Config
Persistence:
3 minute read
Introduction
AWS Config is a service provided by Amazon Web Services (AWS) that enables you to assess, audit, and manage the configuration state of your AWS resources. Config provides a comprehensive view of the resource configuration across your AWS environment, helping you ensure compliance with security policies, track changes, and troubleshoot operational issues. Config continuously records configuration changes and allows you to retain a historical record of these changes.
LocalStack allows you to use the Config APIs in your local environment to assesses resource configurations and notifies you of any non-compliant items to mitigate potential security risks. The supported APIs are available on our API coverage page, which provides information on the extent of Config’s integration with LocalStack.
Getting started
This guide is designed for users new to Config and assumes basic knowledge of the AWS CLI and our awslocal
wrapper script.
Start your LocalStack container using your preferred method. We will demonstrate how to specify the resource types you want Config to record and grant it the needful permissions to access an S3 bucket and SNS topic with the AWS CLI.
Create an S3 bucket and SNS topic
The S3 bucket will be used to receive a configuration snapshot on request and configuration history. The SNS topic will be used to notify you when a configuration snapshot is available. You can create a new S3 bucket and SNS topic using the AWS CLI:
$ awslocal s3 mb s3://config-test
$ awslocal sns create-topic --name config-test-topic
Create a new configuration recorder
You can now create a new configuration recorder to record configuration changes for specified resource types, using the PutConfigurationRecorder
API.
Run the following command to create a new configuration recorder:
$ awslocal configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::000000000000:role/config-role
We have specified the roleARN
parameter to grant the configuration recorder the needful permissions to access the S3 bucket and SNS topic.
In LocalStack, IAM roles are not enforced, so you can specify any role ARN you like.
The name
parameter has been set to default
, and you can optionally specify a recordingGroup
parameter to specify the resource types you want to record.
Create a delivery channel
You can now create a delivery channel object to deliver configuration information to an S3 bucket and an SNS topic.
You have already created the S3 bucket and SNS topic, so you can now create the delivery channel object using the PutDeliveryChannel
API.
We’re going to create a delivery channel with the following configuration.
You can inline the JSON into the awslocal
command.
{
"name": "default",
"s3BucketName": "config-test",
"snsTopicARN": "arn:aws:sns:us-east-1:000000000000",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}
Run the following command to create the delivery channel:
$ awslocal configservice put-delivery-channel \
--delivery-channel '{
"name": "default",
"s3BucketName": "config-test",
"snsTopicARN": "arn:aws:sns:us-east-1:000000000000",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}'
Start the configuration recorder
You can now start recording configurations of the local AWS resources you have selected to record in your running LocalStack container.
You can use the StartConfigurationRecorder
API to start the configuration recorder.
Run the following command to start the configuration recorder:
$ awslocal configservice start-configuration-recorder \
--configuration-recorder-name default
You can list the delivery channels and configuration recorders using the DescribeDeliveryChannels
and DescribeConfigurationRecorderStatus
APIs respectively.
$ awslocal configservice describe-delivery-channels
$ awslocal configservice describe-configuration-recorder-status
Current Limitations
AWS Config is currently mocked in LocalStack. You can create, read, update, and delete AWS Config resources (like delivery channels or configuration recorders), but LocalStack will currently not record any configuration changes to service resources. If you need this feature, please consider opening a feature request on GitHub.