Understanding AWS Config: A Comprehensive Guide to Resource Configuration and Compliance
By Matt Houle, Solution Architect
AWS Config provides a detailed, real-time view of the configuration of AWS resources within your account. An “AWS resource” refers to any item you’ve provisioned in your AWS environment, such as EC2 instances, EBS volumes, S3 buckets, and more.
When AWS Config is first enabled, it scans all resources in your account and begins maintaining a history of their configuration states. If a resource changes over time—whether it’s a configuration update, addition, or removal—AWS Config will record these changes. For example, if you modify the ingress or egress rules of a VPC security group, AWS Config will capture that change in its history.
Beyond Tracking: AWS Config Rules
AWS Config doesn’t just track the configurations of resources; it also helps enforce and maintain desired configurations. This is accomplished through AWS Config Rules, which can be set up to trigger AWS Lambda functions. These functions compare the actual configuration of a resource with the desired configuration and flag any discrepancies.
One example of a managed AWS Config rule is alb-waf-enabled. This rule checks all application load balancers (ALBs) in your account to ensure they are fronted by a web application firewall (WAF). If an ALB isn’t properly configured with a WAF, it will be marked as non-compliant.
AWS offers many managed rules out of the box, allowing organizations to quickly start using AWS Config without the need for custom development. A full list of AWS-managed rules can be found in the official AWS documentation.
The Power of Custom Config Rules
While managed rules are a great starting point, the true flexibility of AWS Config shines when you create custom Lambda functions to build your own Config rules. Custom rules can be executed on a regular schedule or triggered by specific API calls (e.g., when route tables are updated or S3 files are deleted).
Your Lambda code compares the actual configuration of a resource with its desired state. If there’s a mismatch, the resource will be marked as non-compliant in AWS Config.
Monitoring Compliance and Visibility
Using AWS Config rules, whether managed or custom, you can track the compliance of all your AWS resources. Resources are classified into three compliance states:
- COMPLIANT
- NON-COMPLIANT
- NON-APPLICABLE
This provides an excellent observability tool to monitor the health of your AWS environment and ensure that resources are in line with your desired configuration and compliance requirements.
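A custom rule of the kind described in the previous two sections, written here as an added example (it is not the post's code and not an AWS sample): a change-triggered Lambda that evaluates one AWS::EC2::SecurityGroup configuration item, the resource type the security-group example earlier in the post mentions, and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE (the Config API's spelling of the three states listed above) through PutEvaluations. The invoking-event layout, the ipRanges/ipv4Ranges/ipv6Ranges handling and the blockedPorts rule parameter are assumptions; boto3 is imported only when no client is injected, so the rule logic can be exercised locally with the recording stand-in client. The sample event is constructed, not captured from an account.

```python
"""Custom AWS Config rule (Lambda handler) flagging security groups that expose sensitive
ports to the internet. Added example, not the post's code; the event shapes are simplified assumptions."""
import ipaddress
import json

# Compliance values as the AWS Config API spells them.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DEFAULT_PORTS = frozenset({22, 3389})  # assumption: SSH and RDP unless ruleParameters override

def parse_blocked_ports(rule_parameters):
    """ruleParameters arrives as a JSON string; 'blockedPorts' is an assumed parameter name."""
    params = json.loads(rule_parameters) if isinstance(rule_parameters, str) else (rule_parameters or {})
    raw = str(params.get("blockedPorts") or "")
    return {int(p) for p in raw.split(",") if p.strip()} or set(DEFAULT_PORTS)

def _cidrs(permission):
    """Collect CIDRs from both layouts Config has used (plain strings and cidrIp objects)."""
    found = [r["cidrIp"] if isinstance(r, dict) else r for r in permission.get("ipRanges", [])]
    for key in ("ipv4Ranges", "ipv6Ranges"):
        found += [r.get("cidrIp") or r.get("cidrIpv6") for r in permission.get(key, [])]
    return sorted({c for c in found if c})

def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0; unparsable values are treated as not world-open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def _covers(permission, port):
    """Does this ingress permission admit traffic to the given TCP/UDP port?"""
    proto = permission.get("ipProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    return proto in ("tcp", "udp") and lo is not None and hi is not None and lo <= port <= hi

def evaluate_compliance(configuration_item, blocked_ports=DEFAULT_PORTS):
    """Pure rule logic: returns (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "Rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted or not recorded"
    findings = []
    for perm in configuration_item.get("configuration", {}).get("ipPermissions", []):
        world = [c for c in _cidrs(perm) if _is_world(c)]
        for port in sorted(blocked_ports):
            if world and _covers(perm, port):
                findings.append(f"port {port} open to {','.join(world)}")
    if findings:
        return NON_COMPLIANT, "; ".join(findings)[:256]  # Annotation is capped at 256 chars
    return COMPLIANT, "No blocked port is exposed to 0.0.0.0/0 or ::/0"

class RecordingConfigClient:
    """Local stand-in for boto3's Config client: records PutEvaluations calls instead of sending them."""
    def __init__(self):
        self.calls = []
    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; change-triggered rules receive one configuration item."""
    item = json.loads(event["invokingEvent"]).get("configurationItem")
    if item is None:  # scheduled or oversized-change notifications carry no full item
        return None
    compliance, note = evaluate_compliance(item, parse_blocked_ports(event.get("ruleParameters")))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # imported lazily so the rule logic runs without the SDK installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not real account data): one rule opens SSH to the world,
# the other is an ordinary HTTPS rule that must not trip the check.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, config_client=RecordingConfigClient()))
```

Keeping the evaluation in a pure function that returns the compliance type and annotation, separate from the PutEvaluations call, is what makes a rule like this testable before it is deployed: the same function can be fed recorded configuration items from the Config history the post describes. Deleted resources and resource types the rule does not understand are reported as NOT_APPLICABLE rather than silently skipped, so the rule's coverage stays visible in the compliance view.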
About the Author
Matt Houle has over 18 years' experience in the IT field, starting immediately after graduating high school and becoming a network administrator due to their passion for technology. Over the years they worked many general IT positions in technical support, always helping the customer and business to achieve the best outcome possible. Matt Houle worked with Scripps Networks (FoodNetwork, HGTV, CookingChannel, TravelChannel, etc.) as a System Administrator, where they ended up being the team lead and architected a single-pane-of-glass monitoring platform for the organization utilizing SolarWinds. After Scripps Networks was acquired by Discovery Networks, Matt Houle made a transition to Amazon Web Services as a system development engineer for the AMS (AWS Managed Services) team. During his time at AWS, Matt Houle led multiple projects as lead engineer, including automation of full Multi-Account Landing Zone account build-outs. His passion for networking and security allowed him to build out a fully automated Palo Alto firewall provisioning service utilizing Lambda, S3, Step Functions, and DynamoDB that would help secure customers' egress-based traffic, and finally Matt Houle led multiple efforts that handled all host authentication for both customers and AWS operators. Matt Houle is very focused on the cyber security space and has attended the annual hacker and cybersecurity convention DEF CON for the past three years.