📖 What is AWS Config?
AWS Config continuously monitors and records the configuration of your AWS resources. It provides a detailed history of resource changes, allowing you to assess, audit, and evaluate configurations against desired standards. This supports governance and compliance requirements.
"AWS Config Rules automate compliance checks. Understand the difference between mandatory and optional rules. Config Rules can trigger remediation actions via Systems Manager Automation. Exam questions often involve identifying non-compliant resources and using Config Rules to enforce policies."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of AWS Config?
- AWS Config Rules evaluate resource configurations against desired settings, flagging non-compliance and enabling automated remediation.
- Config stores resource configuration history as a timeline, allowing you to track changes and identify the root cause of issues.
- It integrates with other AWS services like Systems Manager Automation for automated corrective actions when non-compliance is detected.
- Config supports both AWS managed and custom rules, offering flexibility to enforce organization-specific policies and standards.
- Understanding Config's role in continuous compliance monitoring is crucial for security and governance in AWS environments.
🎯 How does AWS Config appear on the SAA-C03 Exam?
You may be asked to identify the AWS service best suited for tracking changes to security group rules over time and alerting on unauthorized modifications.
A scenario might describe a company needing to ensure all S3 buckets are encrypted at rest – determine how Config Rules can automatically verify this.
Expect questions about using Config to audit resource configurations against a specific compliance framework like PCI DSS or HIPAA.
❓ Frequently Asked Questions
Can AWS Config detect changes made *before* it was enabled?
No, Config only records changes from the moment it's enabled. Historical data is not retroactively collected. Plan your implementation accordingly to capture future changes.
What's the difference between AWS Config and AWS CloudTrail?
CloudTrail logs API calls, providing an audit trail of *who* did *what*. Config tracks *what* the configuration of your resources *is*, focusing on state and compliance.
How can I automatically fix non-compliant resources identified by Config Rules?
You can integrate Config Rules with AWS Systems Manager Automation to trigger remediation documents that automatically correct the configuration drift and bring resources back into compliance.
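As an added example (not code from the original page or from AWS), here is the shape of a custom Config rule backed by a Lambda function, applied to the S3 encryption-at-rest scenario above: it evaluates the configuration item Config hands the function and reports COMPLIANT or NON_COMPLIANT, which is the signal a remediation action keys off. The sample event is constructed, and the layout of `supplementaryConfiguration.ServerSideEncryptionConfiguration` and the `aws:kms:dsse` algorithm value are assumptions about the AWS::S3::Bucket configuration item.

```python
import json
# Custom AWS Config rule handler: does this S3 bucket encrypt at rest by default?
DEFAULT_ENCRYPTION_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}  # assumed sseAlgorithm values

def bucket_encryption_compliance(item):
    """Return (ComplianceType, annotation); pure, so it can be exercised offline."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Bucket no longer exists"
    # Assumption: default-encryption settings arrive as a JSON string under supplementaryConfiguration.
    raw = (item.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration")
    if not raw:
        return "NON_COMPLIANT", "No default server-side encryption configured"
    try:
        sse = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return "NON_COMPLIANT", "Unparseable ServerSideEncryptionConfiguration"
    algorithms = {
        (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
        for rule in sse.get("rules", [])
    } & DEFAULT_ENCRYPTION_ALGORITHMS
    if algorithms:
        return "COMPLIANT", "Default encryption: " + ", ".join(sorted(algorithms))
    return "NON_COMPLIANT", "No recognised default encryption algorithm"

def build_evaluation(event):
    """Turn a Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = bucket_encryption_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3  # deferred so the evaluation logic above runs without AWS credentials
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event with placeholder values (not captured from a real account).
SAMPLE_EVENT = {"resultToken": "placeholder-result-token", "invokingEvent": json.dumps(
    {"configurationItem": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
                           "configurationItemStatus": "OK", "supplementaryConfiguration": {},
                           "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}})}
```

With `build_evaluation(SAMPLE_EVENT)` the unencrypted sample bucket is reported NON_COMPLIANT; a change-triggered rule wired to an SSM Automation remediation would then act on that finding.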