
AWS Config

Detailed Content

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. This helps you maintain compliance, improve security posture, and troubleshoot operational issues.

Core Concepts and Features

  • Configuration Item (CI): A point-in-time record of the configuration of a specific AWS resource (e.g., an EC2 instance, an S3 bucket, a security group). CIs include metadata, attributes, relationships to other resources, and current configuration.
  • Configuration Recorder: A component that records changes to the configurations of your AWS resources. You can configure it to record all supported resources or a specific subset. It continuously monitors your AWS account for resource changes.
  • Configuration History: A timeline of all configuration items for a given resource. It allows you to see how a resource's configuration has changed over time, which is invaluable for troubleshooting and auditing.
  • Configuration Snapshot: A complete picture of the configurations of all supported resources in your account at a given point in time. Snapshots are delivered to an S3 bucket.
  • AWS Config Rules: Define your desired configuration settings for AWS resources. Config continuously evaluates your resources against these rules. Rules can be:
    • AWS Managed Rules: Predefined, customizable rules provided by AWS (e.g., s3-bucket-public-read-prohibited).
    • Custom Rules: Rules that you create using AWS Lambda functions to evaluate resources against custom criteria.
  • Compliance Status: For each resource, Config reports whether it is COMPLIANT or NON_COMPLIANT with your defined rules. This provides a clear overview of your compliance posture.
  • Remediation Actions: You can associate automatic remediation actions with Config rules. When a resource is found to be NON_COMPLIANT, Config can automatically trigger a Systems Manager Automation document to bring the resource back into compliance.
  • Conformance Packs: A collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and region, or across an organization. Conformance packs help you establish a common baseline for security, operational, and cost optimization best practices.
  • Aggregators: Allow you to collect AWS Config data from multiple accounts and multiple regions into a single account and region. This provides a centralized view of compliance across your entire AWS Organization.
  • Integration with other AWS Services: Integrates with AWS CloudTrail (for change events), Amazon S3 (for history and snapshots), Amazon SNS (for notifications), AWS Lambda (for custom rules), AWS Systems Manager (for remediation), and AWS Security Hub (for findings).

Use Cases

  • Continuous Compliance Monitoring: Continuously monitor your AWS resources against internal policies, industry standards (e.g., PCI DSS, HIPAA), or regulatory requirements. Automatically identify non-compliant resources and trigger alerts or remediation.
  • Security Posture Management: Detect security misconfigurations (e.g., publicly accessible S3 buckets, overly permissive security groups) and ensure that security best practices are followed across your environment.
  • Operational Troubleshooting: Use configuration history to quickly identify what changed in your environment when an operational issue occurred, helping to pinpoint the root cause.
  • Change Management: Track all configuration changes to your AWS resources, providing an auditable trail for change management processes.
  • Resource Inventory and Auditing: Maintain a comprehensive inventory of your AWS resources and their configurations over time, which is essential for auditing and reporting.
  • Multi-Account/Multi-Region Governance: Use aggregators and conformance packs to enforce consistent compliance and configuration baselines across your entire AWS Organization.

Interview Questions

Conceptual Questions

  1. What is AWS Config and what problem does it solve?
    • AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It solves the problem of continuously monitoring resource configurations, tracking changes, and ensuring compliance with desired configurations, which is crucial for security, governance, and operational troubleshooting.
  2. Explain the concept of a Configuration Item (CI) and Configuration History in AWS Config.
    • A Configuration Item (CI) is a point-in-time record of the configuration of a specific AWS resource. It includes metadata, attributes, and relationships. Configuration History is a timeline of all CIs for a given resource, showing how its configuration has changed over time. This is invaluable for auditing and troubleshooting.
  3. What are AWS Config Rules? Differentiate between AWS Managed Rules and Custom Rules.
    • AWS Config Rules define your desired configuration settings for AWS resources. Config continuously evaluates your resources against these rules.
    • AWS Managed Rules: Predefined, customizable rules provided by AWS for common compliance checks (e.g., s3-bucket-public-read-prohibited).
    • Custom Rules: Rules that you create using AWS Lambda functions to evaluate resources against custom criteria specific to your organization's needs.
  4. How does AWS Config help with automated remediation?
    • You can associate automatic remediation actions with Config rules. When a resource is found to be NON_COMPLIANT with a rule, Config can automatically trigger a Systems Manager Automation document to bring the resource back into compliance (e.g., encrypting an unencrypted S3 bucket, closing an overly permissive security group).
  5. What are Conformance Packs in AWS Config and why are they useful?
    • Conformance Packs are collections of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and region, or across an organization. They are useful for establishing a common baseline for security, operational, and cost optimization best practices, simplifying compliance management at scale.

Scenario-Based Questions

  1. Your security team requires that all S3 buckets in your AWS account must have encryption enabled and must not be publicly accessible. You need a continuous way to monitor this and automatically remediate any non-compliant buckets. How would you achieve this using AWS Config?
    • I would enable AWS Config to record S3 bucket configurations. Then, I would deploy two AWS Managed Config Rules:
      • s3-bucket-server-side-encryption-enabled to check for encryption.
      • s3-bucket-public-read-prohibited to check for public access.
    • For each rule, I would configure automatic remediation actions using AWS Systems Manager Automation documents. For example, if a bucket is found to be non-compliant with the public read rule, an automation document could automatically apply a bucket policy to block public access.
  2. Your organization needs to track all configuration changes to critical EC2 instances and security groups for auditing purposes. You also need to be able to quickly identify what changed when an operational issue occurs. How would you set this up?
    • I would enable AWS Config to record configuration changes for EC2 instances and security groups. This would create a Configuration History for each resource. For auditing, I could query this history to see who made what changes and when. For troubleshooting, if an operational issue occurs, I could use the configuration history to pinpoint recent changes to the affected resources, helping to identify the root cause of the problem.
  3. You are managing a multi-account AWS environment under AWS Organizations. You need to enforce a consistent set of security and operational best practices across all accounts. How would you use AWS Config to streamline this governance?
    • I would use AWS Config Conformance Packs. I would define a conformance pack that includes a collection of relevant AWS Config rules and remediation actions (e.g., rules for IAM password policies, security group best practices, S3 bucket encryption). Then, I would deploy this conformance pack across all member accounts in my AWS Organization from a delegated administrator account. This ensures a consistent baseline of compliance and configuration across the entire organization.

Coding/CLI Examples

Here are some common AWS Config operations using the AWS CLI and Python (Boto3).

AWS CLI Examples

  1. Enable AWS Config and start the Configuration Recorder:

    ```bash
    # Assume the service-linked role 'arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig' exists
    # Assume an S3 bucket 'my-config-bucket-12345' exists and its bucket policy lets config.amazonaws.com write to it
    # (put-delivery-channel fails if Config cannot write to the bucket)

    # 1. Create a Configuration Recorder
    aws configservice put-configuration-recorder \
      --configuration-recorder Name=default,RoleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

    # 2. Create a Delivery Channel (where Config sends configuration history and snapshots)
    aws configservice put-delivery-channel \
      --delivery-channel Name=default,S3BucketName=my-config-bucket-12345

    # 3. Start the Configuration Recorder
    aws configservice start-configuration-recorder --configuration-recorder-name default
    ```

  2. Deploy an AWS Managed Config Rule (e.g., s3-bucket-public-read-prohibited):

    ```bash
    # The description is a field of the ConfigRule structure; put-config-rule has no separate --description option.
    aws configservice put-config-rule \
      --config-rule '{
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Description": "Checks if S3 buckets are publicly readable.",
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]}
      }'
    ```

  3. Get compliance details for a Config Rule:

    ```bash
    aws configservice get-compliance-details-by-config-rule \
      --config-rule-name s3-bucket-public-read-prohibited
    ```

  4. Get configuration history for a specific resource:

    ```bash
    aws configservice get-resource-config-history \
      --resource-type AWS::EC2::Instance \
      --resource-id i-0abcdef1234567890
    ```
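As an added example (not code from the original page), a small Python script that walks the configurationItems array returned by get-resource-config-history and reports what changed between successive items, which is the troubleshooting workflow described in scenario 2 above. The security-group history, ids and timestamps are constructed; the only assumption about the API shape is that the configuration field arrives as a JSON string, as the CLI/API return it.

```python
import json

# Constructed sample: two configuration items for one security group, in the shape
# get-resource-config-history returns them (newest first, 'configuration' as a JSON string).
SAMPLE_HISTORY = [
    {"resourceId": "sg-0123456789abcdef0", "configurationItemCaptureTime": "2024-01-02T10:00:00.000Z",
     "configuration": json.dumps({"groupId": "sg-0123456789abcdef0", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]})},
    {"resourceId": "sg-0123456789abcdef0", "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
     "configuration": json.dumps({"groupId": "sg-0123456789abcdef0", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]})},
]

def config_of(ci):
    """The API returns 'configuration' as a JSON string; Lambda rule events deliver it as an object."""
    cfg = ci.get("configuration") or {}
    return json.loads(cfg) if isinstance(cfg, str) else cfg

def flatten(value, prefix=""):
    """Flatten nested dicts/lists into {'a.b[0].c': leaf} so two CIs can be compared key by key."""
    if isinstance(value, dict):
        items = ((f"{prefix}.{k}" if prefix else k, v) for k, v in value.items())
    elif isinstance(value, list):
        items = ((f"{prefix}[{i}]", v) for i, v in enumerate(value))
    else:
        return {prefix: value}
    out = {}
    for path, v in items:
        out.update(flatten(v, path))
    return out

def diff_configuration(older, newer):
    """Sorted (path, old, new) tuples; None marks an attribute that was added or removed."""
    a, b = flatten(older), flatten(newer)
    return sorted((p, a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p))

def history_changes(items):
    """Walk the history oldest-first and record what changed at each configuration item."""
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        diffs = diff_configuration(config_of(prev), config_of(cur))
        if diffs:
            changes.append({"captureTime": cur["configurationItemCaptureTime"], "diffs": diffs})
    return changes

def opened_to_internet(changes):
    """Detection check over the diffs: any attribute that changed to an any-address CIDR."""
    return [(c["captureTime"], p) for c in changes for p, _, new in c["diffs"] if new in ("0.0.0.0/0", "::/0")]
```

Feeding the real command output is a matter of `history_changes(json.load(f)["configurationItems"])`; for the sample above the only diff is the SSH rule's cidrIp going from 10.0.0.0/8 to 0.0.0.0/0, which opened_to_internet flags.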

Python (Boto3) Examples

First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.

  1. Enable AWS Config and start recording:

    ```python
    import boto3
    from botocore.exceptions import ClientError

    config_client = boto3.client('config')

    config_recorder_name = "default"
    config_role_arn = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"  # REPLACE with your Config Service Role ARN
    s3_bucket_name = "my-boto3-config-bucket-12345"  # REPLACE with your S3 bucket name

    try:
        # 1. Create Configuration Recorder
        config_client.put_configuration_recorder(
            ConfigurationRecorder={
                'name': config_recorder_name,
                'roleARN': config_role_arn,
                # Record all supported resource types, including global ones such as IAM
                'recordingGroup': {'allSupported': True, 'includeGlobalResourceTypes': True}
            }
        )
        print(f"Configuration Recorder {config_recorder_name} created.")

        # 2. Create Delivery Channel
        config_client.put_delivery_channel(
            DeliveryChannel={
                'name': config_recorder_name,
                's3BucketName': s3_bucket_name
            }
        )
        print(f"Delivery Channel {config_recorder_name} created.")

        # 3. Start Configuration Recorder
        config_client.start_configuration_recorder(
            ConfigurationRecorderName=config_recorder_name
        )
        print(f"Configuration Recorder {config_recorder_name} started.")

    except ClientError as e:
        print(f"Error enabling AWS Config: {e}")
    ```

  2. Deploy a Custom Config Rule (requires a Lambda function for evaluation):

    ```python
    import json

    import boto3
    from botocore.exceptions import ClientError

    config_client = boto3.client('config')

    rule_name = "my-custom-instance-type-rule"
    lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:MyConfigCustomRuleLambda"  # REPLACE with your Lambda function ARN

    # The Lambda function's resource policy must allow the config.amazonaws.com principal to
    # invoke it (aws lambda add-permission), otherwise the rule is created but never evaluates.
    try:
        response = config_client.put_config_rule(
            ConfigRule={
                'ConfigRuleName': rule_name,
                'Description': 'Checks if EC2 instances are of allowed types.',
                'Source': {
                    'Owner': 'CUSTOM_LAMBDA',
                    'SourceIdentifier': lambda_arn,
                    # EventSource and MessageType belong in SourceDetails, not directly under Source
                    'SourceDetails': [
                        {
                            'EventSource': 'aws.config',
                            'MessageType': 'ConfigurationItemChangeNotification'
                        }
                    ]
                },
                'Scope': {
                    'ComplianceResourceTypes': ['AWS::EC2::Instance']
                },
                # InputParameters is a JSON string; the Lambda receives it as event['ruleParameters']
                'InputParameters': json.dumps({'allowedInstanceTypes': 't2.micro,t3.small'})
            }
        )
        print(f"Custom Config Rule {rule_name} deployed.")
    except ClientError as e:
        print(f"Error deploying custom Config Rule: {e}")
    ```

  3. Get compliance summary for all Config Rules:

    ```python
    import boto3
    from botocore.exceptions import ClientError

    config_client = boto3.client('config')

    try:
        # Account-wide summary: get_compliance_summary_by_config_rule returns a single
        # ComplianceSummary counting how many rules are COMPLIANT vs NON_COMPLIANT
        response = config_client.get_compliance_summary_by_config_rule()
        summary = response['ComplianceSummary']
        print("Config Rule Compliance Summary:")
        print(f"  Compliant rules:     {summary['CompliantResourceCount']['CappedCount']}")
        print(f"  Non-compliant rules: {summary['NonCompliantResourceCount']['CappedCount']}")

        # Per-rule breakdown (paginated) via describe_compliance_by_config_rule
        paginator = config_client.get_paginator('describe_compliance_by_config_rule')
        for page in paginator.paginate():
            for item in page['ComplianceByConfigRules']:
                print(f"  Rule: {item['ConfigRuleName']} -> {item['Compliance']['ComplianceType']}")
    except ClientError as e:
        print(f"Error getting compliance summary: {e}")
    ```