Introduction

Like in many other domains, change is the only constant when it comes to cloud operations. Finding the right balance between speed and control becomes essential in high paced, large AWS environments where multiple changes get pushed on an hourly basis. To manage these dynamic environments, we all need to be able to provision cloud resources quickly for your applications. At the same time, we need to follow regulatory, security, and operational best practices, depending on our industry.

Keeping the tabs on configuration changes, monitoring for security & compliance, auditing and reporting and resource optimization are all daily tasks for most cloud teams managing sizeable AWS environments today.  

These operational tasks can be done with the native tools provided by AWS, or by using third party tools. In this post, we’ll introduce AWS Config, a native change management tool from AWS, and how your teams can use it. We’ll also share what we believe is a more capable, scalable and cost-effective alternative: using the Stream Security platform for AWS change management at scale.  

What is AWS Config?

AWS Config is a fully managed service by AWS that provides monitoring and assessment of AWS resource configurations to support compliance auditing, change management and troubleshooting, with resource histories and comparison of historical configurations against planned configurations.

Although AWS Config is a native AWS tool, it is not included in the base platform subscription. It is an additional cost that’s billed based on consumption. The billed cost of AWS Config for your organization depends on multiple consumption parameters including:  

• The number of active AWS Config rules,  
• The number configuration changes that are evaluated,  
• The number of resources that are monitored.

It's also worth noting that if you use AWS Config in conjunction with other AWS services, you may be charged for those additional services as well. For example, if you use AWS Config with Amazon Simple Notification Service (SNS) to send notifications, you will be charged for AWS Config and SNS usage. You can view the pricing for this service on the AWS Config web page.

How AWS Config Works

AWS Config keeps track of the changes to your resources (aka the what – what did we change?) by invoking the Describe or the List API call for each monitored resource in your AWS account.

For example, removing an egress rule from a VPC security group causes AWS Config to invoke a “Describe API call” on the security group. AWS Config then invokes a Describe API call on all of the instances associated with the security group. The updated configurations of the security group (the resource) and of each instance (the related resources) are recorded as configuration items and delivered in a configuration stream to an Amazon S3 bucket.

Resource Timeline view:

View of a configuration change in JSON format via SNS topic (Integrated with Slack):

Using AWS Config conformance rules, you can continuously evaluate your AWS resource configurations for desired settings. Depending on the rule, AWS Config evaluates your resources either in response to configuration changes or periodically. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule's AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as non-compliant. So in simple terms, all checks throw a pass (compliant) or fail (non-compliant) flag as a result.

When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.

AWS Config rules page view:

Limitations of AWS Config

The capabilities listed above enable compliance auditing, security analysis, resource change tracking, and troubleshooting, and AWS Config can be a one-stop shop AWS change monitoring solution for small environments.

Yet, AWS Config comes with limitations including:

• Getting started is complicated and the learning curve is steep for a new admin to operate AWS Config.
• Conformance rules configuration is hard to comprehend and arrange as these require a good understanding of environments, configuration parameters and Lambda functions.
• Conformance rule results indicate compliance or non-compliance only. There's no reference to a compliance framework or benchmark. Neither are there severity levels that can help with prioritization and fixes.
• Resource configuration change and rule compliance checks are static checks and deliver results without the complete context of your environment. This makes AWS Config prone to creating false positive alerts by design. For example, a rule checking for port exposure doesn’t take into account other ACL or firewall rules that may be blocking that exposure or access. Although static checks are not unique to AWS Config (this method is commonly used by infrastructure as code and cloud security vendors), false positives surely are annoying and don’t help with troubleshooting.
• Understanding the root cause of non-compliant status is inherently difficult since the changes that triggered the non-compliant status aren’t directly referenced. The output shows which resource is non-compliant, but doesn’t speak to the why and how. This makes troubleshooting labor intensive and time consuming.
• Understanding cross-account or cross-region impact is non-existent, given AWS Config focuses on individual affected resources only.
• Complex user interface and configuration options.
• The cost of AWS Config builds up exponentially as the rule set you’re using grows and the number of configuration changes your teams introduce increase on a daily basis. This cost can become hard to predict and justify in dynamic environments at scale.

In customer reviews on G2, AWS Config customers called out (as of 2023-01-04):

• The UI is missing resource names (AWS Config only shows resource IDs), making finding the resource troublesome.
• Monthly cost of this service can become too high.
• Sometimes the system is laggy or they lose data.
• Difficult to parse the output of alerts. Requires the use of Lambda or similar process to make alerts human friendly.
  
  

These limitations with AWS Config are exactly why we believe your teams can benefit from a more capable, scalable and cost-effective solution with Stream Security.

