AWS Config features

Configuration history of resources

AWS Config records details of changes to your resources to provide you with a configuration history. You can use the AWS Management Console, API, or CLI to obtain details of what a resource’s configuration looked like at any point in the past. AWS Config will also automatically deliver a configuration history file to the Amazon Simple Storage Service (S3) bucket that you specify. You can customize the AWS Config recorder to deliver configuration items at two different frequencies or by changing the scope of which resources are included or excluded. You can also record configurations for third-party resources or custom resource types, such as on-premises servers, software as a service (SaaS) monitoring tools, and version control systems, by following the AWS Config Developer Guide: Record Configurations for Third-Party Resources.

Configuration history of software

AWS Config helps you record software configuration changes within your Amazon Elastic Compute Cloud (EC2) instances and servers running on-premises, as well as servers and virtual machines in environments provided by other cloud providers. With AWS Config, you gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration and more. AWS Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for Amazon EC2 instances.

Resource relationships tracking

AWS Config discovers, maps, and tracks AWS resource relationships in your account. For example, if a new EC2 security group is associated with an EC2 instance, AWS Config records the updated configurations of both the EC2 security group and the EC2 instance.

Configurable and customizable rules

AWS Config provides you with pre-built rules evaluating the configurations of your cloud resources, as well as software within managed instances, including EC2 instances, and resources outside AWS like servers running on premises, before and after provisioning. You can customize pre-built rules to evaluate your AWS resource configurations and configuration changes, or create custom rules on AWS Lambda that define your internal best practices and guidelines for resource configurations. Using AWS Config, you can assess your resource configurations and resource changes for compliance against the built-in or custom rules.

Conformance packs

Conformance packs help you manage compliance of your AWS resource configuration at scale (from policy definition to auditing and aggregated reporting) using a common framework and packaging model. Conformance packs are integrated with AWS Organizations. Using conformance packs as your compliance framework, you can package a collection of AWS Config rules and remediation actions into a single entity (known as a conformance pack) and deploy it across an entire organization. This is useful if you must quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way.

Conformance packs also provide compliance scores. A compliance score is a percentage-based score that helps you quickly discern the level to which your resources are compliant for a set of requirements that are captured within the scope of a conformance pack. A compliance score is calculated based on the number of rule-to-resource combinations that are compliant within the scope of a conformance pack. For example, a conformance pack with five rules applying to five resources has 25 possible rule-resource combinations. If two resources are not compliant with two rules, then the compliance score would be 84%, indicating that 21 out of 25 rule-resource combinations are currently in compliance. Also, compliance scores are emitted to Amazon CloudWatch metrics, which create tracking over time. Compliance scores offer a consistent measurement to track remediation progress, perform comparisons across different sets of requirements, and show the impact that a specific change or deployment has on your compliance posture.

Multi-account, multi-Region data aggregation

AWS Config aggregators enable centralized auditing and governance that provides an enterprise-wide view of your AWS resource configuration metadata and AWS Config rule compliance status. You can set up AWS Config aggregators for "single account and multi-Regions," "multi-account and multi-Regions," or "all the accounts in an AWS Organization that have AWS Config enabled."

Querying configuration state

AWS Config advanced queries enable you to search the current configuration state of AWS resources based on configuration properties. With advanced queries you can search within a single account and AWS Region or query against an AWS Config aggregator to search from a central account across accounts, AWS Regions, or an AWS Organization. This enables you to perform ad hoc, property-based queries against current AWS resource state metadata without needing to do AWS service-specific API calls. AWS Config uses a subset of structured query language (SQL) SELECT syntax to perform property-based queries. These queries can vary in complexity, ranging from basic searches based on tags or resource identifiers to more intricate queries, like identifying all Amazon S3 buckets with versioning disabled. To start using advanced queries today, visit our documentation.

AWS Config also provides generative AI-based natural language querying (available in preview), simplifying resource configuration investigations and saving you time when troubleshooting. You can search your resource configurations by asking questions in plain language, such as "Show me all EC2 instances that have the security group sg-12345" or "Show me all unused EBS volumes." AWS Config generates an advanced query based on your question that you can execute as-is or further fine-tune to retrieve precise data. To learn more about this feature, visit our documentation. 

