AWS Config のアイコン

AWS Config Popular2014年〜

A service that records and evaluates AWS resource configuration changes and continuously monitors compliance

About 3 min read

What It Does

AWS Config is a service that continuously records the configuration of AWS resources and tracks the history of configuration changes. You can see "when, who, and what was changed" in chronological order, and it automatically evaluates whether resource configurations comply with security policies and compliance standards using rules. When resources that violate rules are detected, it can trigger notifications or automatic remediation actions.

Use Cases

Config is used to continuously monitor compliance with security policies such as "Are all S3 buckets blocking public access?" and "Are all EBS volumes encrypted?" It is also used for compliance audits where you need to submit "the history of security group changes over the past 6 months," and for detecting unintended configuration changes and triggering alerts.

Everyday Analogy

Think of it like a building safety inspection. An inspector (Config) patrols the building (AWS environment) and checks items like fire extinguisher placement, emergency exit availability, and electrical equipment status against a checklist (Config rules). Any areas that don't meet standards are reported with recommendations for improvement. Additionally, past inspection records are kept on file, so you can look back and see when something changed.

What Is Config?

AWS Config is a service that continuously records and evaluates the configuration of AWS resources. It automatically records the settings of resources such as EC2 instances, security groups, S3 buckets, and IAM policies. A snapshot is saved each time a resource's configuration changes, allowing you to review the configuration state at any point in time.

Compliance Evaluation with Config Rules

Config rules are a mechanism that automatically evaluates whether resource configurations meet specific conditions. With over 300 AWS-provided managed rules, you can start evaluating immediately with no setup. Examples include rules like "Is public access blocked on S3 buckets?" and "Do EC2 instances have specific tags?" When custom evaluation logic is needed, you can create custom rules using Lambda functions.

Automatic Remediation and Notifications

When resources that violate Config rules are detected, you can configure automatic remediation actions. For example, when an unencrypted EBS volume is detected, you can automatically run an SSM Automation document to enable encryption. You can also send notifications to an SNS topic to alert administrators. This enables rapid detection and correction of deviations from security policies. For practical tips on using automatic remediation and notifications, tech books on Amazon also cover this topic.

Getting Started

To get started with Config, run the setup wizard in the Config console. Select the resource types to record and specify an S3 bucket for storing configuration history. Then select and enable the Config rules you want to evaluate. Simply choosing managed rules that match your security policies starts continuous compliance monitoring.

Things to Watch Out For

  • Config is billed based on the number of recorded resources and Config rule evaluations. Optimize costs by limiting recording to the resource types you need
  • Config rule evaluation results are binary: "compliant" or "non-compliant." To identify the cause of non-compliance, you need to examine the resource's configuration details
  • Config can be integrated with AWS Organizations to centrally manage Config rules across the organization. In multi-account environments, use aggregators to consolidate compliance status from all accounts
共有するXB!

Related Services

AWS CloudTrail iconAWS CloudTrailA service that records and monitors API activity in your AWS accountAWS Security Hub iconAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practicesAWS Systems Manager iconAWS Systems ManagerAn operations management service for centrally managing AWS resources and on-premises serversAWS Organizations iconAWS OrganizationsA service for centrally managing multiple AWS accounts

Related Articles

Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.

More in This Category

AWS AppFabric iconAWS AppFabric NewA service that standardizes and aggregates audit logs from SaaS applicationsAWS AppConfig iconAWS AppConfig SpecializedA service for safely deploying and managing application configurationAWS Chatbot iconAWS Chatbot SpecializedAn interactive agent that delivers AWS notifications and enables resource operations through Slack and Microsoft TeamsAWS CloudFormation iconAWS CloudFormation EssentialAn IaC service that defines and provisions AWS resources as code using templatesAWS CloudTrail iconAWS CloudTrail EssentialA service that records and monitors API activity in your AWS accountAmazon CloudWatch iconAmazon CloudWatch EssentialA service that provides monitoring, log management, and alarms for AWS resources and applicationsAWS Control Tower iconAWS Control Tower PopularA service that automates multi-account environment setup and governanceAmazon CloudWatch RUM iconAmazon CloudWatch RUM NewA real user monitoring service that collects client-side performance and error data from web applications

Similar Articles and Services

AWS ConfigA service that continuously records and evaluates AWS resource configuration changes, enabling automated compliance auditing and configuration history tracking based on defined rulesContinuous Compliance Monitoring with AWS Config - Rule Evaluation and Auto-RemediationLearn how to record resource configurations with AWS Config, evaluate compliance using Config rules, and set up auto-remediation actions.AWS Incident Response Toolchain - An Integrated Investigation Platform from CloudTrail to Security HubExplore the AWS incident response toolchain combining CloudTrail, Config, Detective, and Security Hub, and compare the investigation approach with Azure Sentinel.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.