AWSConfig

Question 1

What is the purpose of AWS config?

Answer 1

It enables you to track changes in your account’s resources over time.

Question 2

Where does AWSConfig push the configuration changes to?

Answer 2

Changes are pushed to S3 bucket.

Question 3

I need to ensure my resources are compliant for both business and regulatory rules, what options do I have?

Answer 3

You cna use AWSConfig with Rules to check for non-complience.

Question 4

I am building a multi-region cloud virtual data centre, I want to ensure compliance, can I have one AWSConfig of all regions, if not, what options do I have?

Answer 4

AWSConfig is a single region resource, but you can have sperate AWSConfigs, one for each region, but have each push configs to one bucket.

Question 5

I need to understand what resources change in my application over time, how can I do this?

Answer 5

You cna use AWSConfig and get a history.

Question 6

What AWSConfig is been set up, do you need to grant some kind of permissions, if so what and how?

Answer 6

You need to either automatically or manually create a role with read-only permissions to all resources.

Question 7

I have an application and I want to receive every change to every resource in AWS in every region, how cna I do this?

Answer 7

You can set up an AWSConfig in every region and set each of the AWSConfig so that it SNS config points at the Application.

Question 8

Is AWSConfig realtime?

Answer 8

No, it takes up to 10min to received changes

Question 9

To ensure my organization is compliant, I need to set up a set of rules that will ensure infrastructure is compliant, what are my options?

Answer 9

Set up AWS config and create a set of rules

Question 10

I want to monitor if anyone creates a port on a set of restricted ports in my AWS environment, how cna I do this?

Answer 10

You can setup AWSConfig and some rules detect anyone creating a restricted port.

Question 11

If you wnat more detailed information about changes, what options do you have?

Answer 11

You need to enable cloudtrail to work with AWSConfig.

Question 12

I want to send notifications for changes in the resource infrastructures, what are my options?

Answer 12

You can use SNS with AWSConbfig, you can set up a rule and have it send you a message.

Question 13

What is the high-level architecture of AWS config?

Answer 13

• AWS Config tracks resource changes and writes to S3, it also validates again rules for compliant and non-compliant.

Question 14

Do I need an IAM role to allow AWSConfig access to all services?

Answer 14

Yes

Question 15

Is AWS Config a global service?

Answer 15

No, but you can configure each region to log to a centre al S3 bucket.

Question 16

What is a configuration item?

Answer 16

Is a record of a resource at a point in time.

Question 17

What is a configuration history?

Answer 17

It is a set of configuration items, it shows you the configuration of a resource over time.

Question 18

Is every resource type in AWS supported for AWS Config?

Answer 18

No, only selected resource types are supported.

Question 19

Where does AWS Config store the changes to resources?

Answer 19

In an S3 bucket, you can also add a bucket prefix.

Question 20

I wnat to stream configuration changes out of AWS Config, what options do I have?

Answer 20

You cna use SNS to stream changes.

Question 21

What do I need to associate with AWS Config to ensure AWS Config can access other services?

Answer 21

A role.

Question 22

What are AWS Config rules used for?

Answer 22

They enable you to check and ensure a resource is adhering to a configuration.

Question 23

Can you create your own custom AWS Config rule?

Answer 23

Yes 100%, they are created using Lambda.

Question 24

Will the AWS Config record in realtime?

Answer 24

No, it records and data becomes available in about 10min period.

Question 25

Describe a config item?

Answer 25

It is how the resource looked at a point in time,

• Volumes
• Status like running
• AZ
• Relationships like VPC, Subnets, SecurityGroups, Network interfaces

Question 26

How would I analyze if additional ports have been added to security groups?

Answer 26

You can use AWS config rule to create a list of ports to be blocked

Question 27

When using AWS Config rules, what options do I have as triggers?

Answer 27

• Config changes

- Periodic, where the rule is checked periodically again the resources.

Question 28

When would I use AWS Config?

Answer 28

When I need to track for audit purpose or compliance purpose the past and present configuration state of my resources in AWS.

Question 29

What is tracked by AWS Configuration?

Answer 29

The configuration state of the resources, both past and current.

Question 30

With AWS Config can I get a list of inventory?

Answer 30

Yes in the resources section you can get a list of inventory.

Question 31

Yesterday we had an outage, it is suspected this was due to a configuration change, how cna I quickly understand what changed in the solution?

Answer 31

Using AWS Config, provided it was enabled. We can look at the resolution resource to understand what has changed.

