Configuration items – Managing Your Environment with AWS Config – SCS-C02 Study Guide

Configuration items

As your resources change over time, there needs to be a way to capture those changes so they can be evaluated against the rules set out in Config and compared with the resource's earlier state. A configuration item (CI) is a point-in-time snapshot, stored as a JSON document, of a resource's configuration at that instant. The document holds the resource's metadata, attributes, relationships, current configuration, and related events. Most, but not all, resource types are supported by AWS Config; the complete list of supported resources can be found at http://packt.link/5LRkV.

A new configuration item is created every time Config detects a change to a recorded resource, whether from creating the resource or from calling an update or delete API against it. Earlier items are retained, so a resource's configuration history can be reviewed and any two items compared to see exactly what changed.

The following presents a quick overview of the components of configuration items:

  • The Metadata section contains information about the configuration item itself, such as its version, the account ID, the capture time, and the item's status (for example, whether the resource was discovered, updated, or deleted).
  • The Attributes section describes the resource the configuration item relates to: its resource ID, type, ARN, Region, Availability Zone, creation time, and tags.
  • The Relationships section holds data about any connected resources. For example, the configuration item for a subnet lists the VPC that the subnet is part of.
  • Current Configuration holds the same information you would get by running a describe or list API call against the resource with the AWS CLI.
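
The following Python example, added to this guide and not taken from the book or from AWS, shows what a custom Config rule does with one of these configuration items: it reads the metadata, attributes, and current configuration of a constructed, abbreviated item for an EC2 security group and decides whether the group exposes a port to the whole internet. The sample item, the account ID, resource IDs, and the `port` rule parameter are all assumptions made for the example; the `lambda_handler` at the end shows how such a check plugs into a change-triggered rule.

```python
"""Evaluate a Config configuration item the way a custom Config rule does.

Added example for this guide, not code from the book or from AWS. The
configuration item below is constructed and abbreviated; its fields follow
the sections described above (metadata, attributes, relationships,
current configuration). The rule flags security groups whose inbound
rules expose a port to 0.0.0.0/0 or ::/0.
"""
import json

# Constructed, abbreviated configuration item for an EC2 security group.
SAMPLE_CI = {
    # metadata: about the item itself
    "version": "1.3",
    "accountId": "123456789012",
    "configurationItemCaptureTime": "2024-01-15T10:22:31.000Z",
    "configurationItemStatus": "OK",
    # attributes: about the resource
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "arn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
    "awsRegion": "us-east-1",
    "tags": {"Name": "bastion-sg"},
    # relationships: connected resources
    "relationships": [
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0a1b2c3d",
         "relationshipName": "Is contained in Vpc"}
    ],
    # current configuration: what describe-security-groups returns
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "vpcId": "vpc-0a1b2c3d",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
        ],
    },
}

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Item statuses after which there is no live configuration to evaluate.
GONE = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def rule_covers_port(rule, port):
    """True if an ipPermissions entry applies to `port` (protocol -1 = all)."""
    if rule.get("ipProtocol") == "-1":
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_compliance(ci, port=22):
    """Return (ComplianceType, annotation) for one configuration item."""
    if ci.get("configurationItemStatus") in GONE:
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule applies to security groups only"
    exposed = []
    for rule in ci.get("configuration", {}).get("ipPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
        exposed += [c for c in cidrs if c in OPEN_CIDRS]
    if exposed:
        return "NON_COMPLIANT", f"port {port} open to {', '.join(sorted(set(exposed)))}"
    return "COMPLIANT", f"port {port} not exposed to the internet"


def build_evaluation(ci, port=22):
    """Shape the PutEvaluations entry Config expects for this item."""
    compliance, annotation = evaluate_compliance(ci, port)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point of a change-triggered custom Config rule.

    Config delivers the configuration item as a JSON string inside
    event["invokingEvent"]; rule parameters arrive the same way.
    """
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") == "OversizedConfigurationItemChangeNotification":
        # Large items are not inlined; fetch the full item with
        # GetResourceConfigHistory before evaluating (not shown here).
        raise NotImplementedError("fetch the item with GetResourceConfigHistory")
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(invoking["configurationItem"], int(params.get("port", 22)))
    import boto3  # SDK is only needed inside Lambda, so imported here
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_CI), indent=2))
```

Note the status check at the top of `evaluate_compliance`: when a resource is deleted, Config still emits a final item with `configurationItemStatus` set to `ResourceDeleted`, and a rule that reads `configuration` blindly from that item will either fail or report stale compliance. The `OrderingTimestamp` comes from the item's capture time, which is what lets Config order evaluations for the same resource correctly.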

Now that you know how Config stores its information about resources as configuration items, you are ready to examine the component that captures them: the configuration recorder.

The Configuration Recorder

Within the AWS Config service, the configuration recorder discovers changes to new and existing resources and captures those changes as configuration items. You must create a configuration recorder before AWS Config can monitor your resource configurations or let you remediate configurations that do not meet your compliance standards using Config rules; there is one configuration recorder per Region in each account. Config rules are explained later, in the section labeled AWS Config Rules.

There are multiple ways to set up the configuration recorder, including the AWS Management Console, the Command-Line Interface (CLI), or Infrastructure as Code (IaC) using a tool such as CloudFormation or Terraform. Setting up the configuration recorder through the AWS Management Console records all supported resource types in the Region by default. If you create the recorder another way, such as with the CLI or IaC, you can specify exactly which resource types Config should record. Whichever method you use, decide in which single Region you include global resource types such as IAM users, groups, roles, and customer managed policies; recording them in every Region produces a duplicate configuration item for each one.
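
The following Python example, added to this guide and not taken from the book's exercise or from AWS, builds the recorder and delivery-channel definitions that the `put-configuration-recorder`, `put-delivery-channel`, and `start-configuration-recorder` calls need and, in `enable_config`, issues those three calls through boto3. The account ID, S3 bucket name, home Region, and the choice of the `AWSServiceRoleForConfig` service-linked role are assumptions; the builders run offline, so you can inspect the recording group for each Region before touching an account.

```python
"""Define and enable a Config configuration recorder from code.

Added example for this guide, not the book's exercise or AWS's own code.
Account ID, bucket, and Region names are placeholders. The helpers encode two
constraints of the PutConfigurationRecorder API (a recorder that lists
specific resourceTypes cannot also set allSupported, and
includeGlobalResourceTypes is only valid together with allSupported) and the
practice of including global resource types in one home Region only, so each
IAM resource gets a single configuration item instead of one per Region.
"""

HOME_REGION = "us-east-1"   # assumption: the Region that records global types
DELIVERY_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                        "Twelve_Hours", "TwentyFour_Hours"}


def build_recording_group(region, resource_types=None, home_region=HOME_REGION):
    """Return the recordingGroup for `region`.

    resource_types=None records every supported type (what the console does
    by default); a list such as ["AWS::EC2::SecurityGroup"] records only those.
    """
    if resource_types:
        return {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(set(resource_types)),
        }
    return {
        "allSupported": True,
        "includeGlobalResourceTypes": region == home_region,
        "resourceTypes": [],
    }


def validate_recording_group(group):
    """Reject combinations the API rejects with InvalidRecordingGroupException."""
    if group["allSupported"] and group["resourceTypes"]:
        raise ValueError("resourceTypes cannot be listed when allSupported is true")
    if group["includeGlobalResourceTypes"] and not group["allSupported"]:
        raise ValueError("includeGlobalResourceTypes requires allSupported")
    for rt in group["resourceTypes"]:
        if not rt.startswith("AWS::"):
            raise ValueError(f"not a Config resource type: {rt}")
    return group


def build_recorder(account_id, region, resource_types=None, name="default"):
    """One recorder per Region per account, using the service-linked role."""
    return {
        "name": name,
        "roleARN": (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                    "config.amazonaws.com/AWSServiceRoleForConfig"),
        "recordingGroup": validate_recording_group(
            build_recording_group(region, resource_types)),
    }


def build_delivery_channel(bucket, frequency="Six_Hours", name="default"):
    """Delivery channel: the bucket history files and snapshots are written to."""
    if frequency not in DELIVERY_FREQUENCIES:
        raise ValueError(f"unsupported snapshot frequency: {frequency}")
    return {
        "name": name,
        "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency},
    }


def enable_config(account_id, region, bucket, resource_types=None):
    """Create the recorder and delivery channel, then start recording.

    Same sequence as the CLI: put-configuration-recorder,
    put-delivery-channel, start-configuration-recorder. boto3 is imported
    here so the builders above stay usable without the SDK or credentials.
    """
    import boto3
    config = boto3.client("config", region_name=region)
    recorder = build_recorder(account_id, region, resource_types)
    config.put_configuration_recorder(ConfigurationRecorder=recorder)
    config.put_delivery_channel(DeliveryChannel=build_delivery_channel(bucket))
    config.start_configuration_recorder(ConfigurationRecorderName=recorder["name"])
    return recorder


if __name__ == "__main__":
    import json
    for region in ("us-east-1", "eu-west-1"):
        group = build_recorder("123456789012", region)["recordingGroup"]
        print(region, json.dumps(group))
```

Before calling `enable_config`, the target bucket needs a bucket policy that allows the `config.amazonaws.com` service principal to write to it; `put-delivery-channel` fails otherwise. Running the builders for two Regions shows the intended split: the home Region gets `includeGlobalResourceTypes: true`, every other Region gets `false`.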

Note

In the Exercises available with this book, there is a walk-through of setting up AWS Config, the configuration recorder, and a conformance pack.

As you go through the Basic Setup of Configuration Recorder example, which walks through setting up the configuration recorder, it is suggested that you type the JSON policy files by hand. They are simple enough, and the more practice you get in reading and understanding these policy files, the better prepared you will be for the exam. Some questions require you to parse JSON or fragments of IAM policy in your head, and hands-on experience is the fastest way to become comfortable doing that.