Config

Priority Tier 4

AWS Config is a service that assesses, audits, and evaluates the configurations of your AWS resources, tracks changes, and assesses compliance against desired configurations. It is crucial for enforcing rules and tracking security policies.

AWS Config Overview

AWS Config is a key service for maintaining configuration compliance and security posture across your AWS environment.

AWS Config is a service that assesses, audits, and evaluates the configurations of your AWS resources. It tracks configuration changes and assesses compliance against desired configurations. Its purpose is to check the compliance status of resources using rules, acting as a 'one-stop shop' for what has changed.

Features and Capabilities

AWS Config offers several features to help manage and maintain the security and compliance of your AWS resources.

Configuration Assessment and Auditing

AWS Config assesses, audits, and evaluates the configurations of your AWS resources. It tracks configuration changes and assesses compliance against desired configurations. This includes identifying changes to resource settings.
Use Cases:
  • Identifying untagged resources
  • Checking volume encryption
  • Checking security group rule permissiveness

Compliance Monitoring and Remediation

AWS Config checks the compliance status of resources using rules. When issues are detected, it can trigger remediation actions automatically by using automation documents (e.g., triggered by AWS Lambda functions). It also acts as a 'one-stop shop' for what has changed.
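To make the rule idea concrete, the following added example (not AWS's own rule code and not part of the original guide) evaluates the three use cases listed above, untagged resources, volume encryption and security group permissiveness, against configuration items offline. The tag policy, the admin port set, the resource IDs and the simplified item layout are all assumptions constructed for illustration.

```python
import ipaddress

REQUIRED_TAGS = {"Owner", "Environment"}  # assumption: example tagging policy
ADMIN_PORTS = {22, 3389}                  # assumption: ports that must not be world-open

def world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers_admin_port(perm):
    """True when the rule's protocol and port range include an admin port."""
    if perm.get("ipProtocol") == "-1":    # all protocols, all ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and any(lo <= p <= hi for p in ADMIN_PORTS)

def evaluate(item):
    """Return (compliance, findings) for one configuration item."""
    cfg = item.get("configuration", {})
    findings = []
    missing = REQUIRED_TAGS - set(item.get("tags", {}))
    if missing:
        findings.append("missing tags: " + ", ".join(sorted(missing)))
    if item["resourceType"] == "AWS::EC2::Volume" and not cfg.get("encrypted"):
        findings.append("volume is not encrypted")
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        for perm in cfg.get("ipPermissions", []):
            cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
            cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
            if covers_admin_port(perm) and any(world_open(c) for c in cidrs):
                findings.append("admin port reachable from any address")
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings

TAGS = {"Owner": "platform", "Environment": "prod"}
# Constructed sample items; field layout simplified from Config's item format.
SAMPLE_ITEMS = [
    {"resourceId": "vol-example1", "resourceType": "AWS::EC2::Volume",
     "tags": TAGS, "configuration": {"encrypted": True}},
    {"resourceId": "vol-example2", "resourceType": "AWS::EC2::Volume",
     "tags": {"Owner": "platform"}, "configuration": {"encrypted": False}},
    {"resourceId": "sg-example1", "resourceType": "AWS::EC2::SecurityGroup",
     "tags": TAGS, "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}},
    {"resourceId": "sg-example2", "resourceType": "AWS::EC2::SecurityGroup",
     "tags": TAGS, "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}},
]

if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        print(it["resourceId"], *evaluate(it))
```

The third sample item shows why a permissiveness check must test port ranges rather than exact ports: a rule for ports 0 to 1024 exposes SSH even though port 22 is never named.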

Security Policy Enforcement

AWS Config is utilized to automate security best practices by enforcing rules and tracking security policies. This ensures that resources adhere to defined security standards.

IAM Integration for AWS Config

To manage and monitor resources effectively, AWS Config requires appropriate IAM permissions for users and services.

When configuring a non-admin IAM user and group for AWS Systems Manager in a hybrid environment, the group's policies must include 'AWS Config user access'. This grants the necessary permissions for the user to interact with AWS Config.

Glossary

AWS Config
A service that assesses, audits, and evaluates the configurations of your AWS resources. It tracks configuration changes and assesses compliance against desired configurations, and can trigger remediation actions.
