
AWS Config Alternative: A Different Take on Cloud Visibility

AWS Config provides a detailed view of your AWS resource configurations, snapshots, and their relationships. This allows you to detect unwanted changes in your resource configurations and maintain the security of AWS resources.

The problem is, though, that it doesn't provide reporting and alerting. To make it clear, AWS Config doesn't save you from using at least one more AWS service to get that data or integrate it with an existing one.

You can use CloudTrail logs to get that data, but it's not real-time data; it's historical data. It doesn't show what you have now but rather what you had at some point in time in the past. And sure, you can use SNS for notifications, but then again, too much effort and too many services with even more configurations added to the “rag-bag.”

It can be cumbersome to get a full picture through cloud services alone. That’s why it might be time to consider AWS Config alternatives like Resmo to get a simpler and more comprehensive solution. Let’s take it from the top.

What is AWS Config?

[Figure: How AWS Config works (source: AWS)]

We’ll go back to square one for a moment. For those unfamiliar, AWS Config is an AWS service that allows you to audit, evaluate, and assess your AWS resource configurations. You need to enable AWS Config rules in single or multiple accounts to check if your configuration settings comply with best practices or desired settings.

In other words, its primary use cases are to:

  • Discover AWS resources inventory
  • Record configuration changes
  • Receive notifications on changes through SNS
  • Run compliance checks
  • Perform security analysis

AWS Config supports 275 managed rules at the time of this writing. These rules provide the groundwork for a configuration audit. However, you'll find that not all rules or use cases suit every environment, and the service charges per configuration item recorded, which adds to the cost.


Storytime: Why we don’t use AWS Config

As ex-Opsgenie engineers, the co-founders of Resmo have spent a great deal of time working with Amazon Web Services over the years. Early on in the Resmo ideation process, they analyzed the security and visibility issues they had run into. The challenge along the way was the inadequacy of existing native cloud solutions like AWS Config, which provides resource inventory, configuration history, and governance functions.

This inadequacy stems from a few reasons, including:

  • The ever-increasing adoption of multi-cloud
  • Lack of contextual understanding of AWS resources and their relationships 
  • Need for a more comprehensive service that will bring insight into not only AWS resources but also other cloud and SaaS assets
  • AWS Config lacks full coverage of AWS services

Relying on a single cloud vendor is no longer a necessity, nor is it that common. Studies show that an organization today uses 130 SaaS apps on average. To put that in perspective, multi-cloud is also the de facto standard among modern companies, at 89%.

It's no secret that most companies have more cyber assets than ever, each with its own configuration, which means more attack surface to map. That’s why it might be time for you to look for an AWS Config alternative instead. But don’t take our word for it yet; let’s proceed step by step toward the “why” bit.

Here’s why we don't use AWS Config ourselves and how Resmo can be the answer for both SaaS and cloud configuration visibility.

Why Resmo can be your better alternative to AWS Config

1. Lower cost for more capabilities 

[Figure: AWS Config rule evaluation prices (source: AWS)]

AWS Config costs $0.003 per configuration item recorded in your AWS account per AWS Region. Given that it records a configuration item whenever a resource changes, the cost may outweigh the benefit you'll reap in the long run. On top of that, many organizations are hopping on the multi-cloud trend, making it even more challenging to consolidate and monitor all resource configurations.


While AWS Config can collect resources from many AWS services, its support for third-party resources is far from practical. You'll need to publish the configuration of third-party resources to assess them with the platform. 

Needless to say, the process will require time, money, and effort. In today's software environment, especially for startups needing agility, AWS Config can quickly become a shackle, so to speak, rather than leverage for developers and security teams.

Instead: Seek a Cost-Effective Solution for Expanded Digital Assets

Compared to AWS Config, an all-in-one cyber asset attack surface management system that covers most AWS Config queries and rules, if not all, as well as the resources of popular third-party services, would be more efficient.

[Figure: Resmo AWS resource configuration security]

Resmo integrates with AWS and covers Amazon EC2, S3, Amazon VPC, Lambda, and more. It offers: 

  • Over 100 ready-to-use queries
  • 300+ resources
  • The ability to create custom rules
  • Integrations beyond AWS with popular SaaS tools like Slack, GitHub, Opsgenie, and Google Cloud Platform

2. Centralized cloud asset visibility

AWS Config doesn't support many third-party services, which are integral to modern digital environments. Organizations using multiple cloud providers or SaaS solutions besides AWS services would need to adopt additional security and visibility services. This, in turn, scatters assets even more, causing vulnerabilities, risks, and required security efforts to increase exponentially.

Instead: Manage All Asset Configurations and Resources in One Place

Consolidating all digital asset resources in a centralized place is advantageous in avoiding potential security gaps and increasing the efficiency of security teams' operations.

3. No maintenance required for queries and alerts

Security teams must detect configuration changes in time to close gaps and avoid vulnerabilities. To set up automated notifications with AWS Config, you need to configure Amazon Simple Notification Service (SNS) and Amazon CloudWatch. CloudWatch receives the findings of audits, and then SNS sends out the notifications.

  • AWS Config sends a configuration history file about resource changes that occurred in six-hour periods.

Drawback: Going through long configuration processes like this increases complexity, not to mention that you'll also have to visit the dashboard. On top of that, many organizations implement more than one security control.

Imagine doing the same for each individual control system. That would be time-consuming and impractical.
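The alerting path described above (AWS Config findings delivered as CloudWatch events, then forwarded to SNS) hinges on an event rule that selects compliance changes. The following is an added example, not code from AWS or Resmo: it shows such a rule pattern, a minimal matcher for it, and the alert text a subscriber could publish. The sample events, the bucket name, and the helper names are constructed for illustration.

```python
# Added example: filter AWS Config compliance-change events and format an alert.
# Assumes the "Config Rules Compliance Change" event shape from CloudWatch Events.

# Rule pattern: only Config rule evaluations that turned NON_COMPLIANT.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}


def matches(pattern, event):
    """Minimal subset of event-pattern matching: nested dicts and
    lists of allowed exact values (no prefix or numeric operators)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def to_alert(event):
    """Return a one-line alert for a matching event, else None."""
    if not matches(EVENT_PATTERN, event):
        return None
    d = event["detail"]
    return "[{}/{}] {} {} violates Config rule {}".format(
        event.get("account", "?"), event.get("region", "?"),
        d.get("resourceType", "?"), d.get("resourceId", "?"),
        d.get("configRuleName", "?"))


def make_event(compliance, source="aws.config"):
    """Constructed sample event, trimmed to the fields used here."""
    return {
        "source": source,
        "detail-type": "Config Rules Compliance Change",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "configRuleName": "s3-bucket-public-read-prohibited",
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-bucket",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }
```

Without the `complianceType` filter, every re-evaluation, including resources returning to COMPLIANT, would reach the notification topic.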

Instead: Simpler and Faster Way to Query and Get Alerts

Modern software teams with expanded digital landscapes look for more automation and less manual work. A better alternative to what AWS Config offers for queries and alerts would be more flexible query tuning and a more straightforward notification system integrated with multiple channels.

[Figure: Resmo security notification channels]

Resmo alerts on notification rule breaches in real time and connects with multiple notification channels like webhooks, email, Slack, and Opsgenie.

  • Takes a few minutes to set up notification rules
  • Assesses continuously without any manual work on your behalf

4. Compliance hand in hand with resource security

AWS Config mainly focuses on assessing your resource configurations based on a set of security rules. But if you want to enjoy the best of both worlds, you can use Resmo for compliance as well as resource monitoring and security.

Resmo brings together different AWS compliance packs, including:

  • AWS CIS 1.5.0 Level 1 Benchmark
  • AWS Foundational Security Best Practices
  • AWS Partner Hosted Foundational Technical Review
  • AWS Startup Security Baseline (AWS SSB)

Compliance packs are made up of a set of security controls that evaluate your resource configurations, giving you a compliance score and detailed remediation instructions.

Bottom Line

AWS Config offers a neat configuration audit system for AWS services, and it certainly has come a long way since AWS first launched the service. It provides 200+ rules and allows custom ones up to a certain limit. However, it may not be ideal if:

  • You use multiple cloud providers,
  • You already have other control systems implemented,
  • You need configuration monitoring, querying, and alerting for services other than AWS,
  • You’re looking for a more affordable, flexible, or simpler solution.

What Resmo offers, on the other hand, is SQL querying across multiple clouds and SaaS resources, automating security checks with rules, and continuous compliance. You can set up integrations in minutes and start aggregating assets with ease.

Know what needs to be detected in real time and secure your digital environments.
