A CMDB is the cornerstone of automated operations and the foundation for building ITIL processes. AWS Config is a managed service that acts as a CMDB for resources in the AWS cloud: it maintains the configuration history of AWS resources and evaluates configurations against best practices and internal policies. You can use this information for operational troubleshooting, auditing, and compliance use cases.
How AWS Config works
After you turn on AWS Config, it first discovers the supported AWS resources in your account and generates a configuration item for each resource. AWS Config also generates a configuration item whenever a resource's configuration changes, and once you start the configuration recorder it retains the history of configuration items. If you use AWS Config rules, AWS Config continuously evaluates whether your AWS resources have the required settings. When a resource's compliance status changes, AWS Config sends a notification to your Amazon SNS topic.
Use cases
Resource management
To manage your resource configurations well and detect misconfigurations, you need to know at any time which resources exist and how they are configured. AWS Config can notify you when a resource is created, modified, or deleted, so you do not have to poll individual resources to monitor these changes.
You can use AWS Config rules to evaluate the configuration settings of your AWS resources. When AWS Config detects a resource that does not meet the conditions of a rule, it flags the resource as non-compliant and sends a notification. AWS Config evaluates your resources continuously as they are created, changed, or deleted.
Audit and compliance
The data you work with may need frequent audits to confirm it complies with internal policies and best practices. To demonstrate compliance, you need the historical configuration of your resources. AWS Config provides this information.
Managing and troubleshooting configuration changes
When you use several interdependent AWS resources, a configuration change to one resource can have unintended consequences for related resources. With AWS Config you can see how the resource you are about to modify relates to other resources and assess the impact of the change.
You can also use the historical resource configurations provided by AWS Config to troubleshoot problems and identify the last known good configuration of a problematic resource.
Security analysis
To analyze potential security weaknesses, you need detailed historical information about the configuration of your AWS resources, such as the AWS Identity and Access Management (IAM) permissions granted to your users or the Amazon EC2 security group rules that control access to resources.
You can use AWS Config to view, at any point in time, the IAM policies assigned to the IAM users, groups, or roles that AWS Config is recording. This information helps you determine what permissions a user had at a specific time: for example, you can check whether the user John Doe had permission to modify Amazon VPC settings on January 1, 2015.
You can also use AWS Config to view the configuration of your EC2 security groups, including the port rules that were open at a specific time. This information helps you determine whether a security group would block inbound TCP traffic to a specific port.
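The point-in-time security group check described above, as an added example (not code from the original page). It assumes configuration items in the shape AWS Config records for AWS::EC2::SecurityGroup (an `ipPermissions` list inside the JSON `configuration` string, as returned by the configuration history API); the history below is constructed sample data, not a real account.

```python
"""Point-in-time check of an EC2 security group from AWS Config history.

Added example: given a list of configuration items for one security group,
answer "at time T, did this group admit inbound TCP to port P from CIDR S?".
SAMPLE_HISTORY is constructed data in the AWS Config item shape (assumption).
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed history: port 22 first open to the world, later narrowed to 10.0.0.0/8.
SAMPLE_HISTORY = [
    {"configurationItemCaptureTime": "2015-01-01T00:00:00Z",
     "configuration": json.dumps({"groupId": "sg-example", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]})},
    {"configurationItemCaptureTime": "2015-03-01T00:00:00Z",
     "configuration": json.dumps({"groupId": "sg-example", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]})},
]

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def item_in_effect(history, at):
    """Return the latest configuration item captured at or before `at`, else None."""
    earlier = [ci for ci in history if _parse_time(ci["configurationItemCaptureTime"]) <= at]
    if not earlier:
        return None
    return max(earlier, key=lambda ci: _parse_time(ci["configurationItemCaptureTime"]))

def tcp_port_open_from(item, port, source_cidr):
    """True if any ingress rule in `item` admits TCP `port` from all of `source_cidr`."""
    conf = json.loads(item["configuration"])
    src = ipaddress.ip_network(source_cidr)
    for perm in conf.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        lo = 0 if proto == "-1" else perm.get("fromPort", 0)
        hi = 65535 if proto == "-1" else perm.get("toPort", 65535)
        if not lo <= port <= hi:
            continue
        for rng in perm.get("ipv4Ranges", []):
            if src.subnet_of(ipaddress.ip_network(rng["cidrIp"])):
                return True
    return False

def port_open_at(history, port, source_cidr, when_iso):
    """Combine both steps: was `port` reachable from `source_cidr` at `when_iso`?"""
    item = item_in_effect(history, _parse_time(when_iso))
    return item is not None and tcp_port_open_from(item, port, source_cidr)
```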
Pricing
With AWS Config, you pay for the number of configuration items recorded in your account, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance evaluation of a resource by an AWS Config rule in your account, and a conformance pack evaluation is an evaluation of a resource by an AWS Config rule that belongs to a conformance pack.
Pricing example
Assume the following usage in a given month in the US East (N. Virginia) region:
10,000 recorded configuration items across various resource types
50,000 Config rule evaluations across all individual Config rules in the account
5 conformance packs, each containing 10 Config rules, with 300 rule evaluations per Config rule (5 * 10 * 300 = 15,000 evaluations in total)
Configuration item cost
10,000 * 0.003 USD = 30 USD
Config rule cost
First 100,000 evaluations (0.001 USD each) = 50 USD
Conformance pack cost
First 1,000,000 conformance pack evaluations (0.0012 USD each) = 18 USD
Total Config bill
30 USD + 50 USD + 18 USD = 98 USD
For further assistance or services, please leave a message; Taiyue Cloud Business provides automation tools and professional services.