AWS Config

A service that continuously records and evaluates AWS resource configuration changes, enabling automated compliance auditing and configuration history tracking based on defined rules

Overview

AWS Config is a service that continuously records the configuration of AWS resources and automatically evaluates their compliance against defined rules. It tracks configuration changes across over 300 resource types including EC2 instances, security groups, S3 buckets, and IAM policies. A configuration item is recorded each time a change occurs, allowing you to review a resource's configuration at any point in time. Using AWS-provided managed rules (over 350) and custom rules implemented with Lambda, you can automatically evaluate compliance with your organization's security policies and regulatory requirements.

Configuration Recording and Change History

When Config is enabled, a Configuration Item (CI) is recorded each time a configuration change occurs on a monitored resource. A CI includes the resource type, ID, configuration details, related resources, and the timestamp of the change. This history lets you instantly answer questions like "When and who changed this security group rule?" or "When was encryption enabled on this S3 bucket?" Config's advanced query feature lets you search current resource configurations across your environment using SQL-like syntax. For example, you can instantly retrieve a list of S3 buckets with encryption disabled or security groups allowing public access. Configuration history is delivered to an S3 bucket for long-term storage and analysis with Athena.
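As an added example (not code from this article or from AWS), the script below shows how the "when did this change?" question is answered from a resource's Configuration Item history. The two CIs are constructed to mimic the shape Config records for a security group (resourceType, resourceId, configurationItemCaptureTime, configuration); real CIs carry more fields, such as accountId, relationships and tags. It diffs consecutive CIs field by field and then flags the capture times at which an inbound rule open to the whole internet was introduced.

```python
"""Answer "when did this security group's rules change?" from its CI history.

Added example for this article (not AWS's own code). The two Configuration
Items below are constructed to mimic the shape AWS Config records for a
security group; real CIs carry more fields (accountId, relationships, tags).
"""
from typing import Any

# Constructed history: the same security group captured twice. Between the
# captures an inbound rule allowing SSH (tcp/22) from anywhere was added.
SG_HISTORY = [
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
        "configuration": {
            "groupName": "web",
            "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
            ],
        },
    },
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-05-03T14:30:00.000Z",
        "configuration": {
            "groupName": "web",
            "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
            ],
        },
    },
]

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def flatten(value: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into dotted paths (e.g. ipPermissions[1].ipRanges[0].cidrIp)
    so two configurations can be compared field by field."""
    out: dict[str, Any] = {}
    if isinstance(value, dict):
        for key, item in value.items():
            out.update(flatten(item, f"{prefix}.{key}" if prefix else key))
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            out.update(flatten(item, f"{prefix}[{idx}]"))
    else:
        out[prefix] = value
    return out


def diff_history(history: list[dict]) -> list[tuple[str, str, Any, Any]]:
    """Compare consecutive CIs (oldest first) and return
    (capture_time, field_path, old_value, new_value) for every field that changed."""
    ordered = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    changes = []
    for prev, curr in zip(ordered, ordered[1:]):
        before = flatten(prev["configuration"])
        after = flatten(curr["configuration"])
        for path in sorted(before.keys() | after.keys()):
            if before.get(path) != after.get(path):
                changes.append((curr["configurationItemCaptureTime"], path,
                                before.get(path), after.get(path)))
    return changes


def public_ingress_added(history: list[dict]) -> list[str]:
    """Capture times at which a change introduced an inbound rule open to the whole internet."""
    return sorted({when for when, path, _old, new in diff_history(history)
                   if path.endswith(("cidrIp", "cidrIpv6")) and new in PUBLIC_CIDRS})


if __name__ == "__main__":
    for when, path, old, new in diff_history(SG_HISTORY):
        print(f"{when}  {path}: {old!r} -> {new!r}")
    print("public ingress introduced at:", public_ingress_added(SG_HISTORY))
```

The "who" half of the question is not in the CI itself: Config shows the related CloudTrail events for a change, so a real investigation joins the capture time above against CloudTrail. The history is sorted before diffing because the S3-delivered history files are not guaranteed to arrive in order.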

Compliance Rules and Auto-Remediation

Config rules automatically evaluate whether resource configurations comply with defined conditions. Examples of managed rules include s3-bucket-server-side-encryption-enabled (checks if S3 bucket encryption is enabled), ec2-instance-no-public-ip (checks if EC2 instances have no public IP), and iam-password-policy (checks if the IAM password policy meets requirements). When non-compliant resources are detected, you can configure auto-remediation actions. Remediation actions are defined as Systems Manager Automation runbooks that automatically bring non-compliant resources into compliance. For example, if an S3 bucket with encryption disabled is detected, a remediation action can automatically enable encryption. The corresponding Azure service is Azure Policy, which similarly evaluates resource configuration compliance and executes auto-remediation.
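The following is an added example of a custom rule implemented with Lambda, written for this article; it is not AWS's managed s3-bucket-server-side-encryption-enabled rule. It assumes that the CI for an AWS::S3::Bucket exposes the bucket's default encryption under supplementaryConfiguration.ServerSideEncryptionConfiguration (the sample CIs are constructed with that shape), and the RequiredAlgorithm rule parameter is hypothetical. The handler parses the invokingEvent Config sends, evaluates the CI, and reports the result with put_evaluations; a dry-run client stands in for boto3 so the block runs offline.

```python
"""Custom AWS Config rule (Lambda) that checks S3 bucket default encryption.

Added example for this article, not AWS's managed rule. Assumes the bucket CI
exposes encryption settings under
supplementaryConfiguration.ServerSideEncryptionConfiguration (sample CIs below
are constructed with that shape). RequiredAlgorithm is a hypothetical rule
parameter used to demand a specific algorithm such as "aws:kms".
"""
import json
from typing import Any, Optional

# Constructed sample CIs, as they would arrive inside the rule's invokingEvent.
ENCRYPTED_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-encrypted-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-05-03T14:30:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {
            "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]
        }
    },
}
UNENCRYPTED_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-plain-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-05-03T14:31:00.000Z",
    "supplementaryConfiguration": {},
}


def evaluate_bucket(ci: dict, params: dict) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "bucket was deleted"
    sse = (ci.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration") or {}
    algorithms = [rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                  for rule in sse.get("rules", [])]
    algorithms = [a for a in algorithms if a]
    if not algorithms:
        return "NON_COMPLIANT", "no default server-side encryption configured"
    required = params.get("RequiredAlgorithm")  # hypothetical rule parameter
    if required and required not in algorithms:
        return "NON_COMPLIANT", f"default encryption is {', '.join(algorithms)}, rule requires {required}"
    return "COMPLIANT", f"default encryption: {', '.join(algorithms)}"


class DryRunConfigClient:
    """Stand-in for boto3's Config client that records put_evaluations calls (local testing only)."""

    def __init__(self) -> None:
        self.calls: list[dict[str, Any]] = []

    def put_evaluations(self, **kwargs: Any) -> dict[str, Any]:
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event: dict, context: Any, config_client: Any = None) -> dict:
    """Entry point Config invokes; config_client is only overridden for local runs."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized and scheduled notifications carry no inline CI; fetching it
        # with get_resource_config_history is left out of this example.
        raise ValueError(f"unsupported messageType: {invoking.get('messageType')}")
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_bucket(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations longer than 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # present in the Lambda runtime; not needed for the dry run
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(ci: dict, rule_parameters: Optional[dict] = None) -> dict:
    """Build the event shape Config sends to a custom rule Lambda (constructed, for local runs)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": ci,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "dry-run-token",
    }


if __name__ == "__main__":
    client = DryRunConfigClient()
    for sample in (ENCRYPTED_BUCKET_CI, UNENCRYPTED_BUCKET_CI):
        result = lambda_handler(make_event(sample, {"RequiredAlgorithm": "aws:kms"}), None, client)
        print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
```

Returning NOT_APPLICABLE for deleted resources and for other resource types matters in practice: a rule that reports NON_COMPLIANT for a bucket that no longer exists leaves a stale finding, and an auto-remediation runbook attached to the rule would then try to act on it.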

Practical Usage Patterns

Config serves as the foundation for security auditing and compliance evidence. Regulatory requirements such as PCI DSS, HIPAA, and SOC 2 mandate tracking resource configuration changes and continuous compliance with security policies. Config's Conformance Packs are templates that bundle rule sets aligned with specific regulatory frameworks. Integration with Organizations lets you apply uniform Config rules across all accounts in your organization and manage compliance status from a centralized aggregated view. Config pricing is based on the number of Configuration Items recorded. In environments with many resources, costs can increase, so it is recommended to limit recording to only the resource types you need. To learn Config from basics to advanced topics, books (Amazon) offer a structured learning path.
