AWS Config: Watching Over Resources And Configuration To Reduce Risk And Increase Compliance

IT should work for you – not the other way around. That’s a lesson that’s easy to forget as organisational complexity grows, along with regulatory and managerial overheads.

AWS Config (Config) is a managed service that's designed to help you with the responsibility of overviewing, maintaining, and troubleshooting your AWS environments - especially at scale, across accounts, and if your organisation must demonstrate compliance and effective best-practice response to incidents.

AWS Config helps your organisation manage your Amazon Web Services (AWS) environments using the following functionality:

  • Resource configuration. For all AWS accounts, Config maintains a comprehensive inventory of your computing resources – both of their current state and of any changes. It also keeps a historical record of deleted resources. 

  • Change management. Resource modifications can be streamed to SNS to enable you to take immediate action. Config also represents the relationship between resources so the consequence of any change can be understood before it happens. 

  • Audit and compliance. Because of its comprehensive overview, AWS Config lets you assess compliance both with internal policies and regulatory standards, across AWS and third-party resources. In particular, it supports a compliance-as-code approach, in line with DevOps practices. Governance and compliance rules can be rolled out across your AWS accounts and regions, with rules expressed as code and with automatic remediation powered by AWS Systems Manager

  • Rapid troubleshooting and security analysis. You can find out which recent resource configuration or deployment changes are linked to issues and fix them quickly, while continuously monitoring the configuration of your resources and streaming change events to SNS to take action based on your security posture.

With a six-year history of tight integration with other AWS services, Config is very efficient and provides insights and effective monitoring from the moment it’s enabled. Organisations benefit from its dashboard, which requires minimal configuration. Config can be set up using service-linked roles, (SLRs) that have all the required permissions to read other services without having to explicitly define the policy. The SLRs get updated automatically, so IAM policies track the changes without the need for manual intervention. 

AWS Config integrates well with other AWS services and your own monitoring, alerting, and analysis systems. It integrates with the AWS CloudTrail API to track configuration changes, for example. A combination of templates and a Rule Development Kit, together with a rules repository, helps create and maintain an environment that conforms to your organisation’s needs while being well-documented and easy to consult and maintain. 

AWS Config also works at scale, and can – and should – monitor all accounts and regions. It can work across accounts and can be managed via one master account. This helps focus ownership and establish a central source of truth for your AWS resources and remediation steps. 

This means you can, for instance, direct history files and snapshots to a central InfoSec account S3 bucket and stream notifications to an SNS topic in that account, easing the security management of your AWS accounts and infrastructure. 

As well as demonstrating and enforcing compliance, and providing rapid resolution of configuration-induced issues, AWS Config improves general oversight of resource and account usage, improving assessment and planning.

AWS Config also provides data aggregation to compile compliance statuses from multiple accounts and regions, providing an organisation-wide view – one that’s also available via an API. 

For detailed analysis, it uses a combination of advanced queries to centrally analyse the latest data, and simultaneously query across accounts, regions, and organisations. For historical state analysis, it uses Amazon Athena.

Over time, AWS Config creates a large historical metadata store of your organisation’s AWS usage. This gives you the opportunity to analyse and assess the fitness of each implementation, and can provide a basis for long-term strategic planning.

AND Digital recommends AWS Config in conjunction with Cloudflare as best practice for production platforms, and enables them by default as a standard foundation for conformance auditing and change tracking.

We provide configurations tuned for retail and finance sector organisations, and offer a flexible and responsive approach to integration, customisation and compliance requirements according to each client’s own best practices and existing systems. 

If you want to know more about AWS Config, including how it can work for you in the intelligent management and risk reduction of complex Cloud deployments, you can talk to us at [email protected].