AWS Config · 2020. 9. 11. · AWS Config features Resource relationship tracking Discovers, maps,...

Post on 19-Sep-2020



© 2020, Amazon Web Services, Inc. or its Affiliates.

Tariq Habib

Solutions Architect

September 11th, 2020

AWS Config: Building an effective governance framework


Inventory and configuration management

• What is currently out there?

• What is the latest configuration state of my resources?

• What relationships exist between my resources?

• What configuration changes occurred in the past?

• Which resources have violated compliance policies?


Governance and compliance management

• Are my resources properly configured?

• Do my resources comply with regulatory requirements?

• How do I ensure continuous compliance?

• How can I get notified in near real-time if resource(s) go out of compliance?


AWS Config


Benefits

• Continuous monitoring

• Continuous assessment

• Change management

• Operational troubleshooting

• Enterprise-wide compliance monitoring, including third-party resources


How it works

• A configuration change occurs in your AWS resources.

• AWS Config records and normalizes the changes into a consistent format.

• AWS Config automatically evaluates the recorded configurations against the configurations you specify.

• Access change history and compliance results using the console or APIs. CloudWatch Events or SNS alert you when changes occur. Deliver change history and snapshot files to your S3 bucket for analysis.

Integrations shown in the diagram: Amazon S3, Amazon CloudWatch, Amazon SNS, AWS Config APIs & Console


AWS Config features

Configuration history of AWS resources

Records details of changes to your AWS resources to provide you with a configuration history timeline

Obtain details of what a resource’s configuration looked like at any point in the past

Configuration snapshots

Provides a point-in-time capture of all your resources and their configurations

Configuration history of software (requires SSM agent)

Records software configuration changes within your Amazon EC2 instances and servers running on-premises or other cloud providers

Provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances

Configurable and customizable rules

Assess your resource configurations and resource changes for compliance against built-in or custom rules and automate remediation of non-compliant resources

Customize pre-built rules or create your own custom rules in AWS Lambda that define your internal best practices and guidelines for resource configurations


AWS Config features

Resource relationship tracking

Discovers, maps, and tracks AWS resource relationships in your account

For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, Config records the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.

Cloud governance dashboard

Provides a visual dashboard to help you quickly spot non-compliant resources and take appropriate action

Multi-account, multi-region data aggregation

Enables centralized auditing and governance by providing an enterprise-wide view of your resources and Config rule compliance status

Conformance packs

Packages a collection of AWS Config rules and remediation actions into a single entity and deploys it in a single account or across an entire organization.


Configuration history of AWS resources


Basic Components

Configuration Items

Represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account

Includes metadata, attributes, relationships, current configuration, and related events

AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording

Configuration History

A collection of the configuration items for a given resource over any time period

Determine things like when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM

Access historical configuration items for a resource from the API or in the console using the timeline

Configuration Recorder

Stores the configurations of the supported resources in your account as configuration items

Records all supported resources in the region where AWS Config is running by default

You can create a customized configuration recorder that records only the resource types that you specify


AWS Resources


AWS Resource


Resource Timeline


Configuration Item


Resource Timeline


Configuration Changes


Resource Relationships


Advanced queries


Query editor


Query output


Configuration history of software


Prerequisites

AWS Systems Manager

Configure EC2 and on-premises servers as managed instances in AWS Systems Manager

Initiate collection of software inventory from your managed instances using the Systems Manager Inventory capability

Turn on recording for the managed instance inventory resource type in AWS Config


Managed Instance Information timeline


Managed Instance Information timeline


Managed Instance Information timeline


Configurable and customizable rules


Basic Components

AWS Config Rule

Represents your desired configuration settings for specific AWS resources or for an entire AWS account

If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant

AWS Config provides customizable, predefined rules to help you get started, but you can also create custom rules

Evaluation Triggers

While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules

After you activate a rule, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered

Evaluation triggers are defined as part of the rule, and they can include the following types:

- Configuration changes: triggers the evaluation when any resource that matches the rule's scope changes in configuration

- Periodic: runs evaluations for the rule at a frequency that you choose (for example, every 24 hours)
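As an added example (not part of the deck or of any AWS-provided rule), a minimal custom rule Lambda in Python that handles the configuration-change trigger just described: it parses the invokingEvent that AWS Config passes, checks one AWS::EC2::SecurityGroup configuration item for ingress open to 0.0.0.0/0 on ports outside a small allow-list, and reports the verdict back with PutEvaluations. The allow-list, the sample configuration item, and the ipRanges/ipv4Ranges shape inside ipPermissions are assumptions made for this example.

```python
import json

# Ports a rule open to 0.0.0.0/0 may expose (constructed policy; a real rule would read ruleParameters).
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed configuration item, trimmed to the fields used here: SSH and HTTPS open to the world.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemCaptureTime": "2020-09-11T10:00:00.000Z", "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]},
}

def _open_to_world(perm):
    """True if an ipPermissions entry includes 0.0.0.0/0 (ipv4Ranges dicts or ipRanges strings; shape assumed)."""
    ranges = perm.get("ipv4Ranges") or perm.get("ipRanges") or []
    return any((r.get("cidrIp") if isinstance(r, dict) else r) == "0.0.0.0/0" for r in ranges)

def evaluate_security_group(item):
    """Pure check over one AWS::EC2::SecurityGroup item; returns (ComplianceType, Annotation)."""
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        if not _open_to_world(perm):
            continue
        if perm.get("ipProtocol") == "-1":
            return "NON_COMPLIANT", "All traffic open to 0.0.0.0/0"
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:
            return "NON_COMPLIANT", "Public rule without a port range"
        bad = sorted(set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS)
        if bad:
            return "NON_COMPLIANT", f"Ports {bad[:5]} open to 0.0.0.0/0"
    return "COMPLIANT", "No unexpected ports open to 0.0.0.0/0"

def build_evaluation(item, compliance, annotation):
    """One entry of the Evaluations list that PutEvaluations expects."""
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point AWS Config invokes for a configuration-change triggered rule."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        return None  # periodic and oversized notifications need a different code path
    item = invoking["configurationItem"]
    deleted = item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    compliance, note = ("NOT_APPLICABLE", "Resource deleted") if deleted else evaluate_security_group(item)
    import boto3  # deferred so the pure checks above run without the AWS SDK installed
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, compliance, note)], ResultToken=event["resultToken"])
```

Deleted resources are reported as NOT_APPLICABLE so the rule's compliance view does not keep a stale non-compliant entry for a security group that no longer exists.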


AWS Config rules

Analyze configuration changes

90+ pre-built rules provided by AWS

Custom rules using AWS Lambda

GitHub repo: Community sourced rules

Aggregate compliance into a central account

Compliance history


Managed rules (AWS Security Hub)


Managed rules


Configuring managed rules


Compliance history timeline


Resource timeline


Compliance history timeline


Compliance changes


Configuring remediation actions


Configuring remediation actions


Executing remediation actions


Executing remediation actions


Remediation actions


Advanced compliance query


Conformance Packs


AWS Config Conformance Pack features

Configuration compliance common framework

A collection of AWS Config rules and remediation actions as a single entity

Deploys in a single account and Region or across an organization in AWS Organizations

Immutable

Individual rules cannot be changed outside of the pack, regardless of access or account permission

When deployed by an organization's master account, it cannot be modified by the organization's member accounts.


Conformance Packs


Multi-account, multi-Region aggregation


Basic Components

Aggregator

A new resource type in AWS Config that collects AWS Config configuration and compliance data from multiple source accounts and regions

Aggregator Account

An AWS account that owns one or more aggregators

Source Account

The AWS account from which you want to aggregate AWS Config resource configuration and compliance data

A source account can be an individual account or an organization in AWS Organizations

You can provide source accounts individually or you can retrieve them through AWS Organizations

Authorization

As a source account owner, authorization refers to the permissions you grant to an aggregator account and region to collect your AWS Config configuration and compliance data

Authorization is not required if you are aggregating source accounts that are part of AWS Organizations


Multi-account, multi-region data aggregation

• Central dashboard that provides an aggregated view

• Multi-account, multi-region

• Integrates with AWS Organizations

• Available at no additional charge


Multi-account, multi-region data aggregation feature

Accounts and regions: Select the source accounts and regions from where you want to collect AWS Config data

AWS Config data: Collection of AWS Config data from multiple source accounts and regions

Aggregator: Contains the resource configuration information and the compliance data recorded in AWS Config

Aggregated view: View all compliant and non-compliant rules and resources for each aggregator


Aggregated resource search


Aggregated rules view


Advanced query (cross-account)


Advanced query (cross-account)


Q&A


Thank You!