Question 32

What is AWS Config keeping in the S3 bucket?

Answer 32

It is keeping the configuration snapshots.

Question 33

I wnat to log to an external HTTPS service I created when configuration changes in my AWS account, how can I do this?

Answer 33

You can set up an SNS topic with AWS Config and when we get a change in the AWS account to a resource configuration, we will get a notification send to SNS and where I have my HTTPS services registered with the SNS topic.

Question 34

I have multiple AWS accounts with multiple regions and I want to get an aggregated view of all my accounts and regions so I understand changes in configuration and also to audit for compliance, how cna I do this?

Answer 34

You can use one account as an AWS Config aggregator for other accounts and their regions. AWS Config has the concept of aggregators and these allow you to select accounts or even an orgnization where all the AWS Config will be aggregated into this one single account AWS Config.

Question 35

Where is AWS Config getting the information it needs to understand the configuration changed?

Answer 35

It is coming from cloudtrail.

Question 36

Where is AWS Config getting the information it needs to understand the configuration changed?

Answer 36

It is coming from AWS Cloudtrail.

Question 37

I have an orgnization, how can I understand if AWS resources are not compliant?

Answer 37

Configure to have the orgnization as part of an AWS Config aggregator so all the AWS configs form thet accounts are aggregated into this one single account.

Question 38

How cna I ensure my resources in my account are compliant?

Answer 38

You can use AWS Config rules.

Question 39

How cna I create an AWS Config rule?

Answer 39

put something here

Question 40

I have looked through the AWS riles available and what I wnat is not present, what options do I have?

Answer 40

I can create a custom rule (riles->Custum rule)

Question 41

I need to take an automatic action when an AWS Config rules are triggered, how can I do this?

Answer 41

Put something here

Question 42

Why does AWS Config need a service-link role or a role?

Answer 42

Because the AWS Config service needs to have permissions to read from services like CloudTrail.

Question 43

I require the ability to see configuration changes as part of my security SIEM, what options do I have to see resource config changes?

Answer 43

You can use AWS Config to monitor resource changes and to use the AWS Config Rules to evaluate complience and send notificatio to the SIEM via SNS HTTPs.

Question 44

I require the ability to see configuration changes as part of my security SIEM, what options do I have to see resource config changes?

Answer 44

You can use AWS Config to monitor resource changes and to use the AWS Config Rules to evaluate compliance and send notification to the SIEM via SNS HTTPs.

Question 45

Our orgnization has an audit in a months time, part of what the auditors are looking for is an inventory of resources and there configuration, how cna I create this?

Answer 45

AWS Config creates an inventory of resources, there historical and current configuration.

Question 46

We require the ability to see what happen to a resource configuration some months back, how cna we do this?

Answer 46

If AWS Config was enabled and configures, it will have a complete picture of what happened.

Question 47

What is a finding in AWS Config?

Answer 47

A finding is not used in AWS Config and is used in AWS GuardDuty, little trick question to make sure you are not asleep.

Question 48

I need to better understand the relationship between resources, how cna I do this?

Answer 48

AWS Config captures the relationship between resources.

Question 49

What is a configuration item?

Answer 49

A configuration item represents a point-in-time view of the supported AWS resource

Question 50

What is a configuration snapshot?

Answer 50

A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account

Question 51

What is a configuration history?

Answer 51

A configuration history is a collection of the configuration items for a given resource over any time period

Question 52

What is the configuration timeline?

Answer 52

The same as configuration history and show a list of configuration items over time.

Question 53

How can I use a lambda function to remediate an issue a non-compliance rule belong to AWS Config?

Answer 53

Use AWS CloudWatch Events to receive the non-compliant event and then trigger the lambda function to remediate the issue.

Question 54

When using AWS Config rules and when a rule is triggered, how can I send an email message?

Answer 54

Rules have remediation configuration where you can use AWS Systems Manager Automation, AWS Systems Manager Automation has a preconfigured automation to send an SNS notification to a topic of your choice with a message. You can use this to send a message and have email SNS topic subscribers receive the message.

Question 55

When using AWS config rules how cna I remediate an issue triggered by a rule?

Answer 55

The rule has a remediation section where we can opt to use AWS Systems Manager Automation to solve the issue.

Question 56

I wnat to receive notification for all AWS Config rule non-compliant issues, what options do I have?

Answer 56

In the AWS Config, you have the option to use an SNS topic.