Extensibility

AWS Config supports extensibility by helping you publish the configuration of third-party resources into AWS Config using our public API operations. Examples of third-party resources include version control systems such as GitHub, Microsoft Active Directory resources, or any on-premises server. AWS Config helps you view and monitor the resource inventory and configuration history of these third-party resources using the AWS Config console and API operations, like you do for AWS resources. You can also create AWS Config rules or conformance packs to evaluate these third-party resources against best practices, internal policies, and regulatory policies.

Configuration snapshots

AWS Config can provide you with a configuration snapshot, which is a point-in-time capture of all your resources and their configurations. Configuration snapshots are generated on demand by using the AWS CLI or API and delivered to the Amazon S3 bucket that you specify.

Cloud governance dashboard

AWS Config provides three types of dashboards. First, an AWS account- and AWS Region-specific dashboard that displays your resources' compliance posture, enabling your IT administrators, security experts, and compliance officers to quickly spot noncompliance resources and take appropriate action. Second, AWS Config provides a high-level dashboard per aggregator that shows insights such as total count of non-compliant rules across your AWS Organization, the top five non-compliant rules by number of resources, and the top five AWS accounts that have the highest number of non-compliant rules. Third, AWS Config provides detailed dashboards for each aggregator that dive deep into inventory and compliance details, such as compliance summary by resources, top 10 accounts with non-compliant resources, top 10 accounts by noncompliant rules across conformance packs, comparison of running vs. stopped EC2 instances by type, and EBS volumes by volume type and size. You can also access the underlying AWS Config advanced queries for each widget in all three types of dashboards, enabling you to dive deeper into resource details. You can use all of the available dashboards to gain insights into your resource configuration metadata. You can learn more by visiting our Viewing Compliance and Inventory Data in the Aggregator Dashboard documentation. 

Partner solutions

You can choose from numerous AWS Partner Network (APN) partners who provide solutions that integrate with AWS Config for resource discovery, change management, compliance, or security. Learn more about AWS Config APN Partners here.

Integrations

You can use AWS Organizations to define the accounts to use for AWS Config’s multi-account, multi-Region data aggregation capability. AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage. By providing your AWS Organizations details, you can monitor the compliance status across your organization.

AWS Config integrates with AWS CloudTrail to correlate configuration changes to particular events in your account. You can use the CloudTrail logs to obtain the details of the event that invoked the change, including who made the request, at what time, and from which IP address. You can navigate to the AWS Config timeline from the CloudTrail console to view the configuration changes related to your AWS API activities. To learn more about this feature, read our documentation here.

IT Service Management (ITSM) tools, such as Jira Service Desk, can connect with AWS Config to make it easier for ITSM users to request and manage AWS services and resources. The AWS Service Management Connector for Jira Service Desk provides Jira Service Desk administrators governance and oversight over their AWS products.

AWS Security Hub centralizes security checks from other AWS services, including AWS Config rules. Security Hub enables and controls AWS Config rules to verify your resource configurations are aligned to best practices. Enable AWS Config on all accounts in all Regions where Security Hub is to run security checks on your environment’s resources.

Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry. Audit Manager automates evidence collection, so you can configure a control data source, such as AWS Config, to collect automated evidence.

AWS Config integrates with Systems Manager to record configuration changes to software on your EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. AWS Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2 instances. You can navigate to the AWS Config timeline from the Systems Manager console to view the configuration changes of your managed EC2 instances. You can use AWS Config to view Systems Manager inventory history and track changes for all your managed instances.

To use Firewall Manager, you must enable AWS Config for each of your AWS Organizations member accounts. When new applications are created, Firewall Manager is the single service to build firewall rules, create security policies, and enforce them consistently.

AWS Config integrates with EC2 Dedicated Hosts to assess license compliance. AWS Config records when instances are launched, stopped, or shut down on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets, and physical cores. This helps you use AWS Config as a data source for your license reporting. You can navigate to the AWS Config timeline from the EC2 Dedicated Hosts console to view the configuration changes of your EC2 Dedicated Hosts.

AWS Config integrates with the Elastic Load Balancing (ELB) service to record configuration changes to Application Load Balancers. AWS Config also includes relationships with associated EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting. For example, you can check which security groups are associated with your Application Load Balancer at any point in time. You can navigate to the AWS Config timeline from the ELB console to view the configuration changes of your Application Load Balancers.