AWS Config keeps users up to date on the state of their resources, not only on AWS but in other clouds and on premises as well. The service continually assesses, audits, and evaluates the configurations of a user's resources and the relationships between them.
Businesses have to comply with corporate standards, industry guidelines, or other internal policies, and it is important to remain in compliance. AWS Config can be utilized to manage, evaluate, and simplify compliance and troubleshooting of resources. The service provides a detailed inventory of your AWS resources and their current configuration, while continuously recording changes. Not only does AWS Config track configuration changes and keep an inventory of your resources, but it also allows for auditing and analysis of these configurations. AWS Config enables the user to notice changes in compliance and helps take remedial action.
AWS Config also allows you to codify the desired configuration of resources using what are known as Config Rules. The user has total control over what AWS Config checks for. AWS provides many managed rules and also allows the creation of custom rules. Even with custom rules, AWS Config monitors and evaluates resource compliance against that rule; it does not need to be one of AWS's predefined rules. If resources drift from these settings, AWS Config can notify you, for example if an Amazon S3 bucket does not have versioning enabled, or an AWS IAM role allows full access to a service. Furthermore, you can group these rules into a Conformance Pack: a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account and region, which is useful for managing compliance at scale across accounts and regions. These packs help standardize configuration when you manage multiple accounts. They can be AWS-managed or custom-defined using YAML files.
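As an added illustration (example code, not from the article or from AWS), the following is a custom Config rule implemented as an AWS Lambda function. AWS Config invokes the function with a configuration item for the changed resource, the function decides COMPLIANT or NON_COMPLIANT, and reports the result back with PutEvaluations. The two checks mirror the article's own examples: an S3 bucket without versioning and an IAM role with an inline policy granting every action on every resource. The configuration-item layout (`supplementaryConfiguration.BucketVersioningConfiguration.status` for buckets, a URL-encoded `policyDocument` inside `configuration.rolePolicyList` for roles) and the sample items are assumptions constructed for the example; the `lambda_handler`, `boto3` client call and resource IDs are likewise illustrative.

```python
"""Custom AWS Config rule: flags unversioned S3 buckets and IAM roles
with an inline policy allowing full access (Action "*" on Resource "*").
Example code written for this article; not AWS's own rule."""
import json
from typing import Any, Dict, List
from urllib.parse import quote, unquote

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_full_access(policy_doc: Dict[str, Any]) -> bool:
    """True if any unconditional Allow statement grants Action "*" on Resource "*"."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def evaluate_configuration_item(ci: Dict[str, Any]) -> str:
    """Map one AWS Config configuration item to a compliance type."""
    resource_type = ci.get("resourceType")
    if resource_type == "AWS::S3::Bucket":
        # Assumed layout: Config records bucket versioning as supplementary configuration.
        versioning = ci.get("supplementaryConfiguration", {}).get("BucketVersioningConfiguration", {})
        return COMPLIANT if versioning.get("status") == "Enabled" else NON_COMPLIANT
    if resource_type == "AWS::IAM::Role":
        # Assumed layout: inline policies under rolePolicyList, each policyDocument URL-encoded JSON.
        for policy in ci.get("configuration", {}).get("rolePolicyList", []):
            doc = policy.get("policyDocument", {})
            if isinstance(doc, str):
                doc = json.loads(unquote(doc))
            if policy_allows_full_access(doc):
                return NON_COMPLIANT
        return COMPLIANT
    # The rule is scoped to buckets and roles; anything else is out of scope.
    return NOT_APPLICABLE


def build_evaluation(ci: Dict[str, Any]) -> Dict[str, str]:
    """Shape the verdict the way PutEvaluations expects it."""
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_configuration_item(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    """Entry point AWS Config invokes; reports the result back to Config."""
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = build_evaluation(invoking_event["configurationItem"])
    import boto3  # imported here so the pure checks above run without the SDK installed
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample configuration items (not real resources).
SAMPLE_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-logs-bucket",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"BucketVersioningConfiguration": {"status": "Off"}},
}
_FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SAMPLE_ROLE_CI = {
    "resourceType": "AWS::IAM::Role",
    "resourceId": "AROAEXAMPLEROLEID",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "rolePolicyList": [
            {"policyName": "admin-inline", "policyDocument": quote(json.dumps(_FULL_ACCESS_POLICY))}
        ]
    },
}

if __name__ == "__main__":
    for item in (SAMPLE_BUCKET_CI, SAMPLE_ROLE_CI):
        print(item["resourceId"], "->", evaluate_configuration_item(item))
```

The verdict logic is kept separate from the `lambda_handler` so it can be unit-tested against recorded configuration items before the rule is deployed; in production the function's execution role needs `config:PutEvaluations`, and a scoped statement such as `s3:*` on `*` is deliberately not treated as full access here, since the check targets only the wildcard-on-wildcard case the article describes.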
The service can also show relationships between resources, such as a new Amazon EC2 security group being associated with an Amazon EC2 instance, which is helpful for impact analysis when a resource changes or is deleted. AWS Config also integrates well with a variety of AWS services, such as AWS CloudTrail, to give a comprehensive view of activity. AWS Config can also trigger AWS Lambda functions to automate the remediation of resources that fall out of compliance with the rules you have set.
General use cases for AWS Config include streamlining operational troubleshooting and change management, deploying a compliance-as-code framework, and continually auditing security monitoring and analysis. In addition to the standard pricing of any other services you use alongside AWS Config, such as Amazon S3, Amazon SNS, or AWS Lambda, AWS Config pricing is based on a few things. The first is rule evaluations: rule evaluation pricing can be as low as $0.00005 per evaluation and never higher than $0.001 per evaluation, depending on how many evaluations you perform in a month. Pricing is also based on the number of configuration items recorded. Whenever a change is made to a recorded resource, AWS Config creates a configuration item that details what was changed. For each configuration item recorded, you are charged $0.003. Keep in mind that this can add up quickly if your AWS environment has many monitored resources that change frequently (e.g. dev deployments or scaling groups that scale in and out too eagerly).