Config

AWS Config — A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

Overview

AWS Config continuously monitors and records your AWS resource configurations, allowing you to audit changes, evaluate compliance against rules, and maintain an inventory of your resources.

Key Insight: Config is like a “configuration camera” — it takes snapshots of your resource state over time, showing you exactly what changed, when it changed, and who changed it.

Core Config Concepts

Concept	Description	Key Point
Configuration Item	Record of a resource’s state at a point in time	JSON with all attributes
Configuration Recorder	Captures resource configurations	Can be continuous or on-demand
Rule	Evaluates configurations against desired state	Managed or custom rules
Conformance Pack	Collection of rules and remediation actions	Simplifies compliance
Aggregator	Multi-account/multi-region aggregation	Centralized view
Snapshot	Point-in-time configuration	Historical tracking

How Config Works

AWS Resource (e.g., EC2 instance created)
        │
        ▼
┌─────────────────────────────────────┐
│     AWS Config Service              │
│                                     │
│  1. Configuration Recorder captures │
│     resource configuration          │
│                                     │
│  2. Rule evaluates compliance       │
│                                     │
│  3. Stores as Configuration Item    │
└─────────────────────────────────────┘
        │
        ├──────────────┬──────────────┐
        ▼              ▼              ▼
   S3 Storage   CloudWatch   Config Console
   (history)     (metrics)    (compliance)

Key Features

Feature	Description
Configuration History	Timeline of configuration changes
Configuration Snapshot	Point-in-time state of all resources
Resource Relationships	Maps how resources connect to each other
Compliance Evaluation	Check resources against rules
Remediation Actions	Auto-fix non-compliant resources
Multi-Account Aggregation	Centralized view of all accounts
Advanced Queries	SQL-like queries on configurations

Config Rules

Managed Rules

AWS provides pre-built rules for common compliance scenarios.

Rule Name	Description	Resource Type
`s3-bucket-server-side-encryption-enabled`	Checks S3 bucket encryption	S3 Bucket
`ec2-instance-profile-attached`	Checks EC2 has IAM role	EC2 Instance
`rds-storage-encrypted`	Checks RDS encryption	RDS DB Instance
`vpc-flow-logs-enabled`	Checks VPC has flow logs	VPC
`iam-password-policy`	Checks IAM password policy	Account

Custom Rules

Write your own rules using AWS Lambda.

# Example: Ensure EC2 instance type is t3.micro
def evaluate_compliance(configuration_item):
    instance_type = configuration_item['configuration']['instanceType']
    if instance_type == 't3.micro':
        return 'COMPLIANT'
    else:
        return 'NON_COMPLIANT'

Use Cases

Use Case	Description
Compliance Auditing	Prove configurations meet standards (PCI DSS, HIPAA)
Change Management	Track who changed what and when
Security	Detect security misconfigurations (unencrypted S3, open security groups)
Resource Inventory	Know what resources exist in your account
Operational Troubleshooting	See configuration history for debugging
Cost Optimization	Find resources not compliant with cost policies

Pricing

Component	Price	Free Tier
Configuration Items	$0.003 per recording	7,500 free (first 30 days, new users)
Active Rules	Varies by rule type	Included in free tier
Advanced Queries	Per query	Not in free tier
Aggregation	Per account aggregated	N/A

⚠️ Pricing Disclaimer: AWS pricing is subject to change. Always verify current pricing at the official AWS Config pricing page.

Config vs CloudTrail

Aspect	AWS Config	CloudTrail
Focus	Resource state	API calls
Data	Current + historical configurations	Audit logs of actions
Query	SQL-like (advanced queries)	Log analysis (CloudTrail Logs)
Use Case	What’s configured now vs before	Who did what when

Use Both Together: CloudTrail shows you the API call; Config shows you the result of that call.

TL;DR

AWS Config = Continuous monitoring and recording of AWS resource configurations
Configuration Item = Snapshot of a resource’s state at a point in time
Rules = Evaluate resources against desired state (managed or custom)
Compliance = Check resources meet standards (security, cost, operational)
Pricing = $0.003 per configuration item (limited free tier for new users)
Use Cases = Compliance auditing, change management, security, inventory
Complementary to CloudTrail (Config = state; CloudTrail = actions)

Resources

AWS Config Documentation Complete Config user guide.

Config Rules Developing custom rules with Lambda.

Config Pricing Detailed pricing breakdown.

Lalit's Cloud & DevOps notes