Using AWS Config for Security and Governance: Part 1

17 January 2017 | Tech Tips

By Carl Durrant, Senior Consultant, Avocado

In the cloud, change is frequent, automated and impactful. What options do you have for maintaining visibility, security and control?

In this three-part series, I will take you through Amazon Web Services (AWS) Config: how to adapt the service to your needs, the key concepts, timelines, Config rules and partner integration. I will discuss how it can be used not only for security analysis and audit compliance but also for change management and troubleshooting.

AWS Config, a lesser-known service from AWS, acts as a ‘VCR’. It records every change made in AWS and normalises each one into a common format known as a Configuration Item. This data is stored in Amazon S3 (Amazon Simple Storage Service) and feeds an SNS (Simple Notification Service) Configuration Stream. This means you have visibility every time a configuration item changes. This is very powerful.

A second and newer part of AWS Config is AWS Config Rules. This allows you to set up rules that check the configuration of the recorded resources. There are pre-defined rules, and you can also create your own based on your objectives. AWS Config is built upon five features:

  • Recording configuration
  • Normalising those configuration changes or items into a standard format
  • Storing that data in AWS for analysis
  • Checking rules
  • Delivering data

All of this information is available in a dashboard so you can visualise and ultimately review for compliance, identifying offending and unauthorised changes.

Adapting to your needs

By default, AWS Config records everything to S3. However, if you are not interested in everything, you can be more selective: for example, you can choose not to record changes made to instances and record only changes made to the things you specifically care about, such as Security Groups. You can select an S3 bucket of your choice. The bucket can even be in another account if you are looking to consolidate the configuration information from multiple AWS accounts (even in different regions) into a centralised account. If you do this, be aware that the S3 Bucket Policy must allow the delivery. The service requires Identity-based (IAM) permissions in order to read your data (read-only is required). The service integrates with Amazon SNS, allowing you to stream the changes to an existing or new SNS Topic. If you are considering a multi-region deployment, best practice is to create an SNS Topic in each region and aggregate them into a common SQS (Simple Queue Service) queue in your home region.
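
As an added illustration of the selective recording and central-bucket setup described above (not code from the original post), the following Python builds the two documents involved: a recording group limited to chosen resource types, and a bucket policy for the consolidation account that lets AWS Config deliver from each source account. The bucket name and account IDs are constructed placeholders, and the `AWS:SourceAccount` condition is an extra restriction assumed here, not something the post specifies.

```python
import json

def recording_group(resource_types):
    """Recorder settings that capture only the listed resource types."""
    if not resource_types:
        raise ValueError("list at least one resource type, or record everything")
    return {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": sorted(set(resource_types)),
    }

def central_bucket_policy(bucket, source_accounts):
    """Policy for the central bucket: AWS Config may deliver for each source account."""
    accounts = sorted(set(source_accounts))
    if not accounts or any(len(a) != 12 or not a.isdigit() for a in accounts):
        raise ValueError("source accounts must be 12-digit AWS account IDs")
    principal = {"Service": "config.amazonaws.com"}
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Config checks the bucket's ACL and existence before delivering
                "Sid": "AWSConfigBucketChecks",
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"AWS:SourceAccount": accounts}},
            },
            {   # Writes are limited to the AWSLogs prefix of the listed accounts
                "Sid": "AWSConfigBucketDelivery",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:PutObject",
                "Resource": [f"{bucket_arn}/AWSLogs/{a}/Config/*" for a in accounts],
                "Condition": {"StringEquals": {
                    "AWS:SourceAccount": accounts,
                    "s3:x-amz-acl": "bucket-owner-full-control",
                }},
            },
        ],
    }

if __name__ == "__main__":
    # Constructed sample values: the bucket name and account IDs are placeholders.
    print(json.dumps(recording_group(["AWS::EC2::SecurityGroup"]), indent=2))
    print(json.dumps(central_bucket_policy(
        "example-config-central", ["111111111111", "222222222222"]), indent=2))
```

The recording group has the shape the configuration recorder accepts, and the policy is serialised to JSON before being attached to the central bucket.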

In part two of this post, I will further explore AWS Config through the key concepts of the service, the AWS Config timeline (my favourite part of this tool) and the Config rules for building up the base capability of recording all changes.


Avocado is a trusted partner of AWS with highly experienced consultants holding a wealth of knowledge in AWS applications. To talk to one of our Solution Managers in further detail, contact us today.
