::SecurityGroup",
            "name": "Is associated with SecurityGroup"
          },
          "changeType": "CREATE"
        },
        "Configuration.SecurityGroups.1": {
          "previousValue": null,
          "updatedValue": {
            "groupName": "example-security-group-2",
            "groupId": "sg-3f1fef43"
          },
          "changeType": "CREATE"
        },
        "Configuration.SecurityGroups.0": {
          "previousValue": {
            "groupName": "example-security-group-1",
            "groupId": "sg-c8b141b4"
          },
          "updatedValue": null,
          "changeType": "DELETE"
        }
      },
      "changeType": "UPDATE"
    },
    "configurationItem": {
      "relatedEvents": [],
      "relationships": [
        {
          "resourceId": "eni-fde9493f",
          "resourceName": null,
          "resourceType": "AWS::EC2::NetworkInterface",
          "name": "Contains NetworkInterface"
        },
        {
          "resourceId": "sg-3f1fef43",
          "resourceName": null,
          "resourceType": "AWS::EC2::SecurityGroup",
          "name": "Is associated with SecurityGroup"
        },
        {
          "resourceId": "subnet-2372be7b",
          "resourceName": null,
          "resourceType": "AWS::EC2::Subnet",
          "name": "Is contained in Subnet"
        },
        {
          "resourceId": "vol-0a2d63a256bce35c5",
          "resourceName": null,
          "resourceType": "AWS::EC2::Volume",
          "name": "Is attached to Volume"
        },
        {
          "resourceId": "vpc-14400670",
          "resourceName": null,
          "resourceType": "AWS::EC2::VPC",
          "name": "Is contained in Vpc"
        }
      ],
      "configuration": {
        "instanceId": "i-007d374c8912e3e90",
        "imageId": "ami-9be6f38c",
        "state": {
          "code": 16,
          "name": "running"
        },
        "privateDnsName": "ip-172-31-16-84.ec2.internal",
        "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
        "stateTransitionReason": "",
        "keyName": "ec2-micro",
        "amiLaunchIndex": 0,
        "productCodes": [],
        "instanceType": "t2.micro",
        "launchTime": "2017-01-09T20:13:28.000Z",
        "placement": {
          "availabilityZone": "us-east-2c",
          "groupName": "",
          "tenancy": "default",
          "hostId": null,
          "affinity": null
        },
        "kernelId": null,
        "ramdiskId": null,
        "platform": null,
        "monitoring": {"state": "disabled"},
        "subnetId": "subnet-2372be7b",
        "vpcId": "vpc-14400670",
        "privateIpAddress": "172.31.16.84",
        "publicIpAddress": "54.175.43.43",
        "stateReason": null,
        "architecture": "x86_64",
        "rootDeviceType": "ebs",
        "rootDeviceName": "/dev/xvda",
        "blockDeviceMappings": [{
          "deviceName": "/dev/xvda",
          "ebs": {
            "volumeId": "vol-0a2d63a256bce35c5",
            "status": "attached",
            "attachTime": "2017-01-09T19:36:03.000Z",
            "deleteOnTermination": true
          }
        }],
        "virtualizationType": "hvm",
        "instanceLifecycle": null,
        "spotInstanceRequestId": null,
        "clientToken": "bIYqA1483990561516",
        "tags": [{
          "key": "Name",
          "value": "value"
        }],
        "securityGroups": [{
          "groupName": "example-security-group-2",
          "groupId": "sg-3f1fef43"
        }],
        "sourceDestCheck": true,
        "hypervisor": "xen",
        "networkInterfaces": [{
          "networkInterfaceId": "eni-fde9493f",
          "subnetId": "subnet-2372be7b",
          "vpcId": "vpc-14400670",
          "description": "",
          "ownerId": "123456789012",
          "status": "in-use",
          "macAddress": "0e:36:a2:2d:c5:e0",
          "privateIpAddress": "172.31.16.84",
          "privateDnsName": "ip-172-31-16-84.ec2.internal",
          "sourceDestCheck": true,
          "groups": [{
            "groupName": "example-security-group-2",
            "groupId": "sg-3f1fef43"
          }],
          "attachment": {
            "attachmentId": "eni-attach-85bd89d9",
            "deviceIndex": 0,
            "status": "attached",
            "attachTime": "2017-01-09T19:36:02.000Z",
            "deleteOnTermination": true
          },
          "association": {
            "publicIp": "54.175.43.43",
            "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
            "ipOwnerId": "amazon"
          },
          "privateIpAddresses": [{
            "privateIpAddress": "172.31.16.84",
            "privateDnsName": "ip-172-31-16-84.ec2.internal",
            "primary": true,
            "association": {
              "publicIp": "54.175.43.43",
              "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
              "ipOwnerId": "amazon"
            }
          }]
        }],
        "iamInstanceProfile": null,
        "ebsOptimized": false,
        "sriovNetSupport": null,
        "enaSupport": true
      },
      "supplementaryConfiguration": {},
      "tags": {"Name": "value"},
      "configurationItemVersion": "1.2",
      "configurationItemCaptureTime": "2017-01-09T22:50:14.328Z",
      "configurationStateId": 1484002214328,
      "awsAccountId": "123456789012",
      "configurationItemStatus": "OK",
      "resourceType": "AWS::EC2::Instance",
      "resourceId": "i-007d374c8912e3e90",
      "resourceName": null,
      "ARN": "arn:aws:ec2:us-east-2:123456789012:instance/i-007d374c8912e3e90",
      "awsRegion": "us-east-2",
      "availabilityZone": "us-east-2c",
      "configurationStateMd5Hash": "8d0f41750f5965e0071ae9be063ba306",
      "resourceCreationTime": "2017-01-09T20:13:28.000Z"
    },
    "notificationCreationTime": "2017-01-09T22:50:15.928Z",
    "messageType": "ConfigurationItemChangeNotification",
    "recordVersion": "1.2"
  },
  "Timestamp": "2017-01-09T22:50:16.358Z",
  "SignatureVersion": "1",
  "Signature": "lpJTEYOSr8fUbiaaRNw1ECawJFVoD7I67mIeEkfAWJkqvvpak1ULHLlC+I0sS/01A4P1Yci8GSK/cOEC/O2XBntlw4CAtbMUgTQvb345Z2YZwcpK0kPNi6v6N51DuZ/6DZA8EC+gVTNTO09xtNIH8aMlvqyvUSXuh278xayExC5yTRXEg+ikdZRd4QzS7obSK1kgRZWI6ipxPNL6rd56/VvPxyhcbS7Vm40/2+e0nVb3bjNHBxjQTXSs1Xhuc9eP2gEsC4Sl32bGqdeDU1Y4dFGukuzPYoHuEtDPh+GkLUq3KeiDAQshxAZLmOIRcQ7iJ/bELDJTN9AcX6lqlDZ79w==",
  "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
  "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
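To process a notification like the one above programmatically, as the SNS Topic section recommends, here is an added Python 3 example that is not code from the AWS documentation; the sample message is constructed to mirror the configurationItemDiff shown on this page (the instance moving from sg-c8b141b4 to sg-3f1fef43), and the function name is my own:

```python
import json

# Constructed sample that mirrors the ConfigurationItemChangeNotification shown on
# this page: instance i-007d374c8912e3e90 moved from sg-c8b141b4 to sg-3f1fef43.
SAMPLE_MESSAGE = json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::EC2::Instance",
                          "resourceId": "i-007d374c8912e3e90", "awsAccountId": "123456789012"},
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Relationships.0": {"changeType": "DELETE", "updatedValue": None,
                            "previousValue": {"resourceId": "sg-c8b141b4",
                                              "resourceType": "AWS::EC2::SecurityGroup"}},
        "Relationships.1": {"changeType": "CREATE", "previousValue": None,
                            "updatedValue": {"resourceId": "sg-3f1fef43",
                                             "resourceType": "AWS::EC2::SecurityGroup"}}}},
})

def security_group_changes(message: str) -> dict:
    """Summarise security-group attach/detach events from one SNS 'Message' body.

    When the topic feeds an SQS queue, the body arrives as a JSON string. Only a
    ConfigurationItemChangeNotification carries configurationItemDiff; any other
    messageType (e.g. ComplianceChangeNotification) is returned with empty lists.
    """
    msg = json.loads(message)
    ci = msg.get("configurationItem") or {}
    summary = {"messageType": msg.get("messageType"), "resourceType": ci.get("resourceType"),
               "resourceId": ci.get("resourceId"), "attached": [], "detached": []}
    if summary["messageType"] != "ConfigurationItemChangeNotification":
        return summary
    changed = (msg.get("configurationItemDiff") or {}).get("changedProperties") or {}
    for key, change in changed.items():
        if not key.startswith("Relationships."):  # diff keys are dotted property paths
            continue
        # CREATE carries only updatedValue, DELETE only previousValue, UPDATE both.
        for side, bucket in (("previousValue", "detached"), ("updatedValue", "attached")):
            value = change.get(side)
            if value and value.get("resourceType") == "AWS::EC2::SecurityGroup":
                summary[bucket].append(value["resourceId"])
    return summary

if __name__ == "__main__":
    print(json.dumps(security_group_changes(SAMPLE_MESSAGE), indent=2))
```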