Manage AWS Changes at Scale with Stream Security

Stream Security provides a single collaborative solution for all teams who work on managing AWS changes. This helps teams identify and fix incidents caused by misconfigurations in minutes, investigate security incidents more efficiently and reduce point tools and cost for AWS environments.  

Upon connecting your AWS account to Stream, Stream will scan your cloud environment configurations across all the cloud-native stack, up to the data-plane layer, with the API-first, agent-less approach. This initial scan results in a real-time, deterministic mathematical model that represents your AWS environment across accounts, regions and availability zones. We call this the CloudTwin!

The CloudTwin engine dynamically correlates the dependencies between services and infrastructure by simulating the environment and all its dependencies in code.

Unlike other tools that scan your entire cloud configuration periodically to understand what has changed, Stream consumes cloud events in real-time. The result is an accurate real-time representation of your environment, at any given time.

Let's review Stream's capabilities and how they can provide a good alternative to AWS Config for you:

Achieve and Demonstrate Compliance with Architectural Standards

Stream Security's Architectural Standards enable cloud operation teams to incorporate their tribal knowledge into our platform in the form of predefined and custom rules to ensure the collective experience of the team is taken into consideration for any configuration change at any time.

• Rules are applied and enforced automatically after connecting your account - no manual actions or extra steps are required.
• Over 350 out-of-the-box posture based policies that are specific to your real-time cloud environment for Availability, Cost, Security & Compliance (capabilities you may find in CSPM, CIEM, KSPM solutions).
• These rules include finding severity (critical, high, medium, low) and compliance standard mapping out-of-the-box to make compliance and troubleshooting a breeze.
• Out-of-the-box rules and additional custom rules come at no extra cost for Stream Security's customers.

‍

• Rules cover use cases in Build to Realtime for AWS Changes. So your teams can troubleshoot or proactively evaluate changes before they’re deployed.
• Context-aware policies - Reduces time to fix, increases confidence and eliminates false alarms. Rules only trigger alerts (or findings) when the test case is reachable in your running configuration.

• Custom Policies - Easily create your own custom (Path or Resource Type) policies via a simple GUI query language to meet your organizational requirements and compliance needs.

• Violation Exclusion - Exclude resources that you don't want rules to be applied on. This prevents alert fatigue and helps your teams focus on the key objects that matter the most.

‍

‍

• The Stream Security team continuously updates and adds rules to meet industry compliance benchmarks (CIS, GDPR, NIST, PCI DSS, HIPAA, SOC2, ISO 27001, etc.) while you can create your own custom rules tailored to meet your organization's requirements.

‍

Track configurations changes in real-time with Events

Stream Security's Events tracks cloud configuration changes with exact, real-time model of your cloud environment and lets you get notified of changes in real-time to review changes with complete context and impact analysis.

With Events you can basically track the Who, What, Where, and When of every activity in your cloud environment.‍

• Track, investigate and troubleshoot configuration changes from most of your cloud services based on the actions users performed via the Management Console, CLI, SDKs/APIs, as well as services automated actions.

• View your resources configurations changes history and latest events over time.
• Review when a change occurred, who performed the activity, where it was executed from, the resources that were affected, and the impact it had on your cloud posture.
• Review the time at which the change occurred, who performed the activity, where it was executed from, the resources that were affected, and the impact it had on your cloud posture.

‍

• Understand New and Solved availability, security, compliance and cost violations of each resource configuration change event.

‍

New Violations

Solved Violations

‍

• Receive real-time clear notifications about configuration changes, audit and their impact on your cloud environment via Slack or Webhook for 3rd party integrations like PagerDuty, Opsgenie and Splunk.

‍

Conclusion

AWS Config offers basic capabilities for small AWS environments, but has limitations when it comes to complex and dynamic environments. We're obviously biased, and we believe your AWS environments require a more capable, scalable and cost-effective solution!

All in all, your teams can cover:

• Change tracking
• Security & compliance monitoring
• Resource optimization
• Auditing and reporting

in your dynamic AWS environments using Stream Security. We work with innovative customers including Sony, Kaltura, Neuron and many others to save operational effort and license cost in AWS environments.

As a sanity check, try answering these questions in your environment with AWS Config today:

1. Select a resource by its actual name, see recent traffic generated as a result of a config change?  
2. Find out which other AWS resources are impacted by the same config change? Across accounts? Regions?
3. Who made this change and how this new config compares to the previous version?  
4. Create a new enforcement rule to investigate a new pattern in less than 5 minutes!

We’d love to hear about how you handle AWS changes today and how we can help your team scale.

Get started with Stream Security for Free or book a demo with one of our cloud experts to hear more.