AWS Config | Config Rules Flashcards

1
Q

What time and timezones are displayed in the timeline view of a resource? What about daylight savings?

Config Rules

AWS Config | Management Tools

A

AWS Config displays the time at which Configuration Items (CIs) were recorded for a resource on a timeline. All times are captured in Coordinated Universal Time (UTC). When the timeline is visualized on the management console, the service uses the current time zone (adjusted for daylight savings, if relevant) to display all times in the timeline view.

2
Q

What is a resource’s configuration?

A

Configuration of a resource is defined by the data included in the Configuration Item (CI) of AWS Config. The initial release of Config Rules makes the CI for a resource available to relevant rules. Config Rules can use this information along with any other relevant information, such as other attached resources, business hours, etc., to evaluate compliance of a resource’s configuration.

3
Q

What is a rule?

A

A rule represents desired Configuration Item (CI) attribute values for resources and is evaluated by comparing those attribute values with CIs recorded by AWS Config. There are two types of rules:

AWS managed rules: AWS managed rules are pre-built and managed by AWS. You simply choose the rule you want to enable, then supply a few configuration parameters to get started.

Customer managed rules: Customer managed rules are custom rules, defined and built by you. You can create a function in AWS Lambda that can be invoked as part of a custom rule, and these functions execute in your account.

The quickest way to get started with AWS Config is to use the AWS Management Console. You can turn on AWS Config in a few clicks. For additional details, see the Getting Started documentation.

4
Q

How are rules created?

A

Rules are typically set up by the AWS account administrator. They can be created by leveraging AWS managed rules – a predefined set of rules provided by AWS – or through customer managed rules. With AWS managed rules, updates to the rule are automatically applied to any account using that rule. In the customer-managed model, the customer has a full copy of the rule, and executes the rule within his/her own account. These rules are maintained by the customer.

5
Q

How many rules can I create?

A

You can create up to 50 rules in your AWS account by default. Additionally, you can request an increase for the limit on the number of rules in your account by visiting the AWS Service Limits page.

6
Q

How are rules evaluated?

A

Any rule can be set up as a change-triggered rule or as a periodic rule. A change-triggered rule is executed when AWS Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:

Tag Key:(optional Value): A tag key:value implies any configuration changes recorded for resources with the specified tag key:value will trigger an evaluation of the rule.

Resource type(s): Any configuration changes recorded for any resource within the specified resource type(s) will trigger an evaluation of the rule.

Resource ID: Any changes recorded to the resource specified by the resource type and resource ID will trigger an evaluation of the rule.

A periodic rule is triggered at a specified frequency. Available frequencies are 1hr, 3hr, 6hr, 12hr or 24hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.

7
Q

What is an evaluation?

A

Evaluation of a rule determines whether a rule is compliant with a resource at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. Config Rules will capture and store the result of each evaluation. This result will include the resource, rule, time of evaluation and a link to the Configuration Item (CI) that caused non-compliance.

8
Q

What does compliance mean?

A

A resource is compliant if it complies with all rules that apply to it. Otherwise it is noncompliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with the rule. Otherwise it is noncompliant. In some cases, such as when inadequate permissions are available to the rule, an evaluation may not exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.
