Understanding Your AWS Environment through AWS Config – Managing Your Environment with AWS Config – SCS-C02 Study Guide

Understanding Your AWS Environment through AWS Config

With the number of services rising each year in AWS, it can be difficult to understand what resources might be running within your environment. How can you keep up with what instances you have running and where, what they are running, and whether the resources are still needed? You might be running some infrastructure that is no longer required but got overlooked among thousands of other virtual devices in production.

With a vast network of resources running within your account, do you have a clear understanding as to which resource is connected to which? What ENI is connected to which instance? Which subnet is that instance running in? Which subnets are connected to which VPCs? Do you have a logical mapping of infrastructure that quickly and easily allows you to identify a blast radius should an incident occur or visibility into resource dependencies should you change your configuration?

On top of that, do you know the current state of configuration? Are you certain the latest patches are implemented, or is there a chance that some of your infrastructure is exposed and has been left vulnerable to potential security threats?

If someone makes a change to your infrastructure and environment, do you have an accurate record of that change, what changed, and when it changed?

Returning to compliance, how can you be assured that the resources you are deploying and maintaining meet the compliance needs dictated by your internal and external control processes?

Answers to all the preceding questions are generally required when performing audits. Gathering this information is cumbersome in traditional IT deployments, let alone in cloud environments, which are far more dynamic and subject to a far higher rate of change. AWS is aware of these audit and compliance requirements and offers a service, AWS Config, that helps you answer many of these questions in an automated and auditable way.

AWS Config is a Regional service, available in all AWS Regions, that continuously records the configuration of your supported resources as they change. It lets you evaluate those recorded configurations against your desired settings, flag resources that drift from them, and optionally trigger remediation. Because recording is enabled per account and per Region, a resource in a Region where the recorder is not running is invisible to it, so enabling AWS Config everywhere you have resources, and aggregating the results, is part of the setup rather than an afterthought.

Now that you have a basic understanding of the AWS Config service, you can go through a brief overview of its capabilities before further exploring the different components.

Capabilities of AWS Config

Within the AWS Config service, the following capabilities are presented to you:

  • You can assess the AWS resource configurations to see whether they conform to the desired settings of the account.
  • You can save the current configuration settings as a snapshot for supported resources.
  • You can retrieve the historical configuration(s) for one or multiple supported resources.
  • You gain a view of the relationships that exist between resources.
  • You can use AWS Config to detect and catalog resources being initialized in an AWS account quickly and easily.
  • You can reduce diagnostic time when trying to fix issues by comparing the last known good state to the current state and seeing what has changed.
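Several of these capabilities (retrieving a resource's history, seeing its relationships, and comparing the last known good state with the current one) can be exercised directly on the configuration items AWS Config records. The block below is an added example, not code from the study guide or from AWS: it uses two constructed configuration items for a security group in the shape `aws configservice get-resource-config-history` returns, diffs their configuration and relationships, and evaluates the current item against one assumed desired setting (no SSH open to the world). The names `HISTORY`, `diff_items`, `diff_relationships`, `evaluate_no_public_ssh` and `last_known_good` are this example's own; the `COMPLIANT`/`NON_COMPLIANT` strings are the compliance types a Config rule reports.

```python
import json
from typing import Any, Callable, Optional

# Constructed sample data: two successive configuration items for one security
# group, in the shape `aws configservice get-resource-config-history` returns
# (`configuration` is a JSON string mirroring DescribeSecurityGroups output).
# Resource IDs, timestamps and the SSH change are made up for this example.
VPC = {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0abc1234", "relationshipName": "Is contained in Vpc"}
HTTPS = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
SSH = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
HISTORY = [
    {
        "configurationItemCaptureTime": "2024-05-01T10:00:00Z",
        "configurationStateId": "1",
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "relationships": [VPC],
        "configuration": json.dumps({"groupName": "web", "description": "web tier",
                                     "ipPermissions": [HTTPS]}),
    },
    {
        "configurationItemCaptureTime": "2024-05-02T11:30:00Z",
        "configurationStateId": "2",
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "relationships": [VPC, {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0def5678",
                                "relationshipName": "Is associated with Instance"}],
        "configuration": json.dumps({"groupName": "web", "description": "web tier, ssh for debugging",
                                     "ipPermissions": [HTTPS, SSH]}),
    },
]


def parse_configuration(item: dict) -> dict:
    """`configuration` is a JSON string from the CLI/API but a dict in a Config rule's Lambda event."""
    cfg = item["configuration"]
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def flatten(obj: Any, prefix: str = "") -> dict:
    """Flatten nested JSON to {"ipPermissions[1].fromPort": 22} so two items compare key by key."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items()
                for k2, v2 in flatten(v, f"{prefix}.{k}" if prefix else k).items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj) for k2, v2 in flatten(v, f"{prefix}[{i}]").items()}
    return {prefix: obj}


def diff_items(old_item: dict, new_item: dict) -> dict:
    """What changed in the recorded configuration between two items of the same resource."""
    old, new = flatten(parse_configuration(old_item)), flatten(parse_configuration(new_item))
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def diff_relationships(old_item: dict, new_item: dict) -> dict:
    """Relationship edges (which VPC, instance or ENI the resource is tied to) gained or lost."""
    def key(r): return (r["resourceType"], r["resourceId"], r["relationshipName"])
    old = {key(r) for r in old_item.get("relationships", [])}
    new = {key(r) for r in new_item.get("relationships", [])}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def evaluate_no_public_ssh(item: dict) -> tuple:
    """Desired setting assumed for this example: no ingress to TCP/22 from 0.0.0.0/0 or ::/0.
    Returns the ComplianceType strings a Config rule would report for the resource."""
    for perm in parse_configuration(item).get("ipPermissions", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        covers_ssh = proto == "-1" or (proto == "tcp" and lo is not None and hi is not None and lo <= 22 <= hi)
        world = (any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", []))
                 or any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", [])))
        if covers_ssh and world:
            return "NON_COMPLIANT", f"{item['resourceId']} allows SSH from anywhere"
    return "COMPLIANT", f"{item['resourceId']} has no world-open SSH rule"


def last_known_good(history: list, evaluator: Callable) -> Optional[dict]:
    """Most recent item (history is oldest first) that still satisfied the desired setting."""
    for item in reversed(history):
        if evaluator(item)[0] == "COMPLIANT":
            return item
    return None


if __name__ == "__main__":
    current = HISTORY[-1]
    good = last_known_good(HISTORY, evaluate_no_public_ssh)
    print("current state:", evaluate_no_public_ssh(current))
    if good is not None and good is not current:
        print("last known good:", good["configurationItemCaptureTime"])
        print("configuration diff:", json.dumps(diff_items(good, current), indent=2))
        print("relationship diff:", diff_relationships(good, current))
```

In practice the history would come from `get-resource-config-history`, or from the configuration item delivered to a custom rule's Lambda function, where `configuration` is already a dict (which `parse_configuration` accepts). The evaluator is the kind of check a custom Config rule performs before reporting the result with `PutEvaluations`; the diff is what shortens the diagnosis when a resource that was compliant yesterday is not today.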

Having understood the basic capabilities of AWS Config, you can now proceed to the following section, which discusses the various components of AWS Config.