Ref: https://learn.cantrill.io/courses/1820301/lectures/41301516

• Summary:
• Contents:

AWS Config - Overview

• 🔧 Records configuration changes on resources over time
  • Outputs configuration items (CIs), which together form configuration histories
    • Great for auditing changes & checking compliance
  • e.g. Enable monitoring on an SG → when a change in the SG happens, Config tracks pre-change state, post-change state, who changed it, and attached resources
• ‼️ No protection against configuration changes!!!
  • Does NOT prevent changes from happening…
    • …but will track the changes, and can alert of changes
• Regional service
  • Configuration histories stored in S3 Config bucket (in consistent format)
  • Support for cross-region & cross-account aggregation of configuration histories
• Two functionalities:
  1. Recorder functionality: log any configuration changes in specified resources
  2. Config rules: mark resources as compliant/non-compliant to a defined standard
     • AWS-managed or custom rules (defined with Lambda functions, which evaluate the resources when executed)
     • Can e.g. alert when an instance surpasses 90% CPU rate → instance marked non-compliant when CPU>90%
• Changes can generate:
  • SNS notifications
  • Near-real-time events sent to EventBridge
    • Can trigger Lambda remediation functions
    • Can route events to SSM, which is effective for anything relating to EC2 instance configuration
  • 💡 While Config doesn't prevent changes, it can be used for automatic remediation
• Architecture Diagram