Management Tools | AWS Config Flashcards
(37 cards)
What is AWS Config?
General
AWS Config | Management Tools
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
What is a Config Rule?
General
AWS Config | Management Tools
A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
What are the benefits of AWS Config?
General
AWS Config | Management Tools
AWS Config makes it easy to track your resource’s configuration without the need for up-front investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change.
How can AWS Config help with audits?
General
AWS Config | Management Tools
AWS Config gives you access to resource configuration history. You can relate configuration changes with AWS CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as “Who made the change?”, “From what IP address?” to the effect of this change on AWS resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time.
Who should use AWS Config and Config Rules?
General
AWS Config | Management Tools
Any AWS customer looking to improve their security and governance posture on AWS by continuously evaluating the configuration of their resources would benefit from this capability. Administrators within larger organizations who recommend best practices for configuring resources can codify these rules as Config Rules, and enable self-governance among users. Information Security experts who monitor usage activity and configurations to detect vulnerabilities can benefit from Config Rules. Customers with workloads that need to comply with specific standards (e.g. PCI-DSS or HIPAA) can use this capability to assess compliance of their AWS infrastructure configurations, and generate reports for their auditors. Operators who manage large AWS infrastructure or components that change frequently can also benefit from Config Rules for troubleshooting.Customers who want to track changes to resources configuration, answer questions about resource configurations, demonstrate compliance, troubleshoot or perform security analysis should turn on AWS Config.
Does the service guarantee that my configurations are never out of compliance?
General
AWS Config | Management Tools
Config Rules provides information about whether your resources are compliant with configuration rules you specify. It will evaluate rules as soon as updated Configuration Items (CIs) for the resource are available within AWS Config. It does not guarantee that resources will be compliant or prevent users from taking non-compliant actions. Further, Config Rules does not automatically snap non-compliant resources back into compliance.
Does the service prevent users from taking non-compliant actions?
General
AWS Config | Management Tools
Config Rules does not directly affect how end-users consume AWS. It evaluates resource configurations only after a configuration change has been completed and recorded by AWS Config. Config Rules does not prevent the user from making changes that could be non-compliant. To control what a user can provision on AWS and configuration parameters allowed during provisioning, please use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.
Can rules be evaluated prior to provisioning a resource?
General
AWS Config | Management Tools
Config Rules evaluates rules after the Configuration Item (CI) for the resource is captured by AWS Config. It does not evaluate rules prior to provisioning a resource or prior to making configuration changes on the resource.
How does AWS Config work with AWS CloudTrail?
Getting Started
AWS Config | Management Tools
AWS CloudTrail records user API activity on your account and allows you to access information about this activity. You get full details about API actions, such as identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs). You can use a CI to answer “What did my AWS resource look like?” at a point in time. You can use AWS CloudTrail to answer “Who made an API call to modify this resource?” For example, you can use the AWS Management Console for AWS Config to detect security group “Production-DB” was incorrectly configured in the past. Using the integrated AWS CloudTrail information, you can pinpoint which user misconfigured “Production-DB” security group.
How do I get started with this service?
Getting Started
AWS Config | Management Tools
The quickest way to get started with AWS Config is to use the AWS Management Console. You can turn on AWS Config in a few clicks. For additional details, see the Getting Started documentation.
How do I access my resources’ configuration?
Getting Started
AWS Config | Management Tools
You can lookup current and historical resource configuration using the AWS Management Console, AWS Command Line Interface or SDKs.
For additional details, please refer to AWS Config documentation.
Do I turn on AWS Config regionally or globally?
Getting Started
AWS Config | Management Tools
You turn on AWS Config on a per-region basis for your account.
Can AWS Config aggregate data across different AWS accounts?
Getting Started
AWS Config | Management Tools
Yes, you can set up AWS Config to deliver configuration updates from different accounts to one S3 bucket, once the appropriate IAM policies are applied to the S3 bucket. You can also publish notifications to the one SNS Topic, within the same region, once appropriate IAM policies are applied to the SNS Topic.
Is API activity on AWS Config itself logged by AWS CloudTrail?
