In this series we will discuss the AWS Config service. The first part will be about Config introductory notions and how to deploy Config. In the second part of the series we will see how we can benefit from Config to keep track of our resources.

In the first part we will discuss:

  • Purpose of Config
  • Config concepts
  • Basic deployment of Config

AWS Config gives you a detailed view of your resources in AWS. You can see how they relate to each other and how they were configured in the past, so you can understand how they changed over time.


A few purposes of AWS Config are:

  • Resource administration—You know what resources you have and how they are configured, and you can receive notifications when resources are changed, added or deleted
  • Auditing and compliance—You may need the configuration change history because internal policies require frequent auditing
  • Troubleshooting configuration changes—When a resource is changed, the change may affect another resource. AWS Config records the relationships between resources, so you can see which other resources a change touches and assess its impact

Let's discuss the Config concepts:

  • Resources—Entities that are created and managed through the AWS Management Console, the AWS SDKs or the AWS CLI. For details about the supported resources, check the reference section.
  • Configuration Items—A point-in-time view of the various attributes of an AWS resource. For details about the components of a configuration item, check the reference section.
  • Resource Relationships—Describe how AWS resources relate to one another (for example, which instance a volume is attached to). AWS Config discovers the relationships when it records the resources. For details about the supported relationships, check the reference section.
  • Configuration Snapshot—A collection of configuration items for all recorded resources; it is a complete picture of the recorded resources and their configuration at one point in time
  • Configuration Stream—An automatically updated list of the configuration items for the recorded resources. Every time a resource changes, a notification is published to an SNS topic
  • Configuration History—The collection of configuration items for one recorded resource over a period of time. AWS Config delivers configuration history files to the S3 bucket every six hours
  • Configuration Recorder—The component that records the configuration of the selected resources as configuration items

Now that we have covered the basics, and before we configure AWS Config, let's look at the current state of our EC2 and CloudTrail resources, because at the time of writing only these two resource types can be recorded.

First, let's see what tags we have. As you can see, we have only two tags: one identifies the name of the resource and the other is a custom tag I created to identify the operating system of the instance. Later we will use the tags to filter the resources:

So, I have one EC2 instance (AMAZON):

That has only one volume attached (ROOT_VOLUME):

So let’s move on with the AWS Config deployment. From the AWS Management Console, from “Administration & Security” section, select “Config”:

If this is the first time AWS Config is used, you should see the message below, from where you can start the AWS Config deployment:

The first step is to define which resources you want to record. If you leave the selection empty, all supported resource types will be recorded:

Or you can choose the specific EC2 and CloudTrail resource types that you want to record:

The next step is to select where the configuration history and configuration snapshot files will be saved. You can create a new S3 bucket, use an existing bucket from the current AWS account, or use an existing bucket from another AWS account (in that case the bucket needs a policy that lets the Config service write to it):

The last step is to enable notifications for configuration changes, which are published to an SNS topic. As with the S3 bucket, you can create a new topic, use an existing one from the current AWS account, or use an existing one from another AWS account:

Next, you will be asked for permission to read the resource configuration. For this, an IAM role will be created that grants the two permissions shown below:

You can view the IAM role name and the role policy. Click on “Allow” to finish the process:
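The same four wizard steps can be driven through the API. The following is an added example written for this article, not code from the post or from AWS: the builder functions produce the exact payloads the Config, IAM and S3 APIs expect (recording group, delivery channel, the role's trust policy and the bucket policy a delivery bucket needs), and `deploy()` sends them with boto3 in the order the service requires. The account ID, bucket name, topic ARN, role name and the `AWS_ConfigRole` managed-policy name are placeholders and assumptions.

```python
"""Deploy AWS Config with the API calls behind the console wizard:
recording group -> S3 delivery bucket -> SNS topic -> IAM role -> start.

Everything except deploy() is a pure builder that returns the JSON the
API expects, so the payloads can be inspected without credentials.
All account, bucket, topic and role values are placeholders (assumed)."""
import json

CONFIG_SERVICE_PRINCIPAL = "config.amazonaws.com"
# Allowed values of configSnapshotDeliveryProperties.deliveryFrequency.
SNAPSHOT_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                        "Twelve_Hours", "TwentyFour_Hours"}


def recording_group(resource_types=None):
    """Wizard step 1. No explicit types means 'record everything'. The API
    rejects allSupported=True together with a resourceTypes list, so the
    two modes are built as mutually exclusive payloads."""
    if not resource_types:
        return {"allSupported": True, "includeGlobalResourceTypes": True}
    return {"allSupported": False, "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(set(resource_types))}


def configuration_recorder(role_arn, resource_types=None, name="default"):
    return {"name": name, "roleARN": role_arn,
            "recordingGroup": recording_group(resource_types)}


def delivery_channel(bucket, sns_topic_arn=None, prefix=None,
                     frequency="Six_Hours", name="default"):
    """Wizard steps 2 and 3: S3 bucket for history/snapshot files and the
    optional SNS topic for change notifications."""
    if frequency not in SNAPSHOT_FREQUENCIES:
        raise ValueError(f"unsupported snapshot frequency: {frequency}")
    channel = {"name": name, "s3BucketName": bucket,
               "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency}}
    if prefix:
        channel["s3KeyPrefix"] = prefix
    if sns_topic_arn:
        channel["snsTopicARN"] = sns_topic_arn
    return channel


def config_role_trust_policy():
    """Trust policy of the role Config assumes (wizard step 4)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": CONFIG_SERVICE_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}


def config_bucket_policy(bucket, account_id, prefix=None):
    """Bucket policy the delivery bucket needs (essential when the bucket is
    in another account). Config checks the bucket ACL, lists the bucket and
    may write only under AWSLogs/<account>/Config/ with the
    bucket-owner-full-control ACL, so the bucket owner can always read the
    files. The AWS:SourceAccount condition pins the writer to one account."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_arn = f"{bucket_arn}/{prefix + '/' if prefix else ''}AWSLogs/{account_id}/Config/*"
    principal = {"Service": CONFIG_SERVICE_PRINCIPAL}
    same_account = {"AWS:SourceAccount": account_id}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
         "Condition": {"StringEquals": same_account}},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": bucket_arn,
         "Condition": {"StringEquals": same_account}},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow", "Principal": principal,
         "Action": "s3:PutObject", "Resource": key_arn,
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        **same_account}}},
    ]}


def deploy(account_id, bucket, sns_topic_arn=None, resource_types=None,
           role_name="config-role"):
    """Run the wizard end to end with boto3 (needs credentials; imported here
    so the builders stay importable offline). Order matters: the delivery
    channel cannot be created before the recorder exists."""
    import boto3  # assumed installed and configured
    iam, s3, cfg = boto3.client("iam"), boto3.client("s3"), boto3.client("config")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(config_role_trust_policy()))
    # AWS managed policy with the read permissions Config needs (name assumed).
    iam.attach_role_policy(RoleName=role_name,
                           PolicyArn="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole")
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(config_bucket_policy(bucket, account_id)))
    cfg.put_configuration_recorder(
        ConfigurationRecorder=configuration_recorder(role["Role"]["Arn"], resource_types))
    cfg.put_delivery_channel(DeliveryChannel=delivery_channel(bucket, sns_topic_arn))
    cfg.start_configuration_recorder(ConfigurationRecorderName="default")


if __name__ == "__main__":
    # Show the payloads for the EC2 and CloudTrail types the post records.
    print(json.dumps(configuration_recorder(
        "arn:aws:iam::123456789012:role/config-role",
        ["AWS::EC2::Instance", "AWS::EC2::Volume", "AWS::CloudTrail::Trail"]), indent=2))
    print(json.dumps(delivery_channel(
        "config-bucket-example", "arn:aws:sns:us-east-1:123456789012:config-topic"), indent=2))
```

Run it as is to print the recorder and delivery-channel payloads, or call `deploy()` with a real account ID and bucket to perform the setup. Leaving `resource_types` empty reproduces the console's "record everything" choice; passing a list reproduces the explicit EC2/CloudTrail selection.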

And you are done. Recording has started, and it will take a few moments until the inventory is complete:

If you click on "Status", you can see the service status and that no configuration snapshot or configuration history has been delivered yet:

As mentioned, an S3 bucket was created that will hold several pieces of information. Right now, it contains no configuration snapshots or configuration history for the resources:

You can look up a resource by tag or by resource ID. As mentioned earlier, we have two tags, and we will use them because it is the simplest way to find the resources.

As you can see, we found our resources:

If you select any of them, you can view the configuration details, the relationships, and the configuration changes. First you will see a timeline that starts when AWS Config was turned on or when that specific resource was created, whichever is later. This will help you later to identify when changes happened to the resource:

On the same page, you can view the configuration details of the resource. The type of details is specific to the type of the resource:

You can view the resource configuration details in JSON format if you click on “View Details”:

Next, you can see the relationships between the selected resource and the other recorded resources that have some sort of connection with it. As you can see, we get the resource IDs of the other resources used by the resource we selected:

Because we just turned on AWS Config, there are no configuration or relationship changes yet:
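The console views above (lookup by tag, relationships, configuration timeline) are all built on configuration items, which you can also fetch with `aws configservice get-resource-config-history` or read from the snapshot files in the S3 bucket. The following is an added example written for this article, not code from the post or from AWS: it parses a constructed set of configuration items shaped like the API output (resource IDs, tag values, capture times and configuration values are invented), finds resources by tag, lists a resource's relationships, and diffs consecutive items in a resource's history to produce the change timeline the console draws.

```python
"""Work with AWS Config configuration items offline: look up resources by
tag, list relationships and diff a resource's configuration history.

SAMPLE_ITEMS is constructed to match the shape of the configurationItems
list returned by get-resource-config-history; all values are made up."""
import json

SAMPLE_ITEMS = [
    {"version": "1.0", "accountId": "123456789012", "awsRegion": "us-east-1",
     "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
     "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2015-05-01T10:00:00.000Z",
     "tags": {"Name": "AMAZON", "OS": "amazon-linux"},
     "relationships": [{"resourceType": "AWS::EC2::Volume",
                        "resourceId": "vol-0123456789abcdef0",
                        "relationshipName": "Contains"}],
     # The API returns `configuration` as a JSON string; snapshot files in
     # S3 carry it as a nested object. parse_configuration() accepts both.
     "configuration": json.dumps({"instanceType": "t2.micro",
                                  "state": {"name": "running"}})},
    {"version": "1.0", "accountId": "123456789012", "awsRegion": "us-east-1",
     "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
     "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2015-05-01T10:00:00.000Z",
     "tags": {"Name": "ROOT_VOLUME"},
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0123456789abcdef0",
                        "relationshipName": "Is attached to"}],
     "configuration": {"size": 8, "volumeType": "gp2", "encrypted": False}},
    # A later item for the same volume: the size changed, so the history
    # now has two points and the timeline shows one change.
    {"version": "1.0", "accountId": "123456789012", "awsRegion": "us-east-1",
     "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2015-05-02T10:00:00.000Z",
     "tags": {"Name": "ROOT_VOLUME"},
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0123456789abcdef0",
                        "relationshipName": "Is attached to"}],
     "configuration": {"size": 16, "volumeType": "gp2", "encrypted": False}},
]


def parse_configuration(item):
    """Return the resource-specific `configuration` block as a dict."""
    cfg = item.get("configuration")
    return json.loads(cfg) if isinstance(cfg, str) else (cfg or {})


def find_by_tag(items, key, value):
    """Resource IDs whose tag `key` equals `value` (the console's tag search)."""
    return sorted({i["resourceId"] for i in items
                   if i.get("tags", {}).get(key) == value})


def history(items, resource_id):
    """All configuration items of one resource, oldest first. Capture times
    share one ISO format, so string order is chronological order."""
    return sorted((i for i in items if i["resourceId"] == resource_id),
                  key=lambda i: i["configurationItemCaptureTime"])


def relationships(items, resource_id):
    """(relationship, type, id) triples from the resource's latest item."""
    latest = history(items, resource_id)[-1]
    return [(r["relationshipName"], r["resourceType"], r["resourceId"])
            for r in latest.get("relationships", [])]


def diff_configuration(older, newer):
    """Top-level keys whose value changed between two items: {key: (old, new)}."""
    a, b = parse_configuration(older), parse_configuration(newer)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}


def change_timeline(items, resource_id):
    """(capture time, diff) for every point where the configuration changed;
    this is what the console's timeline renders for a resource."""
    hist = history(items, resource_id)
    return [(new["configurationItemCaptureTime"], diff_configuration(old, new))
            for old, new in zip(hist, hist[1:]) if diff_configuration(old, new)]


if __name__ == "__main__":
    for rid in find_by_tag(SAMPLE_ITEMS, "Name", "AMAZON"):
        print(rid, relationships(SAMPLE_ITEMS, rid))
    for rid in find_by_tag(SAMPLE_ITEMS, "Name", "ROOT_VOLUME"):
        print(rid, change_timeline(SAMPLE_ITEMS, rid))
```

To run it against real data, replace `SAMPLE_ITEMS` with the `configurationItems` list from `get-resource-config-history`, or with the items from a snapshot file; the functions do not care where the items came from.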

And this is pretty much what you are going to get after you deploy AWS Config.

We have reached the end of the first part of the series on the AWS Config service. By this point, you should know what AWS Config is, what its benefits are, and how to deploy it.

In the next part of the series, we will see how AWS Config tracks changes and lets you understand how a resource changed over time.

References