AWS Config
Developer Guide

Recording Software Configuration for Managed Instances

You can use AWS Config to record software inventory changes on EC2 instances and on-premises servers. This gives you a history of each instance's software configuration. For example, when a new Windows update is installed on a managed Windows instance, AWS Config records the change and sends it to your delivery channel (the S3 bucket and, if configured, the SNS topic), so that you are notified about the change. With AWS Config, you can see when Windows updates were installed on the managed instance and how the installed set changed over time.

You must complete the following steps to record software configuration changes:

  • Turn on recording for the managed instance inventory resource type in AWS Config

  • Configure EC2 and on-premises instances as managed instances

  • Initiate collection of software inventory from your managed instances

You can also use AWS Config rules to monitor software configuration changes and be notified whether the changes are compliant or noncompliant against your rules. For example, if you create a rule that checks whether your managed instances have a specified application, and an instance doesn't have that application installed, AWS Config flags that instance as noncompliant against your rule. For a list of AWS Config managed rules, see List of AWS Config Managed Rules.

To enable recording of software configuration changes in AWS Config:

  1. Turn on recording for all supported resource types or selectively record the managed instance inventory resource type in AWS Config. For more information, see Selecting Which Resources AWS Config Records.

  2. Launch an Amazon EC2 instance with an IAM role and the AmazonEC2RoleforSSM policy. Note that AmazonEC2RoleforSSM grants more than inventory collection needs (including broad S3 access), and any process on the instance can use the instance role's credentials; where possible, attach a policy scoped to the Systems Manager actions required, such as the AmazonSSMManagedInstanceCore managed policy. You may also need to install the SSM Agent. For more information, see Systems Manager Prerequisites in the Amazon EC2 User Guide for Linux Instances or Systems Manager Prerequisites in the Amazon EC2 User Guide for Windows Instances.

  3. Initiate inventory collection as described in Configuring Inventory Collection in the Amazon EC2 User Guide for Linux Instances. The procedures are the same for Linux and Windows instances.

    AWS Config can record configuration changes for the following inventory types:

    • Applications – A list of applications for managed instances, such as antivirus software.

    • AWS components – A list of AWS components for managed instances, such as the AWS CLI and SDKs.

    • Instance information – Instance information such as OS name and version, domain, and firewall status.

    • Network configuration – Configuration information such as IP address, gateway, and subnet mask.

    • Windows Updates – A list of Windows updates for managed instances (Windows instances only).

    Note

    AWS Config doesn't support recording the custom inventory type at this time.
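The following is an added example, not code from the AWS documentation or the AWS Config service. It ties the three steps above together and then shows the kind of decision the rule example earlier on this page describes (an instance flagged noncompliant because a required application is missing), evaluated locally over a constructed configuration item. Assumptions not taken from the page: the layout of the AWS::SSM::ManagedInstanceInventory configuration item (one "AWS:<Type>" key per inventory type, each with a "Content" map of entries, and the field names Name, Version and HotFixId) is reconstructed from the Systems Manager inventory schema and should be checked against a real item; the account ID, role name, instance ID and KB number are placeholders. Nothing in the block calls an AWS API.

```python
# Added example, not AWS code. Assumed rather than taken from the page: the layout
# of the AWS::SSM::ManagedInstanceInventory configuration item (an "AWS:<Type>" key
# per inventory type with a "Content" map of entries) and the placeholder account,
# role, instance and KB identifiers. Nothing here calls an AWS API.
from typing import List, Tuple

MANAGED_INSTANCE_INVENTORY = "AWS::SSM::ManagedInstanceInventory"
RECORDER_ROLE_ARN = "arn:aws:iam::123456789012:role/aws-config-role"  # placeholder


def recorder_config(role_arn: str = RECORDER_ROLE_ARN) -> dict:
    """Step 1: record only the managed instance inventory resource type.
    Body for `aws configservice put-configuration-recorder --configuration-recorder file://recorder.json`."""
    return {
        "name": "default",
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": [MANAGED_INSTANCE_INVENTORY],
        },
    }


def inventory_association(schedule: str = "rate(30 minutes)") -> dict:
    """Step 3: parameters for `aws ssm create-association` with the AWS-GatherSoftwareInventory
    document on every managed instance. Custom inventory stays disabled: AWS Config does not record it."""
    return {
        "Name": "AWS-GatherSoftwareInventory",
        "Targets": [{"Key": "InstanceIds", "Values": ["*"]}],
        "ScheduleExpression": schedule,
        "Parameters": {
            "applications": ["Enabled"],
            "awsComponents": ["Enabled"],
            "networkConfig": ["Enabled"],
            "windowsUpdates": ["Enabled"],
            "instanceDetailedInformation": ["Enabled"],
            "customInventory": ["Disabled"],
        },
    }


# Constructed sample configuration item (not captured from a real account).
SAMPLE_ITEM = {
    "resourceType": MANAGED_INSTANCE_INVENTORY,
    "resourceId": "i-0123456789abcdef0",
    "configuration": {
        "AWS:InstanceInformation": {"Content": {"i-0123456789abcdef0": {"PlatformType": "Windows"}}},
        "AWS:Application": {"Content": {
            "Amazon SSM Agent": {"Name": "Amazon SSM Agent", "Version": "3.2.1705.0"},
            "ExampleAV": {"Name": "ExampleAV", "Version": "4.18.0"},
        }},
        "AWS:WindowsUpdate": {"Content": {
            "KB1234567": {"HotFixId": "KB1234567", "Description": "Security Update"},
        }},
    },
}


def _entries(item: dict, inventory_type: str) -> List[dict]:
    """Entries of one inventory type; tolerates Content being a map or a list."""
    content = item.get("configuration", {}).get(inventory_type, {}).get("Content", {})
    return list(content.values()) if isinstance(content, dict) else list(content)


def parse_required(application_names: str) -> List[Tuple[str, str]]:
    """Parse 'name1,name2:version' into (name, version); an empty version means any version."""
    required = []
    for token in application_names.split(","):
        name, _, version = token.strip().partition(":")
        if name:
            required.append((name.strip(), version.strip()))
    return required


def evaluate_required_applications(item: dict, application_names: str) -> Tuple[str, str]:
    """Compliance decision for one instance: every required application, optionally at an exact
    version, must be present in AWS:Application. An instance with no inventory yet is reported
    NOT_APPLICABLE rather than COMPLIANT, so an agent that never reports cannot pass by default."""
    if not _entries(item, "AWS:InstanceInformation"):
        return "NOT_APPLICABLE", "no inventory collected for this instance"
    installed = {e.get("Name"): e.get("Version", "") for e in _entries(item, "AWS:Application")}
    missing = []
    for name, version in parse_required(application_names):
        if name not in installed:
            missing.append(name)
        elif version and installed[name] != version:
            missing.append(f"{name} (installed {installed[name]}, required {version})")
    if missing:
        return "NON_COMPLIANT", "missing: " + "; ".join(missing)
    return "COMPLIANT", "all required applications present"


def windows_update_installed(item: dict, hotfix_id: str) -> bool:
    """True if the update is listed under AWS:WindowsUpdate (Windows instances only)."""
    return any(e.get("HotFixId") == hotfix_id for e in _entries(item, "AWS:WindowsUpdate"))
```

In a Lambda-backed custom rule the (compliance, annotation) pair returned by evaluate_required_applications is what you would hand to PutEvaluations for the instance; the managed rule ec2-managedinstance-applications-required performs the same check from its applicationNames parameter, in the same "name" or "name:version" form parsed here. The NOT_APPLICABLE branch is deliberate: an instance whose agent has stopped reporting has no application list, and treating that silence as compliance would hide exactly the hosts you most want to look at.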

Inventory collection is one of many Amazon EC2 Systems Manager capabilities, which also include applying operating system patches and configuring instances at scale. For more information, see Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Windows Instances.