AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
An AWS resource is an entity you can work with in AWS, such as an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC). For a complete list of AWS resources supported by AWS Config, see
When you run your applications on AWS, you usually use AWS resources, which you must create and manage collectively. As the demand for your application keeps growing, so does your need to keep track of your AWS resources. AWS Config is designed to help you oversee your application resources in the following scenarios:
Resource Administration
Governance and Visibility:
Provides fine-grained visibility into resource configurations.
Notifies you when resources are created, modified, or deleted.
Uses AWS Config rules to evaluate configuration settings.
Flags noncompliant resources and sends notifications upon rule violations.
Continuously evaluates resource configurations.
Auditing and Compliance
Historical Configurations:
Provides access to historical configurations of resources.
Helps demonstrate compliance with internal policies and best practices.
Facilitates frequent audits.
Managing and Troubleshooting Configuration Changes
Impact Assessment and Troubleshooting:
Shows relationships between resources to assess impact before modifications.
Uses historical configurations to troubleshoot issues.
Accesses the last known good configuration of problem resources.
Security Analysis
Detailed Historical Information:
Lets you analyze potential security weaknesses using detailed historical data.
Lets you view IAM permissions and EC2 security group rules as they changed over time.
Lets you determine which permissions and security settings were in effect at a specific point in time.
Partner Solutions
Third-Party Integrations:
AWS partners with third-party specialists in logging and analysis whose solutions consume AWS Config output.
Visit the AWS Config detail page for more information on partner solutions.
Features
When you set up AWS Config, you can complete the following:
Resource management
Specify the resource types you want AWS Config to record.
Set up an Amazon S3 bucket to receive configuration history files and, on request, a configuration snapshot.
Set up Amazon SNS to send configuration stream notifications.
Grant AWS Config the permissions it needs to access the Amazon S3 bucket and the Amazon SNS topic.
Specify the rules that you want AWS Config to use to evaluate compliance information for the recorded resource types.
Use conformance packs, collections of AWS Config rules and remediation actions that can be deployed and monitored as a single entity in your AWS account.
Use an aggregator to get a centralized view of your resource inventory and compliance. An aggregator collects AWS Config configuration and compliance data from multiple AWS accounts and AWS Regions into a single account and Region.
AWS Config can deliver configuration items through one of the following channels:
Amazon S3 Bucket
AWS Config tracks changes in the configuration of your AWS resources, and it regularly sends updated configuration details to an Amazon S3 bucket that you specify. For each resource type that AWS Config records, it sends a configuration history file every six hours. Each configuration history file contains details about the resources that changed in that six-hour period. Each file includes resources of one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file.
AWS Config sends a configuration snapshot to your Amazon S3 bucket when you use the
action with the AWS Config API. A configuration snapshot contains configuration details for all resources that AWS Config records in your AWS account. The configuration history file and configuration snapshot are in JSON format.
Note
AWS Config only delivers the configuration history files and configuration snapshots to the specified S3 bucket; AWS Config doesn't modify the lifecycle policies for objects in the S3 bucket. You can use lifecycle policies to specify whether you want to delete or archive objects to Amazon S3 Glacier. For more information, see
Amazon SNS Topic
AWS Config uses the Amazon SNS topic that you specify to send you notifications. The type of notification you receive is indicated by the value of the messageType key in the message body, as in the following example:
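Routing on that key, as an added example that is not the documentation's own sample message: a small Python consumer that triages the two notification types a security team acts on most, configuration item changes and compliance changes. The messageType values are real AWS Config notification types; the other field names and all sample values are this example's assumptions about the message format, embedded as constructed input.

```python
import json
# Constructed sample message bodies. Field names other than "messageType" follow
# the AWS Config notification format as this example's author understands it,
# not this page; resource ids and the rule name are placeholders.
SAMPLE_CHANGE = json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {"changeType": "UPDATE"},
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
    },
})
SAMPLE_COMPLIANCE = json.dumps({
    "messageType": "ComplianceChangeNotification",
    "configRuleName": "restricted-ssh",
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
})

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def open_ingress_ports(configuration):
    """List (protocol, fromPort, toPort) for ingress rules open to any address."""
    found = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if cidrs & ANY_ADDRESS:
            found.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return found

def triage(message_body):
    """Map one SNS message body from AWS Config to a small triage record."""
    msg = json.loads(message_body)
    kind = msg.get("messageType")
    if kind == "ConfigurationItemChangeNotification":
        item = msg["configurationItem"]
        rec = {"kind": kind, "change": msg.get("configurationItemDiff", {}).get("changeType"),
               "resource": (item["resourceType"], item["resourceId"]), "alert": False}
        if item["resourceType"] == "AWS::EC2::SecurityGroup":
            rec["open_ports"] = open_ingress_ports(item.get("configuration", {}))
            rec["alert"] = bool(rec["open_ports"])  # world-reachable ingress: review it
        return rec
    if kind == "ComplianceChangeNotification":
        return {"kind": kind, "rule": msg["configRuleName"],
                "resource": (msg["resourceType"], msg["resourceId"]),
                "alert": msg["newEvaluationResult"]["complianceType"] == "NON_COMPLIANT"}
    return {"kind": kind, "alert": False}  # delivery/evaluation notices are informational
```

In a Lambda subscribed to the topic, each record's Sns.Message string is what you would pass to triage().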