AWS Config: A Configuration Manager To Save The Day
Part 1: Why AWS Config Serves as a Backbone to Your Existing AWS Architecture
What keeps CIOs in compliance-heavy industries up at night? Audits. AWS Config is helping them sleep better by giving them an easier way to confirm what the last known state of their environment was and to work back to it. We show you how it works in practice in this fictional example.
“ABC Medisoft Solutions” CIO “Ashok Kumar” used to be woken in the middle of the night by server crashes that could not be recovered from cleanly. The biggest challenge for him was not simply restoring the server, but knowing the last state in which it had been functional, with all of its security configuration, its relationships to other instances, and so on.
Earlier, when Ashok had to prepare for his annual audit meeting with his external security auditors covering the entire production environment, the word ‘hectic’ hardly described what he went through. It was simply impossible to provide precise answers to the auditors’ “history” questions about the full range of production systems he had set up in AWS. “I simply cannot find a way to deal with this,” he would vent.
For ABC Medisoft Solutions to remain relevant among the top three medical solutions companies in the market, it had to follow compliance regimes such as HIPAA. Though the company advertised such compliance on its official website, Ashok found it difficult to track, record and store, day by day, the ever-growing and never-ending stream of configuration information flowing in from every part of the environment.
If one of his lieutenants issued an erroneous AWS API call that changed the production system, Ashok had to rely on word of mouth; he had no way to cross-check what his team members claimed to have changed or how they had gone about doing it. It did not happen often, but he did find it difficult to establish the truth without betraying the confidence his team had in him.
Worst of all, Ashok was terrified to change his system or environment for fear of losing track of which configuration had delivered optimal performance.
AWS Config, which Flux7 now offers as a standard configuration in our implementation service, changed all that.
What is AWS Config?
“AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.” – Amazon Web Service, http://aws.amazon.com/config/
Basically, AWS Config is a service that records a detailed account of what happens to your AWS configuration and gives you the critical ability to go back in time and verify the state your AWS resources were in at a given point. It can be driven from the AWS Management Console, the CLI, or the Python, Ruby, .NET, PHP or Java SDKs. The configuration snapshots and history it records are delivered to an S3 bucket, so you keep a durable record of the state each resource was in at any given point in time.
So then, what is an AWS resource? Amazon defines an AWS resource as an entity it provides that you can work with, e.g. an EC2 instance, an S3 bucket, an Elastic IP, an RDS database, a VPC or even a CloudFormation stack. With AWS Config you can check, verify or track the configuration details of each supported resource, now or at a previous point in time.
The core reason AWS Config exists is to provide a backbone to your existing AWS architecture: it takes a snapshot of your configuration, records the configuration changes it observes for the resource types you care about out of the stream of change information flowing through your AWS systems, and optionally delivers all of it to an S3 bucket. This information can serve something as simple as a start-up wanting to know who changed what and when on its AWS resources (the “what” and “when” come from the configuration items themselves; the “who” comes from the CloudTrail events that Config links to each change), or something as complicated as preserving the full configuration state of all 350 production instances, their VPC, their Security Groups, and so on. AWS Config does not, at any point, record operating system state, user application state or any other state that is not controlled through the AWS API.
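As an added example that is not part of the original post or of AWS’s own tooling, the Python script below replays such a history for one security group: it walks the recorded configuration items in capture order, reports what changed between each pair (together with the CloudTrail event IDs Config attaches to the change), reconstructs the configuration that was in effect at an arbitrary past instant, and runs a simple “open to the world” check against that past state. The input is a constructed sample laid out like the JSON that `aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id <id>` returns; real items carry more fields, and the identifiers, timestamps and function names here are this example’s own.

```python
"""Replay an AWS Config resource history and report what changed, and when."""
from __future__ import annotations

import json
from datetime import datetime
from typing import Any

# Constructed sample in the shape of `aws configservice get-resource-config-history`
# output: two configuration items for one security group. IDs and times are made up.
SAMPLE_HISTORY: dict[str, Any] = {
    "configurationItems": [
        {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2015-02-01T10:00:00.000Z",
            "configurationItemStatus": "ResourceDiscovered",
            "relatedEvents": [],
            # Config delivers the resource's own configuration as a JSON string.
            "configuration": json.dumps({
                "groupId": "sg-0123456789abcdef0",
                "groupName": "web-tier",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
                ],
            }),
        },
        {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2015-02-14T03:12:45.000Z",
            "configurationItemStatus": "OK",
            # CloudTrail event IDs Config associates with this change (made-up value);
            # the CloudTrail record is where the "who" lives.
            "relatedEvents": ["8d4e2a1c-1111-2222-3333-444455556666"],
            "configuration": json.dumps({
                "groupId": "sg-0123456789abcdef0",
                "groupName": "web-tier",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
                ],
            }),
        },
    ]
}

WORLD = {"0.0.0.0/0", "::/0"}


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 capture time (accepts either a 'Z' or a '+00:00' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_configuration(item: dict[str, Any]) -> dict[str, Any]:
    """Return the resource configuration as a dict, whether delivered as a string or already parsed."""
    cfg = item.get("configuration")
    return json.loads(cfg) if isinstance(cfg, str) else (cfg or {})


def flatten(value: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into dotted paths so two configurations compare leaf by leaf."""
    out: dict[str, Any] = {}
    if isinstance(value, dict):
        for k, v in value.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = value
    return out


def diff_configs(older: dict[str, Any], newer: dict[str, Any]) -> list[tuple[str, Any, Any]]:
    """List (path, old, new) for every leaf that differs; None marks a key absent on one side."""
    a, b = flatten(older), flatten(newer)
    return [(k, a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]


def sorted_items(history: dict[str, Any]) -> list[dict[str, Any]]:
    """Configuration items in capture order, regardless of the order the API returned them."""
    return sorted(history["configurationItems"], key=lambda i: parse_time(i["configurationItemCaptureTime"]))


def replay_history(history: dict[str, Any]) -> list[dict[str, Any]]:
    """Walk the items in capture order and record what changed between each consecutive pair."""
    items = sorted_items(history)
    events = []
    for prev, cur in zip(items, items[1:]):
        changes = diff_configs(load_configuration(prev), load_configuration(cur))
        if changes:
            events.append({"captured": cur["configurationItemCaptureTime"],
                           "related_events": cur.get("relatedEvents", []),
                           "changes": changes})
    return events


def state_at(history: dict[str, Any], when: str) -> dict[str, Any] | None:
    """Configuration in effect at `when`: the last item captured at or before that instant, or None."""
    t = parse_time(when)
    current = None
    for item in sorted_items(history):
        if parse_time(item["configurationItemCaptureTime"]) <= t:
            current = load_configuration(item)
    return current


def world_open_ports(config: dict[str, Any]) -> list[tuple[str, int | None, int | None]]:
    """Ingress rules reachable from anywhere (0.0.0.0/0 or ::/0); a check to run against any past state."""
    found = []
    for rule in config.get("ipPermissions", []):
        for r in rule.get("ipRanges", []):
            cidr = r.get("cidrIp") if isinstance(r, dict) else r  # newer items use {"cidrIp": ...}
            if cidr in WORLD:
                found.append((rule["ipProtocol"], rule.get("fromPort"), rule.get("toPort")))
                break
    return found


if __name__ == "__main__":
    for event in replay_history(SAMPLE_HISTORY):
        print(f"{event['captured']} (CloudTrail events {event['related_events']}):")
        for path, old, new in event["changes"]:
            print(f"  {path}: {old!r} -> {new!r}")
    print("world-open before:", world_open_ports(state_at(SAMPLE_HISTORY, "2015-02-10T00:00:00Z")))
    print("world-open after: ", world_open_ports(state_at(SAMPLE_HISTORY, "2015-03-01T00:00:00Z")))
```

Pointed at saved output of the CLI command above instead of the sample, the script answers the audit question directly: the change (SSH ingress widened from 10.0.0.0/8 to 0.0.0.0/0) and its capture time come from the Config items, and the `relatedEvents` IDs are the handle for looking up in CloudTrail which principal made the API call.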