AWS Config - Overview & Hands-On.
Scope:
- Concept,
- Core Components,
- Data Flow,
- Integrations,
- Pricing,
- Best Practices,
- Example: Enforcing S3 Bucket Policy,
- Real-World Use Cases,
- Project: Hands-On.
1. The Concept: AWS Config.
AWS Config is a managed service for configuration tracking and compliance auditing.
- It records configuration changes of supported AWS resources.
- It continuously evaluates resources against rules (managed or custom).
- It provides a timeline of changes, compliance status, and integration with other AWS services (e.g., Security Hub, EventBridge, Systems Manager).
NB:
Think of it as the “black box recorder + compliance engine” for AWS resources.
2. Core Components
- Configuration Recorder
- Captures changes to resource configurations (e.g., EC2 instance type modified, IAM role updated).
- Can be set to track all supported resources or a subset.
- Delivery Channel
- Delivers configuration snapshots and history files to S3.
- Optionally streams configuration changes to SNS.
- Config Rules
- Managed Rules: AWS-provided checks (e.g., s3-bucket-public-read-prohibited).
- Custom Rules: Built using Lambda functions to define custom compliance logic.
- Conformance Packs
- Bundles of Config rules + remediation actions for common compliance frameworks (e.g., CIS, PCI DSS, HIPAA).
- YAML/JSON definition.
- Remediation
- Automated fixes triggered when a rule is non-compliant (e.g., an S3 bucket ACL too permissive → auto-remediate with an SSM Automation Document).
- Aggregation
- Aggregate configuration + compliance data across accounts/regions into a central account.
3. Data Flow
- A supported AWS resource changes state (e.g., a user changes a Security Group).
- The AWS Config Recorder captures the new configuration item.
- The configuration item is delivered to the S3 bucket + optional SNS topic.
- Config runs rules against the new state:
- If compliant → record as compliant.
- If non-compliant → record the violation + trigger remediation (optional).
- All history remains queryable via the Config Console, CLI, or APIs.
4. Integrations
- CloudTrail → Tracks who made the change; Config tracks what changed.
- Security Hub → Pulls Config compliance findings.
- EventBridge → React to Config compliance state changes in near real-time.
- Systems Manager Automation → Used for remediation actions.
- Audit Manager → Map Config findings into compliance evidence.
5. Pricing
AWS Config costs can add up fast:
- Configuration Items Recorded – pay per resource recorded.
- Config Rule Evaluations – per compliance check.
- Conformance Packs – per account/region per pack.
- Tip: Use aggregation + scoped recording to control costs.
6. Best Practices
- Start with Managed Rules – don’t reinvent the wheel.
- Use Conformance Packs – to align with standards quickly.
- Aggregate Data – for multi-account setups (typically with AWS Organizations).
- Automate Remediation – prevent security drift.
- Pair with CloudTrail – full picture: who + what.
- Scope Wisely – don’t record every resource in dev/test if you don’t need to.
7. Sample: Enforcing S3 Bucket Policy
- Rule: s3-bucket-public-read-prohibited
- Non-compliant event → EventBridge → SSM Automation Doc → Removes public ACL (access control list) → Sends Slack/Email alert via SNS.
8. Real-World Use Cases
- CIS Benchmark enforcement (e.g., IAM root MFA enabled).
- Security Drift detection (SG allowing 0.0.0.0/0 on port 22).
- Change auditing for regulated workloads (PCI, HIPAA, FedRAMP).
- Multi-account governance (centralized compliance dashboard).
Project: Hands-On
- How twtech creates and uses AWS Config as a managed service for configuration tracking and compliance auditing.
Search for aws service: aws config
How AWS Config works:
- Benefits and Features of: aws config
- Use Cases of: aws config
- Get Started with: AWS Config
Settings
Recording method: Recording strategy
- twtech may customize AWS Config to record configuration changes for all supported resource types.
- Or twtech may customize AWS Config for only the supported resource types that are relevant to its environment.
- Global resource types (RDS global clusters and IAM users, groups, roles, and customer managed policies) might be recorded in more than this Region.
- twtech is charged based on the number of configuration items (CI) recorded.
Override settings: Resource types to override
- Override the recording frequency for specific resource types, or exclude specific resource types from recording.
- If twtech changes the recording frequency for a resource type or stops recording a resource type, the configuration items that were already recorded will remain unchanged.
Data governance
Delivery channel: S3Bucket
Amazon SNS topic: Stream Notification.
Rules: AWS Managed Rules (574)
- Review twtech AWS Config setup details.
- twtech can go back to edit changes for each section.
- Choose Confirm to finish setting up AWS Config.
NB:
- It takes a couple of minutes for twtech resources to be discovered.
How twtech View its Resources: aws config
Resource Inventory:
- Search existing or deleted resources recorded by AWS Config.
- By default, AWS Config only displays resources twtech is currently recording.
- If twtech uses the resource type filter, AWS displays both currently recorded and previously recorded resources.
- For a specific resource, twtech may view the resource details or resource timeline.
- The resource timeline allows twtech to view all the configuration items captured over time for a specific resource and the compliance status changes.
- For accurate reporting on the compliance status, twtech must record the AWS Config ResourceCompliance resource type.
To query twtech resource configurations: use the advanced SQL query editor.
Query editor:
- Query twtech AWS resource configuration using the following SQL query editor.
- A list of properties and their data types is available in GitHub.
- Query the data against this AWS account or across multiple accounts and regions by choosing the query scope.
How twtech verifies that the setting is: Recording
It takes a couple of minutes for Resources to populate on the: aws config UI
All aws config resources can be seen in the s3 bucket created:
Details of the bucket created by aws config: select the bucket (config-bucket-98xxxxxx) and click open
Click open the directory (AWSLogs/) to see more detail from the account: 98xxxxxxxxxxxxx
Then click open account: 98xxxxxxxxxxx/
Then click open account: Config/
Within the Config directory, two other folders are created:
The directory created in the region (us-east-2) has more details: select and click open
Click open the directory with the year (2025) created: to see more details
Further into the AWSLogs directory is found another directory: ConfigHistory
ConfigHistory/: Objects (38)
Objects are the fundamental entities stored in Amazon S3. twtech can use Amazon S3 inventory to get a list of all objects in its s3 bucket (twtechs3).
How twtech accesses the logs of the object in ConfigHistory from the tab: Open
NB:
- For other twtechUsers to access twtechs3 objects, twtechAdmin needs to explicitly grant them permissions, respecting the PoLP (principle of least privilege) for security concerns.
- Select the Object and click to access the: Object URL
Permission needed for: security reasons
How twtech users filter to check Resource type: Apply
AWS S3 Buckets from: Config Resources
How twtech accesses the configuration of aws config Resource: filter-search the resource and click open.
Navigate (scroll) down to: View
Configuration Item (JSON)
How twtech accesses the: Resource Timeline
Timeline
- The resource timeline allows twtech to view all the configuration items captured over time for a specific resource and the compliance status changes.
- For accurate reporting on the compliance status, twtech must record the AWS Config ResourceCompliance resource type.
General details
How twtech gets more details of: Resource (twtechs3) Timeline configuration change.
Timeline Events that occur to the Resource (twtechs3):
All times herein are in America/New_York (UTC-04:00)… the time zone can be configured.
View Configuration Item (JSON)
How twtech finds out whether its resource (twtechs3) is Compliant or Non-Compliant via: aws config
Rules.
Add rule: Name = s3-bucket-public-read-prohibited
- Checks that twtech Amazon S3 buckets (config-bucket-98xxxxx) do not allow public read access.
- The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).
Configure rule: Customize any of the following fields
Parameters
- Rule parameters define attributes that twtech resources must adhere to for compliance with the rule.
- Example attributes include a required tag or a specified S3 bucket.
- Optional parameters that are not valid, such as missing a key or a value, will not be saved.
Review and create: Review this rule before adding it to twtech account
Select the rule and click open to access: s3-bucket-public-read-prohibited.
Rule: s3-bucket-public-read-prohibited
Resources in scope: Noncompliant: twtechs3 has access (permission granted) to other twtechUsers.
- Therefore, the s3 bucket (twtechs3) is Noncompliant with this rule (prohibits public access).
Therefore, the s3 bucket (config-bucket-98xxxx) meets the requirement set forth for this rule (non-public access).
How twtech sees all the resources with: Compliant and Noncompliant together.
How twtech manages Noncompliant Resources in twtech-s3
- Select resource and click open to: manage resource
- Manage resource: twtechs3
twtech needs to Edit bucket (twtechs3) Permissions: to also prohibit public GetObject access
First: Block public access from bucket UI
From:
To:
- Confirm changes: to Prohibit public access.
- Next: Edit bucket policy with Policy generator
AWS Policy Generator:
The AWS Policy Generator is a tool that enables twtech to create policies that control access.
Add statement(s)
- A statement is the formal description of a single permission: Deny access to everything (*) in Resource twtechs3
NB:
Alternatively, twtech may Add Statement(s) with the Policy Generator settings; the following instead allows public access to the s3 bucket.
# JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::twtechs3/*"
    }
  ]
}
Return to:
- Generate policy: that blocks public access
- A policy is a document (written in the Access Policy Language) that acts as a container for one or more statements.
twtech needs to return to the bucket UI to Edit the policy: paste the new policy generated, then save changes.
From:
To:
# JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::twtechs3/*"
    }
  ]
}
twtech needs to verify whether the policy also refuses public access to all of its objects via the: object URL
- Select bucket and click open: twtechs3
Yes:
- twtech has successfully applied a bucket policy to prohibit public access.
Finally:
- twtech needs to go back to config resources UI, refresh and see whether bucket (twtechs3) now meets the Config Rule created to: prohibit public access.
From:
To:
Yes: Now twtechs3 also meets the config rule added.
twtech can also track all configuration changes for its resources: Resource Timeline
How twtech remediated its resources in aws config: s3-bucket-public-read-prohibited.
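As an added example (not code from this post), here is a custom Config rule in the Lambda style described under Core Components, run against the two bucket policies shown above: the Allow-public policy should come back NON_COMPLIANT and the Deny policy COMPLIANT. The configuration item field names under supplementaryConfiguration are assumptions, and the check is a simplified version of what s3-bucket-public-read-prohibited does, not AWS's implementation.

```python
import json

# Constructed sample input: the two bucket policies shown in this post, in the shape a
# custom Config rule receives them. The supplementaryConfiguration field names
# (BucketPolicy.policyText, PublicAccessBlockConfiguration) are assumptions; verify them
# against a real AWS::S3::Bucket configuration item before deploying.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::twtechs3/*"}]})
DENY_ALL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::twtechs3/*"}]})

def make_item(policy_text, pab=None):
    """Minimal AWS::S3::Bucket configuration item for bucket twtechs3 (constructed)."""
    return {"resourceType": "AWS::S3::Bucket", "resourceId": "twtechs3",
            "configurationItemCaptureTime": "2025-01-01T00:00:00.000Z",
            "supplementaryConfiguration": {"BucketPolicy": {"policyText": policy_text},
                                           "PublicAccessBlockConfiguration": pab or {}}}

def grants_public(stmt):
    """True when an Allow statement names the anonymous principal; Deny grants nothing."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", [])
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal)

def evaluate_bucket(item):
    """Simplified public-read check (not the managed rule's exact logic)."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    supp = item.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration", {})
    if pab.get("blockPublicPolicy") and pab.get("restrictPublicBuckets"):
        return "COMPLIANT"  # Block Public Access neutralises any public policy statement
    policy_text = supp.get("BucketPolicy", {}).get("policyText")
    statements = json.loads(policy_text).get("Statement", []) if policy_text else []
    statements = [statements] if isinstance(statements, dict) else statements
    return "NON_COMPLIANT" if any(grants_public(s) for s in statements) else "COMPLIANT"

def lambda_handler(event, context):
    """Custom Config rule entry point: evaluate the item and report the verdict to Config."""
    import boto3  # imported here so evaluate_bucket() stays testable without AWS
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_bucket(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])
```

evaluate_bucket() returns COMPLIANT for the Deny policy because Deny statements grant nothing, consistent with the compliant result the post reports after the change. Note that a Deny on s3:* with Principal * also denies the account's own IAM principals, so Block Public Access on its own is the lighter-weight way to close public read.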
Select rule and go to: Action tab
- From Action, select: Manage remediation:
Edit Remediation action: number of retries for the automatic fix.
- What this document does.
Save changes:
How twtech can use Aws config settings to Edit:
- Data and delivery: Data retention period and delivery channel settings apply to both the customer managed recorder and all service-linked recorders with paid configuration items.
- Recorder.
- Create Amazon CloudWatch Events rule