Feb 26, 2018 2:58:06 PM by Deepak Vohra
Consider the use case that multiple AWS resources are running to support applications running on AWS. (We shall mainly be concerned with the AWS databases RDS, Redshift, and DynamoDB.) An administrator would be interested in finding out if the applications are running at the desired configurations.
While it is possible to navigate to the AWS Management Console for each database and find out about configuration settings, a tool that monitors and records configurations on all AWS resources for continuous evaluation would be most desirable. AWS Config is such a tool. Using AWS Config, an administrator is able to perform the following configurations related tasks.
The typical methodology used by AWS Config is as follows.
AWS Config provides managed rules that are used to evaluate AWS resources. AWS Config managed rules are provides in several categories: Compute (AMIs, EC2, and EBS), Database (DynamoDB, RDS, and Redshift), Management Tools (CloudTrail, CloudWatch), Security (IAM), and Storage (S3). Custom Config rules, which may extend managed rules already available, may also be defined.
In this article we shall discuss using AWS Config to monitor configurations of databases on AWS and make evaluations and compliance auditing of the configurations. This two-article series has the following sections.
The only prerequisite is an AWS account, which may be created at https://aws.amazon.com/resources/create-account/ .
Open the AWS Config Console at https://aws.amazon.com/config/ and select Settings in the margin as shown in Figure 1. Recording is on by default. The Turn off button is provided to turn off the recording. By default Resource types to record is set to All resources, as shown in Figure 1.
Figure 1. AWS Config Settings
Select or create an Amazon S3 bucket to store configuration history and snapshot files with details for the resources that AWS Config records. Choose the config-bucket- prefixed bucket as shown in Figure 2.
Figure 2. Choosing a S3 Bucket
In Amazon SNS Topic choose the option Stream configuration changes and notifications to an Amazon SNS topic as shown in Figure 3. Select the option Choose a topic from your account and select the Topic name config-topic.
Figure 3. Configuring a SNS Topic for AWS Config
Select the option Choose a role from your account to grant AWS Config read-only access to AWS resources so that it may record configuration changes, and also grant Config permissions to send the configuration information to S3, as shown in Figure 4. Select the Role name config-role-us-east-1; the role name could be different for different users. Click on Save.
Figure 4. Selecting an AWS Config Role Name
The AWS Config Settings get saved, as shown in Figure 5 by the Success message.
Figure 5. AWS Config Settings Saved
Next, create AWS database resources on which to record the configuration changes. Create a few RDS Database instances, a DynamoDB instance and a Redshift instance. Within RDS some of the configurations are different for the different RDS engine types. Select from the different type of RDS Engines as shown in Figure 6.
Figure 6. Selecting a RDS Engine
Also, configurations are different for the different editions of an RDS Engine. As an example, the configurations are different for the different editions of Oracle Database: Oracle EE, Oracle SE, and Oracle SE One, as shown in Figure 7.
Figure 7. Selecting a Oracle Database Edition
The configurations are also different based on whether Production or Dev/Test is selected as the deployment mode, as shown in Figure 8.
Figure 8. Selection a Production or Dev/Test Deployment Mode
RDS Console with an Aurora DB cluster and replica, two Oracle DB instances, and a MySQL DB instance is shown in Figure 9. Different users may have different RDS databases.
Figure 9. RDS Console with DB Instances
Create a DynamoDB instance in the DynamoDB Console as shown in Figure 10.
Figure 10. DynamoDB Instance
Create a Redshift Cluster as shown in Figure 11. The procedure to create a Redshift cluster is discussed in an earlier article on using Redshift.
Figure 11. Redshift Cluster
AWS Config is used for evaluating compliance of AWS services with the configured settings. In this article we introduced AWS Config and set the environment by creating database instances for RDS, Redshift and DynamoDB. In a subsequent article we shall add AWS Config rules to evaluate databases.
Written by Deepak Vohra
Deepak Vohra is an Oracle Certified Associate, Oracle Database 10g, and Sun Certified Java Programmer. Deepak has published on OTN and in Oracle Magazine.