Using AWS Config for Security and Governance: Part 3

By 31 January 2017Tech Tips

AWS ConfigBy Carl Durrant, Senior Consultant, Avocado

Throughout this three part series, I have gone through the key concepts of Amazon Web Services (AWS) Config, and its ability to maintain visibility, security and control in the frequently changing cloud environment.

If you have not already, take a look at how visibility is gained every time a configuration item is changed, the five features in which AWS Config is built upon and how to adapt it specifically to your needs in Part One of this series. In Part Two I delved deeper into the key concepts of the service, the AWS Config timeline and AWS Config Rules.

In this final post, I will discuss how AWS has worked with many different partners to allow integration of data between systems and the AWS Config’s ability to address security issues. 

Partner integration

There is a growing ecosystem of partners around the AWS Config service. Splunk’s app for AWS takes data from AWS Config as well as data from sources such as AWS CloudTrail, Amazon Inspector, Amazon VPC Flow Logs, Amazon CloudWatch, AWS ELB (Elastic Load Balancing), Amazon Cloudfront, Amazon S3 (Simple Storage Service) and AWS Billing. This gives you some really powerful visualisation and dashboards as well as insights into your AWS environment and its health. 

Are we safe?

I hope you can see the scope and capability of the AWS Config Service. I believe it is something that organisations should turn on by default if not for security analysis and audit compliance for change management and troubleshooting capabilities.

If key security rules are defined, this tool gives a security analyst the perspective of ‘are we safe’ and provides the evidence of it. For upcoming changes, it provides a window into the relationship of resources and which ones will be affected. Most importantly, this tool can form part of a self-healing security architecture whereby defined rules trigger workflows to close security holes. The state of compliance can be viewed from a single dashboard.

A common security concern is an AWS EC2 instance that is open to the world. A simple Config Rule could detect this invalid security configuration and automatically take the instance offline or another defined action. Traditional audit events were a big headache for IT. Always-on recording from AWS Config could also address this headache. The defined security policy ensures what is running really should be. I also like the fact that not only can AWS Config report what is in your account but it also records what has been deleted from your account.

Finally, AWS Config can report on AWS Identity and Access Management (IAM). This opens up the capability of auditing these services for queries such as what permissions did a user have on a specific date. The service is available in the AWS Sydney region and also has API access like most other AWS services. You only pay once for each Configuration Item recorded and a fee for each active Config Rule per month. 

I hope this series has helped you to better understand the role and value of AWS Config. It is an incredibly powerful service that can be used not only for security analysis and audit compliance but for change management and troubleshooting capabilities.


Avocado is a trusted partner of AWS with highly experienced consultants holding a wealth of knowledge in AWS applications. To talk to one of our Solution Managers in further detail, contact us today.

Share this on:

Related Posts