How do AWS configuration management tools work?
When running AWS in our enterprise, it has been a challenge to keep tabs on active resources. Which native tools define and maintain configuration scripts?
AWS configuration management is a two-phase process: first, define and maintain the configuration scripts; second, ensure that the deployed resources are configured as expected. AWS offers a native tool for each phase.
CloudFormation addresses the first phase of AWS configuration management by providing a way to specify resources, configuration parameters and dependencies for deploying applications. AWS Config monitors the state of deployed resources to ensure they are configured as expected. This AWS configuration management service is useful for maintaining compliance in the public cloud. And while it doesn't prevent misconfigurations from being implemented, it can detect such events and record details.
AWS Config performs a few key functions. It provides a repository of information about the state of deployed resources, and it monitors those resources for changes, recording each configuration change in the repository. Cloud administrators can use the repository to get a quick view of the state of cloud resources and to receive alerts when configurations change. Configuration data is stored in Amazon Simple Storage Service (S3); admins can access it through the AWS Management Console, APIs or SDKs.
AWS Config currently supports a subset of AWS services, including: Elastic Compute Cloud instances, virtual private clouds, Elastic Block Store, CloudTrail and Identity and Access Management.
Through AWS Config snapshots, system administrators can capture point-in-time descriptions of the state of cloud resources. Snapshots are created using the command-line interface or an API; snapshot data is stored in JSON format in an S3 bucket.
AWS Config also supports rules for evaluating the state of configurations; when a resource fails a rule, Config flags it as noncompliant in the console.
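The snapshot-and-rules workflow described above can be exercised offline. The following is an added example, not code from the original article or from AWS: it parses a constructed snapshot file modelled on the shape of AWS Config's JSON output (a `configurationItems` array; the exact field set is an assumption), evaluates two hypothetical rules against the items the way a Config rule yields one verdict per in-scope resource, and diffs two snapshots to surface changed resources. No AWS credentials, S3 access or SDK are required.

```python
"""Evaluate a constructed AWS Config snapshot against simple compliance rules.

Added example, not from the original article. The snapshot below is a
constructed sample modelled on the shape of an AWS Config configuration item
(resourceType, resourceId, configuration, ...); the field set is an assumption
and the rule names are hypothetical. Runs offline with the standard library.
"""
import json
from typing import Callable

# Constructed sample of a snapshot's "configurationItems" array; only the
# fields the rules below need are filled in.
SNAPSHOT_JSON = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa111",
         "awsRegion": "us-east-1", "configurationItemStatus": "OK",
         "configuration": {"encrypted": False, "size": 8}},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb222",
         "awsRegion": "us-east-1", "configurationItemStatus": "OK",
         "configuration": {"encrypted": True, "size": 100}},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ccc333",
         "awsRegion": "us-east-1", "configurationItemStatus": "OK",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ddd444",
         "awsRegion": "us-east-1", "configurationItemStatus": "OK",
         "configuration": {"groupName": "db", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
              "ipRanges": [{"cidrIp": "10.0.0.0/16"}]}]}},
    ],
})

Rule = Callable[[dict], bool]  # returns True when the item is compliant


def ebs_volume_encrypted(item: dict) -> bool:
    """Hypothetical rule: every EBS volume must be encrypted at rest."""
    return bool(item["configuration"].get("encrypted"))


def no_ssh_from_anywhere(item: dict) -> bool:
    """Hypothetical rule: no security group may expose TCP/22 to 0.0.0.0/0."""
    for perm in item["configuration"].get("ipPermissions", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):  # "-1" = all traffic
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        open_to_world = any(r.get("cidrIp") == "0.0.0.0/0"
                            for r in perm.get("ipRanges", []))
        if lo <= 22 <= hi and open_to_world:
            return False
    return True


# Rule table: rule name -> (resource type it applies to, check function).
RULES: dict[str, tuple[str, Rule]] = {
    "ebs-volume-encrypted": ("AWS::EC2::Volume", ebs_volume_encrypted),
    "no-ssh-from-anywhere": ("AWS::EC2::SecurityGroup", no_ssh_from_anywhere),
}


def load_snapshot(snapshot_json: str) -> list[dict]:
    """Parse a snapshot file and return its configuration items."""
    return json.loads(snapshot_json)["configurationItems"]


def evaluate(items: list[dict], rules=RULES) -> tuple[dict[str, list[str]], int]:
    """Return ({rule_name: [NON_COMPLIANT resourceIds]}, evaluation_count).

    One evaluation is performed per (rule, in-scope resource) pair, which is
    also the unit the article says Config bills beyond the monthly allowance.
    """
    findings: dict[str, list[str]] = {name: [] for name in rules}
    evaluations = 0
    for item in items:
        for name, (rtype, check) in rules.items():
            if item["resourceType"] != rtype:
                continue
            evaluations += 1
            if not check(item):
                findings[name].append(item["resourceId"])
    return findings, evaluations


def changed_resources(before: list[dict], after: list[dict]) -> list[str]:
    """Return resourceIds whose configuration differs between two snapshots
    (added, removed or modified), keyed on (resourceType, resourceId)."""
    key = lambda it: (it["resourceType"], it["resourceId"])
    old = {key(it): it["configuration"] for it in before}
    new = {key(it): it["configuration"] for it in after}
    changed = [k for k in old.keys() | new.keys() if old.get(k) != new.get(k)]
    return sorted(rid for _, rid in changed)


if __name__ == "__main__":
    items = load_snapshot(SNAPSHOT_JSON)
    print(json.dumps(evaluate(items)[0], indent=2))
```

The rule functions deliberately take the whole configuration item rather than just `configuration`, so a rule can also consider region, tags or status; and `evaluate` counts evaluations separately from findings so the volume of rule executions (which the pricing paragraph below is based on) can be estimated before a rule is enabled for real.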
Billing for AWS Config is based on the number of resources it is monitoring and the number of configuration rules that are in place. Amazon charges a one-time fee of $0.003 per configuration item recorded. There is also a charge of $2.00 per rule per month for active Config rules, which includes up to 20,000 evaluations of the rule per month. After that, Amazon charges $0.10 per 1,000 evaluations during the month.