Need advice about which tool to choose?Ask the StackShare community!
AWS CloudFormation vs AWS Config: What are the differences?
Introduction
In this article, we will compare AWS CloudFormation and AWS Config, two powerful services provided by Amazon Web Services (AWS) for managing and monitoring your infrastructure in the cloud.
Key Difference 1: Infrastructure Management vs. Resource Configuration: AWS CloudFormation focuses on infrastructure management and provisioning by allowing you to define and deploy infrastructure resources as code using templates. It helps in automating the process of creating, updating, and deleting resources in a consistent and repeatable manner. On the other hand, AWS Config focuses on resource configuration management by continuously monitoring and recording changes to your AWS resources, providing a detailed inventory, and enabling compliance and security assessment.
Key Difference 2: Provisioning vs. Configuration: CloudFormation primarily deals with provisioning and orchestration of infrastructure resources based on the defined templates, ensuring the correct resource configuration and dependencies. It helps in creating and managing stacks of resources, including EC2 instances, RDS databases, S3 buckets, etc. In contrast, AWS Config focuses more on the configuration aspects of the resources, tracking their compliance with desired configurations, and detecting configuration drifts.
Key Difference 3: Declarative vs. Continuous Monitoring: CloudFormation operates in a declarative manner, allowing you to define the desired state of your infrastructure resources in templates. It takes care of provisioning resources and ensuring the infrastructure matches the defined state. AWS Config, on the other hand, provides continuous monitoring, capturing real-time configuration changes and maintaining a configuration history. It helps in identifying and addressing any deviations from the desired state.
Key Difference 4: Infrastructure as Code vs. Resource Configuration History: CloudFormation empowers you to treat infrastructure as code, enabling version control, change management, and reuse of templates across different environments. It allows you to easily create, update, and delete stacks of resources using the AWS Management Console, CLI, or API. AWS Config, in contrast, provides a detailed configuration history for resources, allowing you to see how their configurations have changed over time, enabling compliance auditing, and troubleshooting.
Key Difference 5: Scope of Management: CloudFormation provides a broader scope of infrastructure management, covering various AWS services and resource types. It allows you to create complex infrastructures using pre-defined templates and customize them as per your requirements. AWS Config, on the other hand, focuses on monitoring and managing individual resource configurations, providing detailed configuration item history, evaluating resource compliance, and detecting configuration drift.
Key Difference 6: Automation and Remediation vs. Compliance Assessment: CloudFormation offers the automation and remediation capabilities through changesets, which allow you to preview and apply changes to your stacks in a controlled manner. It provides automatic rollback in case of stack creation or update failures. AWS Config, on the other hand, focuses on compliance assessment and tracking of resource configuration changes, allowing you to configure rules and remediation actions to ensure compliant resource configurations.
In Summary, AWS CloudFormation primarily focuses on infrastructure provisioning and management through declarative templates, while AWS Config focuses on continuous monitoring and recording of resource configurations to ensure compliance and detect configuration drifts.
Because Pulumi uses real programming languages, you can actually write abstractions for your infrastructure code, which is incredibly empowering. You still 'describe' your desired state, but by having a programming language at your fingers, you can factor out patterns, and package it up for easier consumption.
We use Terraform to manage AWS cloud environment for the project. It is pretty complex, largely static, security-focused, and constantly evolving.
Terraform provides descriptive (declarative) way of defining the target configuration, where it can work out the dependencies between configuration elements and apply differences without re-provisioning the entire cloud stack.
AdvantagesTerraform is vendor-neutral in a way that it is using a common configuration language (HCL) with plugins (providers) for multiple cloud and service providers.
Terraform keeps track of the previous state of the deployment and applies incremental changes, resulting in faster deployment times.
Terraform allows us to share reusable modules between projects. We have built an impressive library of modules internally, which makes it very easy to assemble a new project from pre-fabricated building blocks.
DisadvantagesSoftware is imperfect, and Terraform is no exception. Occasionally we hit annoying bugs that we have to work around. The interaction with any underlying APIs is encapsulated inside 3rd party Terraform providers, and any bug fixes or new features require a provider release. Some providers have very poor coverage of the underlying APIs.
Terraform is not great for managing highly dynamic parts of cloud environments. That part is better delegated to other tools or scripts.
Terraform state may go out of sync with the target environment or with the source configuration, which often results in painful reconciliation.
I personally am not a huge fan of vendor lock in for multiple reasons:
- I've seen cost saving moves to the cloud end up costing a fortune and trapping companies due to over utilization of cloud specific features.
- I've seen S3 failures nearly take down half the internet.
- I've seen companies get stuck in the cloud because they aren't built cloud agnostic.
I choose to use terraform for my cloud provisioning for these reasons:
- It's cloud agnostic so I can use it no matter where I am.
- It isn't difficult to use and uses a relatively easy to read language.
- It tests infrastructure before running it, and enables me to see and keep changes up to date.
- It runs from the same CLI I do most of my CM work from.
Pros of AWS CloudFormation
- Automates infrastructure deployments43
- Declarative infrastructure and deployment21
- No more clicking around13
- Any Operative System you want3
- Atomic3
- Infrastructure as code3
- CDK makes it truly infrastructure-as-code1
- Automates Infrastructure Deployment1
- K8s0
Pros of AWS Config
- Backed by Amazon4
- One stop solution2
Sign up to add or upvote prosMake informed product decisions
Cons of AWS CloudFormation
- Brittle4
- No RBAC and policies in templates2
Cons of AWS Config
- Not user friendly2