Audit AWS Resources Using AWS Config
In my previous blog, I explained how you can set up a monitoring system for tracking IAM user activity and API usage in AWS services. Check here.
In this guide, we will learn how to set up an auditing system for AWS resources using AWS Config.
What Is AWS Config?
Public cloud providers such as AWS offer a variety of features such as high availability, scaling, serverless and much more.
But the most important thing is to ensure that the services we use are secure enough; that is where AWS Config comes in.
AWS Config is used for assessing, auditing and monitoring configuration changes in the AWS cloud.
It gives a detailed view of the configuration of AWS resources such as EBS, EC2, VPC, security groups and so on.
What Can AWS Config Do?
- It provides the configurations of one or more services in the AWS account.
- It helps us evaluate AWS resource configurations against desired settings.
- It provides a backup of the current settings applied to AWS resources.
- It provides historical configurations of one or more resources.
- It sends out a notification whenever a change happens, such as a create, delete or modify.
- It provides information about the relationships between AWS services.
Different Ways To Use AWS Config
- Resource Administration
- Managing and troubleshooting configuration changes
- Auditing and Compliance
- Security Analysis
How Does AWS Config Work?
When AWS Config is enabled for the first time, it scans all the supported existing AWS resources and creates a configuration item for each resource.
When an existing resource changes or a new resource is created, AWS Config records that as well and maintains a history of the configuration items.
We can either allow AWS Config to create configuration items for all the supported AWS resources, or enable it only for particular AWS services.
Setting Up AWS Config Using Console
To set up AWS Config, log in to the AWS Config console and then click Get started.
List of supported resource types: API Gateway, CloudWatch, CloudFront, DynamoDB, EBS, EC2, Elasticsearch, Redshift, RDS, Quantum Ledger Database, S3, SQS, SNS, VPC, Auto Scaling, ACM, CloudFormation, CloudTrail, CodeBuild, CodePipeline, Elastic Beanstalk, IAM, KMS, Lambda, Secrets Manager, Shield, Service Catalog, Systems Manager, WAF, X-Ray and Elastic Load Balancing.
Under Settings, you can enable AWS Config to record configurations for all the supported AWS resources, or enable it only for particular AWS resources.
To enable it for all resources, choose All resources; to track global services such as IAM, enable that option as well.
I would suggest enabling IAM to keep track of changes to IAM users, groups, roles and policies.

To enable it for particular resources, under Specific types, select the services.

You can select multiple AWS services.

Under Amazon S3 bucket, the S3 bucket will be used to store the snapshot of all the configuration items and the configuration history recorded by AWS Config.
You can create a bucket here on the go, or you can use an existing S3 bucket. Check here for more detail.
You can also store the AWS Config snapshot in an S3 bucket in another AWS account, but make sure that bucket grants AWS Config permission to store the configuration items.
We can also use a folder / prefix within the bucket to store the configs.

Under Amazon SNS Topic, we can use an SNS topic to alert us in the following cases: configuration history delivery, compliance and configuration snapshot delivery.
You can use an existing topic or create an SNS topic with a subscriber in your account.
We can also choose an SNS topic from another AWS account, but make sure the SNS topic has granted permission to AWS Config.
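The two cross-account notes above (the S3 bucket and the SNS topic must grant permission to AWS Config) come down to resource policies. As an added example that is not part of the original post, the Python below builds the bucket policy and topic policy in the statement layout AWS documents for a Config delivery channel, and includes a small audit helper that flags grants to config.amazonaws.com that lack the AWS:SourceAccount condition; the bucket name, prefix and account IDs are constructed values.

```python
CONFIG_SERVICE = "config.amazonaws.com"

def _allow(sid, action, resource, source_account, extra=None):
    """One Allow statement for the AWS Config service principal, pinned with
    AWS:SourceAccount so that a shared bucket or topic only accepts deliveries
    from the account whose Config recorder we actually set up."""
    condition = {"AWS:SourceAccount": source_account, **(extra or {})}
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": action, "Resource": resource,
            "Condition": {"StringEquals": condition}}

def config_bucket_policy(bucket, source_account, prefix=None):
    """Bucket policy for a Config delivery channel, in the three-statement layout
    AWS documents: Config may read the bucket ACL, list the bucket, and write
    objects only under <prefix>/AWSLogs/<source_account>/Config/."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    objects = f"{bucket_arn}/{key_prefix}AWSLogs/{source_account}/Config/*"
    return {"Version": "2012-10-17", "Statement": [
        _allow("AWSConfigBucketPermissionsCheck", "s3:GetBucketAcl", bucket_arn, source_account),
        _allow("AWSConfigBucketExistenceCheck", "s3:ListBucket", bucket_arn, source_account),
        _allow("AWSConfigBucketDelivery", "s3:PutObject", objects, source_account,
               {"s3:x-amz-acl": "bucket-owner-full-control"})]}

def config_topic_policy(topic_arn, source_account):
    """Topic policy letting Config in source_account publish delivery and compliance notifications."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("AWSConfigSNSPolicy", "SNS:Publish", topic_arn, source_account)]}

def unpinned_config_grants(policy):
    """Audit helper: Sids of Allow statements for config.amazonaws.com that carry no
    AWS:SourceAccount condition, i.e. grants that Config in any account could use."""
    loose = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or CONFIG_SERVICE not in services:
            continue
        keys = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "aws:sourceaccount" for k in keys):
            loose.append(stmt.get("Sid", "<no Sid>"))
    return loose

# Constructed example: a central logging bucket in a second account receives
# Config data from account 111111111111 under the "config" prefix.
EXAMPLE_BUCKET_POLICY = config_bucket_policy("example-config-logs", "111111111111", "config")
```

Run `unpinned_config_grants` over the policy already attached to a shared bucket or topic before pointing the delivery channel at it; an empty result means every Config grant is pinned to a source account.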

Under AWS Config role, we need to grant AWS Config read-only permission for all the supported AWS services.
We should also grant it permission to put configuration items into S3, and SNS access to send notifications.
We can use the existing service-linked role already created by AWS, or we can create a role and assign it to AWS Config.

Then click Next.
For AWS Config rules, we can apply one or more existing rules against the AWS resources.
We can either apply the existing rules while creating AWS Config, or apply them after AWS Config is created.
We can also create our own custom rules and apply them.
Selected rules will be highlighted.

Then click Next.
Review the settings of AWS Config and then click Confirm.
It will take some time to set up AWS Config.

Once AWS Config is created, from the Dashboard, click Status.
You will get the status of the configurations.

Configuration Snapshot: the collection of configuration items for the supported AWS resources that exist in your account.
Configuration History: a collection of configuration items over a given period of time for the provided AWS resources.
Configuration Stream: an automatically updated list of all the configuration items for the resources that AWS Config is recording.
This is how the AWS Config dashboard represents all the details.

It will take some time to discover all the resources.
Conclusion
We have successfully implemented an auditing system for AWS resources using AWS Config.
Hope you find it helpful. Please check out my other publications.