AWS Config security checks

AWS Config is a continuous monitoring and assessment service that records changes in the configuration of your AWS resources. You can view the current and past configurations of a resource and use this information to troubleshoot outages, conduct security attack analysis, and much more. You can view the configuration at time and use that information to reconfigure your resources and bring them into a steady state during an outage situation.

Using Config Rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance regimes such as PCI/HIPAA. For example, AWS Config provides managed Config rules to ensure that encryption is turned on for all EBS volumes in your account. You can also write a custom Config rule to essentially codify your own corporate security policies. AWS Config send you alerts in real time when a resource is wrongly configured, or when a resource violates a particular security policy.

The following figure depicts various rule sets in AWS Config; these could be custom rules or rules provided out of the box by AWS: