“AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting,” the company explained.
The system is designed to make configuration as simple and cheap as possible. One way it does so is by using no agents. “Once you enable AWS Config, you can view continuously updated details of all configuration attributes associated with AWS resources. You are notified via Amazon Simple Notification Service (SNS) of every configuration change,” the company said.
One handy aspect of the tool is that, because it tracks configuration changes, that data can be used to perform audits. In fact, you can track who made what change and from what IP address. This can be especially important for organizations that fall under compliance regulations.
Integration with CloudTrail
AWS Config is tightly integrated with AWS CloudTrail, a system that tracks user API activity. “AWS CloudTrail records user API activity on your account and allows you to access information about this activity. You get full details about API actions, such as identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs). You can use a CI to answer ‘What did my AWS resource look like?’ at a point in time. You can use AWS CloudTrail to answer ‘Who made an API call to modify this resource?’” Amazon explained.
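As an added illustration (not AWS's code and not part of the original article), the sketch below answers both questions for one resource by pairing a configuration item with the CloudTrail write calls that mention that resource shortly before the capture time. All records are constructed sample data, and the 15-minute window and the substring match on the resource ID are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data: field names follow the AWS Config configuration item
# and CloudTrail event record formats; every value is made up for this example.
CONFIG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-05-01T12:03:10Z",
}

def _event(time, name, read_only, group_id, user, ip):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    return {"eventTime": time, "eventName": name, "readOnly": read_only,
            "sourceIPAddress": ip,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
            "requestParameters": {"groupId": group_id}}

CLOUDTRAIL_EVENTS = [
    _event("2024-05-01T09:00:00Z", "RevokeSecurityGroupIngress", False,
           "sg-0123456789abcdef0", "bob", "198.51.100.7"),    # too early
    _event("2024-05-01T11:58:00Z", "DescribeSecurityGroups", True,
           "sg-0123456789abcdef0", "alice", "203.0.113.10"),  # read-only
    _event("2024-05-01T12:01:45Z", "AuthorizeSecurityGroupIngress", False,
           "sg-0123456789abcdef0", "alice", "203.0.113.10"),  # the change
    _event("2024-05-01T12:02:30Z", "AuthorizeSecurityGroupIngress", False,
           "sg-0fedcba9876543210", "bob", "198.51.100.7"),    # other resource
]

def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in both record types."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def who_changed(ci, events, window=timedelta(minutes=15)):
    """Return write calls that mention the CI's resource within `window` before capture."""
    captured = parse_ts(ci["configurationItemCaptureTime"])
    hits = []
    for ev in events:
        if ev.get("readOnly", False):
            continue  # read-only calls cannot change configuration
        if not captured - window <= parse_ts(ev["eventTime"]) <= captured:
            continue  # outside the window that precedes the recorded state
        # Heuristic: the resource ID appears somewhere in the request parameters.
        if ci["resourceId"] not in json.dumps(ev.get("requestParameters") or {}):
            continue
        hits.append({"who": ev["userIdentity"].get("arn", "unknown"),
                     "ip": ev.get("sourceIPAddress"),
                     "action": ev["eventName"], "time": ev["eventTime"]})
    return sorted(hits, key=lambda h: h["time"])
```

Calling `who_changed(CONFIG_ITEM, CLOUDTRAIL_EVENTS)` returns the single write call made by `alice` from `203.0.113.10`; a wider window or a looser match trades missed changes for more candidates to review.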
AWS Config has a broad reach, and can collect configuration data from multiple accounts.