Adeline Makokha for AWS Community Builders

Mastering AWS Config: Navigating Cloud Security with Confidence

AWS Config is a fully managed service that provides you with a configuration history and configuration change notifications to enable security and governance.

With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time.

AWS CONFIG VS CLOUDTRAIL

AWS CloudTrail records user API activity on your account and allows you to access information about this activity.

AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs).

You can use AWS Config to answer “What did my AWS resource look like?” at a point in time.

You can use AWS CloudTrail to answer “Who made an API call to modify this resource?”

CONFIG RULES

  • A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config.
  • AWS Config Rules can check resources for certain desired conditions; if violations are found, the resources are flagged as “noncompliant”.

Examples of Config Rules:

  • Is backup enabled on RDS?
  • Is CloudTrail enabled on the AWS account?
  • Are EBS volumes encrypted?
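The last example above, “Are EBS volumes encrypted?”, is the kind of check a Lambda-backed custom Config rule performs: AWS Config hands the function the Configuration Item (CI) of the changed resource, the function decides COMPLIANT or NON_COMPLIANT, and the verdict is reported back through PutEvaluations. The code below is an added illustration of that flow, not code from the post or from AWS; the two CIs, the volume id and the event wrapper are constructed for the example, and the exact CI field layout is assumed from the documented AWS::EC2::Volume shape.

```python
"""Custom AWS Config rule logic for "Are EBS volumes encrypted?" (added example)."""
import json
from typing import Any, Dict

# Constructed Configuration Items in the shape Config delivers for an
# AWS::EC2::Volume (field names assumed from the documented CI layout).
ENCRYPTED_VOLUME_CI: Dict[str, Any] = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0123456789abcdef0",  # constructed id
    "configurationItemStatus": "ResourceDiscovered",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": True},
}
UNENCRYPTED_VOLUME_CI: Dict[str, Any] = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0fedcba9876543210",  # constructed id
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:05:00.000Z",
    "configuration": {"volumeId": "vol-0fedcba9876543210", "encrypted": False},
}


def evaluate_ebs_volume(ci: Dict[str, Any]) -> str:
    """Return the compliance type for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    # A deleted resource must not be reported as a violation.
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    encrypted = (ci.get("configuration") or {}).get("encrypted")
    # Fail closed: a missing or non-boolean flag counts as a violation.
    return "COMPLIANT" if encrypted is True else "NON_COMPLIANT"


def build_evaluation(ci: Dict[str, Any], compliance_type: str) -> Dict[str, Any]:
    """Build one entry for the Evaluations list that PutEvaluations accepts."""
    encrypted = (ci.get("configuration") or {}).get("encrypted")
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance_type,
        # Annotation is limited to 256 characters by the API.
        "Annotation": f"encrypted={encrypted}"[:256],
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def make_event(ci: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed invocation event: Config passes the CI as a JSON string."""
    return {
        "invokingEvent": json.dumps({"configurationItem": ci, "messageType": "ConfigurationItemChangeNotification"}),
        "resultToken": "constructed-result-token",
    }


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point Config would invoke; returns the evaluation it would report."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(ci, evaluate_ebs_volume(ci))
    # In a deployed rule the verdict goes back to AWS Config (needs boto3 and credentials):
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    for sample in (ENCRYPTED_VOLUME_CI, UNENCRYPTED_VOLUME_CI):
        print(json.dumps(lambda_handler(make_event(sample)), indent=2))
```

Note the two NOT_APPLICABLE branches: without them a rule that is scoped too widely, or that still sees the deleted resource's final CI, would leave stale noncompliant findings in the dashboard.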

SSM Parameter Store

SSM Parameter Store provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords.

This allows you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily.

For example, you can use the same parameter name, “db-string”, with a different hierarchical path, “dev/db-string” or “prod/db-string”, to store different values.

It is integrated with AWS Key Management Service (KMS), allowing you to automatically encrypt the data you store.

You can also control user and resource access to parameters using AWS Identity and Access Management (IAM). Parameters can be referenced through other AWS services, such as Amazon Elastic Container Service, AWS Lambda, and AWS CloudFormation.
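The hierarchy and the IAM control described above work together: because a parameter's ARN carries its path, a policy can be scoped to one branch such as /dev/* and a dev workload cannot read /prod/db-string even though the leaf name is identical. The following added example, which is not code from the post or from AWS, simulates that offline: the parameter inventory, the policy, the account id and the region are constructed, parameters_by_path mimics the prefix semantics of GetParametersByPath, and is_allowed is a deliberately simplified IAM decision (explicit Deny wins, then Allow, otherwise implicit deny; action matching is case-sensitive here, unlike real IAM).

```python
"""Hierarchical SSM parameter names and path-scoped IAM access, simulated (added example)."""
import re
from typing import Any, Dict, List

ACCOUNT_ID = "123456789012"  # placeholder account id, not a real account
REGION = "us-east-1"         # assumed region for the constructed ARNs

# Constructed inventory: the same leaf name "db-string" under two hierarchies.
PARAMETERS: Dict[str, str] = {
    "/dev/db-string": "postgres://dev-db.internal/app",
    "/prod/db-string": "postgres://prod-db.internal/app",
    "/prod/db-password": "<constructed placeholder>",
}


def parameter_arn(name: str) -> str:
    """Parameter ARNs embed the hierarchy: ...:parameter/prod/db-string."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{name}"


def parameters_by_path(store: Dict[str, str], path: str, recursive: bool = True) -> List[str]:
    """Names under a hierarchy, following GetParametersByPath's prefix semantics."""
    prefix = path.rstrip("/") + "/"
    names = []
    for name in sorted(store):
        if not name.startswith(prefix):
            continue
        # Non-recursive calls return only direct children of the path.
        if not recursive and "/" in name[len(prefix):]:
            continue
        names.append(name)
    return names


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict[str, Any], action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed least-privilege policy for a dev workload: read only the /dev hierarchy.
DEV_READ_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": parameter_arn("/dev/*"),
        }
    ],
}


def readable_parameters(policy: Dict[str, Any], store: Dict[str, str]) -> List[str]:
    """Which parameters a principal holding `policy` could read one by one."""
    return [n for n in sorted(store) if is_allowed(policy, "ssm:GetParameter", parameter_arn(n))]


if __name__ == "__main__":
    print("prod hierarchy:", parameters_by_path(PARAMETERS, "/prod"))
    print("readable with dev policy:", readable_parameters(DEV_READ_POLICY, PARAMETERS))
```

The same path scoping also decides what a compromised dev credential exposes: with the policy above it is one connection string, not the production secrets next to it.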

OPSWORKS

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet, two very popular automation platforms.

It suits an organization that is already using Chef and Puppet and wants to move to the cloud while continuing to use these automation platforms.

KINESIS

The Kinesis family covers four services: Kinesis Data Streams, Kinesis Video Streams, Kinesis Data Firehose and Kinesis Data Analytics.

KINESIS DATA STREAMS

Amazon Kinesis makes it easy to collect (ingest) real-time, streaming data so you can get timely insights and react quickly to new information.

  • Producers send data into a Kinesis stream.
  • Streams can scale from low to near-infinite data rates.
  • It scales by using a shard architecture.
  • Streams store a 24-hour moving window of data, which can be extended to 7 days at extra cost.
  • Multiple consumers can access data from that moving window.
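The shard architecture mentioned above works by hashing each record's partition key with MD5 into a 128-bit integer and routing the record to the shard whose hash-key range contains that value; adding shards splits the ranges, which is what lets a stream scale. The code below is an added illustration of that routing, not code from the post or from the Kinesis service or SDK; the shard counts and partition keys are constructed, and the even split of the hash-key space is the layout a newly created stream starts with.

```python
"""How Kinesis Data Streams routes records to shards by partition key (added example)."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The hash-key space is the full 128-bit range of an MD5 digest.
MAX_HASH_KEY = 2**128 - 1


def shard_ranges(shard_count: int) -> List[Tuple[int, int]]:
    """Split the hash-key space into contiguous inclusive ranges, one per shard,
    as a freshly created stream does."""
    if shard_count < 1:
        raise ValueError("a stream needs at least one shard")
    size = (MAX_HASH_KEY + 1) // shard_count
    ranges = []
    for i in range(shard_count):
        start = i * size
        # The last shard absorbs any remainder so the ranges cover the whole space.
        end = MAX_HASH_KEY if i == shard_count - 1 else (i + 1) * size - 1
        ranges.append((start, end))
    return ranges


def hash_key(partition_key: str) -> int:
    """MD5 of the UTF-8 partition key, read as a big-endian 128-bit integer.
    MD5 is used here only because it is the mapping Kinesis defines, not for security."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for(partition_key: str, ranges: List[Tuple[int, int]]) -> int:
    """Index of the shard whose range contains the partition key's hash key."""
    h = hash_key(partition_key)
    for index, (start, end) in enumerate(ranges):
        if start <= h <= end:
            return index
    raise RuntimeError("hash key outside every shard range")  # unreachable for full coverage


def distribution(partition_keys: Iterable[str], shard_count: int) -> Dict[int, int]:
    """Records per shard; a single hot partition key shows up as one overloaded shard."""
    ranges = shard_ranges(shard_count)
    counts = Counter(shard_for(k, ranges) for k in partition_keys)
    return {i: counts.get(i, 0) for i in range(shard_count)}


if __name__ == "__main__":
    # Constructed producer traffic: four devices, one of them far chattier.
    keys = ["device-1"] * 50 + ["device-2"] * 3 + ["device-3"] * 3 + ["device-4"] * 3
    for shards in (2, 4):
        print(f"{shards} shards:", distribution(keys, shards))
```

Because a partition key always lands on the same shard, consumers see per-key ordering, but the per-shard throughput limits also mean an attacker-controlled or badly chosen key distribution can concentrate load on one shard; the distribution helper makes that visible before it shows up as throttling.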

KINESIS VIDEO STREAMS

Kinesis Video Streams makes it easy to securely stream video from connected devices to AWS for analytics, machine learning (ML), and other processing.

  • Durably stores, encrypts, and indexes video data streams, and allows access to data through easy-to-use APIs.
  • Stores data for 24 hours by default, up to 7 days.

KINESIS DATA FIREHOSE

Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools.

Kinesis Data Streams can be used as the source(s) to Kinesis Data Firehose.

Firehose destinations include:

  • Amazon S3
  • Amazon Redshift
  • Amazon Elasticsearch Service
  • Splunk

KINESIS DATA ANALYTICS

Amazon Kinesis Data Analytics is the easiest way to process and analyze real-time, streaming data.

  • Provides real-time analysis.
  • Can ingest data from Kinesis Streams and Kinesis Firehose.
  • Outputs to S3, Redshift, Elasticsearch and Kinesis Data Streams.

Use Cases

  • Feed real-time dashboards.
  • Create real-time alerts and notifications.
