1.2 AWS Config Lab

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Turn on AWS Config

In order to use AWS Config it needs to be turned on for each region and account we want to assess, audit and evaluate configurations. Once turned on AWS config will create a configuration item for supporting services and store it in the S3 bucket we specify in the configuration.

  1. Search for the Config service under the “Management & Governance” tools section in the console and click on “Config”.
  2. Click on “Get started”, lets follow the setup wizard

    • Keep all defaults and click Next – This will create an S3 Bucket, a role for the Config service, and will record all resources supported by Config within the region. For a list of supported services click here.
    • Click Next on the next screen, we will setup Config Rules later.
    • On the last screen click on Confirm.

We now have AWS Config recording changes for supported resources within our region.

Create a Config Rule

Now lets create a simple config rule. This rule checks to ensure that the AWS Systems Manager Service is running on EC2 Instances, we will review the rule later after we have deploy an EC2 Instance. We will learn more about AWS Systems Manager in a later lab.

  1. In the AWS Config console, click on Rules on the left side menu.
  2. Then click on the Add rule button.
  3. In the search bar type ec2-, this will filter rules that begin with ec2-. Click on the ec2-instance-managed-by-systems-manager rule.
  4. We are going to keep the default settings, but will point out some options. Since this is a pre-created rule our “Trigger type” is pre-selected. Configuration changes will trigger or re-evaluate when a change has occurred, we can also trigger the rule to check things periodically. Notice the scope is set to “Resources*” and the resources the rule will trigger on. For a periodic rule we would select the time interval the rule will trigger on. For more information on triggers refer to AWS Config documentation here.
  5. The option to point out is the ability to set auto-remediation when our rule evaluates resources as non-compliant. Here we can specify an AWS Systems Manager Automation document that would remediate our non-compliant resources. We will look at this in a later lab. Click on Save to save the rule.
  6. We should now see the rule evaluating.

Congratulations! You have turned AWS Config on and configured an AWS Config Rule. If you wait for the rule to evaluate it will come up “Noncompliant”. Return to this rule after you have created Inventory Collection in the AWS Systems Manager lab. The rule is dependant on inventory collection.