3.1 - PaulDuvall/aws-compliance-workshop GitHub Wiki
3.1 Describe AWS and AWS Config Rules
What is AWS Config and Config Rules?
"AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations using AWS Config Rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant." Source
Config is Easy to Configure
"AWS Config makes it easy to track your resource's configuration without the need for up-front investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change." Source
Config Helps Answer Questions About Changes
"AWS Config gives you access to resource configuration history. You can relate configuration changes with AWS CloudTrail events that possibly contributed to the change in configuration. This information provides you with full visibility of changes that have been made (e.g. who made the change, the IP address where the change originated, etc.) and the effect they have on AWS resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time." Source
Config Rules Detect Noncompliant Changes
Config Rules do not prevent a user from making a change that would be noncompliant; they are a detective control, not a preventive one. A rule detects the change and marks the affected resource as noncompliant. Optionally, you can configure a rule to trigger remediation through AWS Lambda or AWS Systems Manager Automation.
Running Config Across Multiple AWS Accounts
AWS Config makes it easy to monitor compliance status across multiple accounts and regions using the multi-account, multi-region data aggregation capability. You can create a configuration aggregator in any account and aggregate the compliance details from other accounts. This capability is also integrated with AWS Organizations, so you can aggregate data from all accounts within your organization.
AWS Config Rule Relationships and Changes
As shown below, once you have created a Config Rule, you can view its relationships with other AWS resources, see its compliance history, and view the configuration changes that have been applied to the monitored resources.
AWS Config Compliance Timeline
AWS Config Configuration Timeline
AWS Config CLI
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
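The rule queried above, InstanceTypesAreT2micro, checks the kind of property a custom Config Rule evaluates. Below is an added example of such a Lambda-backed custom rule, not the workshop's own code: it assumes the rule is triggered by configuration changes to AWS::EC2::Instance items, that the permitted type arrives in an assumed rule parameter named desiredInstanceType, and that evaluations are reported back with the ResultToken Config supplies in the invoking event.

```python
import json

def evaluate_instance(item, desired_type="t2.micro"):
    """Return (compliance_type, annotation) for one recorded configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    # A deleted resource has nothing left to assess; NOT_APPLICABLE clears any stale finding
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    actual = item.get("configuration", {}).get("instanceType")
    if actual == desired_type:
        return "COMPLIANT", f"Instance type is {actual}"
    return "NON_COMPLIANT", f"Instance type is {actual}, expected {desired_type}"

def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes on each change; config_client is injectable for offline tests."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # "desiredInstanceType" is an assumed rule parameter name, not one defined by the workshop
    compliance, annotation = evaluate_instance(item, params.get("desiredInstanceType", "t2.micro"))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # imported lazily so the evaluation logic runs without the SDK installed
        config_client = boto3.client("config")
    # Config rejects evaluations that do not carry the ResultToken from the invoking event
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class RecordingConfigClient:
    """Stand-in for the boto3 Config client so the handler can be exercised locally."""
    def __init__(self):
        self.calls = []
    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

# Constructed sample event in the shape Config sends to a Lambda-backed rule (values are made up)
SAMPLE_ITEM = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
               "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
               "configuration": {"instanceType": "m5.large"}}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}),
                "ruleParameters": json.dumps({"desiredInstanceType": "t2.micro"}),
                "resultToken": "constructed-token"}
```

Running `lambda_handler(SAMPLE_EVENT, None, config_client=RecordingConfigClient())` reports the m5.large sample as NON_COMPLIANT without touching AWS; deploying it as a Lambda function behind a Config Rule drops the stub and lets boto3 report to the real service.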