In a standard AWS account, the resources that make up that account constantly change in one form or another. Instances are started, stopped, created, or destroyed as part of an autoscaling event. An admin or developer might add a port to, or remove one from, a security group for access or testing purposes, to ensure that the correct protocols can reach the software and services involved.
Once you start the service, AWS Config scans your account for supported services/resources by default. As it finds these resources, it crafts a configuration item for each one.
The configuration recorder generates and records a new configuration item as the resource changes take place.
Figure 5.1 shows the process flow of the components of the Config service. These include the overall service itself, which depends on the configuration recorder to capture the events. Config then uses various sources, such as CloudTrail Logs for monitoring. These events are sent to a delivery channel and saved as configuration snapshots over time.
Figure 5.1: Process flow of the AWS Config service
Some other items in the Config service do not appear in Figure 5.1. These include the following:
These will be discussed in greater detail in the following section to give you an understanding of all aspects of the AWS Config components.
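The process flow above (recorder, delivery channel, snapshots) can be set up programmatically. The following is an added example, not code from the book: it uses the boto3 ConfigService operations that create the configuration recorder, attach the delivery channel that writes configuration snapshots to S3, and start the recorder. The role ARN and bucket name are placeholders, and the client is passed in so the sequence can be exercised against a small stub (hypothetical, defined below) without an AWS account.

```python
"""Stand up the AWS Config components described above: a configuration
recorder, a delivery channel that writes configuration snapshots to S3,
and the start call that puts the recorder to work. Added example, not
from the book; the calls are boto3's ConfigService operations, the role
ARN and bucket are placeholders, and the client is injected so the
sequence runs offline against StubConfigClient (hypothetical)."""

RECORDER_NAME = "default"
CHANNEL_NAME = "default"


def recorder_spec(role_arn: str) -> dict:
    """Recorder definition: every supported resource type, including global
    ones (such as IAM), so a configuration item exists for each resource."""
    return {
        "name": RECORDER_NAME,
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": True,
                           "includeGlobalResourceTypes": True},
    }


def delivery_channel_spec(bucket: str, prefix: str = "config") -> dict:
    """Delivery channel: where items land and how often snapshots are cut."""
    return {
        "name": CHANNEL_NAME,
        "s3BucketName": bucket,
        "s3KeyPrefix": prefix,
        "configSnapshotDeliveryProperties": {
            "deliveryFrequency": "TwentyFour_Hours"},
    }


def enable_config(client, role_arn: str, bucket: str) -> list:
    """Recorder first, then channel, then start: Config refuses to start a
    recorder that has no delivery channel. Returns the operations issued."""
    client.put_configuration_recorder(
        ConfigurationRecorder=recorder_spec(role_arn))
    client.put_delivery_channel(
        DeliveryChannel=delivery_channel_spec(bucket))
    client.start_configuration_recorder(
        ConfigurationRecorderName=RECORDER_NAME)
    return ["put_configuration_recorder", "put_delivery_channel",
            "start_configuration_recorder"]


def is_recording(client) -> bool:
    """True when the recorder reports that it is capturing changes."""
    resp = client.describe_configuration_recorder_status(
        ConfigurationRecorderNames=[RECORDER_NAME])
    return any(s.get("recording", False)
               for s in resp.get("ConfigurationRecordersStatus", []))


class StubConfigClient:
    """Hypothetical stand-in for boto3.client("config"): records each
    request and flips 'recording' on once the recorder is started."""

    def __init__(self):
        self.requests = []
        self.recording = False

    def put_configuration_recorder(self, **kw):
        self.requests.append(("put_configuration_recorder", kw))

    def put_delivery_channel(self, **kw):
        self.requests.append(("put_delivery_channel", kw))

    def start_configuration_recorder(self, **kw):
        self.requests.append(("start_configuration_recorder", kw))
        self.recording = True

    def describe_configuration_recorder_status(self, **kw):
        return {"ConfigurationRecordersStatus": [
            {"name": RECORDER_NAME, "recording": self.recording}]}


if __name__ == "__main__":
    # Swap the stub for boto3.client("config") to target a real account;
    # the role must be one Config can assume (AWS_ConfigRole managed policy).
    client = StubConfigClient()
    enable_config(client, "arn:aws:iam::123456789012:role/config-recorder",
                  "config-bucket-placeholder")  # placeholders
    print("recording:", is_recording(client))
```

The ordering in `enable_config` is the part worth remembering: the recorder and the delivery channel are separate objects, and the recorder cannot be started until a channel exists to receive the configuration items and snapshots.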
When it comes to taking the AWS Certified Specialty exam, the ability to distinguish between two services with similar yet distinct functions is crucial to your success.
The two AWS services, Config and CloudTrail, have many similar traits. They are both services that monitor your AWS resources and provide a recorded history of what happens in your AWS account. Furthermore, they both provide information that can be used for compliance and auditing purposes.
The main concept to remember with AWS Config is that it captures WHAT has changed in the resource at a certain point in time.
This is in contrast to AWS CloudTrail, which captures WHO changed WHICH resource from WHERE, as well as the RESPONSE.
Consider Table 5.1 for an example of when you would use which tool to find the correct information:
|                                                    | AWS Config | AWS CloudTrail |
|----------------------------------------------------|------------|----------------|
| Detect the creation of the security group          | ✓          | ✓              |
| Who created the security group?                    |            | ✓              |
| What IP did they use to create the security group? |            | ✓              |
| Port change on the security group                  |            | ✓              |
| Who made the port change?                          |            | ✓              |
| Was the change successful?                         |            | ✓              |
| When did the change occur?                         | ✓          | ✓              |
| Ports opened now versus before                     | ✓          |                |
Table 5.1: Comparison of data captured by CloudTrail versus Config
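The distinction in Table 5.1 is easiest to see on real record shapes. The following is an added example, not code from the book: it takes two consecutive AWS Config configuration items for a security group and computes WHAT changed (ports opened now versus before, with a check for rules opened to the whole internet), then reads a CloudTrail record for the same API call to answer WHO, from WHERE, and the RESPONSE. Both records are constructed to mirror the real document shapes, trimmed to the fields used; the security group id, account id and source IP are placeholders.

```python
"""Turn the Table 5.1 distinction into working checks: AWS Config's
configuration items answer WHAT changed, a CloudTrail record answers WHO
changed it, from WHERE, and with what RESPONSE. Added example, not from
the book; the records below are constructed to mirror the real shapes,
with placeholder ids and a documentation-range source IP."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed: consecutive Config items for one security group, trimmed to
# the fields used here (real items carry many more, e.g. relationships).
CONFIG_ITEM_BEFORE: Dict = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",  # placeholder id
    "configurationItemCaptureTime": "2024-01-01T10:00:00Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        ]
    },
}
CONFIG_ITEM_AFTER: Dict = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T10:05:30Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        ]
    },
}

# Constructed: the CloudTrail record for the API call that made the change.
CLOUDTRAIL_RECORD: Dict = {
    "eventTime": "2024-01-01T10:05:12Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "203.0.113.10",  # TEST-NET-3 documentation range
    "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                     "arn": "arn:aws:iam::123456789012:user/dev-alice"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    "responseElements": {"_return": True},
}

Rule = Tuple[str, Optional[int], Optional[int], str]  # (proto, from, to, cidr)


def ingress_rules(item: Dict) -> Set[Rule]:
    """Flatten a configuration item's ipPermissions into hashable rule tuples."""
    rules: Set[Rule] = set()
    for perm in item["configuration"].get("ipPermissions", []):
        for rng in perm.get("ipRanges", []):
            rules.add((perm["ipProtocol"], perm.get("fromPort"),
                       perm.get("toPort"), rng["cidrIp"]))
    return rules


def what_changed(before: Dict, after: Dict) -> Dict[str, List[Rule]]:
    """Config's view: ingress rules opened or closed between two items."""
    old, new = ingress_rules(before), ingress_rules(after)
    return {"opened": sorted(new - old), "closed": sorted(old - new)}


def world_exposed(changes: Dict[str, List[Rule]]) -> List[Rule]:
    """Detection helper: newly opened rules reachable from any address."""
    return [r for r in changes["opened"] if r[3] in ("0.0.0.0/0", "::/0")]


def who_where_result(record: Dict) -> Dict[str, str]:
    """CloudTrail's view: principal, source IP, action, time and outcome.
    A denied or failed call carries errorCode instead of responseElements."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("arn") or ident.get("userName") or ident.get("type", "unknown"),
        "where": record.get("sourceIPAddress", "unknown"),
        "action": record.get("eventName", "unknown"),
        "when": record.get("eventTime", "unknown"),
        "result": ("failed: " + record["errorCode"]) if "errorCode" in record
                  else "success",
    }


if __name__ == "__main__":
    diff = what_changed(CONFIG_ITEM_BEFORE, CONFIG_ITEM_AFTER)
    print("Config     - what changed:", diff)
    print("Config     - world-exposed:", world_exposed(diff))
    print("CloudTrail - who/where/result:", who_where_result(CLOUDTRAIL_RECORD))
```

Note what each side cannot tell you: the two configuration items alone never name the principal or source IP, and the CloudTrail record alone never shows the full before/after rule set, which is why an investigation of a security group change normally reads both.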
You can now clearly differentiate between AWS Config and AWS CloudTrail and can take a closer look at the components that make up the Config service, the first component being configuration items.