One of the biggest headaches in any organization, when it comes to managing the resources in its IT infrastructure, is answering the following questions.
- What resources do we have?
- What devices are out there within our infrastructure performing functions?
- Do we have resources that are no longer needed?
- Are there any security vulnerabilities we need to worry about?
- How are the resources linked within the environment?
- If we make a change to one resource, will it affect another?
- Do we have a history of changes that shows how the resources have changed over time?
- Is the infrastructure compliant with specific governance controls, and how can we ensure that its configuration meets specific internal and external requirements?
- Do we have accurate auditing information that can be passed to external auditors for compliance checks?
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how resources are related to one another and how they were configured in the past so you can see how the configurations and relationships change over time.
With AWS Config you can do the following:
- Evaluate your AWS resource configurations against desired settings
- Get a snapshot of the current configurations of the supported resources that are associated with your AWS account
- Retrieve the configurations of one or more resources that exist in your account
- Retrieve historical configurations of one or more resources
- Receive a notification whenever a resource is created, modified or deleted
- View relationships between resources. For example, you might want to find all resources that use a particular security group
- Integrate with AWS CloudTrail to identify who made a change, when, and through which API call
- Enforce rules that check the compliance of your resources against specific controls
- Perform security analysis of your AWS environment. Many security-relevant resources can be recorded, and when this is coupled with security rules such as encryption checks it becomes a powerful analysis tool
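The rule enforcement and encryption checks mentioned above are usually implemented as a custom AWS Config rule backed by a Lambda function. The following is an added example (not code from the original page) of such a rule that flags unencrypted EBS volumes. It assumes the custom-rule Lambda contract: the event carries a JSON string in `invokingEvent` holding the `configurationItem`, and the result is reported back through `PutEvaluations` with the event's `resultToken`. The sample event, the volume ID and the `_RecordingClient` stand-in are constructed for illustration so the logic can run offline.

```python
"""Custom AWS Config rule: flag EBS volumes that are not encrypted at rest.

Added example, not the page's own code. Assumes the custom-rule Lambda event
shape (``invokingEvent`` JSON string with a ``configurationItem``) and the
``encrypted`` attribute AWS Config records for ``AWS::EC2::Volume``.
"""
import json

RESOURCE_TYPE = "AWS::EC2::Volume"


def evaluate_configuration_item(ci):
    """Return (compliance_type, annotation) for one configuration item.

    A deleted volume, or a resource of another type, is NOT_APPLICABLE so the
    rule does not carry stale findings forward after the resource is gone.
    """
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    if ci.get("resourceType") != RESOURCE_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates %s" % RESOURCE_TYPE
    if ci.get("configuration", {}).get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "Volume is not encrypted at rest"


def build_evaluation(event):
    """Turn a custom-rule invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    ci = invoking_event["configurationItem"]
    compliance, annotation = evaluate_configuration_item(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. ``config_client`` is injected so the logic can be
    exercised offline; inside Lambda it defaults to boto3's Config client."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3  # imported lazily: only needed when running in Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event (not captured from a real account), in the shape
# AWS Config sends to a custom rule when a resource's configuration changes.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",  # hypothetical volume ID
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": False},
        },
    }),
    "resultToken": "example-token",
    "configRuleName": "ebs-volume-encrypted",
}


class _RecordingClient:
    """Stand-in for boto3's Config client: records what would be sent to AWS."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = _RecordingClient()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, client), indent=2))
```

Deploying this as a rule means registering the Lambda with `PutConfigRule` scoped to `AWS::EC2::Volume` and granting the function permission to call `config:PutEvaluations`; the handler then runs on every recorded change to a volume and the compliance state shows up in the Config console and history alongside the CloudTrail event that caused it.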
AWS Config is region-specific, meaning that if you have resources in multiple regions you will have to configure AWS Config in each region for which you want to record resource changes. When doing so, you can specify different options for each region. Global resources such as IAM users and roles are the exception: record them in only one region, otherwise AWS Config records duplicate configuration items for them.