📖 What is AWS Config?
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records resource configuration changes, allowing you to track compliance against desired settings over time.
"Think of AWS Config as a 'flight recorder' for your infrastructure. It tells you what changed, when it changed, and if it violates your rules."
📚 Certification: AWS Certified Cloud Practitioner (CLF-C02)
🔑 What are the Key Concepts of AWS Config?
- Configuration History: Tracks changes over time, allowing users to see exactly how a resource was configured at a specific point in the past.
- AWS Config Rules: Predefined or custom rules that automatically evaluate resource configurations to check for compliance with organizational policies.
- Compliance Monitoring: Flags resources as 'compliant' or 'non-compliant' based on rules, enabling quick identification of security risks or misconfigurations.
- Resource Relationship Mapping: Visualizes how resources are connected, helping administrators understand the impact of changes across the entire AWS environment.
- Continuous Auditing: Automates the process of auditing infrastructure, replacing manual checks with real-time monitoring of configuration changes.
🎯 How does AWS Config appear on the CLF-C02 Exam?
You may be asked to identify the service that provides a detailed history of configuration changes for an EC2 instance to determine exactly when a specific security group rule was modified.
A scenario might describe a company needing to ensure all S3 buckets remain encrypted; you must select the service that automatically monitors resource states and reports any non-compliant buckets.
Expect questions where you must differentiate between a service that logs API calls to see who made a change (CloudTrail) and a service that tracks configuration states (AWS Config).
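The S3-encryption scenario above, as an added example that is not from the original page or from AWS: the evaluation logic of a custom AWS Config rule in Python, run against a constructed configuration item the way a configuration-change trigger would deliver it. The configuration-item field path for default encryption and the two sample buckets are assumptions; a deployed rule would also call the Config PutEvaluations API with the result, which is left out so the block runs offline.

```python
import json

# Constructed sample shaped like an AWS::S3::Bucket configuration item; the field
# path for default encryption is an assumption, verify it against a recorded item.
ENCRYPTED_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-encrypted-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {
        "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}},
}
UNENCRYPTED_BUCKET = {**ENCRYPTED_BUCKET, "resourceId": "example-plain-bucket",
                      "supplementaryConfiguration": {}}


def evaluate_bucket(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "bucket no longer exists"  # deleted resources are skipped
    rules = (item.get("supplementaryConfiguration", {})
                 .get("ServerSideEncryptionConfiguration", {}).get("rules", []))
    algorithms = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                  for r in rules} - {None}
    if algorithms:
        return "COMPLIANT", "default encryption: " + ", ".join(sorted(algorithms))
    return "NON_COMPLIANT", "no default server-side encryption configured"


def sample_event(item):
    """Wrap an item the way AWS Config wraps it in a rule's invokingEvent (constructed)."""
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "constructed"}


def lambda_handler(event, context=None):
    """Configuration-change trigger: a deployed rule would pass the returned dict
    to config.put_evaluations() together with event['resultToken']."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}
```

The same evaluation shape is what a managed rule reports: a NON_COMPLIANT result for the plain bucket is what would show up in the Config compliance dashboard and could be wired to a remediation action.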
❓ Frequently Asked Questions
How does AWS Config differ from AWS CloudTrail?
CloudTrail records 'who' did 'what' by logging API calls, whereas AWS Config records 'what' the resource looks like and 'how' its configuration changed over time. Think of CloudTrail as the activity log and Config as the state history.
Can AWS Config automatically fix a non-compliant resource?
Yes, by using AWS Config Rules in conjunction with AWS Systems Manager Automation documents, you can trigger automatic remediation to bring a non-compliant resource back into a compliant state without manual intervention.