
How do AWS configuration management tools work?

When running AWS in our enterprise, it has been a challenge to keep tabs on active resources. Which native tools define and maintain configuration scripts?

AWS configuration management is a two-phase process: defining and maintaining configuration scripts, and then ensuring deployed resources are configured as expected. AWS offers two specific tools to help with both phases of the management process.

CloudFormation addresses the first phase of AWS configuration management by providing a way to specify resources, configuration parameters and dependencies for deploying applications. AWS Config monitors the state of deployed resources to ensure they are configured as expected. This AWS configuration management service is useful for maintaining compliance in the public cloud. And while it doesn't prevent misconfigurations from being implemented, it can detect such events and record details.

AWS Config performs a few key functions. It provides a repository of information about the state of deployed resources. The AWS configuration management service also monitors for changes and records configuration changes within the repository. Cloud administrators can use the repository to get a quick view of the state of cloud resources and receive alerts when configurations change. Data about configurations is stored in Amazon Simple Storage Service (S3); admins can access configuration data through the AWS Management Console, APIs or SDKs.

AWS Config currently supports a subset of AWS services, including: Elastic Compute Cloud instances, virtual private clouds, Elastic Block Store, CloudTrail and Identity and Access Management.

Through AWS Config snapshots, system administrators can capture point-in-time descriptions of the state of cloud resources. Snapshots are created using the command-line interface or an API; snapshot data is stored in JSON format in an S3 bucket.

AWS Config also supports rules for evaluating the state of configurations and posts information to the console when resources are out of configuration.
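The snapshot and rule concepts described above can be exercised offline against the JSON that lands in S3. The following is an added example, not code from the article or from AWS: it compares two snapshots to surface configuration changes and applies one rule-style check. The two snapshots are constructed and simplified, and the function names and the "volumes must be encrypted" rule are assumptions chosen for illustration.

```python
# Constructed, simplified snapshots in the shape AWS Config delivers to S3:
# a top-level "configurationItems" list with one entry per recorded resource.
import json

BEFORE = json.loads("""{"configurationItems": [
 {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-aaa",
  "configuration": {"encrypted": true, "size": 100}},
 {"resourceType": "AWS::EC2::Instance", "resourceId": "i-111",
  "configuration": {"instanceType": "t2.micro"}}]}""")
AFTER = json.loads("""{"configurationItems": [
 {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-aaa",
  "configuration": {"encrypted": true, "size": 200}},
 {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-bbb",
  "configuration": {"encrypted": false, "size": 50}}]}""")


def index(snapshot):
    """Map (resourceType, resourceId) -> configuration dict."""
    return {(i["resourceType"], i["resourceId"]): i.get("configuration") or {}
            for i in snapshot.get("configurationItems", [])}


def diff_snapshots(old, new):
    """Return resources added, removed and changed between two snapshots."""
    a, b = index(old), index(new)
    changed = {}
    for key in a.keys() & b.keys():
        # Record (old, new) for every field whose value differs.
        fields = {f: (a[key].get(f), b[key].get(f))
                  for f in a[key].keys() | b[key].keys()
                  if a[key].get(f) != b[key].get(f)}
        if fields:
            changed[key] = fields
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": changed}


def unencrypted_volumes(snapshot):
    """Hypothetical rule: every EBS volume must have encryption enabled."""
    # A missing "encrypted" field is treated as noncompliant (fail closed).
    return sorted(rid for (rtype, rid), cfg in index(snapshot).items()
                  if rtype == "AWS::EC2::Volume"
                  and cfg.get("encrypted") is not True)


if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
    print("Noncompliant volumes:", unencrypted_volumes(AFTER))
```

As with AWS Config itself, this detects a misconfiguration after the fact; it does not stop the unencrypted volume from being created.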

Billing for AWS Config is based on the number of resources it is monitoring and the number of configuration rules that are in place. Amazon charges a one-time fee of $0.003 per configuration item recorded. There is also a charge of $2.00 per rule per month for active Config rules, which includes up to 20,000 evaluations of the rule per month. After that, Amazon charges $0.10 per 1,000 evaluations during the month.
