Amazon Service Integrations with Amazon Config
Amazon Config supports integrations with several other Amazon services.
Amazon Organizations
You can use Amazon Organizations to define the accounts to use for Amazon Config’s multi-account, multi-Region data aggregation capability. Amazon Organizations is an account management service that helps you consolidate multiple Amazon Web Services accounts into an organization that you create and centrally manage. By providing your Amazon Organizations details to an aggregator, you can monitor compliance status across the whole organization without configuring each account individually. For more information, see Amazon Config and Amazon Organizations in the Amazon Organizations User Guide.
Amazon Control Tower
Amazon Control Tower enables Amazon Config on all enrolled accounts, so that it can monitor compliance through detective controls, record resource changes, and deliver resource change logs to the log archive account. For more information, see Monitor resource changes with Amazon Config in the Amazon Control Tower User Guide.
Amazon CloudTrail
Amazon Config integrates with Amazon CloudTrail to correlate configuration changes with the API events in your account that caused them. Amazon Config records what changed; CloudTrail records the event that invoked the change, including who made the request, at what time, and from which IP address. You can navigate to the Amazon Config timeline from the CloudTrail console to view the configuration changes related to your Amazon Web Services API activity.
For more information, see Logging Amazon Config API Calls with Amazon CloudTrail in the Amazon Config Developer Guide and Create an event data store for Amazon Config configuration items with the console in the Amazon CloudTrail User Guide.
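The correlation the paragraph above describes, as an added example that is not part of this page: given one Amazon Config configuration item and a batch of CloudTrail records, return the events that explain the change, with actor, time and source IP. The join uses the configuration item's relatedEvents field (CloudTrail event IDs) when Amazon Config populated it, and otherwise falls back to mutating events that name the resource within a time window before the capture time. The sample configuration items and CloudTrail records are constructed for this example; the account ID, user names, IP addresses and event IDs are placeholders, and the fallback assumes the resource ARN appears in the event's resources list.

```python
from datetime import datetime, timedelta, timezone


def _parse_ts(ts):
    """Amazon Config and CloudTrail both emit ISO 8601 UTC timestamps ending in Z,
    with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def _actor(event):
    """Best-effort identity string from CloudTrail's userIdentity block."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def correlate(item, events, window=timedelta(minutes=5)):
    """Return the CloudTrail events that explain one configuration item.

    Preferred join: item["relatedEvents"] lists CloudTrail eventIDs.
    Fallback (relatedEvents empty): non read-only events that name the
    resource ARN and occurred within `window` before the capture time.
    """
    related = set(item.get("relatedEvents") or [])
    capture = _parse_ts(item["configurationItemCaptureTime"])
    matches = []
    for ev in events:
        if related:
            hit = ev["eventID"] in related
        else:
            when = _parse_ts(ev["eventTime"])
            names_resource = any(r.get("ARN") == item["arn"] for r in ev.get("resources", []))
            hit = (not ev.get("readOnly", False)) and names_resource and capture - window <= when <= capture
        if hit:
            matches.append({
                "eventName": ev["eventName"],
                "who": _actor(ev),
                "when": ev["eventTime"],
                "sourceIP": ev.get("sourceIPAddress"),
            })
    return matches


# Constructed sample data (placeholder account, IDs and addresses).
SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"

CI_WITH_RELATED = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "arn": SG_ARN,
    "configurationItemCaptureTime": "2024-05-01T12:03:41.000Z",
    "relatedEvents": ["e1"],
}
CI_WITHOUT_RELATED = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "arn": SG_ARN,
    "configurationItemCaptureTime": "2024-05-01T12:10:00.000Z",
    "relatedEvents": [],
}
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-05-01T12:03:40Z",
     "readOnly": False, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"type": "AWS::EC2::SecurityGroup", "ARN": SG_ARN}]},
    {"eventID": "e2", "eventName": "DescribeSecurityGroups", "eventTime": "2024-05-01T12:09:50Z",
     "readOnly": True, "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "resources": [{"type": "AWS::EC2::SecurityGroup", "ARN": SG_ARN}]},
    {"eventID": "e3", "eventName": "RevokeSecurityGroupIngress", "eventTime": "2024-05-01T12:09:58Z",
     "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "resources": [{"type": "AWS::EC2::SecurityGroup", "ARN": SG_ARN}]},
]

if __name__ == "__main__":
    for ci in (CI_WITH_RELATED, CI_WITHOUT_RELATED):
        for m in correlate(ci, SAMPLE_EVENTS):
            print(ci["configurationItemCaptureTime"], m)
```

The time-window fallback is a heuristic: read-only calls are excluded and the window is short, but with a busy resource it can still return more than one candidate, so treat relatedEvents as the authoritative link and the fallback as a lead to check in the CloudTrail console.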
Amazon Security Hub
Amazon Security Hub centralizes security checks from other Amazon services, including Amazon Config rules. Security Hub enables and manages the Amazon Config rules that back its controls, using them to verify that your resource configurations are aligned with best practices. Enable Amazon Config on all accounts in all Regions where Security Hub runs security checks on your environment’s resources; controls whose underlying resource types are not being recorded cannot be evaluated. For more information, see Amazon services that send findings to Security Hub in the Amazon Security Hub User Guide.
Amazon Audit Manager
You can use Audit Manager to capture Amazon Config evaluations as evidence for audits. When you create or edit a custom control, you can specify one or more Amazon Config rules as a data source mapping for evidence collection. Amazon Config performs compliance checks based on these rules, and Audit Manager reports the results as compliance check evidence. For more information, see Amazon Config Rules supported by Amazon Audit Manager in the Amazon Audit Manager User Guide.
Amazon Systems Manager
Amazon Config integrates with Systems Manager to record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. Amazon Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for Amazon EC2 instances. You can navigate to the Amazon Config timeline from the Systems Manager console to view the configuration changes of your managed Amazon EC2 instances. You can use Amazon Config to view Systems Manager inventory history and track changes for all your managed instances.
For more information, see Integration with Amazon services | Management and Governance, Amazon Config configuration recorder, and Amazon Config conformance pack deployment in the Amazon Systems Manager User Guide.
Amazon Firewall Manager
To use Firewall Manager, you must enable Amazon Config for each of your Amazon Organizations member accounts. Firewall Manager then gives you a single service for building firewall rules, creating security policies, and enforcing them consistently, including on newly created applications. For more information, see Enable Amazon Config in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.
Note
Firewall Manager depends on continuous recording to monitor your resources; with daily recording, a change can go unnoticed by Firewall Manager for up to a day. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous for the resource types Firewall Manager evaluates. For more information on continuous recording and daily recording, see Recording Frequency.
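A check for the note above, as an added example that is not part of this page: it takes a configuration recorder as returned by the Amazon Config DescribeConfigurationRecorders API (the recordingGroup and recordingMode fields, including per-resource-type recordingModeOverrides) and reports, for each resource type you care about, whether it is recorded continuously, daily, or not at all. The two recorders below are constructed; the list of resource types is a parameter, and the set used here is illustrative rather than the list Firewall Manager actually requires, which the Firewall Manager guide defines.

```python
def is_recorded(recorder, resource_type):
    """Whether the recorder's recordingGroup covers a resource type at all.

    Mirrors the three strategies Amazon Config exposes: all supported types,
    an inclusion list (resourceTypes), or an exclusion list
    (exclusionByResourceTypes). Absent fields are treated as unset.
    """
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    if group.get("allSupported", False):
        return True
    return resource_type in group.get("resourceTypes", [])


def effective_frequency(recorder, resource_type):
    """Resolve the frequency applied to one resource type: an override that
    names the type wins, otherwise the recorder's default recordingFrequency.
    A recorder with no recordingMode block records continuously (the
    historical default), so that is the fallback.
    """
    mode = recorder.get("recordingMode") or {}
    for override in mode.get("recordingModeOverrides", []):
        if resource_type in override.get("resourceTypes", []):
            return override["recordingFrequency"]
    return mode.get("recordingFrequency", "CONTINUOUS")


def audit(recorder, required_types):
    """Map each required resource type to CONTINUOUS, DAILY or NOT_RECORDED."""
    result = {}
    for rt in required_types:
        if not is_recorded(recorder, rt):
            result[rt] = "NOT_RECORDED"
        else:
            result[rt] = effective_frequency(recorder, rt)
    return result


def needs_attention(recorder, required_types):
    """Sorted list of required types that are not recorded continuously."""
    return sorted(rt for rt, f in audit(recorder, required_types).items() if f != "CONTINUOUS")


# Illustrative resource types; not the authoritative Firewall Manager list.
REQUIRED = [
    "AWS::EC2::SecurityGroup",
    "AWS::WAFv2::WebACL",
    "AWS::EC2::NetworkInterface",
]

# Constructed recorder: daily by default, security groups overridden to continuous.
RECORDER_DAILY_DEFAULT = {
    "name": "default",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    "recordingMode": {
        "recordingFrequency": "DAILY",
        "recordingModeOverrides": [
            {"description": "FMS", "resourceTypes": ["AWS::EC2::SecurityGroup"],
             "recordingFrequency": "CONTINUOUS"}
        ],
    },
}

# Constructed recorder: continuous, but web ACLs excluded from recording entirely.
RECORDER_EXCLUSION = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::WAFv2::WebACL"]},
    },
    "recordingMode": {"recordingFrequency": "CONTINUOUS", "recordingModeOverrides": []},
}

if __name__ == "__main__":
    for rec in (RECORDER_DAILY_DEFAULT, RECORDER_EXCLUSION):
        print(rec["name"], audit(rec, REQUIRED), "->", needs_attention(rec, REQUIRED))
```

Run this per account and per Region, since each recorder is Regional; a type reported as NOT_RECORDED is the worse finding, because no frequency setting can help until the recording group includes it.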
Amazon EC2 Dedicated Hosts
Amazon Config integrates with Amazon EC2 Dedicated Hosts to assess license compliance. Amazon Config records when instances are launched, stopped, or shut down on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets, and physical cores. This helps you use Amazon Config as a data source for your license reporting. You can navigate to the Amazon Config timeline from the Amazon EC2 Dedicated Hosts console to view the configuration changes of your Amazon EC2 Dedicated Hosts.
For more information, see Track configuration changes in the Amazon Elastic Compute Cloud User Guide for Linux Instances or Track configuration changes in the Amazon Elastic Compute Cloud User Guide for Windows Instances.
Application Load Balancers
Amazon Config integrates with the Elastic Load Balancing (ELB) service to record configuration changes to Application Load Balancers. Amazon Config also includes relationships with associated Amazon EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting. For example, you can check which security groups are associated with your Application Load Balancer at any point in time. You can navigate to the Amazon Config timeline from the ELB console to view the configuration changes of your Application Load Balancers.
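The point-in-time question asked above (which security groups were attached to an Application Load Balancer at a given moment), as an added example that is not part of this page: it walks a constructed Amazon Config configuration history for one load balancer, picks the configuration item in effect at the requested time, and reads the security groups out of that item's relationships, and it also lists what changed between consecutive items. The history, IDs and timestamps are constructed; the relationship entries follow the configuration item shape (resourceType, resourceId, relationshipName), and the code matches on resourceType rather than on the exact relationshipName text, which this page does not state.

```python
from datetime import datetime, timezone


def _parse_ts(ts):
    """Configuration item timestamps: ISO 8601 UTC with trailing Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def _security_groups(item):
    """Security group IDs referenced by a configuration item's relationships.
    A deleted resource has no live associations."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return set()
    return {r["resourceId"] for r in item.get("relationships", [])
            if r.get("resourceType") == "AWS::EC2::SecurityGroup"}


def security_groups_at(history, when):
    """Security groups attached at time `when` (ISO 8601 string), or None if
    the history has no item captured at or before that time."""
    cutoff = _parse_ts(when)
    in_effect = None
    for item in sorted(history, key=lambda i: _parse_ts(i["configurationItemCaptureTime"])):
        if _parse_ts(item["configurationItemCaptureTime"]) <= cutoff:
            in_effect = item
        else:
            break
    return None if in_effect is None else _security_groups(in_effect)


def security_group_changes(history):
    """(captureTime, added, removed) for every item that changed the set of
    attached security groups, in chronological order."""
    changes = []
    previous = set()
    for item in sorted(history, key=lambda i: _parse_ts(i["configurationItemCaptureTime"])):
        current = _security_groups(item)
        if current != previous:
            changes.append((item["configurationItemCaptureTime"],
                            sorted(current - previous), sorted(previous - current)))
        previous = current
    return changes


# Constructed configuration history for one Application Load Balancer.
def _ci(capture, sgs, status="OK"):
    return {
        "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "resourceId": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef",
        "configurationItemCaptureTime": capture,
        "configurationItemStatus": status,
        "relationships": (
            [{"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg,
              "relationshipName": "Is associated with SecurityGroup"} for sg in sgs]
            + [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0abc1234",
                "relationshipName": "Is contained in Vpc"}]
        ),
    }


HISTORY = [
    _ci("2024-05-01T10:00:00.000Z", ["sg-web"]),
    _ci("2024-05-01T14:30:00.000Z", ["sg-web", "sg-admin-temp"]),
    _ci("2024-05-02T09:15:00.000Z", ["sg-web"]),
]

if __name__ == "__main__":
    print(security_groups_at(HISTORY, "2024-05-01T18:00:00Z"))
    for change in security_group_changes(HISTORY):
        print(change)
```

The ordering step matters: GetResourceConfigHistory pages are not guaranteed to arrive in the order you want to reason about, so sort by capture time before picking the item in effect rather than trusting list position.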
Amazon CodeBuild
Amazon Config provides an inventory of your Amazon resources and a history of configuration changes to these resources. Amazon Config supports Amazon CodeBuild as an Amazon resource, which means the service can track your CodeBuild projects. For more information, see Use Amazon Config with CodeBuild sample in the Amazon CodeBuild User Guide.
Amazon X-Ray
Amazon X-Ray integrates with Amazon Config to record configuration changes made to your X-Ray encryption resources. You can use Amazon Config to inventory X-Ray encryption resources, audit the X-Ray configuration history, and send notifications based on resource changes. For more information, see Tracking X-Ray encryption configuration changes with Amazon Config in the Amazon X-Ray Developer Guide.
Amazon Service Management Connector
The Amazon Service Management Connector for ServiceNow can synchronize Amazon Config data from multiple accounts and Regions using an Aggregator. For more information, see Integrating Amazon Config in ServiceNow in the Amazon Service Management Connector Administrator Guide.
Amazon API Gateway
You can use Amazon Config to record configuration changes made to your API Gateway API resources and send notifications based on resource changes. Maintaining a configuration change history for API Gateway resources is useful for operational troubleshooting, audit, and compliance use cases. For more information, see Monitoring API Gateway API configuration with Amazon Config in the API Gateway Developer Guide.