Having visibility of who has done what, how and when (i.e. access to resource configuration history) is crucial in a fast-changing ecosystem.
Regulation - and its footsoldiers: the auditors - are a major concern for enterprise IT and can pose a serious barrier to innovation by reducing the amount of time, money and energy available to put into forward-thinking projects (investment banks spend 78% of their IT budget complying with regulation…!).
Having up-to-date, real-time information to hand round the clock facilitates the generation of reports for auditing and compliance. And frees up time and energy that can be focused instead on core business goals.
Unfortunately, in large enterprises, governance and resource inventory is often dictated by a complex system that is difficult and tedious to keep up-to-date. Adding and removing assets is typically done in batches and not necessarily in real time (it’s sometimes done before it’s in production, sometimes after having been decommissioned), leading to a non-current state.
When you’re dealing with a large environment or multiple large environments, this also becomes a security concern as you are in a position of uncertainty about what you have in your data centers, who is originating such traffic, what applications it belongs to, etc.
In modern cloud implementations you will find that the scalability and elasticity of your resources are crucial for your operations, as is the ability to keep your inventory up to date, secure and totally within your control, from an identity and authentication point of view.
AWS Config does just that, making pleasing the all-important auditors a lot easier! Here’s how.
Introducing AWS Config
AWS Config is a fully-managed service that enhances security and governance by providing you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources as recorded by AWS Config. With this service you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
You can view continuously updated details of the configuration attributes of all your AWS resources as well as software configurations within EC2 instances. You are notified via Amazon Simple Notification Service (SNS) of the updated configuration and the specific changes from the previous state, and you can process these notifications programmatically.
You can configure pre-built rules managed by AWS to meet your governance criteria, or create your own custom rules that codify internal practices and guidelines.
You can also create custom rules using AWS Lambda (here are some examples from AWS).
AWS Config rules gives you a visual dashboard to help you quickly spot non-compliant resources and take appropriate action. IT administrators, security experts, developers, and operators can see a shared view of compliance. For organizations subject to established industry standards, Config Rules can help to ensure compliance.
AWS Config and Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time, and evaluating relevant configuration changes against rules that you can define.
It will discover resources that exist in your account, record their current configuration and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
Properly configured resources improve your security state. Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.
If you want to know more about AWS Config, you can find more resources here.
Also, here are some videos about the announcement of this service three years ago, and two re:Invent sessions with use cases and examples on how to create Config Rules.