Getting Started
AWS Config | Management Tools
Yes. All AWS Config API activity, including use of AWS Config APIs to read configuration data, is logged by AWS CloudTrail.
What time and timezones are displayed in the timeline view of a resource? What about daylight savings?
Config Rules
AWS Config | Management Tools
AWS Config displays the time at which Configuration Items (CIs) were recorded for a resource on a timeline. All times are captured in Coordinated Universal Time (UTC). When the timeline is visualized on the management console, the services uses the current time zone (adjusted for daylight savings, if relevant) to display all times in the timeline view.
What is a resource’s configuration?
Config Rules
AWS Config | Management Tools
Configuration of a resource is defined by the data included in the Configuration Item (CI) of AWS Config. The initial release of Config Rules makes the CI for a resource available to relevant rules. Config Rules can use this information along with any other relevant information such as other attached resource, business hours, etc. to evaluate compliance of a resource’s configuration.
What is a rule?
Config Rules
AWS Config | Management Tools
A rule represents desired Configuration Item (CI) attribute values for resources and are evaluated by comparing those attribute values with CIs recorded by AWS Config. There are two types of rules:
AWS managed rules: AWS managed rules are pre-built and managed by AWS. You simply choose the rule you want to enable, then supply a few configuration parameters to get started. Learn more »
Customer managed rules: Customer managed rules are custom rules, defined and built by you. You can create a function in AWS Lambda that can be invoked as part of a custom rule and these functions execute in your account. Learn more »
The quickest way to get started with AWS Config is to use the AWS Management Console. You can turn on AWS Config in a few clicks. For additional details, see the Getting Started documentation.
How are rules created?
Config Rules
AWS Config | Management Tools
Rules are typically set up by the AWS account administrator. They can be created by leveraging AWS managed rules – a predefined set of rules provided by AWS or through customer managed rules. With AWS managed rules updates to the rule are automatically applied to any account using that rule. In the customer-managed model, the customer has a full copy of the rule, and executes the rule within his/her own account. These rules are maintained by the customer.
How many rules can I create?
Config Rules
AWS Config | Management Tools
You can create up to 50 rules in your AWS account by default. Additionally, you can request an increase for the limit on the number of rules in your account by visiting the AWS Service Limits page.
How are rules evaluated?
Config Rules
AWS Config | Management Tools
Any rule can be setup as a change-triggered rule or as a periodic rule. A change-triggered rule is executed when AWS Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:
Tag Key:(optional Value): A tag key:value implies any configuration changes recorded for resources with the specified tag key:value will trigger an evaluation of the rule.
Resource type(s): Any configuration changes recorded for any resource within the specified resource type(s) will trigger an evaluation the rule.
Resource ID: Any changes recorded to the resource specified by the resource type and resource ID will trigger an evaluation of the rule.
A periodic rule is triggered at a specified frequency. Available frequencies are 1hr, 3hr, 6hr, 12hr or 24hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.
What is an evaluation?
Config Rules
AWS Config | Management Tools
Evaluation of a rule determines whether a rule is compliant with a resource at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. Config Rules will capture and store the result of each evaluation. This result will include the resource, rule, time of evaluation and a link to Configuration Item (CI) that caused non-compliance.
What does compliance mean?
Config Rules
AWS Config | Management Tools
A resource is compliant if complies with all rules that apply to it. Otherwise it is noncompliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with the rule. Otherwise it is noncompliant. In some cases, such as when inadequate permissions are available to the rule, an evaluation may not exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.
What information does the Config Rules dashboard provide?
Services and Region Support
AWS Config | Management Tools
The Config Rules dashboard gives you an overview of resources tracked by AWS Config, and a summary of current compliance by resource and by rule. When you view compliance by resource, you can determine if any rule that applies to the resource is currently not compliant. You can view compliance by rule, which tells you if any resource under the purview of the rule is currently non-compliant. Using these summary views, you can dive deeper into the Config timeline view of resources, to determine which configuration parameters changed. Using this dashboard, you can start with an overview and drill into fine-grained views that give you full information about changes in compliance status, and which changes caused non-compliance.
What AWS resources types are covered by AWS Config?
Services and Region Support
AWS Config | Management Tools
Review our documentation for a complete list of supported resource types.
