(SEC315) New Launch: Get Deep Visibility into Resource Configurations | AWS re:Invent 2014

Post on 24-Jun-2015

DESCRIPTION

AWS Config is a new cross-resource service that allows you to discover new resources, how they're configured, and how these configurations changed over time. The service defines and captures relationships and dependencies between resources, helping you determine if a change to one resource affects other resources.

TRANSCRIPT

November 12, 2014

Prashant Prahlad, Amazon Web Services

Change /CHānj/ (v)….to make the form and future course different from what it is or from what it would be if left alone

“Currently we are scanning AWS and collecting a set of resource configurations and store those information in an in-our-data-center database – this is a giant effort on our part.” – AWS Customer

“We poll critical resources, such as our production security groups, at a higher frequency to ensure we don’t miss changes.” – AWS Customer

“Infrastructure configuration management is designed for infrequent, controlled changes.” – AWS Customer

“Normalizing different resources just makes understanding them so much simpler.” – AWS Customer

[Diagram labels: Continuous Change, Recording, Changing Resources, AWS Config, History, Stream, Snapshot (ex. 2014-11-05)]

[Diagram labels: AWS Config, Infrastructure, Change Log, Audits, Regulatory Compliance, Engine, Changes; Amazon EC2 (Instance, ENI...), Amazon EBS (Volumes), AWS CloudTrail (Log), Amazon VPC (VPC, Subnet...)]

Resource Type | Resource
Amazon EC2 | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
Amazon EBS | EBS Volume
Amazon VPC | VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
AWS CloudTrail | Trail

Resource | Relationship | Related Resource
CustomerGateway | is attached to | VPN Connection
Elastic IP (EIP) | is attached to | Network Interface
Elastic IP (EIP) | is attached to | Instance
Instance | contains | Network Interface
Instance | is attached to | ElasticIP (EIP)
Instance | is contained in | Route Table
Instance | is associated with | Security Group
Instance | is contained in | Subnet
Instance | is attached to | Volume
Instance | is contained in | Virtual Private Cloud (VPC)
InternetGateway | is attached to | Virtual Private Cloud (VPC)
… | … | …

Component | Description | Contains
Metadata | Information about this configuration item | Version ID, Configuration item ID, Time when the configuration item was captured, State ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, Resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for EBS Volume: State of DeleteOnTermination flag; Type of volume (for example, gp2, io1, or standard)
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID

Snapshot @ 2014-11-05, 11:30pm

Snapshot @ 2014-11-12, 2:30pm
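
Comparing two snapshots such as the pair above, using the configuration item components from the table (common attributes, relationships, current configuration). This is an added example, not code from the talk or from AWS. The field names are assumed to follow AWS Config's configuration item JSON, and both snapshots, including the sg-example1 ID and the simplified configuration attributes, are constructed.

```python
# Added example: field names are assumed to follow AWS Config's
# configuration item JSON; both snapshots below are constructed.
def index_items(snapshot):
    """Map (resourceType, resourceId) -> configuration item."""
    return {(ci["resourceType"], ci["resourceId"]): ci
            for ci in snapshot["configurationItems"]}

def relationship_set(ci):
    return {(r["name"], r["resourceId"]) for r in ci.get("relationships", [])}

def diff_snapshots(old, new):
    """Report resources added, removed or changed between two snapshots."""
    before, after = index_items(old), index_items(new)
    report = {"added": sorted(after.keys() - before.keys()),
              "removed": sorted(before.keys() - after.keys()),
              "changed": {}}
    for key in sorted(before.keys() & after.keys()):
        cfg_a = before[key].get("configuration", {})
        cfg_b = after[key].get("configuration", {})
        delta = {}
        attrs = {k: (cfg_a.get(k), cfg_b.get(k))
                 for k in cfg_a.keys() | cfg_b.keys()
                 if cfg_a.get(k) != cfg_b.get(k)}
        if attrs:
            delta["configuration"] = attrs
        rel_a, rel_b = relationship_set(before[key]), relationship_set(after[key])
        if rel_a != rel_b:
            delta["relationships"] = {"added": sorted(rel_b - rel_a),
                                      "removed": sorted(rel_a - rel_b)}
        if delta:
            report["changed"][key] = delta
    return report

INSTANCE = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-a1b2c3d4",
            "configuration": {"instanceType": "m3.medium"}, "relationships": []}
ATTACHED = {"name": "Is attached to Instance", "resourceId": "i-a1b2c3d4"}
SNAP_OLD = {"configurationItems": [INSTANCE, {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
    "configuration": {"volumeType": "gp2", "deleteOnTermination": True},
    "relationships": [ATTACHED]}]}
SNAP_NEW = {"configurationItems": [INSTANCE, {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
    "configuration": {"volumeType": "gp2", "deleteOnTermination": False},
    "relationships": []},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-example1",
     "configuration": {}, "relationships": []}]}

if __name__ == "__main__":
    print(diff_snapshots(SNAP_OLD, SNAP_NEW))
```
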

http://bit.ly/awsevals
