AWS appconfig documentation change
Summary
Updated AWS AppConfig documentation with expanded explanations of feature flags, experimentation capabilities, safety features, and workflow. Added details about A/B testing, gradual rollouts, configuration management benefits, and enhanced security integration descriptions.
Security assessment
The changes enhance documentation of existing security features (validators, IAM integration, KMS encryption, CloudTrail auditing) but don't address specific vulnerabilities. New text emphasizes safety controls like automatic rollback and internal validation processes, improving security awareness without indicating incident response.
Diff
diff --git a/appconfig/latest/userguide/what-is-appconfig.md b/appconfig/latest/userguide/what-is-appconfig.md index 143c6c6e7..fb057a141 100644 --- a//appconfig/latest/userguide/what-is-appconfig.md +++ b//appconfig/latest/userguide/what-is-appconfig.md @@ -11 +11 @@ Get started with AWS AppConfigAWS AppConfig use casesBenefits overviewHow AWS Ap -AWS AppConfig feature flags and dynamic configurations help software builders quickly and securely adjust application behavior in production environments without full code deployments. AWS AppConfig speeds up software release frequency, improves application resiliency, and helps you address emergent issues more quickly. +AWS AppConfig helps you safely change application behavior in production without redeploying code. Using feature flags and dynamic free-form configurations, you can control how your application runs in real time. This approach reduces risk, accelerates releases, and enables faster responses to issues. You can gradually roll out new features to specific users, monitor their impact, and expand availability with confidence. You can also update block lists, allow lists, throttling limits, and logging levels instantly, allowing you to mitigate issues and fine-tune performance without a deployment. @@ -13 +13 @@ AWS AppConfig feature flags and dynamic configurations help software builders qu -With feature flags, you can gradually release new capabilities to users and measure the impact of those changes before fully deploying the new capabilities to all users. With operational flags and dynamic configurations, you can update block lists, allow lists, throttling limits, logging verbosity, and perform other operational tuning to quickly respond to issues in production environments. +AWS AppConfig experimentation enables software teams to run A/B tests and gradual feature rollouts using production traffic. Built on Amazon's 25+ years of software experimentation expertise (including on Amazon.com), the service integrates experimentation directly into your existing AWS AppConfig feature flag workflows. Teams can define hypotheses, target specific audiences, split traffic between treatments, and gradually increase exposure while monitoring operational metrics using CloudWatch or other preferred monitoring tools. AWS AppConfig experimentation works with any compute environment supported by the AWS AppConfig Agent, including Amazon EC2, AWS Lambda, Amazon ECS, and Amazon EKS. Teams can export experiment assignment data to data warehouses such as Amazon Redshift, Snowflake, or Databricks for results analysis. As AI continues to accelerate how teams build and iterate on software, AWS AppConfig experimentation provides a way to validate AI-driven changes with measurable production data and reduced operational risk. @@ -29 +29 @@ AWS AppConfig supports a broad spectrum of use cases: - * **Feature flags and toggles** – Safely release new capabilities to your customers in a controlled environment. Instantly roll back changes if you experience a problem. + * **Application experimentation** – Safely evaluate application changes in production using controlled audience exposure and feature flag-based treatments. @@ -31 +31 @@ AWS AppConfig supports a broad spectrum of use cases: - * **Application tuning** – Carefully introduce application changes while testing the impact of those changes with users in production environments. + * **Feature flags and toggles** – Gradually release new capabilities to targeted users, monitor impact, and instantly roll back changes if issues occur. @@ -33 +33 @@ AWS AppConfig supports a broad spectrum of use cases: - * **Allow list or block list** – Control access to premium features or instantly block specific users without deploying new code. + * **Application tuning** – Introduce changes safely in production, measure their effects, and refine behavior without redeploying code. @@ -35 +35,3 @@ AWS AppConfig supports a broad spectrum of use cases: - * **Centralized configuration storage** – Keep your configuration data organized and consistent across all of your workloads. You can use AWS AppConfig to deploy configuration data stored in the AWS AppConfig hosted configuration store, AWS Secrets Manager, Systems Manager Parameter Store, or Amazon S3. + * **Allow list or block list** – Control access to features or restrict specific users in real time, without modifying application code. + + * **Centralized configuration storage** – Manage configuration data consistently across workloads. AWS AppConfig can deploy configuration from the AWS AppConfig hosted configuration store, AWS Secrets Manager, Systems Manager Parameter Store, or Amazon S3. @@ -47 +49 @@ The following brief overview outlines the benefits of using AWS AppConfig. -Using feature flags with new capabilities speeds up the process of releasing changes to production environments. Instead of relying on long-lived development branches