Getting started with AWS Config

Getting started with AWS Config is a simple process that usually takes a minute or two. Overall, you start by specifying the resources that you want AWS Config to record, then configure an Amazon SNS topic for notifications and an Amazon S3 bucket for storing the configuration history, and, finally, add some Config rules to evaluate your resources:

  1. To begin, access the AWS Config dashboard by filtering the service from the AWS Management Console or by navigating to https://console.aws.amazon.com/config/.
  2. Since this is our first time configuring this, select the Get Started option to commence the Config setup process.
  3. In the Resource types to record section, select the type of AWS resource that you wish Config to monitor. By default, Config will record the activities of all supported AWS resources. You can optionally specify only the services that you want to monitor by typing in the Specific types field, as shown in the following screenshot. In this case, I've opted to go for the default values: Record all resources supported in this region and Include global resources:
  4. Next, select a location to store your configuration history as well as your configuration snapshots. In this case, I've opted to create a new S3 bucket for AWS Config by providing a unique Bucket name.
  5. Moving on, in the Amazon SNS topic section, you can choose to create a new SNS topic that will send email notifications to your specified mailbox, or choose a pre-existing topic from your account.
  6. Finally, you will need to provide Config with a Read-only access role so that it can read your resources' configuration information and deliver it to S3 and SNS. Based on your requirements, you can either Create a role or, alternatively, Choose a role from your account. Click Save to complete the basic configuration for your AWS Config.

With this step completed, we can now go ahead and add Config rules to our setup. To do so, from the AWS Config dashboard's navigation pane, select Rules and click on the Add rule option.

  1. In the AWS Config rules page, you can filter and view predefined rules using the filter provided. For this particular scenario, let's go ahead and add two rules that check whether each of the account's S3 buckets prohibits public read access and public write access. To do so, simply type in S3-bucket in the filter and select either of the two Config rules, as shown in the following screenshot:
  2. Selecting a particular rule will pop up that rule's configuration page, where you can define the rule's trigger as well as its scope. Let's pick the s3-bucket-public-read-prohibited rule for starters and work with that.
  3. In the Configure rule page, provide a suitable Name and Description for your new rule. Now, since this is a managed rule, you will not be provided with an option to change the Trigger type; however, when you create your own custom rules, you can specify whether you wish to trigger the rule based on a Configuration change event or using a Periodic check approach that evaluates the rule at a time frequency that you specify.
  4. Next, you can also specify when you want the rule's evaluations to occur by selecting the appropriate option under the Scope of changes section. In this case, I've opted for the Resources scope and selected S3: Bucket as the resource, as depicted in the following screenshot:
     • Resources: When any resource that matches the evaluation criteria is either created, modified, or deleted
     • Tags: When any resource with the specified tag is created, modified, or deleted
     • All changes: When any resource recorded by AWS Config is created, modified, or deleted
  5. Optionally, you can also provide the ARN of the resource that you wish Config to monitor using the Resource identifier field. Click on Save once done.

Similarly, using the aforementioned steps, create another managed Config rule called s3-bucket-public-write-prohibited.
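The two console procedures above (recorder and delivery channel, then the two S3 managed rules), scripted as an added example that is not from the book, using the same AWS Config API calls the console makes. It assumes the IAM role, S3 bucket and SNS topic already exist; the ARNs in `__main__` are placeholders, and `RecordingClient` is an offline stand-in for `boto3.client("config")`.

```python
"""Scripted equivalent of the AWS Config wizard: recorder, delivery channel,
and the s3-bucket-public-read/write-prohibited managed rules."""

# Console rule names -> AWS managed-rule source identifiers.
S3_RULES = {
    "s3-bucket-public-read-prohibited": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "s3-bucket-public-write-prohibited": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
}

def recorder_request(role_arn, name="default"):
    """'Record all resources supported in this region' + 'Include global resources'."""
    return {"ConfigurationRecorder": {
        "name": name, "roleARN": role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}}

def delivery_channel_request(bucket, topic_arn, name="default"):
    """S3 bucket for history/snapshots, SNS topic for notifications."""
    return {"DeliveryChannel": {"name": name, "s3BucketName": bucket,
                                "snsTopicARN": topic_arn}}

def s3_rule_request(rule_name, bucket_id=None):
    """Managed rule scoped to S3 buckets; bucket_id narrows it to one bucket
    (the console's optional 'Resource identifier' field)."""
    scope = {"ComplianceResourceTypes": ["AWS::S3::Bucket"]}
    if bucket_id:
        scope["ComplianceResourceId"] = bucket_id
    return {"ConfigRule": {
        "ConfigRuleName": rule_name,
        "Description": "Managed rule " + S3_RULES[rule_name],
        "Scope": scope,
        "Source": {"Owner": "AWS", "SourceIdentifier": S3_RULES[rule_name]}}}

def set_up_config(client, role_arn, bucket, topic_arn):
    """Apply the requests in the wizard's order; returns the rule names created."""
    client.put_configuration_recorder(**recorder_request(role_arn))
    client.put_delivery_channel(**delivery_channel_request(bucket, topic_arn))
    client.start_configuration_recorder(ConfigurationRecorderName="default")
    for rule_name in S3_RULES:
        client.put_config_rule(**s3_rule_request(rule_name))
    return list(S3_RULES)

class RecordingClient:
    """Offline stand-in for boto3.client('config'): records every call made."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))

if __name__ == "__main__":
    import boto3  # real run: credentials with config:Put*/Start* permissions
    set_up_config(boto3.client("config"),
                  "arn:aws:iam::123456789012:role/PLACEHOLDER-config-role",  # placeholder
                  "PLACEHOLDER-config-bucket",                                # placeholder
                  "arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-topic")    # placeholder
```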

With the rules in place, select the Resources option from Config's navigation pane to view the current set of resources that have been evaluated against the rules you have set.

In my case, I have two S3 buckets present in my AWS environment: one that has public read enabled on it while the other doesn't. Here's what the Resources evaluated dashboard should look like for you:

Here, you can view the evaluated resources against a Config timeline by simply selecting the name of the resource from the column with the same name. This will bring up a time series of your particular resource's configuration state. You can choose between the different time series options to view the state changes, as well as toggle between the time periods using the Calendar icon. The best part of using this feature of Config is that you can change your resource's configuration from the same place by selecting the Manage resource option. Doing so will automatically open the S3 bucket's configuration page, as in this case. You can alternatively select the Dashboard option from the AWS Config navigation pane and obtain a visual summary of the current status of your overall compliance, as depicted in the following screenshot:

You can use the same concepts to create more such managed Config rules for a variety of other AWS services, including EC2, EBS, Auto Scaling, DynamoDB, RDS, Redshift, CloudWatch, IAM, and much more! For a complete list of managed rules, check out http://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html.

With the managed Config rules done, the last thing left to do is create a custom Config rule, which is exactly what we will be covering in the next section.
