Trupti Dekate — Published On August 24, 2022 and Last Modified On September 2nd, 2022

This article was published as a part of the Data Science Blogathon.

Introduction to AWS Config

It is easy to overlook the alerts in your AWS account's health dashboard, but one of them deserves a closer look. If you use AWS Config, the changes scheduled for September 15, 2021, may remove data that parts of your cloud architecture depend on. Let's take a look at the AWS statement below.

AWS statement (source: https://aws.amazon.com/config/):
As part of our ongoing effort to optimize the costs associated with recording changes related to certain transient workloads, AWS Config is scheduled to release an update to relationships modeled within configuration items (CI) for 7 types of EC2 resources on September 15, 2021. Examples of transient workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling. This update optimizes CI models for EC2 instance resource types, Security Group, Network Interface, Subnet, VPC, VPN Gateway, and Customer Gateway to record direct relationships and discard indirect relationships.
While AWS's announcement gives its own breakdown of the changes, in this post we'll cover the basics of AWS Config, dive into the upcoming changes, and offer examples of solutions your organization can implement.

Configuration Concept

As you may know, AWS Config allows you to track current and historical resource configurations in your AWS account. AWS Config takes a snapshot of your deployed resources’ settings and stores them in a configuration item, which AWS refers to as a record of the settings of your specific resources at a specific time. These can be generated immediately when your resources are updated or on a schedule, such as every six hours.
A configuration item represents a point-in-time view of various attributes of a supported AWS resource in your account. Configuration item components include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change in the type of resource it records. For example, if AWS Config logs Amazon S3 buckets, AWS Config creates a configuration entry whenever the bucket is created, updated, or deleted.
Configuration items play a major role in AWS Config by serving as the source of truth for historical changes. AWS Config builds many features on them; for example, when AWS Config shows you a timeline of the states of your resources, it is reading configuration items in the background. Below is how the configuration history of an IAM user looks. Each configuration item is represented by a gray rectangle highlighted in blue. Selecting one of these items lets you drill down into the relationships and changes associated with the AWS resource at the item's timestamp.
[Image: configuration history timeline of an IAM user (source: https://aws.amazon.com/config/)]

Using the above example, we can dive into the changes of the IAM user on November 12, 2020, by selecting the Changes dropdown menu in the pink box above.
AWS Config creates configuration items using the same APIs that the AWS CLI calls. Specifically, it uses the list and describe operations behind CLI commands such as aws ec2 describe-instances --filters Name=tag-key,Values=example-tag. For each configuration item it creates, AWS Config may make multiple API calls. Here's a quick explanation, straight from AWS Support:
Types of relationships:
  • Direct
  • Indirect
A direct relationship is one returned when the Describe API is called. For example, the security groups attached to the instance are returned when AWS Config makes the Describe Instances call.
An indirect relationship is not returned when you call the Describe API. This requires multiple calls to Describe. For example, when AWS Config calls Describe Security Groups, the API call does not return a list of instances to which the security group is attached. Config must make another API call to find this information. In short, the direct relationships of a resource's configuration item can be created and documented using the describe CLI command of that same resource. Indirect relationships, on the other hand, are relationships that AWS Config creates by calling the describe API of a different resource type.
It can be confusing as to what counts as indirect and what counts as direct, so let's dive into a specific example. In the sample AWS Config item timeline below, we've highlighted information from indirect relationships in pink and direct relationships in green. A useful rule of thumb is that if the information you want does not come from a CLI command bound to the resource you are looking at, then it comes from an indirect relationship. Note that when you call describe-security-groups, you get information about the ingress/egress rules and the VPC the security group lives in, but not the instances attached to it.
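To make the direct/indirect distinction concrete, here is an added example (not code from the article, AWS, or Analytics Vidhya). It models the two EC2 describe responses as constructed, trimmed stand-ins shaped like the real ones, and shows that the list of instances attached to a security group only exists on the instance side, so it has to be built with a second call and a reverse index. That reverse index is exactly the "indirect" data AWS Config stops recording; the `include_indirect` flag produces a before-the-change and an after-the-change view of the security group's configuration item.

```python
"""Added example, not code from the article, AWS, or Analytics Vidhya.

It shows why "instances attached to a security group" is an *indirect*
relationship: describe-security-groups returns the group's rules and VPC but
no instances, so that list can only be built from a second call
(describe-instances) plus a reverse index.  Both API responses below are
constructed stand-ins shaped like the real EC2 responses, trimmed to the
fields used here."""
from collections import defaultdict

# Constructed describe-security-groups response: note there is no instance list.
DESCRIBE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-a1a1a1", "VpcId": "vpc-0f0f0f0f",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-b2b2b2", "VpcId": "vpc-0f0f0f0f", "IpPermissions": []},
]}

# Constructed describe-instances response: each instance names its own groups.
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa1111", "SubnetId": "subnet-0a0a0a0a", "VpcId": "vpc-0f0f0f0f",
     "SecurityGroups": [{"GroupId": "sg-a1a1a1", "GroupName": "web"}]},
    {"InstanceId": "i-0bbb2222", "SubnetId": "subnet-0a0a0a0a", "VpcId": "vpc-0f0f0f0f",
     "SecurityGroups": [{"GroupId": "sg-a1a1a1", "GroupName": "web"},
                        {"GroupId": "sg-b2b2b2", "GroupName": "db"}]},
    {"InstanceId": "i-0ccc3333", "SubnetId": "subnet-0b0b0b0b", "VpcId": "vpc-0f0f0f0f",
     "SecurityGroups": [{"GroupId": "sg-b2b2b2", "GroupName": "db"}]},
]}]}


def instance_direct_relationships(instance: dict) -> dict:
    """Direct relationships of one instance: everything here is read straight
    from its own describe-instances record, so no extra API call is needed."""
    return {
        "securityGroups": [g["GroupId"] for g in instance["SecurityGroups"]],
        "subnet": instance["SubnetId"],
        "vpc": instance["VpcId"],
    }


def instances_by_security_group(describe_instances: dict) -> dict:
    """Reverse index sg-id -> [instance-ids].  This is the extra work behind the
    indirect relationship that AWS Config stops recording: it can only be
    derived from the instance side."""
    index = defaultdict(list)
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            for group in inst["SecurityGroups"]:
                index[group["GroupId"]].append(inst["InstanceId"])
    return {sg: sorted(ids) for sg, ids in index.items()}


def security_group_view(sg_id: str, describe_sgs: dict, describe_instances: dict,
                        include_indirect: bool) -> dict:
    """A configuration-item-like view of one security group.  With
    include_indirect=True it resembles the pre-change CI (instances listed);
    with False it resembles the post-change CI (direct data only)."""
    record = next(g for g in describe_sgs["SecurityGroups"] if g["GroupId"] == sg_id)
    view = {"direct": {"vpc": record["VpcId"],
                       "ingressRules": len(record["IpPermissions"])}}
    if include_indirect:
        view["indirect"] = {
            "instances": instances_by_security_group(describe_instances).get(sg_id, [])}
    return view


if __name__ == "__main__":
    for flag in (True, False):
        print(security_group_view("sg-a1a1a1", DESCRIBE_SECURITY_GROUPS,
                                  DESCRIBE_INSTANCES, include_indirect=flag))
```

The point to take from the two views is that nothing is lost from the data AWS has; the reverse index simply moves from something AWS Config computed for you to something you must compute (or query) yourself.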

What is changing?

To increase the scalability of AWS Config, AWS is reducing the number of API calls that AWS Config makes on the backend. Because of these changes, AWS will stop recording indirect relationships for seven resource types. Here is a list of the indirect relationships that the affected resources will lose:
  • Customer Gateway configuration items will no longer include VPN connections.
  • EC2 instance configuration entries will no longer include EIPs or routing tables associated with an EC2 instance.
  • Network interface configuration entries will no longer include the EIP or routing tables associated with the network interface.
  • Security group configuration entries will not include attached EC2 instances or network interfaces.
  • Subnet configuration entries will no longer include EC2 instances within the subnet, NACLs, network interfaces, and routing tables associated with the subnet.
  • VPC configuration items will no longer include EC2 instances inside VPC, Internet gateways, NACLs, network interfaces, routing tables, subnets, security groups, and VPN gateways.
  • Finally, VPN gateway configuration entries will no longer include associated routing tables or VPN connections.

To be clear, AWS has confirmed that there will be no impact on any current AWS Config rules, only on the configuration items of the affected resources. If you use AWS Config notifications for configuration item changes, however, this will affect you: specifically, if your alerts or runbooks rely on notifications about any of the indirect relationship changes listed above, they will stop working on September 15, 2021.

Solution

If we need information that a currently configured rule depends on, we can use AWS Config's relatively new advanced query feature to retrieve it with SQL. Using the example of security group sg-a1a1a1, we could find out which EC2 instances are attached either by going to the EC2 console and manually checking each instance, or by using queries like these.

[Image: advanced query for the EC2 instances attached to security group sg-a1a1a1 (source: https://aws.amazon.com/config/)]

We've also extended the SQL queries in AWS's documentation with additional queries that return indirect relationship information for the seven resource types affected by the upcoming AWS Config changes.

[Image: extended queries for the seven affected resource types (source: https://aws.amazon.com/config/)]

Unfortunately, if you're using SNS notifications for configuration item changes, this is a breaking change with no easy fix: you'll need to build your own solution, such as spinning up a Lambda function and generating the SNS notifications yourself.
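The queries in the screenshots above are not reproduced on this page, so here is an added example (my own code, not the article's queries, AWS's, or Analytics Vidhya's) that ties the "Solution" section together: one query builder for the advanced query feature and the Lambda-plus-SNS approach from the last paragraph. The idea it generalizes is that after the change, the "contained" side of each relationship still records a direct relationship to its container (an instance still lists its security groups and subnet, a subnet still lists its VPC), so the dropped indirect list can be recovered by querying from that side with `relationships.resourceId`. The `select_resource_config` and `publish` calls are the real boto3 operations; the resource ids, the event shape, the `TOPIC_ARN` variable, the handler name and both fake clients are assumptions constructed for this example, and the clients are injected so the logic runs offline.

```python
"""Added example, not code from the article, AWS, or Analytics Vidhya.

After 2021-09-15 a security group's configuration item no longer lists the
instances attached to it, but each instance's configuration item still records
its security groups as a *direct* relationship.  The same holds for the other
six resource types: the contained side still points at its container.  So the
dropped indirect list is recovered by querying from the direct side with AWS
Config advanced query (SelectResourceConfig), and a Lambda-style handler pushes
the result to SNS.  Clients are injected so the logic runs offline against the
constructed fakes at the bottom."""
import json
import os
import re

# The seven resource types named in the announcement, used as an allow-list so
# the query builder never interpolates an arbitrary string into the expression.
AFFECTED_TYPES = {
    "AWS::EC2::CustomerGateway", "AWS::EC2::Instance",
    "AWS::EC2::NetworkInterface", "AWS::EC2::SecurityGroup",
    "AWS::EC2::Subnet", "AWS::EC2::VPC", "AWS::EC2::VPNGateway",
}
RESOURCE_ID = re.compile(r"[a-z]+-[0-9a-f]+")  # e.g. sg-a1a1a1, subnet-0a0a0a0a


def direct_side_query(resource_type: str, related_id: str) -> str:
    """Advanced-query expression for resources of resource_type whose own CI
    holds a direct relationship to related_id.  Advanced query has no bind
    parameters, so both inputs are validated before interpolation."""
    if resource_type not in AFFECTED_TYPES:
        raise ValueError(f"unsupported resource type {resource_type!r}")
    if not RESOURCE_ID.fullmatch(related_id):
        raise ValueError(f"malformed resource id {related_id!r}")
    return ("SELECT resourceId, resourceType, awsRegion "
            f"WHERE resourceType = '{resource_type}' "
            f"AND relationships.resourceId = '{related_id}'")


def run_query(config_client, expression: str) -> list:
    """Call SelectResourceConfig and follow NextToken; Results is a list of
    JSON strings, one per matching configuration item, so decode each one."""
    rows, kwargs = [], {"Expression": expression, "Limit": 100}
    while True:
        page = config_client.select_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in page.get("Results", []))
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]


def handler(event, context=None, config_client=None, sns_client=None, topic_arn=None):
    """Hypothetical Lambda entry point.  event = {"resourceType": <direct side>,
    "relatedTo": <id whose indirect list was dropped>}.  Publishes the recovered
    list to the SNS topic in TOPIC_ARN (assumed environment variable)."""
    if config_client is None or sns_client is None:
        import boto3  # only needed at real runtime, never in the offline test
        config_client = config_client or boto3.client("config")
        sns_client = sns_client or boto3.client("sns")
    topic_arn = topic_arn or os.environ["TOPIC_ARN"]
    rows = run_query(config_client,
                     direct_side_query(event["resourceType"], event["relatedTo"]))
    message = {"relatedTo": event["relatedTo"], "resourceType": event["resourceType"],
               "count": len(rows), "resourceIds": sorted(r["resourceId"] for r in rows)}
    sns_client.publish(
        TopicArn=topic_arn,
        Subject=f"AWS Config: {len(rows)} {event['resourceType']} related to {event['relatedTo']}",
        Message=json.dumps(message))
    return message


class FakeConfigClient:
    """Constructed stand-in for boto3's Config client: two result pages."""
    def __init__(self):
        self.calls = []
        self.pages = [
            {"Results": [json.dumps({"resourceId": "i-0aaa1111", "resourceType": "AWS::EC2::Instance",
                                     "awsRegion": "us-east-1"})], "NextToken": "page-2"},
            {"Results": [json.dumps({"resourceId": "i-0bbb2222", "resourceType": "AWS::EC2::Instance",
                                     "awsRegion": "us-east-1"})]},
        ]

    def select_resource_config(self, **kwargs):
        self.calls.append(kwargs)
        return self.pages[len(self.calls) - 1]


class FakeSnsClient:
    """Constructed stand-in for boto3's SNS client that records publishes."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}


if __name__ == "__main__":
    out = handler({"resourceType": "AWS::EC2::Instance", "relatedTo": "sg-a1a1a1"},
                  config_client=FakeConfigClient(), sns_client=FakeSnsClient(),
                  topic_arn="arn:aws:sns:us-east-1:000000000000:example-topic")
    print(json.dumps(out, indent=2))
```

Two design points worth keeping if you adapt this: the allow-list and id pattern matter because advanced query expressions are built by string concatenation, so anything that reaches the builder from an event payload must be validated first; and the Lambda's execution role only needs `config:SelectResourceConfig` and `sns:Publish` on the one topic, which is the least privilege the job requires.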

Conclusion

AWS Config is scheduled to release an update to relationships modeled within configuration items (CI) for 7 types of EC2 resources on September 15, 2021. Examples of transient workloads include changes to Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon Elastic MapReduce jobs, and Amazon EC2 Autoscaling.

  • AWS has confirmed that there will be no impact on any current AWS Config rules, only on the configuration items of the affected resources. This will affect you if you use AWS Config notifications for configuration item changes.
  • AWS Config takes a snapshot of your deployed resources' settings and stores it in a configuration item, which is what AWS calls a record of the settings of a specific resource at a specific time.
  • AWS is reducing the number of API calls that AWS Config makes on the backend. Because of these changes, AWS will stop recording indirect relationships for seven resource types.

The media shown in this article is not owned by Analytics Vidhya and is used at the Author’s discretion. 
