AWS Config | General Flashcards
What is AWS Config?
General
AWS Config | Management Tools
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
What is a Config Rule?
General
AWS Config | Management Tools
A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
What are the benefits of AWS Config?
General
AWS Config | Management Tools
AWS Config makes it easy to track your resource’s configuration without the need for up-front investments and avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change.
How can AWS Config help with audits?
General
AWS Config | Management Tools
AWS Config gives you access to resource configuration history. You can relate configuration changes with AWS CloudTrail events that possibly contributed to the change in configuration. This information provides you full visibility, right from details, such as “Who made the change?”, “From what IP address?” to the effect of this change on AWS resources and related resources. You can use this information to generate reports to aid auditing and assessing compliance over a period of time.
Who should use AWS Config and Config Rules?
General
AWS Config | Management Tools
Any AWS customer looking to improve their security and governance posture on AWS by continuously evaluating the configuration of their resources would benefit from this capability. Administrators within larger organizations who recommend best practices for configuring resources can codify these rules as Config Rules, and enable self-governance among users. Information Security experts who monitor usage activity and configurations to detect vulnerabilities can benefit from Config Rules. Customers with workloads that need to comply with specific standards (e.g. PCI-DSS or HIPAA) can use this capability to assess compliance of their AWS infrastructure configurations, and generate reports for their auditors. Operators who manage large AWS infrastructure or components that change frequently can also benefit from Config Rules for troubleshooting.Customers who want to track changes to resources configuration, answer questions about resource configurations, demonstrate compliance, troubleshoot or perform security analysis should turn on AWS Config.
Does the service guarantee that my configurations are never out of compliance?
General
AWS Config | Management Tools
Config Rules provides information about whether your resources are compliant with configuration rules you specify. It will evaluate rules as soon as updated Configuration Items (CIs) for the resource are available within AWS Config. It does not guarantee that resources will be compliant or prevent users from taking non-compliant actions. Further, Config Rules does not automatically snap non-compliant resources back into compliance.
Does the service prevent users from taking non-compliant actions?
General
AWS Config | Management Tools
Config Rules does not directly affect how end-users consume AWS. It evaluates resource configurations only after a configuration change has been completed and recorded by AWS Config. Config Rules does not prevent the user from making changes that could be non-compliant. To control what a user can provision on AWS and configuration parameters allowed during provisioning, please use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.
Can rules be evaluated prior to provisioning a resource?
General
AWS Config | Management Tools
Config Rules evaluates rules after the Configuration Item (CI) for the resource is captured by AWS Config. It does not evaluate rules prior to provisioning a resource or prior to making configuration changes on the resource.