that require complicated merges before a release, feature flags enable you to write software using trunk-based development. Feature flags enable you to safely roll out pre-release code in a CI/CD pipeline that is hidden from users. When you are ready to release the changes, you can update the feature flag without deploying new code. After the launch is complete, the flag can still function as a block switch to disable a new feature or capability without the need to roll back the code deployment. +Feature flags help you release changes to production more quickly and with less risk. Instead of managing long-lived development branches and complex merges, you can adopt trunk-based development and control feature availability through flags. This approach allows you to deploy code that remains hidden from users until you are ready to release it. When the feature is ready, enable it without redeploying code. If issues occur after release, you can disable the feature immediately without rolling back the deployment. @@ -52 +54 @@ Using feature flags with new capabilities speeds up the process of releasing cha -AWS AppConfig offers the following safety features to help you avoid enabling feature flags or updating configuration data that could cause application failures. +AWS AppConfig includes safety features that help prevent configuration changes from causing application failures: @@ -54 +56 @@ AWS AppConfig offers the following safety features to help you avoid enabling fe - * **Validators** : A validator ensures that your configuration data is syntactically and semantically correct before deploying the changes to production environments. + * **Validators** : Ensure that configuration data is syntactically and semantically correct before deployment. @@ -56 +58 @@ AWS AppConfig offers the following safety features to help you avoid enabling fe - * **Deployment strategies** : A deployment strategy enables you to slowly release changes to production environments over minutes or hours. + * **Deployment strategies** : Gradually roll out changes over a defined period of time to reduce risk. @@ -58 +60 @@ AWS AppConfig offers the following safety features to help you avoid enabling fe - * **Monitoring and automatic rollback** : AWS AppConfig integrates with Amazon CloudWatch to monitor changes to your applications. If your application becomes unhealthy because of a bad configuration change and that change triggers an alarm in CloudWatch, AWS AppConfig automatically rolls back the change to minimize impact on your application users. + * **Monitoring and automatic rollback** : AWS AppConfig integrates with Amazon CloudWatch to monitor application health. If a configuration change triggers an alarm, AWS AppConfig automatically rolls back the change to minimize impact. @@ -66 +68,3 @@ AWS AppConfig offers the following safety features to help you avoid enabling fe -AWS AppConfig integrates with AWS Identity and Access Management (IAM) to provide fine-grain, role-based access to the service. AWS AppConfig also integrates with AWS Key Management Service (AWS KMS) for encryption and AWS CloudTrail for auditing. Before being released to external customers, all AWS AppConfig safety controls were initially developed with and validated by internal customers that use the service at scale. +AWS AppConfig integrates with AWS Identity and Access Management (IAM) to provide fine-grain, role-based access control. It also integrates with AWS Key Management Service (AWS KMS) for encryption and AWS CloudTrail for auditing. + +AWS developed and validated AWS AppConfig safety controls with internal teams that operate at scale before making them available to external customers. This foundation helps ensure the service is secure, reliable, and ready for production workloads. @@ -74 +78 @@ This section provides a high-level description of how AWS AppConfig works. -**1\. Identify configuration values in code you want to manage in AWS AppConfig** +**1\. Identify configuration data to manage in AWS AppConfig** @@ -77 +81 @@ This section provides a high-level description of how AWS AppConfig works. -Before you create a configuration profile in AWS AppConfig, we recommend you identify configuration data in your code that you want to dynamically manage using AWS AppConfig. Good examples include feature flags or toggles, allow and block lists, logging verbosity, service limits, and throttling rules, to name a few. These types of configuration change frequently and can cause problems if not correct. +Before creating a configuration profile, identify the configuration data in your code that you want to manage dynamically using AWS AppConfig. Common examples include feature flags, allow and block lists, logging levels, service limits, and throttling rules. These values tend to change frequently and can cause issues if misconfigured. @@ -79 +83 @@ Before you create a configuration profile in AWS AppConfig, we recommend you ide -If your configuration data already exists in the cloud, for example in Parameter Store or Amazon S3, you can take advantage of AWS AppConfig validation, deployment, and extension features to further streamline configuration data management. +If your configuration data already exists in cloud services such as SSM Parameter Store or Amazon S3, you can use AWS AppConfig to validate, deploy, and manage that data more effectively. @@ -84 +88,12 @@ If your configuration data already exists in the cloud, for example in Parameter -A configuration profile includes, among other things, a URI that enables AWS AppConfig to locate your configuration data in