Detective Controls of AWS

Oguzhan Ozturk
AWS in Plain English
3 min read · Oct 25, 2021


AWS Config (a continuous configuration auditor) provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.

How it Works

Benefits of AWS Config:

  • Continuous Monitoring
    With AWS Config, you are able to continuously monitor and record configuration changes of your AWS resources.
  • Continuous Assessment
    AWS Config allows you to continuously audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines.
  • Change Management
    With AWS Config, you are able to track the relationships among resources and review resource dependencies prior to making changes.
  • Operational Troubleshooting
    With AWS Config, you can capture a comprehensive history of your AWS resource configuration changes to simplify troubleshooting of your operational issues.

Use Cases

Discovery

AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.

Change Management

When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of all the configuration changes. AWS Config represents relationships between resources so that you can assess how a change to one resource may impact other resources.

Continuous Audit and Compliance

AWS Config is designed to help you assess compliance with your internal policies and regulatory standards by providing you visibility into the configuration of your AWS resources as well as third-party resources, and evaluating resource configuration changes against your desired configurations on a continuous basis.

Compliance-as-code Framework

You can use AWS Config as your framework for creating and deploying governance and compliance rules across your AWS accounts and regions. You codify your compliance requirements as AWS Config rules, author remediation actions as AWS Systems Manager Automation documents, and package them together in a conformance pack that can be deployed across an organization. Used this way, AWS Config automates the assessment of your resource configurations and of every change to them, helping you maintain continuous compliance and self-governance across your AWS infrastructure.
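The building block of compliance-as-code is the rule itself. The following is an added example in Python, not code from this post or from AWS: it is the Lambda function Config invokes for a custom rule, checking whether a security group exposes a port (22 unless the rule parameter says otherwise) to 0.0.0.0/0 or ::/0, and reporting the verdict back through PutEvaluations. The rule-parameter name `port`, and the security-group ID, timestamp and result token in the sample event, are assumptions; the `ipPermissions` layout is taken from Config's AWS::EC2::SecurityGroup configuration item and is handled in both the string and object shapes Config has emitted.

```python
"""Custom AWS Config rule (Lambda) that flags security groups exposing a sensitive port
to the whole internet. Added example, not code from the post or from AWS. Event fields
(invokingEvent, ruleParameters, resultToken, eventLeftScope) follow Config's custom-rule
invocation; the ipPermissions layout is assumed from the AWS::EC2::SecurityGroup schema."""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """All CIDRs in one ingress permission: ipRanges (strings) and ipv4Ranges/ipv6Ranges (objects)."""
    out = set()
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(key) or []:
            out.add(r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")))
    return out


def _covers_port(perm, port):
    """Does this permission admit TCP traffic to `port`? ipProtocol -1 means all traffic."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(configuration, port):
    """Return (ComplianceType, annotation) for one security group's configuration dict."""
    for perm in configuration.get("ipPermissions") or []:
        world = _cidrs(perm) & WORLD_CIDRS
        if world and _covers_port(perm, port):
            return "NON_COMPLIANT", f"port {port} reachable from {', '.join(sorted(world))}"
    return "COMPLIANT", f"no ingress rule exposes port {port} to 0.0.0.0/0 or ::/0"


def evaluate_event(event, config_client=None):
    """Turn a custom-rule invocation into the put_evaluations payload (pure, testable offline)."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))  # parameter name and default are this example's choice

    if invoking.get("messageType") == "OversizedConfigurationItemChangeNotification":
        # Item too large to inline: Config sent only a summary, so fetch the latest CI.
        s = invoking["configurationItemSummary"]
        hist = config_client.get_resource_config_history(
            resourceType=s["resourceType"], resourceId=s["resourceId"], limit=1)
        ci = hist["configurationItems"][0]
        ci["configuration"] = json.loads(ci["configuration"])  # API returns it as a JSON string
    else:
        ci = invoking["configurationItem"]

    deleted = ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if event.get("eventLeftScope") or deleted:
        compliance, note = "NOT_APPLICABLE", "resource deleted or no longer in rule scope"
    elif ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule evaluates AWS::EC2::SecurityGroup only"
    else:
        compliance, note = evaluate_security_group(ci.get("configuration") or {}, port)

    return {
        "Evaluations": [{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config rejects annotations longer than 256 chars
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        "ResultToken": event["resultToken"],
    }


def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so the logic above needs no SDK to test."""
    import boto3
    client = boto3.client("config")
    client.put_evaluations(**evaluate_event(event, client))


# Constructed invocation for a local run; group ID, timestamp and token are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2021-10-25T10:15:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
        },
    }),
    "ruleParameters": json.dumps({"port": "22"}),
    "resultToken": "example-token",
    "eventLeftScope": False,
}

if __name__ == "__main__":
    print(json.dumps(evaluate_event(SAMPLE_EVENT), indent=2))
```

For SSH specifically a managed rule (restricted-ssh) already exists; custom rules earn their keep when the policy is organization-specific. Two details matter in production and are handled above: a deleted or out-of-scope resource must still be reported as NOT_APPLICABLE, otherwise its last verdict lingers in the compliance view, and an oversized configuration item arrives only as a summary that has to be fetched from the configuration history before it can be evaluated.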

Troubleshooting

Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.

Security analysis

Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses. Changes to your resource configurations can trigger Amazon Simple Notification Service (SNS) notifications, which can be sent to your security team to review and take action. After a potential security event, Config enables you to review the configuration history of your resources and examine your security posture.
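The SNS stream described under Change Management and here is only useful if something reads it and decides what the security team needs to see. The following is an added example in Python, not the post's or AWS's code: a triage function for Config change notifications as delivered through SNS (for instance to a Lambda subscribed to the Config topic). It assumes Config's documented message layout (`messageType`, `configurationItem` with `relationships` and `relatedEvents`, and `configurationItemDiff.changedProperties` keyed by property path with `previousValue`, `updatedValue` and `changeType`); the watch-list of property paths, the severity labels, and all IDs in the constructed sample are this example's own.

```python
"""Triage AWS Config change notifications arriving through SNS. Added example, not the
post's or AWS's code. Assumes Config's SNS message layout (messageType, configurationItem,
configurationItemDiff.changedProperties); watch-list and severities are the example's own."""
import json

# Property paths whose change should be reviewed first, per resource type (example's choice).
WATCHED = {
    "AWS::EC2::SecurityGroup": ("Configuration.IpPermissions",),
    "AWS::IAM::Role": ("Configuration.AssumeRolePolicyDocument", "Configuration.RolePolicyList"),
    "AWS::S3::Bucket": ("SupplementaryConfiguration.BucketPolicy",
                        "SupplementaryConfiguration.PublicAccessBlockConfiguration"),
}


def _world_exposed(value):
    """Recursively look for an any-address CIDR or a wildcard principal in a changed value.
    Policy documents arrive as JSON strings inside the diff, so strings are parsed when possible."""
    if isinstance(value, str):
        if value in ("0.0.0.0/0", "::/0"):
            return True
        try:
            return _world_exposed(json.loads(value))
        except ValueError:
            return False
    if isinstance(value, dict):
        p = value.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            return True
        return any(_world_exposed(v) for v in value.values())
    if isinstance(value, list):
        return any(_world_exposed(v) for v in value)
    return False


def triage_message(msg):
    """Return a finding dict for one Config notification, or None if it needs no attention."""
    if msg.get("messageType") != "ConfigurationItemChangeNotification":
        return None  # snapshot, compliance and oversized messages are not handled here
    ci = msg["configurationItem"]
    rtype = ci.get("resourceType")
    if rtype not in WATCHED:
        return None
    diff = msg.get("configurationItemDiff") or {}
    changed = diff.get("changedProperties") or {}
    hits = sorted(p for p in changed if p.startswith(WATCHED[rtype]))
    if diff.get("changeType") == "DELETE":
        hits = ["(resource deleted)"]
    if not hits:
        return None
    exposed = any(_world_exposed(changed[p].get("updatedValue")) for p in hits if p in changed)
    return {
        "severity": "high" if exposed else "medium",
        "resource": f"{rtype}/{ci.get('resourceId')}",
        "account": ci.get("awsAccountId"), "region": ci.get("awsRegion"),
        "captured": ci.get("configurationItemCaptureTime"),
        "changed": hits,
        # Blast radius and attribution: the CI links to related resources and to the
        # CloudTrail event IDs behind the change (the actor is in CloudTrail, not in Config).
        "related": [f"{r.get('resourceType')}/{r.get('resourceId') or r.get('resourceName')}"
                    for r in ci.get("relationships") or []],
        "cloudtrail_events": list(ci.get("relatedEvents") or []),
    }


def triage_sns_event(event):
    """Lambda-style entry point: unwrap every SNS record and collect the findings."""
    findings = []
    for rec in event.get("Records") or []:
        finding = triage_message(json.loads(rec["Sns"]["Message"]))
        if finding:
            findings.append(finding)
    return findings


# Constructed SNS delivery with two notifications; IDs, times and event IDs are made up.
_SG_CHANGE = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
        "awsAccountId": "111122223333", "awsRegion": "eu-west-1",
        "configurationItemCaptureTime": "2021-10-25T10:15:00.000Z",
        "relationships": [{"resourceType": "AWS::EC2::Instance",
                           "resourceId": "i-0abc1234def567890", "name": "Is associated with Instance"}],
        "relatedEvents": ["4f7e1c2a-0000-4000-8000-000000000001"],
    },
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Configuration.IpPermissions.0": {"previousValue": None, "changeType": "CREATE",
                                          "updatedValue": {"ipProtocol": "tcp", "fromPort": 3389,
                                                           "toPort": 3389, "ipRanges": ["0.0.0.0/0"]}}}},
}
_TAG_CHANGE = {  # a bucket tag edit: recorded by Config, but not something to page on
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket"},
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Tags.Owner": {"previousValue": "alice", "updatedValue": "bob", "changeType": "UPDATE"}}},
}
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(m)}} for m in (_SG_CHANGE, _TAG_CHANGE)]}

if __name__ == "__main__":
    print(json.dumps(triage_sns_event(SAMPLE_SNS_EVENT), indent=2))
```

The point of keying on property paths rather than on the whole configuration item is noise: a busy account produces a steady stream of tag and description edits that nobody should be paged for, while a single new ingress rule, trust-policy edit or bucket-policy change is worth an immediate look. The `relationships` and `relatedEvents` fields answer the two questions an analyst asks next, which instances sit behind the changed group and which CloudTrail events (and therefore which principal) made the change.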

Thank you for reading!

Source:
https://aws.amazon.com/config/
