In my previous blog, I explained how you can set up a monitoring system for tracking IAM user activity and API usage across AWS services. Check here.
In this guide, we will learn how to set up an auditing system for AWS resources using AWS Config.
What is AWS Config?
Public cloud providers such as AWS offer a variety of features such as high availability, scaling, serverless and much more.
But the most important thing is to ensure that the services we use are secure enough, and that is where AWS Config comes in.
AWS Config is used for assessing, auditing and monitoring configuration changes in the AWS cloud.
It gives a detailed view of the configuration of AWS resources such as EBS, EC2, VPC, security groups and so on.
What can AWS Config do?
It provides the configurations of one or more services in the AWS account.
Helps us evaluate AWS resource configurations against desired settings.
Provides a backup of the current settings applied to AWS resources.
Provides historical configurations of one or more resources.
Sends out a notification whenever a change happens, such as a create, delete or modify.
Provides information about the relationships between AWS resources.
Different Ways to Use AWS Config
Resource Administration
Managing and troubleshooting configuration changes
Auditing and Compliance
Security Analysis
How Does AWS Config Work?
When AWS Config is enabled for the first time, it scans all supported existing AWS resources and creates a configuration item for each resource.
When an existing resource changes or a new resource is created, AWS Config records that too and maintains a history of the configuration items.
We can either allow AWS Config to create configuration items for all supported AWS resources, or enable it only for particular AWS services.
Setting Up AWS Config using the Console
To set up AWS Config, log in to the AWS Config console and then click Get started.
List of supported resource types: API Gateway, CloudWatch, CloudFront, DynamoDB, EBS, EC2, Elasticsearch, Redshift, RDS, Quantum Ledger Database, S3, SQS, SNS, VPC, Auto Scaling, ACM, CloudFormation, CloudTrail, CodeBuild, CodePipeline, Elastic Beanstalk, IAM, KMS, Lambda, Secrets Manager, Shield, Service Catalog, Systems Manager, WAF, X-Ray and Elastic Load Balancing.
Under Settings, you can enable AWS Config to record configurations for all supported AWS resources, or only for particular AWS resources.
To enable it for all resources, choose All resources; to also track global services such as IAM, enable that option.
I would suggest enabling IAM so that you keep track of changes to IAM users, groups, roles and policies.
To enable it for particular resources, select the services under Specific types.
You can select multiple AWS services.
Under Amazon S3 bucket, the S3 bucket will be used to store the snapshots of all configuration items and the configuration history recorded by AWS Config.
You can create a bucket here on the go, or you can use an existing S3 bucket. Check here for more detail.
You can also store the AWS Config snapshots in an S3 bucket that belongs to another AWS account, but make sure AWS Config is given permission to store the configuration items there.
We can also use a folder (prefix) within the bucket to store the configuration files.
Under Amazon SNS topic, we can use an SNS topic to alert us in cases such as configuration history delivery, compliance changes and configuration snapshot delivery.
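The same three settings (recording group, S3 delivery channel with optional prefix and SNS topic, and the bucket permission AWS Config needs) expressed as plain API payloads, as an added example that is not part of the original post. The account id, bucket name and SNS topic ARN are constructed placeholders; the policy statement names and conditions follow the AWS Config bucket policy documentation.

```python
# Placeholder values, constructed for this example; not real account or bucket names.
ACCOUNT_ID = "111122223333"
BUCKET = "my-config-bucket"


def recording_group(resource_types=None, include_global=True):
    """Recording group for put-configuration-recorder: None means the console's
    "All resources" choice (with the IAM/global toggle), a list such as
    ["AWS::IAM::User"] means "Specific types"."""
    if resource_types:
        return {"allSupported": False, "includeGlobalResourceTypes": False,
                "resourceTypes": list(resource_types)}
    return {"allSupported": True, "includeGlobalResourceTypes": include_global}


def delivery_channel(bucket, prefix=None, sns_topic_arn=None, frequency="Six_Hours"):
    """Delivery channel for put-delivery-channel: bucket, optional folder prefix,
    optional SNS topic for delivery and compliance notifications."""
    channel = {"name": "default", "s3BucketName": bucket,
               "configSnapshotDeliveryProperties": {"deliveryFrequency": frequency}}
    if prefix:
        channel["s3KeyPrefix"] = prefix.strip("/")
    if sns_topic_arn:
        channel["snsTopicARN"] = sns_topic_arn
    return channel


def config_bucket_policy(bucket, source_account, prefix=None):
    """Bucket policy letting AWS Config in source_account deliver to the bucket
    (also what a bucket in another account needs). Writes are confined to the
    AWSLogs/<account>/Config/ path and must grant the bucket owner full control;
    the SourceAccount condition keeps other accounts' Config out."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"Service": "config.amazonaws.com"}
    from_source = {"StringEquals": {"AWS:SourceAccount": source_account}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketAcl", "Resource": bucket_arn, "Condition": from_source},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": bucket_arn, "Condition": from_source},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow", "Principal": principal,
         "Action": "s3:PutObject",
         "Resource": f"{bucket_arn}/{key_prefix}AWSLogs/{source_account}/Config/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "AWS:SourceAccount": source_account}}}]}
```

The recording group and delivery channel dicts are the JSON that `aws configservice put-configuration-recorder` and `put-delivery-channel` accept via `file://`, and the policy goes to `aws s3api put-bucket-policy` before `start-configuration-recorder` is run. For a bucket in another account, apply the policy in the bucket owner's account with the recording account as `source_account`.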