AWS Config
Definition
An AWS service that continuously records and evaluates the configuration of AWS resources. Think of it as an audit system that tracks every change to your cloud infrastructure.
Use Cases
- Expedia Group: Continuous compliance monitoring across many AWS accounts to reduce security risk from configuration drift. — Enabled AWS Config across accounts, aggregated configuration and compliance data centrally using AWS Config aggregators, and evaluated resources with managed rules (for example, checks around public access and encryption). Integrated findings into internal security workflows for remediation. (Improved visibility into configuration changes and compliance status across accounts, faster detection of misconfigurations, and more consistent governance at scale.)
- Capital One: Auditing and tracking configuration changes to support security controls and compliance requirements in AWS. — Used AWS Config to record configuration history and evaluate resources with rules, then used the recorded timeline of changes to support investigations and compliance evidence collection alongside other security tooling. (Stronger auditability of infrastructure changes, quicker root-cause analysis during incidents, and easier production of compliance evidence due to recorded configuration history.)
Provider Equivalents
- AWS: AWS Config
- Azure: Azure Policy
- GCP: Organization Policy Service
- OCI: OCI Cloud Guard
Frequently Asked Questions
- What's the difference between AWS Config and AWS CloudTrail?
- AWS Config tracks the state of your resources over time (what a resource’s configuration looked like and how it changed). AWS CloudTrail records API activity (who/what made a call, from where, and when). In practice, Config answers “what changed on the resource,” while CloudTrail helps answer “who changed it and via which API call.” They are often used together for auditing and investigations.
- When should I use AWS Config?
- Use AWS Config when you need continuous visibility into resource configuration changes, compliance checks against rules (for example, “S3 buckets must not be public” or “EBS volumes must be encrypted”), and an audit-friendly history of how infrastructure changed over time. It’s especially useful in multi-account environments, regulated workloads, and anywhere configuration drift can create security or reliability issues.
- How much does AWS Config cost?
- AWS Config pricing is primarily based on what you record and evaluate. Common cost drivers include: (1) configuration items recorded for supported resource types (more resources and more frequent changes increase cost), (2) rule evaluations (managed or custom rules evaluated per resource), and (3) optional conformance packs and aggregators (which can add evaluation and data processing costs). You’ll also typically pay for related services you integrate with, such as Amazon S3 for storing configuration snapshots and Amazon SNS for notifications. For exact rates, use the AWS Config pricing page and estimate based on number of resources, change frequency, and number of rules.
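As an added example (not taken from this page or from AWS), the skeleton of a custom AWS Config rule Lambda in Python implementing the two checks quoted above, "EBS volumes must be encrypted" and "S3 buckets must not be public". The function names are hypothetical, the sample event and volume id are constructed, and the assumption that Config exposes a bucket's Block Public Access settings under supplementaryConfiguration.PublicAccessBlockConfiguration is flagged in the code.

```python
import json

# Compliance values accepted by the AWS Config PutEvaluations API.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
REQUIRED_PAB = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_compliance(ci):
    """Return (complianceType, annotation) for one Config configuration item."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"
    rtype, conf = ci.get("resourceType"), ci.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":  # "EBS volumes must be encrypted"
        if conf.get("encrypted") is True:
            return COMPLIANT, "volume is encrypted"
        return NON_COMPLIANT, "EBS volume is not encrypted"
    if rtype == "AWS::S3::Bucket":  # "S3 buckets must not be public"
        # Assumption: Block Public Access settings appear under this supplementary key in camelCase.
        pab = (ci.get("supplementaryConfiguration") or {}).get("PublicAccessBlockConfiguration") or {}
        missing = [k for k in REQUIRED_PAB if pab.get(k) is not True]
        if not missing:
            return COMPLIANT, "all Block Public Access settings enabled"
        return NON_COMPLIANT, "Block Public Access not fully enabled: " + ", ".join(missing)
    return NOT_APPLICABLE, f"rule does not evaluate {rtype}"

def build_evaluation(event):
    """Parse the rule invocation event and produce one PutEvaluations entry."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(ci)
    if event.get("eventLeftScope"):  # resource no longer matches the rule's scope
        compliance, note = NOT_APPLICABLE, "resource left rule scope"
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }

def lambda_handler(event, context, config_client=None):
    # Pass a boto3 "config" client to report the result back to AWS Config; None keeps it offline.
    evaluation = build_evaluation(event)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

SAMPLE_EVENT = {  # constructed sample, shaped like a change-triggered Config rule invocation
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False}}}),
    "resultToken": "constructed-token", "eventLeftScope": False}
```

Deployed as a change-triggered custom rule, the handler runs on every recorded configuration item for the scoped resource types, so an unencrypted volume or a bucket without full Block Public Access shows up as NON_COMPLIANT in the Config console and aggregators.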
Category: software
Difficulty: advanced
Related Terms
See Also