Best Practices for AWS Config


· · ·

AWS Config was introduced by Amazon Web Services in 2014 as an auditing tool to help consumers of AWS resources actively track and monitor AWS assets. The tool allows administrators to determine compliance with corporate and security standards. It also functions in determining changes to the cloud ecosystem which may have resulted in performance and functionality problems.

In this article, we’re going to look at AWS Config in more detail and cover best practices which you may consider implementing to make the most of this tool.

Setting Up AWS Config in Your Account

A significant time-saving benefit of AWS Config is that you don’t need to install or maintain agents on any of your cloud resources. AWS Config functions inside each region of your account and can be easily enabled through the AWS Management Console.

To enable AWS Config, log into the AWS Management Console and navigate to the Config home page.

Fig. 1 AWS Config Home Page

When you enable AWS Config, there are four pieces of information or configuration that you will need to provide.

  1. Resource types to record
    • You can elect to record all resources within the region (Default select)
    • You can choose to include global resources as well.
    • If your use case only involves the need to monitor resources of a specific type, you can also deselect the record all resources option, and specify only those resources you would like to track.
  2. Amazon S3 bucket
  3. Amazon SNS topic
  4. AWS Config role
    • If you choose to have a new role created, AWS automatically builds a role with read-only access to those resources specified for the configuration.

Let’s look at some best practices to adopt when using AWS Config for your resource management needs.

1: Centralize Administration

If you oversee multiple AWS accounts, it is wise to invest in some initial planning. Determine where you want to store the information and who will need access to it. When selecting the Amazon S3 bucket and SNS topic during the initial configuration, you can specify a bucket and topic in another account.

By consolidating your information, you’ll save a lot a time and headaches when the time comes for auditing and generating reports.

2: Standardize Tagging

Developing a tagging standard will take some effort, and you may experience some pushback from your development team, but the initial investment will pay you back in dividends many times over. Develop a tagging standard for your organization that includes information for each resource, such as:

  • Resource Owner – Team, Cost Center, or other taxonomic type information.
  • Environment – Production, Test, Development
  • Application/Service
  • Role – Web, Database, etc.

Tag anything you can and include as much information as is feasible. Most AWS resources support custom user tags, and with the help of your DevOps team, you may be able to automate most of the work in applying tags to resources as they are created and deployed into your AWS ecosystem.

The investment in defining and applying a tagging standard will be invaluable when you need to identify resources based on the environment, assign costing to specific teams and owners, or when you want to do detailed reports on resource usage within your organization.

3: Automate, Automate, Automate

The second step when enabling AWS Config is the inclusion of rules. In cloud environments where the number of resources appears to grow exponentially as your organization does, automation is your friend. By setting up automated processes to monitor your account for specific conditions, you’ll be able to keep up on configuration changes and be notified when updates to the environment fall outside of your organization’s security and configuration guidelines.

Fig. 2 Set up Rules to Monitor Your Configuration

Some of the rules that you may want to consider including are:

  • Ensure that required tagging is in place on all relevant resources
  • Validate that volumes are encrypted appropriately
  • Notifications are sent when certificates and keys are set to expire.

4: Trust But Verify

Once you have AWS Config enabled on your account, it’s a good idea to validate that everything is working as expected. Below are a couple of checks you can make to ensure that your AWS Config setup is working appropriately.

  • Validate that you have enabled AWS Config in all regions for your accounts.
  • The S3 bucket specified exists and that it is receiving logs as expected.
  • The SNS topic exists and is receiving notifications.
  • Global resources are included in your configuration setup.

Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest - for now. By day he works as an Engineer Manager for a DevOps team, and by night he writes and tinkers with other technology projects. When he's not tapping on the keys, he can be found trail-running, hiking and exploring both the urban and the rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or Single-malt Scotch.


Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published.

Skip to toolbar