Evaluating Config Rules
Once the rules have been configured in the account and the specified triggers have been set, the AWS Config service flags the resources that do not comply with those rules. As you initially set up your rules, especially custom rules, you may need to review the items that have been flagged and modify the rule to make sure it behaves the way you envisioned. This could include scoping the rule so that it runs only against resources carrying a specified tag.
AWS Config rules are evaluated in two modes: proactive mode and detective mode. In proactive mode, resources are evaluated as soon as they are deployed or provisioned: once a resource has been provisioned, the AWS Config service runs the rule and determines whether that new resource is compliant. In detective mode, on the other hand, AWS Config runs rules against resources that have already been deployed.
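As an added illustration of the tag-scoped custom rule described above (example code written for this section, not AWS sample code), the following Lambda-style handler evaluates one S3 bucket configuration item from a Config rule invocation. The rule itself is hypothetical: buckets carrying the scope tag named in the `scopeTagKey` rule parameter must have default server-side encryption; deleted resources and untagged buckets are reported as NOT_APPLICABLE rather than failing.

```python
import json

def evaluate_compliance(config_item, rule_params):
    """Decide compliance for one S3 bucket configuration item.

    Hypothetical rule: buckets carrying the scope tag must have default
    server-side encryption. Returns (ComplianceType, annotation).
    """
    # A deleted or unrecorded resource cannot be evaluated; Config expects NOT_APPLICABLE.
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted or not recorded"
    if config_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    # Scope the rule to tagged resources only, as the text describes.
    tag_key = rule_params.get("scopeTagKey")
    if tag_key and tag_key not in config_item.get("tags", {}):
        return "NOT_APPLICABLE", f"Bucket lacks scope tag {tag_key}"
    supplementary = config_item.get("supplementaryConfiguration", {})
    if supplementary.get("ServerSideEncryptionConfiguration"):
        return "COMPLIANT", "Default encryption configured"
    return "NON_COMPLIANT", "No default server-side encryption"

def build_evaluation(event):
    """Turn a Config rule invocation event into one put_evaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    config_item = invoking["configurationItem"]
    rule_params = json.loads(event.get("ruleParameters", "{}"))
    compliance, annotation = evaluate_compliance(config_item, rule_params)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: reports the verdict back to AWS Config."""
    import boto3  # imported here so the pure logic above can run offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not from a real account): a tagged, unencrypted bucket.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {"Environment": "prod"}, "supplementaryConfiguration": {}}}),
    "ruleParameters": json.dumps({"scopeTagKey": "Environment"}),
    "resultToken": "constructed-token"}
```

Running `build_evaluation(SAMPLE_EVENT)` offline yields a NON_COMPLIANT entry; in Lambda, `lambda_handler` sends the same entry to Config with `put_evaluations`.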
AWS Config Conformance Packs
Collections of AWS Config rules come in what are known as conformance packs. You can apply a conformance pack either in the particular Region in which you are using AWS Config or, if you are using an aggregator (discussed in just a bit) to combine the information from multiple Regions or multiple accounts, across all of them at once. The same set of rules is applied everywhere with a one-click setup.
Conformance packs make it simple to implement operational best practices for a number of AWS services, industries, and security controls, all with minimal effort. Sample packs for items ranging from Criminal Justice Information Services to HIPAA Security Rule are available.
Note
Although the individual conformance packs will not be asked about directly on the exam, it is suggested that you explore the various titles available so that you know what resources are available for your day-to-day duties. To do so, have a look at the following URL: https://packt.link/PbCDa.
The configuration history is useful for audits and provides a complete record of all the changes made to a resource. By collating the configuration items for a resource, AWS Config can assemble a history of the modifications made to that resource. The history of your resource can be accessed via the AWS CLI or the AWS Management Console. Also, as part of the process, AWS Config will store a configuration history file of each resource type in the S3 bucket selected during the configuration of AWS Config.
You can select any change in the AWS Management Console and drill down to see which elements changed. Suppose there was a security incident or outage. In that case, this history would help you establish the timeline of events that led to the incident and resolve it quickly and efficiently.
AWS lets you take an automated approach to fixing resources that Config rules have evaluated as out of compliance. Systems Manager Automation runbooks carry out these remediation actions.
There are several predefined automated remediations that you can choose from, or you can create custom remediations to suit your organization’s needs.