AWS Config Flashcards

1
Q

IAM Role Policy for Getting Configuration Details

A

To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources.

Use the AWS managed policy AWSConfigRole and attach it to the IAM role that you assign to AWS Config. AWS updates this policy each time AWS Config adds support for an AWS resource type, which means AWS Config will continue to have the required permissions to get configuration details as long as the role has this managed policy attached.

If you configured AWS Config to record S3 buckets for your account, AWS Config records and delivers notifications when an S3 bucket is created, updated, or deleted.

If you configured AWS Config to record S3 buckets, and are not receiving configuration change notifications:

Verify that the IAM role assigned to AWS Config has the AWSConfigRole managed policy.

If you have S3 bucket policies attached to your buckets, verify that they allow AWS Config permission to record changes to your buckets.

2
Q

What Is AWS Config?

A

AWS Config allows you to see a detailed view of the configuration of your AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

With AWS Config, you can do the following:

Evaluate your AWS resource configurations for desired settings.

Get a snapshot of the current configurations of the supported resources that are associated with your AWS account.

Retrieve configurations of one or more resources that exist in your account.

Retrieve historical configurations of one or more resources.

Receive a notification whenever a resource is created, modified, or deleted.

View relationships between resources. For example, you might want to find all resources that use a particular security group.

3
Q

AWS Config Managed and Custom Rules

A

An AWS Config rule represents your desired configuration settings for specific AWS resources or for an entire AWS account. AWS Config provides customizable, predefined rules to help you get started. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant, and AWS Config notifies you through Amazon SNS.

AWS Config Custom Rules
With AWS Config you can also create custom rules. While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules.

After you activate a rule, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types:

Configuration changes – AWS Config triggers the evaluation when any resource that matches the rule’s scope changes in configuration. The evaluation runs after AWS Config sends a configuration item change notification.

Periodic – AWS Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

4
Q

Multi-Account Multi-Region Data Aggregation

A

Multi-account multi-region data aggregation in AWS Config allows you to aggregate AWS Config configuration and compliance data from multiple accounts and regions into a single account. Multi-account multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise.

5
Q

How AWS Config Works

A

AWS Config keeps track of all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.

For example, removing an egress rule from a VPC security group causes AWS Config to invoke a Describe API call on the security group. AWS Config then invokes a Describe API call on all of the instances associated with the security group. The updated configurations of the security group (the resource) and of each instance (the related resources) are recorded as configuration items and delivered in a configuration stream to an Amazon Simple Storage Service (Amazon S3) bucket.

AWS Config also tracks the configuration changes that were not initiated by the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed.

If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config will evaluate your resources either in response to configuration changes or periodically. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule’s AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.
