AWS Config: The Infrastructure Time Machine

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. It allows you to audit, assess, and evaluate the configurations of your AWS resources.

The Real-World Analogy: Think of AWS Config as a Building Inspector equipped with a CCTV camera. It doesn’t just watch who enters the building (that’s CloudTrail); it records every time a wall is moved, a lock is changed, or a window is opened, and alerts you if those changes violate the city’s building codes.

Core Concepts for SAA-C03

1. Configuration Recorder

The recorder detects changes in your resource configurations and captures each change as a Configuration Item (CI). It must be started before AWS Config begins recording anything. You can record all supported resource types in a region or only specific types.

2. AWS Config Rules

Rules represent your ideal configuration settings.

  • Managed Rules: Predefined rules created by AWS (e.g., “s3-bucket-public-read-prohibited”).
  • Custom Rules: Created using AWS Lambda functions for specialized logic.

3. Remediation

When a resource is flagged as “Non-compliant,” AWS Config can trigger AWS Systems Manager (SSM) Automation documents to fix the issue automatically (e.g., stopping an EC2 instance that lacks required tags).
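As an added example (not from the original guide), this is the Lambda handler behind a Custom Rule of the kind described above: it reads the Configuration Item that Config delivers in the invocation event, decides whether an EBS volume is encrypted, and reports the result back with PutEvaluations. The deleted-resource handling and the injectable `config_client` parameter are additions for testability, not part of AWS's own sample code; the sample event is constructed.

```python
"""Custom AWS Config rule (Lambda, Python) that flags unencrypted EBS volumes."""
import json

# Compliance values accepted by PutEvaluations.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_volume(ci):
    """Return (compliance_type, annotation) for one Configuration Item (CI)."""
    # Deleted resources are reported NOT_APPLICABLE so the stale evaluation is
    # cleared instead of lingering as NON_COMPLIANT in the compliance view.
    if ci.get("configurationItemStatus") in DELETED_STATUSES:
        return NOT_APPLICABLE, "Resource deleted"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule only evaluates EBS volumes"
    if (ci.get("configuration") or {}).get("encrypted") is True:
        return COMPLIANT, "Volume is encrypted at rest"
    return NON_COMPLIANT, "EBS volume is not encrypted at rest"


def build_evaluation(event):
    """Parse the Config invocation event into one Evaluation dict."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_volume(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; config_client is injectable so the rule logic runs offline."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3  # imported lazily so the module loads without the SDK installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation event (not a real captured event).
SAMPLE_EVENT = {
    "resultToken": "constructed-result-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0constructed123",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False, "size": 8}}}),
}
```

Running `lambda_handler(SAMPLE_EVENT, None)` in a real Lambda needs an execution role allowed to call `config:PutEvaluations`; a NON_COMPLIANT result is what a remediation action such as an SSM Automation document would then key off.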

AWS Config vs. Related Services

Feature        | AWS Config                    | AWS CloudTrail                | Amazon CloudWatch
---------------|-------------------------------|-------------------------------|----------------------------
Focus          | Resource State & Compliance   | API Calls / “Who did what?”   | Performance Metrics & Logs
Primary Unit   | Configuration Item (CI)       | Event / Log Entry             | Metric / Alarm
History        | Point-in-time snapshots       | Audit trail of actions        | Real-time streaming
Reaction       | SSM Remediation               | EventBridge Trigger           | Auto Scaling / Alarms

Decision Matrix: When to choose AWS Config?

  • Requirement: “Ensure all EBS volumes are encrypted.” → Use Config Rules.
  • Requirement: “Track the history of an S3 bucket’s settings over 2 years.” → Use Config Timeline.
  • Requirement: “Find out who deleted an IAM Role.” → Use CloudTrail (not Config).
  • Requirement: “Aggregate compliance status across 50 AWS accounts.” → Use Config Multi-Account Aggregator.

Exam Tips and Gotchas

  • Regional Service: AWS Config is regional. To see a global view, you must set up an Aggregator.
  • Cost Factor: You are charged per Configuration Item recorded and per Rule evaluation. In high-churn environments, this can become expensive.
  • CloudTrail Integration: In the Config console, you can see the specific CloudTrail event that caused a configuration change—this is a frequent “correct answer” for troubleshooting scenarios.
  • Recording Strategy: You can exclude certain resource types (like KMS keys) to save on costs if they change frequently but don’t need auditing.
  • S3 & SNS: Config delivers configuration snapshots to an S3 bucket and sends notifications of changes via SNS.

Topics covered:

Summary of key subtopics covered in this guide:

  • Configuration Recorder and Configuration Items (CIs)
  • Managed vs. Custom Config Rules
  • Automated Remediation via SSM Automation
  • Multi-account, Multi-region Data Aggregation
  • Differences between Config, CloudTrail, and CloudWatch
  • Integration with SNS and S3 for delivery and alerting

Architecture Overview

AWS Config Workflow

AWS Resources → Config Recorder (detects changes) → S3 Bucket (logs) → Config Rules → SSM Auto-Remediation

Security & Compliance

Continuously monitor for drift. Use managed rules to check for public S3 buckets, unencrypted volumes, or MFA status on IAM users.

Use Case: PCI-DSS Auditing

Ecosystem Integration

  • IAM: Control who can change Config settings.
  • EventBridge: Trigger Lambda on compliance change.
  • Organizations: Deploy rules across the whole org.

Cost Optimization

Avoid recording high-volume, low-value resources (e.g., Network Interfaces in dynamic environments) to minimize CI recording fees.

Pro-Tip: Set up Aggregators
