Last Updated: Mar 27, 2024

AWS Config

Introduction

AWS Config is a service that allows you to audit, assess, and evaluate the configurations of your AWS resources. With Config, you can review changes in relationships and configurations between AWS resources, determine your overall compliance against the configurations specified in your guidelines, and dive into detailed resource configuration histories. Config continuously records and monitors your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Why AWS Config (Use cases)

Discovery

AWS Config will locate resources in your account, record their current configuration, and capture any changes to these configurations.

Troubleshooting

Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.

Change management

When your resources are updated, created, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS) to notify you of all the configuration changes.

Continuous audit and compliance

AWS Config is made to help you assess compliance with your internal policies and regulatory standards by providing visibility into the configuration of your AWS resources and third-party resources and continuously evaluating resource configuration changes against your desired configurations.

Security analysis

Data from AWS Config allows you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses.

Setup of AWS Config

First, we will create a trail in AWS CloudTrail. AWS CloudTrail is a service that helps you with compliance, governance, operational auditing, and risk auditing of your AWS account.

Search for CloudTrail under the Management Tools section in the console and click on it.

  1. Click on Getting Started. Then, click on Trails on the Left Side of the screen in the CloudTrail Console.
  2. Next, click on Create trail to create our trail.
  3. We will apply the following settings:
    • Trail name: management-tools-week
    • Storage location: Create a new S3 bucket (default)
    • IAM Role: New
    • CloudWatch Logs: enabled
    • Log group name: management-tools-week
    • Role name: management-tools-week
    • Click Next to move to the next steps.
  4. Click Create trail to complete the process.

 

Next, we will enable AWS Config.

  1. Search for the Config service within the Management Tools section, and then click on Config.
  2. Next, click on Getting started and follow the setup wizard.
  3. On the Settings page, make sure to apply the following selections:
    • Record all resources in this region.
    • Include global resources.
    • Create an AWS Config service-linked role.
    • Create a bucket (accept the default bucket name).
  4. Skip rule selection by clicking Next on the next screen.
  5. We will set up Config rules in the following steps.
  6. Finally, click Confirm.
  7. AWS Config is now recording changes for supported resources, and we can proceed to the Config rule with remediation.
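The Setup section as it would be scripted with boto3, added here as an example (it is not the lab's own code). It assumes the S3 bucket (with a bucket policy that allows CloudTrail and Config delivery), the CloudWatch Logs log group and the CloudWatch Logs role already exist, and uses placeholder account and bucket names; the recorder status check at the end is the verification a practitioner wants, because a recorder that is defined but never started records nothing.

```python
# Added example, not the lab's own code: the console setup above expressed with boto3.
# Assumes the S3 bucket (with a policy allowing CloudTrail and Config delivery), the
# CloudWatch Logs log group and the Logs role already exist; IDs below are placeholders.
ACCOUNT_ID = "123456789012"  # placeholder account ID
TRAIL_NAME = "management-tools-week"
LOG_GROUP_NAME = "management-tools-week"
LOGS_ROLE_NAME = "management-tools-week"
# Service-linked role the Config console creates when you choose that option.
CONFIG_ROLE_ARN = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
                   "config.amazonaws.com/AWSServiceRoleForConfig")


def create_trail_with_logs(cloudtrail, bucket, region="us-east-1"):
    """Create the trail with CloudWatch Logs enabled, start logging, return IsLogging."""
    cloudtrail.create_trail(
        Name=TRAIL_NAME,
        S3BucketName=bucket,
        CloudWatchLogsLogGroupArn=f"arn:aws:logs:{region}:{ACCOUNT_ID}:log-group:{LOG_GROUP_NAME}:*",
        CloudWatchLogsRoleArn=f"arn:aws:iam::{ACCOUNT_ID}:role/{LOGS_ROLE_NAME}",
    )
    cloudtrail.start_logging(Name=TRAIL_NAME)
    return cloudtrail.get_trail_status(Name=TRAIL_NAME)["IsLogging"]


def enable_config_recording(config, bucket, recorder="default"):
    """Record all resources in the region (global ones included) and start the recorder."""
    config.put_configuration_recorder(ConfigurationRecorder={
        "name": recorder,
        "roleARN": CONFIG_ROLE_ARN,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    })
    config.put_delivery_channel(DeliveryChannel={"name": recorder, "s3BucketName": bucket})
    # A recorder that is defined but never started records nothing: start it and verify.
    config.start_configuration_recorder(ConfigurationRecorderName=recorder)
    status = config.describe_configuration_recorder_status(ConfigurationRecorderNames=[recorder])
    return status["ConfigurationRecordersStatus"][0]["recording"]


if __name__ == "__main__":
    import boto3  # imported here so the module also loads where boto3 is not installed

    bucket = "config-bucket-placeholder"  # the bucket created in the Setup section
    print("trail logging:", create_trail_with_logs(boto3.client("cloudtrail"), bucket))
    print("config recording:", enable_config_recording(boto3.client("config"), bucket))
```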

Config rule with remediation

Create the lab environment

First, we must create a CloudFormation stack that includes the resources required for this lab.

The stack creates the resources shown in the lab architecture diagram below.

[Figure: Lab Architecture Diagram]

  1. Open the CloudFormation console to create this stack and click on Create stack.
  2. When prompted for the template, click on Upload a template file and provide the path to the file we just downloaded.
  3. On the following pages, give the stack a unique name (such as ConfigLab), and enter the same S3 bucket name as the one you created in the Setup section.
  4. Finally, enter your email address when prompted; otherwise, accept the defaults on the following pages and create the stack.

Creating a Config rule to alert on Systems Manager agent non-compliance

This step will help in checking if EC2 instances have a working Systems Manager agent.

  1. In the AWS Config console, click on Rules on the console's left side.
  2. Next, click on Add rule.
  3. Then, in the Add rule screen, in the Filter section, type ec2-instance-managed-by-systems-manager and select the rule.
  4. Under the Trigger section, notice the trigger type. Leave the remaining settings as-is.
  5. Finally, click Save.

 

You can create config Rules to monitor several items within your infrastructure. Besides utilizing AWS-managed Config rules, you can also create custom rules using AWS Lambda functions.

Deploy an EC2 instance

Next, let's deploy an EC2 instance to test our Config rule. 

We can do this easily from the EC2 console. Create a t3.small instance in the same region, with no keypair or IAM instance profile. The instance should use Amazon Linux 2 as the base image, and all default options should be sufficient for creating our lab instance.

Config rule with lambda

Create a Config rule to ensure CloudTrail is enabled

This step will help create a Config rule that will evaluate if CloudTrail is enabled inside your AWS account.

  1. Go to the Config console, and click on Rules on the console's left.
  2. Then, click on Add Rule.
  3. Under the Add rule screen, in the Filter section, type cloudtrail-enabled, and then click on the cloudtrail-enabled rule.
  4. Inside the Trigger section, notice that the trigger type is Periodic; change the frequency to 1 hour.
  5. Next, find the Amazon Resource Name (ARN) of the CloudWatch log group. In the CloudWatch console, click on Log groups and then on the management-tools-week log group. Copy the ARN and paste it into the cloudWatchLogsLogGroupArn field.
  6. Click Save.

 

When this rule finishes evaluating, your AWS account will be marked as compliant.

Set triggers for Lambda functions

We will be creating the trigger for the Lambda function deployed by our CloudFormation template.

  1. Go to the CloudWatch console, and click on Rules under Events on the left side.
    1. Click Create Rule
    2. Within Event Source, we will
      • Select the radio button beside the event pattern.
      • Put Service Name: Config
      • Event Type: Config Rules Compliance Change
      • Select the radio button beside the Specific message type
        • From the Drop Down, we will Select ComplianceChangeNotification.
      • Select the radio button beside the Specific rule name
        • Type cloudtrail-enabled
    3. Click on Add target.
    4. Select the ConfigSSMLab-EnforceCloudTrailFunction Lambda function.
  2. Click Configure details.
  3. Enter CloudTrailChange as the rule name and then click on Create rule.

Testing the new CloudTrail remediation Lambda

We now have an event configured to force remediation of a broken CloudTrail configuration. Next, we will trigger it.

  1. In CloudTrail, remove the CloudWatch Logs configuration: go to the trail we created earlier, click on Edit, deselect the Enabled box under CloudWatch Logs, and save the changes.
  2. Navigate to our Config rule for CloudTrail and re-evaluate the rule. Refresh the screen after a minute and confirm that it comes up as non-compliant.
  3. Go back to CloudTrail. The CloudWatch Logs configuration will have been restored, and you will receive an email.
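The remediation step just exercised, written out as an added Python example of the kind of handler the trigger in the previous section invokes (this is not the lab's own ConfigSSMLab-EnforceCloudTrailFunction, which is deployed by the CloudFormation template and not shown on this page). It filters on the same event fields the CloudWatch Events rule selects, acts only when the new evaluation is NON_COMPLIANT, and re-attaches the log group to the trail; it assumes the trail name, log group ARN and CloudWatch Logs role ARN are provided in a settings dict (read from environment variables by default).

```python
# Added example, not the lab's Lambda: remediate the cloudtrail-enabled rule by putting the
# CloudWatch Logs configuration back on the trail. Assumes TRAIL_NAME, LOG_GROUP_ARN and
# LOGS_ROLE_ARN are supplied as settings (environment variables unless injected).
import os

# The conditions the CloudWatch Events rule in the previous section matches on.
RULE_NAME = "cloudtrail-enabled"
DETAIL_TYPE = "Config Rules Compliance Change"
MESSAGE_TYPE = "ComplianceChangeNotification"


def should_remediate(event):
    """True only for a cloudtrail-enabled compliance change whose new result is NON_COMPLIANT."""
    if event.get("source") != "aws.config" or event.get("detail-type") != DETAIL_TYPE:
        return False
    detail = event.get("detail", {})
    if detail.get("messageType") != MESSAGE_TYPE or detail.get("configRuleName") != RULE_NAME:
        return False
    return detail.get("newEvaluationResult", {}).get("complianceType") == "NON_COMPLIANT"


def lambda_handler(event, context=None, cloudtrail=None, settings=None):
    """Lambda entry point; the client and settings can be injected for offline testing."""
    if not should_remediate(event):
        return {"remediated": False}
    if settings is None:
        settings = {k: os.environ[k] for k in ("TRAIL_NAME", "LOG_GROUP_ARN", "LOGS_ROLE_ARN")}
    if cloudtrail is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        cloudtrail = boto3.client("cloudtrail")
    # Re-attach the log group and delivery role that step 1 above removed.
    cloudtrail.update_trail(
        Name=settings["TRAIL_NAME"],
        CloudWatchLogsLogGroupArn=settings["LOG_GROUP_ARN"],
        CloudWatchLogsRoleArn=settings["LOGS_ROLE_ARN"],
    )
    return {"remediated": True, "rule": RULE_NAME}


# Constructed sample in the shape Config publishes when the periodic rule turns non-compliant.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": DETAIL_TYPE,
    "detail": {
        "configRuleName": RULE_NAME,
        "messageType": MESSAGE_TYPE,
        "resourceType": "AWS::::Account",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
```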

Resource details and CloudWatch 

Ensuring the CloudWatch agent is installed on instances

Now to make sure that the latest version of the CloudWatch agent is installed on our instance, we will create a State Manager job. State Manager is a scalable and secure configuration management service that ensures your hybrid infrastructure and Amazon EC2 are in a consistent or intended state.

  1. Go to the Systems Manager Console, and under Actions, click on State Manager.
  2. Next, click on Create Association.
  3. Enter CloudWatchAgentInstall as the name of the association.
  4. Within Document, click the radio button next to the AWS-ConfigureAWSPackage command
  5. Under Parameters, make the following changes,
    1. Action: Install
    2. Installation type: In-place update
    3. Name: AmazonCloudWatchAgent
  6. Inside Targets, select Choose instances manually, and then check to select the EC2 instance that you created earlier in the lab.
    1. If this is not a shared or pre-existing AWS account, then there is likely only a single instance in the list.
  7. Inside Specify schedule,
    1. Select the Radio Button next to CRON schedule builder
    2. Enter Every Day at 22:30
  8. Click on Create Association.

 

This association will then run every day at 10:30 PM and ensure the latest version of the CloudWatch agent is installed.

Advantages of AWS Config

Continuous monitoring

Config enables you to inventory your AWS resources, the configurations of your AWS resources, and software configurations within EC2 instances at any time. 

Continuous assessment

AWS Config enables you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.

Change management

With AWS Config, you can track the relationships among resources and review resource dependencies before making changes. 

Operational troubleshooting

With AWS Config, you can capture a comprehensive history of your AWS resource configuration changes to simplify troubleshooting your operational issues.

Enterprise-wide compliance monitoring

With multi-region, multi-account data aggregation in AWS Config, you can see compliance status across your enterprise and identify non-compliant accounts. You can dive deeper to view the status for a specific region or a specific account across regions. 

Frequently Asked Questions

What is Amazon Config?

Amazon Config is a service that enables you to audit, assess, and evaluate the configurations of your Amazon Web Services resources.

What do you understand about AWS?

Amazon Web Services is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to companies, individuals, and governments on a metered pay-as-you-go basis.

List some other AWS services.

Amazon Web Services offers a broad set of global cloud-based products including analytics, storage, compute, databases, networking, mobile, IoT, security, developer tools, management tools, and enterprise applications. These services help organizations lower IT costs, move faster, and scale.

Conclusion

I hope this article has given you some meaningful insights into Amazon Config. We learned about its setup, creating the lab environment, Config rules with Lambda, resource details, and CloudWatch.

Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, System Design, JavaScript, etc. Enroll in our courses, refer to the mock test and problems available, interview puzzles, and look at the interview bundle and interview experiences for placement preparations.

We hope that this blog has helped you increase your knowledge regarding AWS Config, and if you liked this blog, check out the other links. Do upvote our blog to help other ninjas grow. Happy Coding!