AWS Cloud Operations Blog

Unlock the Power of AWS Config: Centralized Compliance and Resource Management

In this post, we will highlight how AWS Config can be used to help organizations implement capabilities related to management and governance, security, and more. Have you ever wondered how to maintain a centralized inventory of resources across your AWS accounts? Do you need to quickly identify the unencrypted resources in your AWS environment? Do you need to view the historical changes made to your resources and automatically assess if they are compliant or not? Whether for centralized compliance, security, or comprehensive resource management, having complete visibility into your cloud environment is crucial and AWS Config can help accomplish this. The value of AWS Config extends beyond monitoring, as numerous AWS services including AWS Control Tower, AWS Security Hub, AWS Audit Manager, and others leverage AWS Config data to enhance their functionality.

AWS Config is a fully managed service that lets you inventory your resources and track the changes made to them. It provides a detailed set of configuration information for these resources, enabling you to address a variety of business objectives:

  • Gain Visibility
    • Leverage AWS Config to discover resources within your AWS environment or third-party resources whose configuration data can be published into AWS Config.
  • Centralized Audit and Compliance
    • Use AWS Config to continuously evaluate AWS resource adherence to compliance standards (e.g. SOC, PCI, FedRAMP) as well as track any deviations over time. You can use AWS Config to automatically remediate any non-compliant resources as a part of a resource management solution.
  • Cost Optimization
    • Address cost optimization opportunities by using AWS Config to track resource configurations with undesired cost implications.
  • Security Intelligence
    • Build controls to uncover vulnerable resource configurations with AWS Config as well as look back at past resource configurations to determine security posture at a specific point in time.
  • Enabling Partner Solutions
    • Use output from AWS Config to integrate with numerous third-party solutions. For example, populating a third-party configuration management database (CMDB) such as ServiceNow with tools like the AWS Service Management Connector.

To highlight the ways AWS Config can address various customer needs, we’ll look at a few use cases and how AWS Config can assist.

How does AWS Config work

The first step in cloud management and governance is understanding what’s running in your environment. As teams run workloads on AWS, they consume resources, and as the needs (and number) of these workloads grow, so does the need to keep track of them. The AWS Config configuration recorder provides this inventorying capability: once started, it captures the state of the supported resources in your AWS accounts and, whenever it detects a change, generates a configuration item (CI), a point-in-time view of that resource’s configuration. A sample configuration item is shown in Figure 1. The wealth of information in this snapshot is a key reason several other AWS services build on the data produced by AWS Config.

Customers can flexibly manage the AWS Config recorder, including excluding specific resource types and adjusting the recording frequency (continuous or daily), which is useful for bursty workloads or ephemeral resources.

Note: Collaborate with the appropriate stakeholders, such as security teams, on resource exclusion and recording frequency so that compliance requirements are still met. Also consider any downstream dependencies: AWS services and partner offerings that consume AWS Config data will not see resources you exclude or changes that fall between daily recordings.

Figure 1: Example configuration item for an Amazon EBS volume (image not reproduced)

This configuration item highlights key configuration information such as resource relationships (this volume is attached to an EC2 instance) and potential risks (the volume is currently unencrypted).

Deploying the Right Controls

AWS Config provides compliance evaluations for resource management. Imagine a customer needs to adhere to the NIST 800-53 compliance standard. This framework defines controls that the customer must meet to demonstrate compliance (see the NIST Control Catalog if interested). AWS Config offers multiple implementation options to evaluate resources across accounts and teams, with varying degrees of flexibility.

The first option is AWS Config rules. A rule describes the desired configuration settings for a set of AWS resources; AWS Config compares the current state of your resources against the rule and flags any that are non-compliant. AWS Config offers pre-built AWS managed rules as well as the ability to create custom rules. Teams can bundle multiple rules and their remediation actions into a single deployable entity called a conformance pack for efficient multi-account deployment. Instead of managing individual rules, customers can start from the pre-built Operational Best Practices for NIST 800-53 conformance pack, which can be customized and deployed organization-wide for centralized compliance management.

Rules and conformance packs can be deployed via the AWS Management Console, AWS CloudFormation, the AWS Config APIs, or Systems Manager Quick Setup. Custom rules can be authored either as AWS Lambda functions, which receive the configuration item and report an evaluation back to AWS Config, or as custom policy rules written in AWS CloudFormation Guard.
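As an added example (not code from the original post), the following is the evaluation logic of a configuration-change-triggered custom Lambda rule that flags the risk called out in Figure 1, an unencrypted EBS volume. The event shape is the one AWS Config passes to custom Lambda rules (`invokingEvent` is a JSON string carrying the configuration item); the volume and instance IDs, the sample event, and the `TESTMODE` result token are constructed for this example. The two checks a first version usually forgets are included: a deleted resource and a resource that has left the rule’s scope must be reported `NOT_APPLICABLE`, or the rule keeps a stale `NON_COMPLIANT` result forever.

```python
"""Custom AWS Config rule (Lambda) that flags unencrypted Amazon EBS volumes.

Added example; not code from the original post. AWS Config invokes a
configuration-change-triggered custom rule with an event whose
``invokingEvent`` is a JSON string carrying the configuration item (CI),
and the function reports results back with PutEvaluations. The resource
IDs and the sample event below are constructed for this example.
"""
import json
from typing import Any

DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_volume(ci: dict[str, Any]) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item.

    A deleted resource must be reported NOT_APPLICABLE; otherwise the rule
    keeps a stale NON_COMPLIANT result for a volume that no longer exists.
    """
    if ci.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource was deleted"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::Volume"
    configuration = ci.get("configuration") or {}
    if configuration.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "Volume is not encrypted at rest"


def build_evaluation(event: dict[str, Any]) -> dict[str, Any]:
    """Turn a Config rule invocation into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    message_type = invoking_event.get("messageType")
    if message_type != "ConfigurationItemChangeNotification":
        # Oversized CIs (and scheduled invocations) do not carry the CI inline;
        # they must be fetched with GetResourceConfigHistory, which this
        # example deliberately does not do.
        raise ValueError(f"unsupported messageType: {message_type}")
    ci = invoking_event["configurationItem"]
    if event.get("eventLeftScope"):
        # The resource left the rule's scope (for example its tags changed);
        # it must no longer count against compliance.
        compliance, annotation = "NOT_APPLICABLE", "Resource left rule scope"
    else:
        compliance, annotation = evaluate_volume(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict[str, Any], context: Any) -> dict[str, Any]:
    """Lambda entry point: evaluate the CI and report it to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported lazily so the evaluation logic is testable offline

    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation, shaped like a real Config rule event.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8, "state": "in-use"},
            "relationships": [{
                "resourceType": "AWS::EC2::Instance",
                "resourceId": "i-0123456789abcdef0",
                "name": "Is attached to Instance",
            }],
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "TESTMODE",
    "eventLeftScope": False,
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The pure `evaluate_volume`/`build_evaluation` split keeps the compliance decision testable without AWS credentials; only `lambda_handler` touches the API. The Lambda’s execution role needs `config:PutEvaluations`, and the function’s resource policy must allow `config.amazonaws.com` to invoke it, otherwise evaluations silently never arrive.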

The second option is the security standards in AWS Security Hub. These standards are curated collections of controls that check your AWS resources against best practices, and under the hood they use AWS Config rules to perform the evaluations, so they are a streamlined way to get started. If the compliance standard you need is already present in Security Hub, the fully managed Security Hub standard is the easiest path, but it offers far less room for customization than rules you deploy yourself. If customization is needed, deploying AWS Config rules and conformance packs directly in AWS Config is the recommended approach.

Note: If enabling AWS Config and Security Hub, ensure there aren’t duplicate controls deployed between Security Hub standards and Config conformance packs or rules to reduce unnecessary costs.

AWS Config can also remediate non-compliant resources automatically to maintain your security posture. A rule’s configuration can include manual or automatic remediation, and automating the workflow reduces the time to remediate non-compliance. It is helpful to gain visibility before taking corrective action: set up notification or ticketing for non-compliant findings first, confirm the rule is not producing false positives, and only then enable automatic remediation. Once ready, see the blog post on remediating non-compliant AWS Config rules for guidance.

Gaining Centralized Visibility

AWS Config is a regional service. By default, the AWS Config data collected in an AWS account is only viewable within the account and Region where it was collected. Customers typically want a centralized way to consume this data, and AWS Config aggregators make that possible: an aggregator provides a read-only view of configuration and compliance data across multiple AWS accounts, AWS Regions, or an entire AWS Organization. An organization aggregator collects from all member accounts automatically, whereas an account-based aggregator requires each source account to authorize the aggregator account.

Querying Your Account Environment

An organization’s compliance team often needs additional insight into the current environment: for example, how many Amazon EC2 instances are currently deployed, or which security groups allow inbound TCP connections. AWS Config advanced query provides an endpoint for querying the current configuration state of your AWS resources with a SQL-like SELECT syntax, either in a single account or across accounts and Regions through an aggregator. Sample queries are provided, or you can write your own. To assist with authoring, the service also offers a natural language query processor (in preview) so you do not have to write the SQL expression yourself.

Some common use cases for advanced query include:

  • Inventory management (e.g. retrieving a list of Amazon EC2 instances of a particular size).
  • Security and operational intelligence (e.g. retrieving a list of resources that have a specific configuration property enabled or disabled).
  • Cost optimization (e.g. identifying Amazon EBS volumes that are not attached to any Amazon EC2 instance).
  • Incident response (e.g. understanding which resources were created after a certain date).
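The following added example (not code from the original post) ties the aggregator and advanced query sections together: it runs an advanced query against an organization aggregator and pages through the results, covering three of the use cases above (unencrypted volumes, unattached volumes, resources created after a date). Two details the console hides are visible here: every result row comes back as a JSON string that must be decoded, and each call returns at most 100 rows, so the `NextToken` must be followed. The aggregator name `org-aggregator`, the sample rows, and the offline `FakeConfigClient` stand-in for boto3’s Config client are constructed for this example; the query expressions use real advanced query syntax.

```python
"""Page through AWS Config advanced query results from an aggregator.

Added example; not code from the original post. Advanced query accepts a
SQL-like SELECT, returns every row as a JSON string, and serves at most
100 rows per call, so callers must json.loads each row and follow
NextToken. The aggregator name, the sample rows and the offline fake
client below are constructed for this example.
"""
import json
from typing import Any, Iterator

# Advanced query expressions (real syntax: SELECT ... WHERE ..., no FROM clause).
UNENCRYPTED_VOLUMES = (
    "SELECT accountId, awsRegion, resourceId, configuration.size "
    "WHERE resourceType = 'AWS::EC2::Volume' AND configuration.encrypted = false"
)
UNATTACHED_VOLUMES = (
    "SELECT accountId, awsRegion, resourceId, configuration.volumeType, configuration.size "
    "WHERE resourceType = 'AWS::EC2::Volume' AND configuration.state = 'available'"
)
CREATED_AFTER = (
    "SELECT accountId, awsRegion, resourceType, resourceId, resourceCreationTime "
    "WHERE resourceCreationTime > '{since}'"
)


def query_aggregator(client: Any, aggregator: str, expression: str,
                     page_size: int = 100) -> Iterator[dict[str, Any]]:
    """Yield decoded rows for one expression, following NextToken to the end."""
    kwargs = {"ConfigurationAggregatorName": aggregator,
              "Expression": expression, "Limit": page_size}
    while True:
        page = client.select_aggregate_resource_config(**kwargs)
        for row in page.get("Results", []):
            yield json.loads(row)  # each result is a JSON document, not a dict
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def unencrypted_volumes_by_account(client: Any, aggregator: str) -> dict[str, int]:
    """Count unencrypted EBS volumes per account across the aggregator."""
    counts: dict[str, int] = {}
    for row in query_aggregator(client, aggregator, UNENCRYPTED_VOLUMES):
        counts[row["accountId"]] = counts.get(row["accountId"], 0) + 1
    return counts


class FakeConfigClient:
    """Offline stand-in for boto3's Config client, returning constructed pages."""

    def __init__(self, rows: list[dict[str, Any]], page_size: int = 2) -> None:
        self._pages = [rows[i:i + page_size] for i in range(0, len(rows), page_size)] or [[]]
        self.calls = 0

    def select_aggregate_resource_config(self, **kwargs: Any) -> dict[str, Any]:
        self.calls += 1
        index = int(kwargs.get("NextToken", "0"))
        response = {"Results": [json.dumps(r) for r in self._pages[index]], "QueryInfo": {}}
        if index + 1 < len(self._pages):
            response["NextToken"] = str(index + 1)  # real tokens are opaque strings
        return response


# Constructed rows, shaped like decoded advanced query results.
SAMPLE_ROWS = [
    {"accountId": "111111111111", "awsRegion": "us-east-1", "resourceId": "vol-0a1", "configuration": {"size": 8}},
    {"accountId": "111111111111", "awsRegion": "eu-west-1", "resourceId": "vol-0b2", "configuration": {"size": 100}},
    {"accountId": "222222222222", "awsRegion": "us-east-1", "resourceId": "vol-0c3", "configuration": {"size": 20}},
]

if __name__ == "__main__":
    # Against a real organization aggregator, replace the fake with
    # boto3.client("config") created in the aggregator's account and Region.
    fake = FakeConfigClient(SAMPLE_ROWS)
    print(unencrypted_volumes_by_account(fake, "org-aggregator"))
```

Because advanced query reads the latest recorded configuration item, a volume created and deleted between daily recordings never appears; treat results as a view of what AWS Config has recorded, not a live API inventory. The caller also needs `config:SelectAggregateResourceConfig` on the aggregator.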

Monitoring your Compliance State

For governance visibility, teams can use the AWS Config dashboards for an at-a-glance overview of recorded resources, rules and conformance packs, and their compliance states and scores. AWS Config also publishes usage metrics, such as the number of configuration items recorded, to Amazon CloudWatch, so you can build and share custom views of AWS Config activity in CloudWatch dashboards.

Providing Risk Management Assurance

Manually gathering evidence to support an audit is a cumbersome process, and AWS Config can help streamline it. AWS Config rule evaluation results are supplied to AWS Audit Manager, a managed cloud audit service, as evidence, and Audit Manager can then generate assessment reports for internal and external auditors. To support these controls, AWS Config must be enabled in every AWS Region where resources are in scope for Audit Manager; where it is not enabled, no evidence is collected for the corresponding controls, leaving an incomplete picture of your cloud environment.

Enabling AWS Config

There are a few options for deploying AWS Config depending on your environment:

  1. Infrastructure as code tools, such as AWS CloudFormation and Terraform, can provision resources across multiple AWS accounts and Regions. You can enable AWS Config in your accounts with a template that declares the AWS Config CloudFormation resources (the configuration recorder, its delivery channel, and the rules you want). The CloudFormation documentation also provides sample StackSet templates, including templates for deploying AWS Config rules.
  2. AWS Systems Manager Quick Setup is a capability of AWS Systems Manager that lets customers quickly configure frequently used AWS services and features with recommended best practices. One of the supported configurations creates an AWS Config configuration recorder, so you can use Systems Manager to enable AWS Config across multiple accounts and Regions or across the entire organization.

Conclusion

In this post we showed why AWS Config is a core service that organizations should consider enabling as part of their cloud strategy. Beyond its own inventorying, compliance, security, and integration capabilities, AWS Config supplies the resource and compliance data that other key security and compliance services, such as AWS Security Hub, AWS Audit Manager, and AWS Control Tower, depend on to work fully.

About the authors:

Courtney Sampson

Courtney Sampson is a Solutions Architect at AWS. He works alongside Enterprise customers to provide best practices and guidance for building and operating successfully in the cloud.


Craig Edwards

Craig Edwards is a World Wide Technologist with the Critical Capabilities team at AWS, based out of Boston, Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force veteran and, when he is not building cloud solutions, he enjoys being a father and electric vehicles.

Nivas Durairaj

Nivas Durairaj is a senior business development manager for AWS Cloud Governance services. He enjoys guiding and helping customers on their cloud journeys. Outside of work, Nivas likes playing tennis, hiking, doing yoga and traveling around the world.