
AWS Config

Ahh got it — you're asking about AWS Config, the service — not the CLI command aws configure.


📘 What is AWS Config?

AWS Config is a service that monitors, records, and evaluates the configurations of your AWS resources. It helps you track resource changes and check compliance with rules over time.


🧰 Use Cases

  • Auditing and compliance

  • Security analysis

  • Resource change tracking

  • Operational troubleshooting


🔧 How AWS Config Works

  1. Configuration Recorder: Detects and records configuration changes for the selected resource types, using an IAM role that AWS Config assumes.

  2. Delivery Channel: Delivers configuration snapshots and history files to an S3 bucket (and, optionally, change notifications to an SNS topic).

  3. Rules (optional): Evaluate recorded resources for compliance, using AWS-managed rules or custom rules (Lambda functions or Guard policies).

  4. Aggregator (optional): Collects configuration and compliance data from multiple accounts and regions into a single view.


📦 Example Setup via Console or CLI

Let's set up AWS Config with:

  • Resource recording for all resources

  • Delivery to an S3 bucket (aws-config-logs-bucket)

  • Optional SNS topic for notifications

  • One AWS-managed rule (s3-bucket-public-read-prohibited)


💻 CLI Setup Example

# 1. Create an S3 bucket for storing config logs
aws s3 mb s3://aws-config-logs-bucket

# Grant the AWS Config service write access to the bucket. Without this bucket
# policy, put-delivery-channel fails with InsufficientDeliveryPolicyException.
aws s3api put-bucket-policy --bucket aws-config-logs-bucket \
  --policy file://bucket-policy.json

# bucket-policy.json should contain (replace <ACCOUNT_ID> with your account ID):
# {
#   "Version": "2012-10-17",
#   "Statement": [
#     {
#       "Effect": "Allow",
#       "Principal": { "Service": "config.amazonaws.com" },
#       "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
#       "Resource": "arn:aws:s3:::aws-config-logs-bucket",
#       "Condition": { "StringEquals": { "AWS:SourceAccount": "<ACCOUNT_ID>" } }
#     },
#     {
#       "Effect": "Allow",
#       "Principal": { "Service": "config.amazonaws.com" },
#       "Action": "s3:PutObject",
#       "Resource": "arn:aws:s3:::aws-config-logs-bucket/AWSLogs/<ACCOUNT_ID>/Config/*",
#       "Condition": { "StringEquals": {
#         "s3:x-amz-acl": "bucket-owner-full-control",
#         "AWS:SourceAccount": "<ACCOUNT_ID>" } }
#     }
#   ]
# }

# 2. Create an IAM Role for AWS Config (skip if already done)
aws iam create-role --role-name AWSConfigRole \
  --assume-role-policy-document file://trust-policy.json

# trust-policy.json should contain:
# {
#   "Version": "2012-10-17",
#   "Statement": [{
#     "Effect": "Allow",
#     "Principal": { "Service": "config.amazonaws.com" },
#     "Action": "sts:AssumeRole"
#   }]
# }

# Attach the AWS managed policy for the Config service role (AWS_ConfigRole;
# the older AWSConfigRole managed policy is deprecated and cannot be attached to new roles)
aws iam attach-role-policy --role-name AWSConfigRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

# 3. Register the configuration recorder with the role. The delivery channel
#    cannot be created until a recorder exists. Record all supported resource types.
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::<ACCOUNT_ID>:role/AWSConfigRole \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

# 4. Set up the delivery channel
aws configservice put-delivery-channel \
  --delivery-channel-name default \
  --s3-bucket-name aws-config-logs-bucket

# 5. Start the configuration recorder (takes only the recorder name; the role
#    was set in step 3)
aws configservice start-configuration-recorder \
  --configuration-recorder-name default

# 6. (Optional) Add a managed AWS Config rule
aws configservice put-config-rule \
  --config-rule file://s3-rule.json

# s3-rule.json:
# {
#   "ConfigRuleName": "s3-bucket-public-read-prohibited",
#   "Source": {
#     "Owner": "AWS",
#     "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
#   }
# }

📊 After Setup

  • Go to AWS Config Console to view:

    • Timeline of resource changes

    • Compliance reports

    • Rule violations

  • Attach an SNS topic to the delivery channel to receive notifications on configuration and compliance changes
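The console timeline is built from the same configuration items that the delivery channel writes to S3. The following script, an added example rather than anything from AWS or the original page, rebuilds such a timeline offline from a constructed history document: it groups items per resource, orders them by capture time, diffs consecutive configurations, and lets you ask which resources changed a given attribute (here publicIpAddress). The document shape (fileVersion plus configurationItems) mirrors what Config delivers, but only the fields used here are filled in, and the resource IDs and timestamps are made up.

```python
"""Rebuild a per-resource change timeline from an AWS Config history document.

Added example (not AWS tooling). HISTORY below is constructed; it follows the
fileVersion/configurationItems layout of a delivered history file but only
includes the fields this script reads."""
import json
from itertools import groupby


def diff_configuration(old, new, prefix=""):
    """Return {dotted.key: (old_value, new_value)} for keys that differ between
    two configuration dicts, recursing into nested dicts."""
    changes = {}
    for key in sorted(set(old) | set(new)):
        a, b = old.get(key), new.get(key)
        path = f"{prefix}{key}"
        if isinstance(a, dict) and isinstance(b, dict):
            changes.update(diff_configuration(a, b, path + "."))
        elif a != b:
            changes[path] = (a, b)
    return changes


def _resource_key(ci):
    return (ci["resourceType"], ci["resourceId"])


def build_timeline(history_doc):
    """Map 'resourceType/resourceId' -> ordered list of timeline entries
    (discovered / changed / deleted). Capture times are ISO 8601 strings in a
    single format, so lexical ordering equals chronological ordering."""
    items = sorted(history_doc["configurationItems"],
                   key=lambda ci: _resource_key(ci) + (ci["configurationItemCaptureTime"],))
    timeline = {}
    for (rtype, rid), group in groupby(items, key=_resource_key):
        entries, previous = [], None
        for ci in group:
            when = ci["configurationItemCaptureTime"]
            if ci["configurationItemStatus"] == "ResourceDeleted":
                entries.append({"time": when, "event": "deleted", "changes": {}})
            elif previous is None:
                entries.append({"time": when, "event": "discovered", "changes": {}})
            else:
                changes = diff_configuration(previous.get("configuration") or {},
                                             ci.get("configuration") or {})
                if changes:  # Config also re-records items whose config is unchanged
                    entries.append({"time": when, "event": "changed", "changes": changes})
            previous = ci
        timeline[f"{rtype}/{rid}"] = entries
    return timeline


def find_changes(timeline, key_path):
    """List (resource, time, old, new) for every change to one attribute,
    e.g. key_path='publicIpAddress' to see which instances gained or lost a public IP."""
    hits = []
    for resource, entries in timeline.items():
        for entry in entries:
            if key_path in entry["changes"]:
                old, new = entry["changes"][key_path]
                hits.append((resource, entry["time"], old, new))
    return hits


# Constructed history document; items are deliberately out of order.
HISTORY = {
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
         "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-11T09:30:00.000Z",
         "configuration": {"instanceType": "t3.micro", "publicIpAddress": "203.0.113.10",
                           "state": {"name": "running"}}},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0fedcba9876543210",
         "configurationItemStatus": "ResourceDiscovered",
         "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
         "configuration": {"encrypted": False, "size": 8}},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
         "configurationItemStatus": "ResourceDeleted",
         "configurationItemCaptureTime": "2024-01-12T12:00:00.000Z", "configuration": None},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
         "configurationItemStatus": "ResourceDiscovered",
         "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
         "configuration": {"instanceType": "t3.micro", "publicIpAddress": None,
                           "state": {"name": "running"}}},
    ],
}

if __name__ == "__main__":
    tl = build_timeline(HISTORY)
    print(json.dumps(tl, indent=2))
    print(find_changes(tl, "publicIpAddress"))
```

To run this against a real delivery, download a history file from the bucket's AWSLogs/<ACCOUNT_ID>/Config/ prefix and pass the parsed JSON to build_timeline; the diff is recursive, so nested attributes such as state.name are reported with a dotted path.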


📋 AWS Config Setup – Full Guide (Console + CLI)


๐Ÿ–ฅ๏ธ 1. Console Method (Step-by-step)

✅ Prerequisites:

  • IAM permissions to create roles and use AWS Config

  • An S3 bucket (you can create it during the process)


🧭 Steps:

  1. Go to AWS Config Console

    • Navigate to AWS Console > AWS Config.

    • Click “Get started” if it’s your first time.

  2. Specify resource recording

    • Select Record all resources supported in this region (recommended).

    • Or choose specific resource types.

  3. Create or choose an S3 bucket

    • Use “Create a bucket” or select an existing bucket (e.g., aws-config-logs-bucket).

    • This is where AWS Config stores configuration snapshots and compliance results.

  4. Set up an IAM role

    • Choose “Create AWS Config service-linked role” (easiest option).

    • Or specify your custom IAM role.

  5. Set up an SNS topic (optional)

    • For receiving notifications (e.g., compliance changes).

    • You can skip this for basic setup.

  6. Enable AWS Config Rules (Optional)

    • Choose AWS managed rules, like:

      • s3-bucket-public-read-prohibited

      • ec2-instance-no-public-ip

    • Or skip for now and add rules later.

  7. Review and confirm

    • Review your settings and click “Confirm”.

๐Ÿ“ Result:

  • AWS Config starts recording resource changes.

  • Sends logs to S3.

  • Evaluates rules (if configured).


💻 2. CLI Method (Quick Recap with Example)

✅ Prerequisites:

  • AWS CLI installed & configured

  • S3 bucket (e.g., aws-config-logs-bucket)

  • IAM role (e.g., AWSConfigRole) that config.amazonaws.com can assume, with the AWS_ConfigRole managed policy attached

# Register the configuration recorder (the delivery channel requires one)
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::<ACCOUNT_ID>:role/AWSConfigRole \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

# Create a delivery channel (the bucket policy must allow config.amazonaws.com to write)
aws configservice put-delivery-channel \
  --delivery-channel-name default \
  --s3-bucket-name aws-config-logs-bucket

# Start the configuration recorder (takes only the recorder name)
aws configservice start-configuration-recorder \
  --configuration-recorder-name default

# Add a managed AWS Config rule (e.g., block public S3 buckets)
aws configservice put-config-rule \
  --config-rule file://s3-rule.json

Example s3-rule.json:

{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

🎯 Common Managed Rules Examples

Rule Name (SourceIdentifier)        Description
S3_BUCKET_PUBLIC_READ_PROHIBITED    Ensures S3 buckets aren't publicly readable
EC2_INSTANCE_NO_PUBLIC_IP           Ensures EC2 instances don't have public IPs
ENCRYPTED_VOLUMES                   Checks that attached EBS volumes are encrypted
IAM_PASSWORD_POLICY                 Validates that the account password policy meets strength requirements
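When a managed rule does not fit, the same checks can be written as a custom rule backed by a Lambda function. The handler below is an added example (it is not AWS's managed-rule code and not from the original page) that reproduces two of the checks in the table, EC2_INSTANCE_NO_PUBLIC_IP and ENCRYPTED_VOLUMES, using the custom-rule contract: Config invokes the function with invokingEvent and ruleParameters as JSON strings plus a resultToken, and the function reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE per resource through PutEvaluations. The evaluation logic is kept in pure functions so it can be tested without AWS access; the sample event and resource IDs are constructed.

```python
"""Custom AWS Config rule (Lambda) that re-implements two managed checks:
no public IP on EC2 instances, and encryption on EBS volumes.

Added example; SAMPLE_EVENT is constructed to match the shape Config sends to a
custom rule. Only lambda_handler touches AWS (via boto3)."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(item):
    """Return (compliance_type, annotation) for one configuration item.

    Deleted or unrecorded resources are reported NOT_APPLICABLE so that Config
    clears any stale evaluation instead of keeping an old NON_COMPLIANT result."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted or not recorded"
    rtype = item.get("resourceType")
    conf = item.get("configuration") or {}
    if rtype == "AWS::EC2::Instance":
        public_ip = conf.get("publicIpAddress")
        if public_ip:
            return NON_COMPLIANT, f"Instance has public IP {public_ip}"
        return COMPLIANT, "No public IP address"
    if rtype == "AWS::EC2::Volume":
        if conf.get("encrypted") is True:
            return COMPLIANT, "Volume is encrypted"
        return NON_COMPLIANT, "Volume is not encrypted"
    return NOT_APPLICABLE, f"Rule does not cover {rtype}"


def build_evaluations(event):
    """Turn a rule invocation event into the Evaluations list for PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config limits annotations to 256 characters
        # botocore accepts ISO 8601 strings for timestamp parameters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the result to AWS Config.
    boto3 is imported here so the functions above stay importable offline
    (assumption: a standard Python Lambda runtime, which bundles boto3)."""
    import boto3
    evaluations = build_evaluations(event)
    boto3.client("config").put_evaluations(
        Evaluations=evaluations, ResultToken=event["resultToken"]
    )
    return evaluations


# Constructed invocation: an instance that was given a public IP.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "configuration": {"instanceId": "i-0123456789abcdef0",
                              "publicIpAddress": "203.0.113.10"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

To deploy it, register the rule with put-config-rule using "Owner": "CUSTOM_LAMBDA" and the function's ARN as SourceIdentifier, scoped to AWS::EC2::Instance and AWS::EC2::Volume; the function's execution role needs config:PutEvaluations, and the function's resource policy must allow config.amazonaws.com to invoke it.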