AWS Config · 2020. 9. 11. · AWS Config features Resource relationship tracking Discovers, maps,...

© 2020, Amazon Web Services, Inc. or its Affiliates.

Tariq Habib

Solutions Architect

September 11th, 2020

AWS ConfigBuilding an effective governance framework


Inventory and configuration management

• What is currently out there?

• What is the latest configuration state of my resources?

• What relationships exist between my resources?

• What configuration changes occurred in the past?

• Which resources have violated compliance policies?


Governance and compliance management

• Are my resources properly configured?

• Do my resources comply with regulatory requirements

• How do I ensure continuous compliance?

• How can I get notified in near real-time if resource(s) go out of

compliance?


AWS Config


Benefits

Continuous

monitoring

Continuous

assessment

Change

management

Operational

troubleshooting

Enterprise-wide

compliance

monitoring

including third-

party resources


How it works

AWS ConfigAWS Config records and

normalizes the changes

into a consistent format

Access change history and

compliance results using the

console or APIs. CloudWatch

Events or SNS alert you when

changes occur. Deliver change

history and snapshot files to

your S3 bucket for analysis.

Amazon S3

Amazon

CloudWatch

Amazon SNS

AWS Config APIs

& Console

AWS Config automatically

evaluates the recorded

configurations against the

configurations you specify.

Configuration change

occurs in your AWS

resources.


AWS Config features

Configuration history of AWS resources

Records details of changes to your AWS resources to provide you with a configuration history timeline

Obtain details of what a resource’s configuration looked like at any point in the past

Configuration snapshots

Provides a point-in-time capture of all your resources and their configurations

Configuration history of software (requires SSM agent)

Records software configuration changes within your Amazon EC2 instances and servers running on-

premises or other cloud providers

Provides a history of OS and system-level configuration changes alongside infrastructure configuration

changes recorded for EC2 instances

Configurable and customizable rules

Assess your resource configurations and resource changes for compliance against built-in or custom rules

and automate remediation of non-compliant resources

Customize pre-built rules or create your own custom rules in AWS Lambda that define your internal best

practices and guidelines for resource configurations


AWS Config features

Resource relationship tracking

Discovers, maps, and tracks AWS resource relationships in your account

For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, Config

records the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.

Cloud governance dashboard

Provides a visual dashboard to help you quickly spot non-compliant resources and take appropriate action

Multi-account, multi-region data aggregation

Enables centralized auditing and governance by providing an enterprise-wide view of your resources and

Config rule compliance status

Conformance packs

Packages a collection of AWS Config rules and remediation actions into a single entity and deploy it in a

single account or across an entire organization.


Configuration history

of AWS resources


Basic Components

Configuration Items

Represents a point-in-time view of the various attributes of a supported AWS resource that exists in your

account

Includes metadata, attributes, relationships, current configuration, and related events

AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording

Configuration History

A collection of the configuration items for a given resource over any time period

Determine things like when the resource was first created, how the resource has been configured over the

last month, and what configuration changes were introduced yesterday at 9 AM

Access historical configuration items for a resource from the API or in the console using the timeline

Configuration Recorder

Stores the configurations of the supported resources in your account as configuration items

Records all supported resources in the region where AWS Config is running by default

You can create a customized configuration recorder that records only the resource types that you specify


AWS Resources


AWS Resource


Resource Timeline


Configuration Item


Resource Timeline


Configuration Changes


Resource Relationships


Advanced queries


Query editor


Query output


Configuration

history of software


Prerequisites

AWS Systems Manager

Configure EC2 and on-premises servers as managed instances in AWS Systems Manager

Initiate collection of software inventory from your managed instances using the Systems Manager Inventory

capability

Turn on recording for the managed instance inventory resource type in AWS Config


Managed Instance Information timeline


Manage Instance Information timeline


Managed Instance Information timeline


Configurable and

customizable rules


Basic Components

AWS Config Rule

Represents your desired configuration settings for specific AWS resources or for an entire AWS account

If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant

AWS Config provides customizable, predefined rules to help you get started but you can also create custom

rules

Evaluation Triggers

While AWS Config continuously tracks your resource configuration changes, it checks whether these

changes violate any of the conditions in your rules

After you activate a rule, AWS Config compares your resources to the conditions of the rule. After this initial

evaluation, AWS Config continues to run evaluations each time one is triggered

Evaluation triggers are defined as part of the rule, and they can include the following types:

- Configuration changes: triggers the evaluation when any resource that matches the rule's scope

changes in configuration

- Periodic: runs evaluations for the rule at a frequency that you choose (for example, every 24

hours)


AWS Config rules

Analyze configuration changes

90+ pre-built rules provided by AWS

Custom rules using AWS Lambda

GitHub repo: Community sourced rules

Aggregate compliance into a central account

Compliance history


Managed rules (AWS Security Hub)


Managed rules


Configuring managed rules


Compliance history timeline


Resource timeline


Compliance history timeline


Compliance changes


Configuring remediation actions


Executing remediation actions


Remediation actions


Advanced compliance query


Conformance Packs


AWS Config Conformance Pack features

Configuration compliance common framework

A collection of AWS Config rules and remediation actions as a single entity

Deploys in a single account and a Region or across organization in AWS Organizations

Immutable

Individual rules cannot be changed outside of the pack, regardless of access or account permission

When deployed by an organization’s master account, it cannot be modified by the organization’s member

accounts.


Conformance Packs


Multi-Account,

multi-Region aggregation


Basic Components

Aggregator

A new resource type in AWS Config that collects AWS Config configuration and compliance data from

multiple source accounts and regions

Aggregator Account

An AWS account that owns one or more aggregators

Source Account

The AWS account from which you want to aggregate AWS Config resource configuration and compliance

data

A source account can be an individual account or an organization in AWS Organizations

You can provide source accounts individually or you can retrieve them through AWS Organizations

Authorization

As a source account owner, authorization refers to the permissions you grant to an aggregator account and

region to collect your AWS Config configuration and compliance data

Authorization is not required if you are aggregating source accounts that are part of AWS Organizations


Multi-account, multi-region data aggregation

Central dashboard

that provides an

aggregated view

Multi-account,

multi-region

Integrates with

AWS Organizations

Available at no

additional charge


Multi-account, multi-region data aggregation feature

Accounts and regions

Select the source accounts and

regions from where you want to

collect AWS Config data

AWS Config data

Collection of AWS Config

data from multiple source

accounts and regions

Aggregator

Contains the resource configuration

information and the compliance

data recorded in AWS Config

Aggregated view

View all compliant and

non-compliant rules and

resources for each aggregator


Aggregated resource search


Aggregated rules view


Advanced query (cross-account)


Q&AName of presenter


Thank You!

AWS Config · 2020. 9. 11. · AWS Config features Resource relationship tracking Discovers, maps,...

Documents

Transcript of AWS Config · 2020. 9. 11. · AWS Config features Resource relationship tracking Discovers, maps,...