What AWS service can we use along with config to analyze your configuration data?

AWS Config (Amazon Web Services Config) is an Amazon cloud auditing tool that provides an inventory of existing resources, allowing an administrator to accurately track AWS assets to analyze compliance levels and security. It also enables an administrator to troubleshoot why a resource may have stopped working properly.

AWS Config records previous resource configuration details and uses Amazon Simple Notification Service to notify an administrator of configuration changes. Historical resource configurations can be viewed using the AWS Management Console, the command-line interface or the software development kits (SDKs).

Administrators enable AWS Config to receive continuously updated details of all resource configurations, called configuration items (CIs), at a given point in time. A CI consists of basic information that is common across resource types (for example, which tags are applied); configuration data, such as which type of Elastic Compute Cloud instance a resource runs on; and relationships with other resources, such as volumes or instances shared with another resource. A CI can also include the AWS CloudTrail event IDs related to the resource and metadata that identify the CI version and when it was captured.

Recorded configuration changes include the IP address of, and identity information about, the person who requested the change. Configuration snapshots and history records are also delivered to an Amazon Simple Storage Service bucket.

Admins can integrate AWS Config with AWS CloudTrail to pinpoint additional details about API calls to or from a service. AWS Config can also gather data across different AWS accounts.

Charges for AWS Config are based on the number of configuration items recorded for resources.

This was last updated in December 2015


Configuration history of software

AWS Config enables you to record software configuration changes within your Amazon EC2 instances and servers running on-premises, as well as servers and virtual machines in environments provided by other cloud providers. With AWS Config, you gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration and more. AWS Config also provides a history of OS and system-level configuration changes alongside the infrastructure configuration changes recorded for EC2 instances.

Resource relationships tracking

AWS Config discovers, maps, and tracks AWS resource relationships in your account. For example, if a new Amazon EC2 security group is associated with an Amazon EC2 instance, AWS Config records the updated configurations of both the Amazon EC2 security group and the Amazon EC2 instance.

Configurable and customizable rules

AWS Config provides you with pre-built rules for evaluating the provisioning and configuration of your AWS resources, as well as software within managed instances, including Amazon EC2 instances and servers running on-premises. You can customize pre-built rules to evaluate your AWS resource configurations and configuration changes, or create your own custom rules in AWS Lambda that encode your internal best practices and guidelines for resource configurations. Using AWS Config, you can assess your resource configurations and resource changes for compliance against the built-in or custom rules.
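A custom rule of the kind described above is a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back to Config. The following is an added example, not AWS sample code or one of the pre-built managed rules: it flags an EC2 security group that exposes an inbound port (22 by default, overridable through the rule parameter `port`) to 0.0.0.0/0 or ::/0. The event layout (`invokingEvent`, `ruleParameters` and `resultToken` arriving as JSON strings) and the `put_evaluations` call follow the documented custom-rule contract; the field names inside `configuration` and the sample event at the bottom are assumptions constructed for the example.

```python
"""Custom AWS Config rule (Lambda handler) that reports an EC2 security group
as NON_COMPLIANT when it allows an inbound port from anywhere.

Added example, not AWS code. The configuration-item layout under
"configuration" is an assumption; SAMPLE_EVENT is constructed.
"""
import json
from typing import Any, Dict

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _permission_is_world_open(perm: Dict[str, Any], port: int) -> bool:
    """True if one ipPermissions entry exposes `port` to the whole internet."""
    proto = perm.get("ipProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means every protocol
        return False
    if proto == "tcp":
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or not (lo <= port <= hi):
            return False
    cidrs = set(perm.get("ipRanges", []))   # assumed: flat list of CIDR strings
    cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def evaluate_compliance(item: Dict[str, Any], params: Dict[str, Any]) -> str:
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"          # a deleted resource cannot be non-compliant
    port = int(params.get("port", 22))
    perms = item.get("configuration", {}).get("ipPermissions", [])
    if any(_permission_is_world_open(p, port) for p in perms):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   config_client: Any = None) -> Dict[str, Any]:
    """Lambda entry point. Config invokes it as (event, context); the optional
    `config_client` (a boto3 "config" client) is only used to report the result,
    so the decision logic can be exercised with no AWS access."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation (not real account data): SSH and HTTPS open to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789example",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"port": "22"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Deployed as a real rule, the function would be given a `boto3.client("config")` and the Lambda execution role would need `config:PutEvaluations`; keeping the decision in `evaluate_compliance` lets the check be unit-tested against captured configuration items before it is attached to the account.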

Conformance packs

Conformance packs help you manage compliance of your AWS resource configuration at scale--from policy definition to auditing and aggregated reporting--using a common framework and packaging model. Conformance packs are integrated with AWS Organizations. Using conformance packs as your compliance framework, you can package a collection of AWS Config rules and remediation actions into a single entity (known as a conformance pack) and deploy it across an entire organization. This is particularly useful if you need to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way.

Conformance packs also provide compliance scores. A compliance score is a percentage-based score that helps you quickly discern the level to which your resources are compliant for a set of requirements that are captured within the scope of a conformance pack. A compliance score is calculated based on the number of rule-to-resource combinations that are compliant within the scope of a conformance pack. For example, a conformance pack with 5 rules applying to 5 resources has 25 (5x5) possible rule-resource combinations. If 2 resources are not compliant with 2 rules, the compliance score would be 84%, indicating that 21 out of 25 rule-resource combinations are currently in compliance. Further, compliance scores are emitted to Amazon CloudWatch metrics, which allows for tracking over time. Compliance scores offer a consistent measurement to track remediation progress, perform comparisons across different sets of requirements, and see the impact a specific change or deployment has on your compliance posture.

Multi-account, multi-region data aggregation

Multi-account, multi-region data aggregation is a capability in AWS Config that enables centralized auditing and governance. It gives you an enterprise-wide view of your AWS Config rule compliance status, and you can associate your AWS organization to quickly add your accounts. The aggregated dashboard in AWS Config displays the total count of non-compliant rules across your organization, the top five non-compliant rules by number of resources, and the top five AWS accounts with the largest number of non-compliant rules. You can then drill down to view the resources that violate a rule and the list of rules violated by an account.
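The compliance score arithmetic from the conformance-pack section (5 rules x 5 resources, 4 non-compliant combinations, 84%) and the aggregator's "top non-compliant rules by number of resources" view are both simple aggregations over (rule, resource, compliance) triples. The block below is an added example, not AWS code, that computes both from such a list; the evaluation list is constructed to reproduce the 84% case, and the choice to leave NOT_APPLICABLE evaluations out of the denominator is an assumption made here.

```python
"""Compliance score and top-non-compliant-rule ranking over Config evaluations.

Added example, not AWS code. `build_example()` constructs the 5-rule,
5-resource case from the text. Excluding NOT_APPLICABLE from the
denominator is an assumption of this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Evaluation = Tuple[str, str, str]   # (rule_name, resource_id, compliance_type)
COUNTED = ("COMPLIANT", "NON_COMPLIANT")


def compliance_score(evaluations: Iterable[Evaluation]) -> float:
    """Percentage of rule-resource combinations that are COMPLIANT."""
    counted = [c for _, _, c in evaluations if c in COUNTED]
    if not counted:
        return 100.0                     # nothing in scope: nothing to be non-compliant
    compliant = sum(1 for c in counted if c == "COMPLIANT")
    return round(100.0 * compliant / len(counted), 2)


def noncompliant_resources_by_rule(evaluations: Iterable[Evaluation]) -> Dict[str, int]:
    """How many resources each rule currently reports as NON_COMPLIANT."""
    counts: Dict[str, int] = defaultdict(int)
    for rule, _, compliance in evaluations:
        if compliance == "NON_COMPLIANT":
            counts[rule] += 1
    return dict(counts)


def top_noncompliant_rules(evaluations: Iterable[Evaluation], n: int = 5) -> List[Tuple[str, int]]:
    """The aggregated-dashboard style ranking: rules with the most failing resources first."""
    counts = noncompliant_resources_by_rule(evaluations)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_example() -> List[Evaluation]:
    """Constructed data: 5 rules over 5 resources, resources 1 and 2 fail rules 1 and 2."""
    rules = [f"rule-{i}" for i in range(1, 6)]
    resources = [f"res-{i}" for i in range(1, 6)]
    failing = {("rule-1", "res-1"), ("rule-1", "res-2"), ("rule-2", "res-1"), ("rule-2", "res-2")}
    return [(r, s, "NON_COMPLIANT" if (r, s) in failing else "COMPLIANT")
            for r in rules for s in resources]


if __name__ == "__main__":
    evals = build_example()
    print("score:", compliance_score(evals))                 # 84.0 (21 of 25)
    print("top rules:", top_noncompliant_rules(evals))
```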

Integrations

AWS Organizations

You can use AWS Organizations to define the accounts to use for AWS Config’s multi-account, multi-region data aggregation capability. AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. By providing your AWS Organizations details, you can monitor the compliance status across your organization.

AWS CloudTrail

AWS Config integrates with AWS CloudTrail to correlate configuration changes with particular events in your account. You can use the CloudTrail logs to obtain the details of the event that invoked the change, including who made the request, at what time, and from which IP address. You can navigate to the Config timeline from the AWS CloudTrail console to view the configuration changes related to your AWS API activity.
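The correlation above can be reproduced offline from two exports: the configuration history of a resource (each configuration item carries the CloudTrail event IDs that caused it in `relatedEvents`) and the matching CloudTrail records. The block below is an added example, not AWS code: it diffs consecutive versions of a security group and attaches the actor, time, source IP and API call from CloudTrail to each change. The field names come from the documented configuration-item and CloudTrail record formats, but both data sets are constructed for the example.

```python
"""Join AWS Config configuration history with CloudTrail events to answer
"what changed, who did it, when and from where".

Added example, not AWS code. CONFIG_HISTORY and CLOUDTRAIL_EVENTS are
constructed records shaped like GetResourceConfigHistory items and
CloudTrail events; the ipPermissions layout is an assumption.
"""
import json
from typing import Any, Dict, List

CONFIG_HISTORY = [   # constructed: two versions of one security group
    {"resourceId": "sg-0123456789example", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2024-01-01T10:00:00Z",
     "relatedEvents": ["evt-constructed-aaa"],
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceId": "sg-0123456789example", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2024-01-01T10:05:00Z",
     "relatedEvents": ["evt-constructed-bbb"],
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
]

CLOUDTRAIL_EVENTS = [   # constructed: the API calls behind the two versions
    {"eventID": "evt-constructed-aaa", "eventName": "CreateSecurityGroup",
     "eventTime": "2024-01-01T09:59:58Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventID": "evt-constructed-bbb", "eventName": "AuthorizeSecurityGroupIngress",
     "eventTime": "2024-01-01T10:04:57Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.7"},
]


def diff_permissions(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Entries of ipPermissions added and removed between two configuration items."""
    def key(p: Dict[str, Any]) -> str:
        return json.dumps(p, sort_keys=True)      # canonical form so dicts can be compared
    old_map = {key(p): p for p in old.get("configuration", {}).get("ipPermissions", [])}
    new_map = {key(p): p for p in new.get("configuration", {}).get("ipPermissions", [])}
    return {"added": [new_map[k] for k in new_map if k not in old_map],
            "removed": [old_map[k] for k in old_map if k not in new_map]}


def correlate(history: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """For every change between consecutive versions, attach the CloudTrail actor details."""
    by_id = {e["eventID"]: e for e in events}
    ordered = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])  # ISO-8601 sorts lexically
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        changes = diff_permissions(prev, cur)
        causes = [by_id[i] for i in cur.get("relatedEvents", []) if i in by_id]
        findings.append({
            "resourceId": cur["resourceId"],
            "capturedAt": cur["configurationItemCaptureTime"],
            "added": changes["added"],
            "removed": changes["removed"],
            "actors": [{"who": e.get("userIdentity", {}).get("arn"),
                        "when": e.get("eventTime"),
                        "from": e.get("sourceIPAddress"),
                        "api": e.get("eventName")} for e in causes],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(CONFIG_HISTORY, CLOUDTRAIL_EVENTS):
        print(json.dumps(f, indent=2))
```

In a live account the same two inputs come from `get-resource-config-history` and `lookup-events`; joining on `relatedEvents` is what turns a bare "port 22 was opened" diff into a record of which principal did it and from which address.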

Connect with ITSM / ITOM Software

IT Service Management (ITSM) tools, such as Jira Service Desk, can connect with AWS Config to make it easier for ITSM platform users to request and manage AWS services and resources. The AWS Service Management Connector for Jira Service Desk provides Jira Service Desk administrators governance and oversight over their AWS products.

AWS Security Hub

AWS Security Hub centralizes security checks from other AWS services, including AWS Config rules. Security Hub enables and controls Config rules to ensure your resource configurations are aligned with best practices. Enable Config in every account and Region where Security Hub is enabled so that security checks can run against your environment's resources.

AWS Audit Manager

AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager automates evidence collection, so you can configure a control data source, such as AWS Config, to collect automated evidence.

AWS Systems Manager

AWS Config integrates with AWS Systems Manager to record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances. You can navigate to the Config timeline from the Systems Manager console to view the configuration changes of your managed EC2 instances. You can use Config to view AWS Systems Manager Inventory history and track changes for all your managed instances.

AWS Firewall Manager

To use AWS Firewall Manager, you must enable AWS Config in each of your AWS Organizations member accounts. When new applications are created, Firewall Manager is the single service for building firewall rules, creating security policies, and enforcing them consistently.

Amazon EC2 Dedicated Host

AWS Config integrates with Amazon EC2 Dedicated Hosts to assess license compliance. Config records when instances are launched, stopped, or terminated on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets and physical cores. This enables you to use Config as a data source for your license reporting. You can navigate to the Config timeline from the Amazon EC2 Dedicated Hosts console to view the configuration changes of your Amazon EC2 Dedicated Hosts.

Application Load Balancers

AWS Config integrates with the Elastic Load Balancing (ELB) service to record configuration changes to Application Load Balancers. Config also records relationships with the associated EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting; for example, you can check which security groups were associated with your Application Load Balancer at any point in time. You can navigate to the Config timeline from the ELB console to view the configuration changes of your Application Load Balancers.

Which AWS service can be used to manage configuration versions?

AWS OpsWorks for Puppet Enterprise is a fully managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management. OpsWorks also maintains your Puppet master server by automatically patching, updating, and backing up your server.

What is config service in AWS?

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

Which AWS services and configuration options can be used to collect and then analyze the logs?

The Centralized Logging on AWS solution helps organizations collect, analyze, and display Amazon CloudWatch Logs in a single dashboard. This solution consolidates, manages, and analyzes log files from various sources.

Which AWS support service gives a report on configuration compliance with best practices?

AWS Security Hub is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and Config rules as its primary mechanism to evaluate the configuration of AWS resources.