Monday, September 29, 2025

AWS Config Resources | Overview.

Scope:

  • Intro,
  • Key features and components,
  • AWS Config management (how to manage AWS Config),
  • The primary resources and documentation categories for managing and auditing twtech's integrated environment,
  • The concept of a Config Resource (deep dive),
  • Attributes of an EC2 Instance CI (Configuration Item),
  • Supported Resource Types (hundreds of resource types),
  • Configuration Item (CI) anatomy (parts of each CI),
  • Architecture,
  • Resource lifecycle in Config,
  • Sample CI (EC2 Instance),
  • Querying resource data,
  • Real-world use cases,
  • Best practices,
  • Final takeaway.

Intro:

    • AWS Config is a service that enables twtech to assess, audit, and evaluate the configurations of its AWS resources.
    • The AWS Config service continuously monitors and records twtech's AWS resource configurations.
    • It lets twtech automate the evaluation of recorded configurations against desired configurations.

NB:

  • This is the foundation of everything AWS Config monitors and audits.

Key features and components include:
    • Configuration Items (CI): A point-in-time record of the attributes of an AWS resource.
    • Configuration History: A collection of configuration items for a given resource over any period of time.
    • AWS Config Rules: Predefined or custom rules used to evaluate whether twtech resource configurations comply with common best practices.
    • Conformance Packs: A collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region, or across an entire organization.
    • Configuration Snapshot: A collection of configuration items for all resources in twtech account.
    • Aggregator: A resource type that collects AWS Config configuration and compliance data from multiple accounts and regions into a single account.

AWS Config management (how to manage AWS Config):

  • Common use cases include compliance auditing, security analysis, change management, and operational troubleshooting.
  • AWS Config provides a detailed view of the resources in twtech's AWS account and how they are configured.

The primary resources and documentation categories for managing and auditing twtech's integrated environment:

    • Supported Resource Types: AWS Config tracks a wide variety of resources, including Amazon EC2 instances, Amazon S3 buckets, IAM users, and VPCs.
    • Configuration Items: A point-in-time record of a resource's configuration attributes, relationships, and tags.
    • AWS Config Rules: Evaluate twtech's resource configurations against desired settings; twtech can use Managed Rules provided by AWS or create Custom Rules using AWS Lambda.
    • Conformance Packs: A collection of AWS Config rules and remediation actions that can be deployed as a single entity across an entire organization.
    • Resource Recording Exclusions: twtech can customize its configuration recorder to exclude specific resource types from being tracked, either to focus on critical compliance needs or to manage costs.
    • Developer Resources: For implementation details, refer to the AWS Config Developer Guide or the AWS Config Resources page for whitepapers and blog posts.

1. The Concept of a Config Resource (deep dive)

    • A Config Resource is any AWS resource type that AWS Config can discover, record, store, alert on, track over time and evaluate.
    • Each resource is represented as a Configuration Item (CI).
    • A Configuration Item (CI) is a JSON object containing the resource's metadata, configuration, relationships, and compliance status.
    • Config continuously records changes, stores them in S3 and exposes them via APIs.

Attributes of an EC2 Instance CI (Configuration Item):

    • Instance ID, 
    • AMI, 
    • tags, 
    • Security groups, 
    • Subnet, 
    • IAM role, 
    • And more.

2. Supported Resource Types (hundreds of resource types):

    • Compute: EC2, Auto Scaling Groups, Lambda.
    • Networking: VPC, Subnets, Route Tables, Security Groups.
    • Storage: S3, EBS, EFS.
    • Identity & Security: IAM Roles, Users, Policies, KMS Keys.
    • Databases: RDS, DynamoDB, Redshift.
    • Containers: EKS, ECS.
    • Others: CloudTrail, Config itself, CloudFront.

NB:

  • Not every AWS service is supported. 
  • For gaps, twtech can use Custom Resources (via CloudFormation + Config).

3. Configuration Item (CI) Anatomy (parts of each CI):

  1. Resource Metadata
    • Type (e.g., AWS::EC2::Instance), ARN, ID, region, tags.
  2. Configuration
    • JSON snapshot of the resource’s state (e.g., EC2 AMI, VPC, security groups).
  3. Relationships
    • Links to other resources (e.g., EC2 instance attached EBS volumes, security group IDs).
  4. Compliance State
    • Last compliance result (COMPLIANT | NON_COMPLIANT).
  5. Change Details
    • Timestamps of creation/modification/deletion.

NB:

  • This makes AWS Config a single source of truth for resource state and compliance history.

Architecture

4. Resource Lifecycle in Config

  1. Discovery
    • When twtech enables AWS Config, it discovers existing resources.
  2. Recording
    • The Config Recorder captures all changes (config + relationships).
  3. Configuration Item Stored
    • New snapshot delivered to S3 + SNS if enabled.
  4. Compliance Evaluation
    • Rules check CI for compliance.
  5. History & Timeline
    • twtech can query resource state at any point in time (great for auditing/debugging).

5. Sample CI (EC2 Instance)

json:

{
  "configurationItemStatus": "OK",
  "resourceType": "AWS::EC2::Instance",
  "resourceId": "i-123456789xxxxxxx",
  "resourceName": "twtechWebServer01",
  "awsRegion": "us-east-2",
  "availabilityZone": "us-east-2a",
  "tags": {
    "Environment": "Prod",
    "Owner": "twtechTeamA"
  },
  "configuration": {
    "amiId": "ami-0abcdxxxxxxx",
    "instanceType": "t3.medium",
    "vpcId": "vpc-1234axxxx",
    "subnetId": "subnet-abcdxxxx",
    "securityGroups": ["sg-11112222xxxxx"],
    "iamRole": "twtechEC2AppRole"
  },
  "relationships": [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-11112222xxxxx"},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-abcdxxxx"}
  ]
}
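As an added example (not code from this post or from AWS), the checks below show how a Custom Rule of the Lambda kind mentioned under AWS Config Rules would evaluate a CI like the one above: it reads the CI out of the invokingEvent that Config hands to the Lambda, applies a hypothetical twtech policy (Environment and Owner tags present, IAM role attached) and builds the evaluation record that put_evaluations expects. The sample CI, the tag policy and make_event are constructed for this illustration and keep the simplified field names of the sample above.

```python
import json
from typing import Any, Dict

# Constructed sample modelled on the CI shown above (simplified shape, made-up IDs).
SAMPLE_CI = {
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2025-09-29T10:00:00Z",
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-123456789xxxxxxx",
    "tags": {"Environment": "Prod", "Owner": "twtechTeamA"},
    "configuration": {"instanceType": "t3.medium", "securityGroups": ["sg-11112222xxxxx"],
                      "iamRole": "twtechEC2AppRole"},
}
REQUIRED_TAGS = ("Environment", "Owner")  # hypothetical twtech policy: both tags mandatory

def evaluate_ci(ci: Dict[str, Any]) -> Dict[str, str]:
    """Decide COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one CI, with a reason."""
    if ci.get("resourceType") != "AWS::EC2::Instance":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "not an EC2 instance"}
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "resource deleted"}
    problems = [f"missing tag {k}" for k in REQUIRED_TAGS if not (ci.get("tags") or {}).get(k)]
    if not (ci.get("configuration") or {}).get("iamRole"):
        problems.append("no IAM role attached")
    if problems:
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "; ".join(problems)}
    return {"ComplianceType": "COMPLIANT", "Annotation": "required tags and IAM role present"}

def make_event(ci: Dict[str, Any], token: str = "constructed-token") -> Dict[str, Any]:
    """Build the event shape Config sends to a custom-rule Lambda (for local testing)."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": token}

def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Custom-rule entry point: Config passes the CI inside invokingEvent as a JSON string."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    verdict = evaluate_ci(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": verdict["ComplianceType"],
        "Annotation": verdict["Annotation"][:256],  # Config accepts at most 256 characters
        "OrderingTimestamp": ci.get("configurationItemCaptureTime", "1970-01-01T00:00:00Z"),
    }
    # In a deployed rule, report the verdict back to Config with:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```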

6. Querying Resource Data

  • Console: Resource Inventory, Resource Timeline.
  • CLI (both commands take a resource type, and the history call also needs the resource ID):
    • aws configservice list-discovered-resources --resource-type AWS::EC2::Instance
    • aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id i-123456789xxxxxxx
  • Advanced Queries (SQL-like). Config exposes tags as an array with key, value and a combined tag property of the form 'key=value', so a tag is matched as in this example:

    SELECT resourceId, resourceType, tags.tag
    WHERE resourceType = 'AWS::EC2::Instance'
      AND tags.tag = 'Environment=Prod'

7. Real-World Use Cases

    • Audit: “Show me the history of this IAM policy” (who/when/what changed).
    • Security: “Which Security Groups are open to 0.0.0.0/0?”
    • Inventory: “List all resources with tag Owner=Finance.”
    • Incident Response: Reconstruct the state of resources at the time of an incident.
    • Cost Optimization: Query unused/underutilized resources.
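As an added example (not the post's own code), the helpers below turn the configurationItems list that get-resource-config-history returns into the change timeline and point-in-time state that the audit and incident-response use cases above ask for, for any resource type. The security-group history, its IDs and timestamps are constructed for the illustration, with a simplified ipPermissions shape.

```python
from typing import Any, Dict, List, Tuple

# Constructed history for one security group, shaped like the configurationItems list
# that `aws configservice get-resource-config-history` returns (all values are made up).
def _ci(when: str, status: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"configurationItemCaptureTime": when, "configurationItemStatus": status,
            "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-11112222xxxxx",
            "configuration": {"groupName": "twtech-web", "ipPermissions": rules}}

HTTPS_INTERNAL = {"fromPort": 443, "toPort": 443, "cidr": "10.0.0.0/8"}
SSH_WORLD = {"fromPort": 22, "toPort": 22, "cidr": "0.0.0.0/0"}
HISTORY = [
    _ci("2025-09-28T09:00:00Z", "ResourceDiscovered", [HTTPS_INTERNAL]),
    _ci("2025-09-29T14:30:00Z", "OK", [HTTPS_INTERNAL, SSH_WORLD]),  # SSH opened to the world
    _ci("2025-09-29T18:05:00Z", "OK", [HTTPS_INTERNAL]),             # and closed again
]

def flatten(value: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested JSON into {'ipPermissions[1].cidr': leaf} so snapshots compare key by key."""
    if isinstance(value, dict):
        items = [(f"{prefix}.{k}" if prefix else k, v) for k, v in value.items()]
    elif isinstance(value, list):
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(value)]
    else:
        return {prefix: value}
    out: Dict[str, Any] = {}
    for path, v in items:
        out.update(flatten(v, path))
    return out

def diff_configs(old: Dict[str, Any], new: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """(path, old_value, new_value) for every leaf that was added, removed or changed."""
    a, b = flatten(old), flatten(new)
    return sorted((p, a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p))

def timeline(history: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Walk the CIs oldest-first and record what changed between consecutive snapshots."""
    result, prev = [], {}
    for ci in sorted(history, key=lambda c: c["configurationItemCaptureTime"]):
        result.append({"time": ci["configurationItemCaptureTime"],
                       "status": ci["configurationItemStatus"],
                       "changes": diff_configs(prev, ci["configuration"])})
        prev = ci["configuration"]
    return result

def state_at(history: List[Dict[str, Any]], when: str) -> Dict[str, Any]:
    """Configuration in effect at UTC ISO time `when` (same-format strings sort correctly)."""
    before = [ci for ci in history if ci["configurationItemCaptureTime"] <= when]
    return max(before, key=lambda c: c["configurationItemCaptureTime"])["configuration"] if before else {}
```

Pairing the change timestamps with CloudTrail events from the same window gives the "who" that Config alone does not record.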

8. Best Practices

    1. Scope Recording: Only track resource types relevant to compliance/security.
    2. Aggregate Data: Use multi-account aggregators for org-wide visibility.
    3. Combine with CloudTrail: CloudTrail shows who made a change, Config shows what changed.
    4. Secure twtech's S3 Bucket: Config delivers its snapshots here.
    5. Use Advanced Queries: For reporting, inventory, and audits.

Final Takeaway:

    • AWS Config Resources are the raw data layer.
    • Rules and Conformance Packs sit on top of that raw data layer to enforce compliance.
    • Remediation enforces self-healing.
