AWS Config
AWS Config is a regional service that monitors an account for changes, but cannot prevent configuration changes.
It can be configured for cross-region and cross-account monitoring and can generate SNS notifications and near-real-time events via EventBridge or Lambda.
Two main functions:
- Record configuration changes on resources over time in an AWS account: every time a configuration or relationship (with other resources) change is made, a Configuration Item is created, which contains:
  - The configuration of the resource before and after that point in time
  - The relationships with other resources
  - Who made the change (you get a CloudTrail link)
- Create compliance configurations and report whenever those are violated.
Config stores the configuration data and changes in an S3 bucket that you own and can read from. This is useful if you want to analyze the data using Athena.
Config Rules
They are configuration templates that resources are evaluated against.
AWS Managed rules are available but Custom Rules can be created using Lambda.
In the case of Custom Rules, a Lambda function that you code performs the evaluation and returns the result to AWS Config.
Rule evaluation can happen either:
- On a configuration change
- On a schedule
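As an added example (not code from the original notes or from AWS), here is what a Custom Rule Lambda looks like for the configuration-change trigger described above. The rule itself is hypothetical: it checks that each recorded resource carries the tag keys named in a rule parameter called requiredTagKeys. The event shape (invokingEvent and ruleParameters as JSON strings, resultToken) and the put_evaluations call are the ones AWS Config uses when it invokes a custom rule; the sample event, bucket name and tag values are constructed for the example.

```python
"""Hypothetical AWS Config custom rule: in-scope resources must carry the
tag keys listed in the rule parameter ``requiredTagKeys`` (comma-separated)."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for a single configuration item."""
    # Config also invokes the rule when a resource is deleted; nothing to check then.
    if configuration_item.get("configurationItemStatus") in (
        "ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource was deleted"
    required = [k.strip() for k in rule_parameters.get("requiredTagKeys", "").split(",")
                if k.strip()]
    present = set((configuration_item.get("tags") or {}).keys())
    missing = [k for k in required if k not in present]
    if missing:
        return NON_COMPLIANT, "Missing required tag keys: " + ", ".join(missing)
    return COMPLIANT, "All required tag keys present"


def build_evaluation(configuration_item, compliance_type, annotation):
    """Shape one result the way PutEvaluations expects it."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes. Returns the evaluations it reported."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    # Scheduled and oversized-item notifications carry no configurationItem;
    # those need a separate code path (not shown here).
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        return []
    item = invoking_event["configurationItem"]
    compliance_type, annotation = evaluate_compliance(item, rule_parameters)
    evaluations = [build_evaluation(item, compliance_type, annotation)]
    if config_client is None:
        import boto3  # only needed when actually reporting back to AWS Config
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample event: an S3 bucket tagged with Owner but not CostCenter.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-logs-bucket",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Owner": "security-team"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,CostCenter"}),
    "resultToken": "constructed-result-token",
}


class RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler can run offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    for ev in lambda_handler(SAMPLE_EVENT, config_client=client):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

When deployed, the function's execution role needs config:PutEvaluations, and the rule's trigger type in Config decides whether invokingEvent carries a configurationItem (change-triggered) or only a notification time (scheduled), which is why the handler checks messageType before touching the item.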
Billing
You pay per configuration item delivered (whenever a resource undergoes a configuration change or a relationship change) in your AWS account per AWS Region, plus per rule evaluation per Region.
Configuration item delivered:
- Scheduled recording: $0.012
- Continuous recording: $0.003
Rule evaluation: $0.001