How to do it...

We can set up and use AWS Config as follows:

  1. Go to the Config service in the console.
  2. If we are logging in for the first time, we will see a Getting started page. Click on Get started. We will be taken to the Settings page.
  3. In the Resource types to record section, against All resources, select Record all resources supported in this region and Include global resources (for example, AWS IAM resources).
  4. In the Amazon S3 bucket section, select Create a bucket. We will also use the default bucket name that is prepopulated in the Bucket name field.
  5. In the Amazon SNS topic section, select Stream configuration changes and notifications to an Amazon SNS topic. For topic, select Choose a topic from your account and select the topic we created in the Getting ready section.
  6. In the AWS Config role section, select Create AWS Config service-linked role.
  7. Click Next. We will be taken to the AWS Config rules page.
  8. Search for and select the iam-user-mfa-enabled rule. Click Next.
     We can add more rules if we want. We can also add rules after completing the setup process.
  9. On the Review page, review the changes and click Confirm. We will be redirected to the Config Dashboard. After waiting for some time, the left-hand side of the dashboard should show all the services being monitored. The right-hand side should show the compliance status graph and the list of noncompliant rules. We can drill down on these rules for more information.

Currently, I have the option to try out the newly redesigned AWS Config console. Once I click on the Try it out now link, I can view the new dashboard, which shows the Resource inventory (the resources that are monitored) at the top, followed by compliance details. The exact display options on the console may change from time to time, but the concepts remain the same.
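The same setup can be scripted with boto3. The following is an added example, not code from the book: it builds the API payloads that correspond to the console choices above and reduces the rule's evaluation results to the noncompliant IAM users. It assumes the S3 bucket (with a policy that lets AWS Config write to it), the SNS topic, and the AWS Config service-linked role already exist; the function names, account ID, bucket, topic ARN, and resource IDs are hypothetical.

```python
# Added example (not from the book). Function names are hypothetical; the
# resource IDs in the sample data are constructed placeholders.
RULE_NAME = "iam-user-mfa-enabled"

def build_requests(account_id, bucket, topic_arn, name="default"):
    """Payloads for: record all + global resources, S3/SNS delivery, MFA rule."""
    role_arn = (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                "config.amazonaws.com/AWSServiceRoleForConfig")
    return {
        "recorder": {"name": name, "roleARN": role_arn,
                     "recordingGroup": {"allSupported": True,
                                        "includeGlobalResourceTypes": True}},
        "channel": {"name": name, "s3BucketName": bucket,
                    "snsTopicARN": topic_arn},
        "rule": {"ConfigRuleName": RULE_NAME,
                 "Source": {"Owner": "AWS",
                            "SourceIdentifier": "IAM_USER_MFA_ENABLED"}},
    }

def apply(req):
    """Create recorder and channel, start recording, then add the rule."""
    import boto3  # imported lazily so the rest of the file runs offline
    cfg = boto3.client("config")
    cfg.put_configuration_recorder(ConfigurationRecorder=req["recorder"])
    cfg.put_delivery_channel(DeliveryChannel=req["channel"])
    cfg.start_configuration_recorder(
        ConfigurationRecorderName=req["recorder"]["name"])
    cfg.put_config_rule(ConfigRule=req["rule"])
    return cfg

def noncompliant(pages):
    """Reduce get_compliance_details_by_config_rule pages to failing resources."""
    found = []
    for page in pages:
        for res in page.get("EvaluationResults", []):
            if res.get("ComplianceType") == "NON_COMPLIANT":
                q = res["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                found.append((q["ResourceType"], q["ResourceId"]))
    return sorted(found)

def _result(rid, status):  # builds one constructed evaluation result
    return {"ComplianceType": status, "EvaluationResultIdentifier": {
        "EvaluationResultQualifier": {"ConfigRuleName": RULE_NAME,
            "ResourceType": "AWS::IAM::User", "ResourceId": rid}}}

SAMPLE_PAGES = [{"EvaluationResults": [_result("AIDAEXAMPLE0001", "NON_COMPLIANT"),
                                       _result("AIDAEXAMPLE0002", "COMPLIANT")]},
                {"EvaluationResults": [_result("AIDAEXAMPLE0003", "NON_COMPLIANT")]}]
```

Against a live account, the pages passed to `noncompliant` would come from the `get_compliance_details_by_config_rule` paginator on the client returned by `apply`, called with `ConfigRuleName=RULE_NAME`.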
