AWS Config Configuration Changes

"StartConfigRulesEvaluation" - Performs an on-demand evaluation for the specified AWS Config rules against the last known configuration state of the resources.

"StartConfigurationRecorder" - Starts recording configurations of the resources that you have selected to record within your AWS account.

"StopConfigurationRecorder" - Stops recording configurations of the resources that you have selected to record in your AWS account.

"PutConfigurationRecorder" - Launch a new configuration recorder to record the selected AWS resource configurations.

"PutConfigurationAggregator" - Creates and updates the configuration aggregator with the selected source accounts (individual accounts or an organization) and regions.

"PutAggregationAuthorization" - Authorizes the aggregator account to collect data from the selected source account and region.

"PutConfigRule" - Adds or updates an Amazon Config rule for evaluating whether your AWS resources comply with your desired configurations.

"PutDeliveryChannel" - Sets up a delivery channel object to deliver configuration information to an AWS S3 bucket and an AWS SNS topic.

"DeleteConfigurationRecorder" - Deletes the configuration recorder.

"DeleteAggregationAuthorization" - Deletes the authorization granted to the specified configuration aggregator account in a specified AWS region.

"DeleteConfigRule" - Deletes the specified AWS Config rule and all of its existing evaluation results.

"DeleteConfigurationAggregator" - Deletes the specified configuration aggregator and all the data associated with the selected aggregator.

"DeleteDeliveryChannel" - Deletes the delivery channel object.

"DeleteEvaluationResults" - Deletes the evaluation results for the specified Amazon Config rule.

"DeletePendingAggregationRequest" - Deletes pending authorization requests for a certain aggregator account in a specified AWS region.

The Config service is often used by Operations or DevOps teams to avoid misconfigurations at the AWS service/resource level and close security gaps. Because of its important role within an AWS cloud environment, Cloud Conformity strongly recommends that you avoid as much as possible to provide your non-privileged IAM users the permission to change the AWS Config service configuration within your Amazon Web Services account. The communication channels required for sending RTMA notifications can be configured in your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for AWS Config are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.

The visibility into your Amazon Web Services account activity is a key aspect of security and operational best practices. Using Cloud Conformity RTMA to detect AWS Config configuration changes can help you prevent any accidental or intentional modifications that may lead to unauthorized access or other security breaches. You use AWS Config to get the current and historical configurations of each AWS resource provisioned in your account and to get information about the relationship between the resources. Therefore, monitoring any configuration change made at the Config service level is critical for keeping your AWS cloud environment secure.