Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What Is Amazon Config?

Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

An Amazon resource is an entity you can work with in Amazon, such as an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC). For a complete list of Amazon resources supported by Amazon Config, see Supported Resource Types.

Ways to Use Amazon Config

When you run your applications on Amazon, you usually use Amazon resources, which you must create and manage collectively. As the demand for your application keeps growing, so does your need to keep track of your Amazon resources. Amazon Config is designed to help you oversee your application resources in the following scenarios:

Resource Administration

To exercise better governance over your resource configurations and to detect resource misconfigurations, you need fine-grained visibility into what resources exist and how these resources are configured at any time. You can use Amazon Config to notify you whenever resources are created, modified, or deleted without having to monitor these changes by polling the calls made to each resource.

You can use Amazon Config rules to evaluate the configuration settings of your Amazon resources. When Amazon Config detects that a resource violates the conditions in one of your rules, Amazon Config flags the resource as noncompliant and sends a notification. Amazon Config continuously evaluates your resources as they are created, changed, or deleted.

Auditing and Compliance

You might be working with data that requires frequent audits to ensure compliance with internal policies and best practices. To demonstrate compliance, you need access to the historical configurations of your resources. This information is provided by Amazon Config.

Managing and Troubleshooting Configuration Changes

When you use multiple Amazon resources that depend on one another, a change in the configuration of one resource might have unintended consequences on related resources. With Amazon Config, you can view how the resource you intend to modify is related to other resources and assess the impact of your change.

You can also use the historical configurations of your resources provided by Amazon Config to troubleshoot issues and to access the last known good configuration of a problem resource.

Security Analysis

To analyze potential security weaknesses, you need detailed historical information about your Amazon resource configurations, such as the Amazon Identity and Access Management (IAM) permissions that are granted to your users, or the Amazon EC2 security group rules that control access to your resources.

You can use Amazon Config to view the IAM policy that was assigned to a user, group, or role at any point in time during which Amazon Config was recording that resource type; there is no history from before the configuration recorder was turned on. This information can help you determine the permissions that belonged to a user at a specific time: for example, you can view whether the user John Doe had permission to modify Amazon VPC settings on Jan 1, 2015.

You can also use Amazon Config to view the configuration of your EC2 security groups, including the port rules that were open at a specific time. This information can help you determine whether a security group allowed or blocked incoming TCP traffic to a specific port at the moment in question, not only as the group is configured now.
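The two uses described above, point-in-time review of a security group's open ports and a rule that flags a group as noncompliant whenever it changes, both reduce to the same question asked of a configuration item. The following Python is an added example, not code from the Amazon Config documentation or from Amazon. It answers "was TCP port N open to the world at time T?" from a resource's configuration history and wraps the same check in the handler shape that a custom Amazon Config rule backed by a Lambda function uses. The configuration items are constructed inline to mirror the shape Config records for AWS::EC2::SecurityGroup; in practice they come from the GetResourceConfigHistory API or from the rule's invokingEvent. The rule parameter name blockedPort and the security group ID are assumptions. The same item_in_effect_at lookup applies to an IAM user's history when you want the policy that was attached at a given time.

```python
"""Point-in-time security-group check, plus the same check as a custom Config rule.

Added example, not from the Amazon Config documentation. Configuration items are
CONSTRUCTED to mirror the AWS::EC2::SecurityGroup shape Config records; real data
comes from config:GetResourceConfigHistory or a rule's invokingEvent.
"""
import json
from datetime import datetime

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def parse_time(value):
    """Config capture times are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def permission_exposes_port(permission, port, protocol="tcp"):
    """True if one ipPermissions entry admits `port` over `protocol` from anywhere."""
    proto = permission.get("ipProtocol")
    if proto not in (protocol, "-1"):          # "-1" means all protocols
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    # An all-protocol entry, or one with no port range, covers every port.
    if proto != "-1" and lo is not None and hi is not None and not lo <= port <= hi:
        return False
    sources = [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    sources += permission.get("ipRanges", [])  # legacy duplicate of ipv4Ranges
    sources += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return ANY_IPV4 in sources or ANY_IPV6 in sources


def port_open_to_world(configuration, port, protocol="tcp"):
    """`configuration` is the group's configuration dict from a configuration item."""
    return any(permission_exposes_port(p, port, protocol)
               for p in configuration.get("ipPermissions", []))


def configuration_of(item):
    """The API returns `configuration` as a JSON string; rule events carry an object."""
    cfg = item.get("configuration")
    return json.loads(cfg) if isinstance(cfg, str) else (cfg or {})


def item_in_effect_at(history, when):
    """Latest item captured at or before `when`; `history` may be in any order."""
    earlier = [i for i in history if parse_time(i["configurationItemCaptureTime"]) <= when]
    if not earlier:
        return None                            # resource not yet recorded at that time
    return max(earlier, key=lambda i: parse_time(i["configurationItemCaptureTime"]))


def was_port_open_at(history, when, port, protocol="tcp"):
    """True/False for 'did the group admit <port> from anywhere at `when`'; None if no record."""
    item = item_in_effect_at(history, when)
    if item is None or item.get("configurationItemStatus") == "ResourceDeleted":
        return None
    return port_open_to_world(configuration_of(item), port, protocol)


def evaluate(configuration_item, port=22):
    """Custom-rule body: NON_COMPLIANT if the group admits `port` from anywhere."""
    status = configuration_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance, note = "NOT_APPLICABLE", f"resource {status}"   # nothing left to judge
    else:
        exposed = port_open_to_world(configuration_of(configuration_item), port)
        compliance = "NON_COMPLIANT" if exposed else "COMPLIANT"
        note = f"tcp/{port} {'is' if exposed else 'is not'} open to {ANY_IPV4} or {ANY_IPV6}"
    return {"ComplianceResourceType": configuration_item["resourceType"],
            "ComplianceResourceId": configuration_item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": configuration_item["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Lambda entry point for the custom rule; `blockedPort` is an assumed parameter name."""
    import boto3                               # imported here so the module runs offline
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate(invoking["configurationItem"], int(params.get("blockedPort", 22)))
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def _item(capture_time, cidr):
    """Constructed configuration item: tcp/22 admitted only from `cidr`."""
    return {"resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",      # made-up ID
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": capture_time,
            "configuration": json.dumps({"groupId": "sg-0123456789abcdef0", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": cidr}], "ipRanges": [cidr],
                 "ipv6Ranges": [], "userIdGroupPairs": []}]})}


# Constructed history: SSH was world-open on 1 Jan 2015 and tightened on 10 Jan 2015.
SAMPLE_HISTORY = [_item("2015-01-10T08:00:00Z", "10.0.0.0/8"),
                  _item("2015-01-01T00:00:00Z", ANY_IPV4)]

if __name__ == "__main__":
    for t in ("2014-12-01T00:00:00Z", "2015-01-05T12:00:00Z", "2015-01-15T12:00:00Z"):
        print(t, was_port_open_at(SAMPLE_HISTORY, parse_time(t), 22))
    print(evaluate(SAMPLE_HISTORY[1])["ComplianceType"])
```

Two points worth noting. The history lookup picks the latest item captured at or before the requested time, so a question about a date before the recorder was enabled yields None rather than a misleading "closed"; that is the gap the recorder's start date leaves. The rule body treats a deleted resource as NOT_APPLICABLE instead of NON_COMPLIANT, because Config still delivers a final configuration item for a deletion and a rule that evaluates it as a live group produces false findings.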