AWS Config Configuration
AWS Config continuously monitors and records resource configurations across an AWS account. It enables compliance auditing, configuration change tracking, and drift detection. This guide covers configuration recording, Config Rules, and integration with other security services.
Quick Start
Enable AWS Config with default settings:
# Create configuration recorder
aws configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::ACCOUNT_ID:role/config-role \
--recording-group allSupported=true,includeGlobalResourceTypes=true
# Start recording
aws configservice start-configuration-recorder --configuration-recorder-name default
AWS Config begins recording resource configurations immediately. The role in roleARN must be assumable by config.amazonaws.com, and a delivery channel (S3 bucket) must exist before the recorder can be started; start-configuration-recorder fails without one. See the AWS Config documentation for complete setup details.
Core Components
AWS Config consists of four main components:
Configuration Recorder
The configuration recorder tracks resource configurations:
resource "aws_config_configuration_recorder" "main" {
name = "config-recorder"
role_arn = aws_iam_role.config.arn
recording_group {
all_supported = true
include_global_resource_types = true
}
}
resource "aws_config_configuration_recorder_status" "main" {
name = aws_config_configuration_recorder.main.name
is_enabled = true
depends_on = [aws_config_delivery_channel.main]
}
Recording Options
| Option | Description | Recommendation |
|---|---|---|
| all_supported | Record all supported resource types, including types AWS adds later | Enable for compliance |
| include_global_resource_types | Also record global resources (IAM users, groups, roles, policies) in this region | Enable in one region only |
| resource_types | Explicit list of resource types to record (requires all_supported = false) | Use for cost optimization |
Enable include_global_resource_types in one region only (typically the primary region). Enabling it in several regions records each IAM resource once per region, producing duplicate configuration items and increased cost.
Delivery Channel
The delivery channel specifies where configuration data is stored:
resource "aws_config_delivery_channel" "main" {
name = "config-delivery"
s3_bucket_name = aws_s3_bucket.config_logs.id
sns_topic_arn = aws_sns_topic.config_notifications.arn
snapshot_delivery_properties {
delivery_frequency = "Six_Hours"
}
depends_on = [aws_config_configuration_recorder.main]
}
Delivery Channel Requirements
- The S3 bucket must exist before the channel is created. Its bucket policy must let the service principal config.amazonaws.com call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/ACCOUNT_ID/Config/, and the recorder role needs matching s3:PutObject permission for that prefix.
- The SNS topic is optional. If set, Config publishes a notification for every configuration change, snapshot and history delivery, so subscribe a queue or a processing function rather than a mailbox, and allow sns:Publish from the recorder role.
- Only one delivery channel is allowed per account per region, and the recorder cannot be started until it exists.
- Treat the bucket as sensitive: configuration items contain full resource configurations (security group rules, IAM policy documents, endpoint names). Block public access and limit read access to the audit tooling that needs it.
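The bucket policy and recorder role these requirements describe, as an added example that is not part of the original page: it defines the aws_s3_bucket.config_logs and aws_iam_role.config resources that the recorder and delivery channel blocks above reference. The bucket name is assumed, and the AWS:SourceAccount conditions are added hardening rather than something AWS requires.

```hcl
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "config_logs" {
  bucket = "config-logs-${data.aws_caller_identity.current.account_id}" # assumed naming
}

# Configuration items describe every recorded resource (security group rules,
# IAM policy documents, endpoints); this bucket must never be public.
resource "aws_s3_bucket_public_access_block" "config_logs" {
  bucket                  = aws_s3_bucket.config_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Config checks the bucket ACL first, then writes under AWSLogs/<account>/Config/.
# AWS:SourceAccount stops another account's Config service from being pointed at
# this bucket (confused deputy); the x-amz-acl condition keeps the objects owned here.
data "aws_iam_policy_document" "config_logs" {
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
    resources = [aws_s3_bucket.config_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
  statement {
    sid       = "AWSConfigBucketDelivery"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.config_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "config_logs" {
  bucket = aws_s3_bucket.config_logs.id
  policy = data.aws_iam_policy_document.config_logs.json
}

# Role the recorder assumes. AWS_ConfigRole carries the read-only Describe/List
# permissions for every supported resource type; the inline policy adds the
# bucket write access the delivery channel needs.
resource "aws_iam_role" "config" {
  name = "config-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "config.amazonaws.com" }
      Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_iam_role_policy" "config_delivery" {
  name = "config-delivery"
  role = aws_iam_role.config.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "s3:GetBucketAcl", Resource = aws_s3_bucket.config_logs.arn },
      {
        Effect    = "Allow"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.config_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}
```

If the delivery channel also uses an SNS topic, add sns:Publish on that topic to the inline policy. Applying the bucket policy before the delivery channel is what lets Config's bucket permission check pass; the Terraform depends_on chain on the page (recorder, then channel, then recorder status) already orders the rest.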
Snapshot Delivery Frequency
| Frequency | Use Case |
|---|---|
| One_Hour | High-change environments requiring frequent snapshots |
| Three_Hours | Moderate-change environments |
| Six_Hours | Standard environments (recommended default) |
| Twelve_Hours | Stable environments with minimal changes |
| TwentyFour_Hours | Cost-optimized for low-change environments |
Config Rules
Config Rules evaluate resource configurations against desired state:
resource "aws_config_config_rule" "s3_bucket_public_read_prohibited" {
name = "s3-bucket-public-read-prohibited"
source {
owner = "AWS"
source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
depends_on = [aws_config_configuration_recorder.main]
}
Rule Types
- AWS managed rules: predefined checks maintained by AWS, referenced by source owner AWS and a source identifier as above. Most accept input parameters.
- Custom Lambda rules: source owner CUSTOM_LAMBDA pointing at a Lambda function that evaluates the configuration item and reports results with config:PutEvaluations. The function's resource policy must allow config.amazonaws.com to invoke it, or the rule never produces results.
- Custom policy rules: source owner CUSTOM_POLICY with an inline CloudFormation Guard policy that Config evaluates itself, with no Lambda function to operate.
Rules run when a resource in scope changes (change-triggered), on a schedule (periodic), or both.
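A complete custom Lambda rule of the kind listed above, as an added example that is not code from the original page or from AWS: it marks any IAM role NON_COMPLIANT whose trust policy lets an AWS principal outside an allow-list of account IDs assume it. The function name, rule name, the allowedAccounts parameter and the account IDs are assumptions, as is the hashicorp/archive provider used to package the handler; the handler decodes the URL-encoded assumeRolePolicyDocument that Config places in the configuration item.

```hcl
data "aws_caller_identity" "rule" {}

data "archive_file" "trust_policy_check" {
  type        = "zip"
  output_path = "${path.module}/trust_policy_check.zip"
  source {
    filename = "index.py"
    content  = <<-EOT
      import json, urllib.parse, boto3

      def evaluate(configuration, allowed_accounts):
          # Config stores the trust policy URL-encoded in the configuration item.
          doc = configuration.get("assumeRolePolicyDocument") or "{}"
          doc = json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc
          statements = doc.get("Statement", [])
          for st in [statements] if isinstance(statements, dict) else statements:
              if st.get("Effect") != "Allow":
                  continue
              principal = st.get("Principal", {})
              if principal == "*":
                  return "NON_COMPLIANT"
              aws = principal.get("AWS", []) if isinstance(principal, dict) else []
              for arn in [aws] if isinstance(aws, str) else aws:
                  # arn:aws:iam::123456789012:root -> 123456789012; bare IDs and "*" pass through
                  account = arn.split(":")[4] if arn.count(":") >= 5 else arn
                  if account == "*" or account not in allowed_accounts:
                      return "NON_COMPLIANT"
          return "COMPLIANT"

      def lambda_handler(event, context):
          invoking = json.loads(event["invokingEvent"])
          params = json.loads(event.get("ruleParameters", "{}"))
          allowed = {a.strip() for a in params.get("allowedAccounts", "").split(",") if a.strip()}
          item = invoking.get("configurationItem")
          if item is None:  # oversized-item notifications carry only a summary
              return
          deleted = item["configurationItemStatus"] in ("ResourceDeleted", "ResourceNotRecorded")
          compliance = "NOT_APPLICABLE" if deleted else evaluate(item["configuration"], allowed)
          boto3.client("config").put_evaluations(
              Evaluations=[{
                  "ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance,
                  "OrderingTimestamp": item["configurationItemCaptureTime"],
              }],
              ResultToken=event["resultToken"],
          )
    EOT
  }
}

resource "aws_iam_role" "trust_policy_check" {
  name = "config-trust-policy-check"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "trust_policy_check" {
  role = aws_iam_role.trust_policy_check.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "config:PutEvaluations", Resource = "*" },
      { Effect = "Allow", Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], Resource = "arn:aws:logs:*:*:*" }
    ]
  })
}

resource "aws_lambda_function" "trust_policy_check" {
  function_name    = "config-trust-policy-check"
  role             = aws_iam_role.trust_policy_check.arn
  runtime          = "python3.12"
  handler          = "index.lambda_handler"
  filename         = data.archive_file.trust_policy_check.output_path
  source_code_hash = data.archive_file.trust_policy_check.output_base64sha256
}

# Config invokes the function as config.amazonaws.com; source_account keeps
# another account's Config service from driving it with its own events.
resource "aws_lambda_permission" "trust_policy_check" {
  statement_id   = "AllowConfigInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.trust_policy_check.function_name
  principal      = "config.amazonaws.com"
  source_account = data.aws_caller_identity.rule.account_id
}

resource "aws_config_config_rule" "trust_policy_check" {
  name = "iam-role-trust-policy-allowed-accounts"
  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = aws_lambda_function.trust_policy_check.arn
    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }
  }
  scope { compliance_resource_types = ["AWS::IAM::Role"] }
  input_parameters = jsonencode({ allowedAccounts = "111111111111,222222222222" }) # assumed IDs
  depends_on       = [aws_config_configuration_recorder.main, aws_lambda_permission.trust_policy_check]
}
```

The scope block matters for both cost and correctness: without it Config invokes the function for every recorded change of every type. Service and Federated principals are deliberately ignored here; extend evaluate if your policy also restricts those.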
Common Managed Rules
| Rule | Description |
|---|---|
| S3_BUCKET_PUBLIC_READ_PROHIBITED | S3 buckets do not allow public read access |
| ENCRYPTED_VOLUMES | Attached EBS volumes are encrypted |
| ROOT_ACCOUNT_MFA_ENABLED | Root account has MFA enabled |
| IAM_PASSWORD_POLICY | IAM password policy meets the requirements passed as rule parameters |
| VPC_FLOW_LOGS_ENABLED | VPC flow logs are enabled for every VPC |
| CLOUDTRAIL_ENABLED | At least one CloudTrail trail is enabled (use MULTI_REGION_CLOUD_TRAIL_ENABLED to require a multi-region trail) |
Conformance Packs
Conformance packs bundle Config Rules and optional remediation actions into a single CloudFormation-style template that is deployed, updated and reported on as one unit. AWS publishes sample templates for common frameworks; the rule counts below are approximate and change between template versions:
| Conformance Pack | Rules | Use Case |
|---|---|---|
| CIS AWS Foundations Benchmark | ~50 | Industry-standard security baseline |
| AWS Operational Best Practices | ~100 | General AWS best practices |
| PCI DSS | ~120 | Payment card compliance |
| HIPAA | ~80 | Healthcare data compliance |
| NIST 800-53 | ~150 | Federal security requirements |
Multi-Account Setup
For AWS Organizations, use an aggregator to collect configuration data across accounts:
# Create organization aggregator
aws configservice put-configuration-aggregator \
--configuration-aggregator-name org-aggregator \
--organization-aggregation-source RoleArn=arn:aws:iam::ACCOUNT_ID:role/config-aggregator-role,AllAwsRegions=true
Aggregator Architecture
- Aggregator Account: the central account that owns the aggregator. An organization aggregator can only be created in the management account or in an account registered as the delegated administrator for config.amazonaws.com. The role in RoleArn must be assumable by config.amazonaws.com and carry the AWSConfigRoleForOrganizations managed policy so the service can list the organization's accounts.
- Source Accounts: member accounts with a running configuration recorder. The aggregator only collects what each account already records; it does not enable Config in them.
- Cross-Region: a single aggregator collects from all regions (AllAwsRegions=true) or from a listed set and provides a read-only view; rules and remediation still run in the source accounts.
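The aggregator and a matching organization conformance pack in Terraform, as an added example that is not part of the original page: resource names, the excluded account and the parameter value are assumed, and the configuration is meant to be applied from the management account or the delegated administrator.

```hcl
resource "aws_iam_role" "config_aggregator" {
  name = "config-aggregator-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "config.amazonaws.com" } }]
  })
}

# Lets the Config service enumerate the organization's accounts for the aggregator.
resource "aws_iam_role_policy_attachment" "config_aggregator" {
  role       = aws_iam_role.config_aggregator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "org" {
  name = "org-aggregator"
  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.config_aggregator.arn
  }
  depends_on = [aws_iam_role_policy_attachment.config_aggregator]
}

# One template deployed to every member account except the excluded ones.
# The rules come from the managed-rule table earlier on the page; member
# accounts still need a running recorder for them to produce results.
resource "aws_config_organization_conformance_pack" "baseline" {
  name              = "org-security-baseline"
  excluded_accounts = ["333333333333"] # assumed: a sandbox account exempt from the baseline
  template_body     = <<-EOT
    Parameters:
      MaxPasswordAge:
        Type: String
        Default: "90"
    Resources:
      RootAccountMfaEnabled:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: root-account-mfa-enabled
          Source:
            Owner: AWS
            SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
      IamPasswordPolicy:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: iam-password-policy
          InputParameters:
            MaxPasswordAge:
              Ref: MaxPasswordAge
          Source:
            Owner: AWS
            SourceIdentifier: IAM_PASSWORD_POLICY
      S3BucketPublicReadProhibited:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: s3-bucket-public-read-prohibited
          Source:
            Owner: AWS
            SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  EOT
}
```

Both resources need trusted access enabled in AWS Organizations: config.amazonaws.com for the aggregator and config-multiaccountsetup.amazonaws.com for organization conformance packs and rules. Once data arrives, aws configservice describe-aggregate-compliance-by-config-rules --configuration-aggregator-name org-aggregator returns the per-account, per-region compliance summary.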
Cost Considerations
AWS Config pricing is charged per region and tiered by monthly volume, and rates differ between regions; the figures in this table are the lowest-tier list prices, so check the AWS Config pricing page before estimating a bill:
| Component | Pricing | Notes |
|---|---|---|
| Configuration items recorded | $0.003 per item | Each recorded change to a resource creates an item; high-churn resource types dominate this line |
| Config Rule evaluations | $0.001 per evaluation (first tier) | Per rule per resource per region; a periodic rule re-evaluates every resource in scope on each run |
| Conformance pack evaluations | Separate per-evaluation rate | Rules deployed inside a conformance pack are billed at the conformance pack rate, not the standalone rule rate |
Cost Optimization
- Record global resource types (IAM) in one region only; every additional region records the same IAM resources again.
- Exclude high-churn resource types with little compliance value (for example network interfaces created and destroyed by Lambda and ECS tasks), or record them daily instead of continuously, so routine churn does not generate configuration items.
- Prefer change-triggered rules over periodic ones where the check depends only on the resource's own configuration; a periodic rule re-evaluates every in-scope resource on every run.
- Scope rules to the resource types they apply to; an unscoped change-triggered custom rule is invoked for every recorded change.
- Lower the snapshot delivery frequency in stable environments; snapshots do not create billable configuration items, but they add S3 storage and requests.
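A recorder for a secondary region that applies these cost points, as an added example that is not taken from the original page. It assumes the hashicorp/aws provider at 5.30 or later (recording_strategy and recording_mode) and a provider alias for that region; the excluded and overridden resource types are illustrative choices, and aws_iam_role.config is the recorder role from the page's own configuration.

```hcl
# Applied once per non-primary region, e.g. with provider = aws.secondary.
resource "aws_config_configuration_recorder" "secondary" {
  name     = "config-recorder"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported = false
    recording_strategy {
      use_only = "EXCLUSION_BY_RESOURCE_TYPES"
    }
    # Everything supported is recorded except the listed types, so newly
    # supported types are picked up automatically without a config change.
    exclusion_by_resource_types {
      resource_types = [
        # Global IAM types are already recorded in the primary region.
        "AWS::IAM::User",
        "AWS::IAM::Group",
        "AWS::IAM::Role",
        "AWS::IAM::Policy",
        # Created and destroyed with every Lambda and ECS task; each change is a billable item.
        "AWS::EC2::NetworkInterface",
      ]
    }
  }

  recording_mode {
    recording_frequency = "CONTINUOUS"
    # Keep one record per day for Auto Scaling groups instead of one per scale event.
    recording_mode_override {
      description         = "daily for autoscaling churn"
      recording_frequency = "DAILY"
      resource_types      = ["AWS::AutoScaling::AutoScalingGroup"]
    }
  }
}
```

Before excluding a type, check which rules in your conformance packs target it: a rule whose resource type is not recorded silently reports no results rather than failing. Daily recording still records the final state of the day, so point-in-time drift during the day is lost for the overridden types.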
Integration Points
AWS Config integrates with other security services for comprehensive compliance monitoring:
- Security Hub: its security standards (for example AWS Foundational Security Best Practices and the CIS controls) are implemented as Config rules, so Config recording must be enabled in every region where Security Hub runs, and rule results appear as Security Hub findings.
- CloudTrail: Config records what a resource's configuration became, CloudTrail records which principal made the API call that changed it; the resource timeline in the Config console links the two, so keep both enabled.
- EventBridge: Config emits events for configuration changes and for rule compliance changes (detail-type "Config Rules Compliance Change"), which is the hook for alerting and automated remediation.
- Systems Manager Automation: a remediation action attached to a rule runs an Automation document against each non-compliant resource, manually or automatically.
- SNS: the delivery channel's topic receives a notification for every configuration change, snapshot and history delivery.
Next Steps
- Enable CloudTrail for API activity context
- Configure Security Hub standards that use Config Rules
- Set up EventBridge rules for compliance change notifications
- Enable conformance packs aligned with compliance requirements
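The EventBridge rule from the list above, wired to an SNS topic, as an added example that is not part of the original page; the resource names and the message format are assumed. The topic policy is scoped to this one rule so that nothing else can publish into the alert channel.

```hcl
resource "aws_sns_topic" "config_noncompliance" {
  name = "config-noncompliance"
}

# EventBridge publishes as events.amazonaws.com; aws:SourceArn limits it to
# this rule so no other rule or principal can post to the topic.
data "aws_iam_policy_document" "config_noncompliance" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.config_noncompliance.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.config_noncompliance.arn]
    }
  }
}

resource "aws_sns_topic_policy" "config_noncompliance" {
  arn    = aws_sns_topic.config_noncompliance.arn
  policy = data.aws_iam_policy_document.config_noncompliance.json
}

# Fire only on transitions to NON_COMPLIANT; COMPLIANT results and
# NOT_APPLICABLE evaluations are filtered out at the bus, not in a consumer.
resource "aws_cloudwatch_event_rule" "config_noncompliance" {
  name        = "config-rule-noncompliant"
  description = "Config rule evaluation changed to NON_COMPLIANT"
  event_pattern = jsonencode({
    source        = ["aws.config"]
    "detail-type" = ["Config Rules Compliance Change"]
    detail = {
      messageType         = ["ComplianceChangeNotification"]
      newEvaluationResult = { complianceType = ["NON_COMPLIANT"] }
    }
  })
}

resource "aws_cloudwatch_event_target" "config_noncompliance" {
  rule = aws_cloudwatch_event_rule.config_noncompliance.name
  arn  = aws_sns_topic.config_noncompliance.arn
  # Flatten the event into a one-line message for email or chat subscribers.
  input_transformer {
    input_paths = {
      rule    = "$.detail.configRuleName"
      type    = "$.detail.resourceType"
      id      = "$.detail.resourceId"
      account = "$.account"
      region  = "$.region"
    }
    input_template = "\"<rule> NON_COMPLIANT: <type> <id> in <account>/<region>\""
  }
}
```

In a multi-account setup this rule lives in each member account, since compliance-change events are emitted where the rule runs; forward them to a central bus with an aws_cloudwatch_event_target whose arn is the central event bus, or subscribe the topic to the aggregator account's queue.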