its stored location and a profile type. AWS AppConfig supports two configuration profile types: feature flags and freeform configurations. Both types can reduce the risk and complexity of software development and deployment by decoupling feature releases from code deployments. They also enable continuous delivery and risk mitigation through staged rollouts. Additionally, feature flags enable testing in production with real users, while freeform configurations enable you to retrieve configuration data from other AWS services. Both profile types allow for faster iteration, experimentation, personalization, and efficient management of the software lifecycle. For more information about creating a configuration profile, see [Creating a configuration profile in AWS AppConfig](./appconfig-creating-configuration-profile.html). +A configuration profile defines how AWS AppConfig locates and manages your configuration data. It includes a URI that points to the data source and a profile type. + +AWS AppConfig supports two profile types + + * **Feature flags** – Enable controlled feature releases, gradual rollouts, and testing in production. + + * **Free-form configurations** – Store and retrieve configuration data from external sources and update it without redeploying code. + + + + +Both profile types help decouple configuration from code, support continuous delivery, and reduce deployment risk. @@ -86 +101 @@ A configuration profile includes, among other things, a URI that enables AWS App -A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. AWS AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment rolls back to the previous configuration data. +You can also add optional validators to ensure that configuration data is syntactically and semantically correct. During deployment, AWS AppConfig evaluates these validators and automatically rolls back changes if validation fails. @@ -88 +103 @@ A configuration profile can also include optional validators to ensure your conf -When you create a configuration profile, you also create an application in AWS AppConfig. An application is simply a namespace or an organizational construct like a folder. +Each configuration profile is associated with an application, which acts as a logical container for your configuration resources. For more information about creating a configuration profile, see [Creating a configuration profile in AWS AppConfig](./appconfig-creating-configuration-profile.html). @@ -93 +108 @@ When you create a configuration profile, you also create an application in AWS A -When you start a deployment, AWS AppConfig performs the following tasks: +When you start a deployment, AWS AppConfig: @@ -95 +110 @@ When you start a deployment, AWS AppConfig performs the following tasks: - 1. Retrieves the configuration data from the underlying data store by using the location path name in the configuration profile. + 1. Retrieves configuration data from the source defined in the configuration profile @@ -97 +112 @@ When you start a deployment, AWS AppConfig performs the following tasks: - 2. Verifies the configuration data is syntactically and semantically correct by using the validators you specified when you created your configuration profile. + 2. Validates the data using the configured validators @@ -99 +114 @@ When you start a deployment, AWS AppConfig performs the following tasks: - 3. Sends a copy of the data to AWS AppConfig Agent to be read by your application. This copy is called the _deployed data_. + 3. Delivers the validated configuration to AWS AppConfig Agent @@ -104 +119 @@ When you start a deployment, AWS AppConfig performs the following tasks: -For more information about deploying a configuration, see [Deploying feature flags and configuration data in AWS AppConfig](./deploying-feature-flags.html). +The delivered configuration becomes the deployed version used by your application. For more information about deploying a configuration, see [Deploying feature flags and configuration data in AWS AppConfig](./deploying-feature-flags.html). @@ -106 +121 @@ For more information about deploying a configuration, see [Deploying feature fla -**4\. Retrieve the configuration** +**4\. Retrieve configuration data** @@ -109 +124 @@ For more information about deploying a configuration, see [Deploying feature fla -To retrieve the data, your application makes an HTTP call to the localhost server where AWS AppConfig Agent has cached a local copy of your deployed configuration data. Retrieving data is a metered event. AWS AppConfig Agent supports several use cases, as described in [How to use AWS AppConfig Agent to retrieve configuration data](./appconfig-agent-how-to-use.html). +Your application retrieves configuration data by calling a local endpoint exposed by AWS AppConfig Agent, which caches the deployed configuration. Retrieving data is a metered event. AWS AppConfig Agent supports a variety of use cases, as described in [How to use AWS AppConfig Agent to retrieve configuration data](./appconfig-agent-how-to-use.html). @@ -111 +126 @@ To retrieve the data, your application makes an HTTP call to the localhost serve -If AWS AppConfig Agent isn't supported for your use case, you can configure your application to poll AWS AppConfig for configuration updates by directly calling the [StartConfigurationSession](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_StartConfigurationSession.html) and [GetLatestConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) API actions. +If the agent is not suitable for your use case, your application can retrieve configuration data directly from AWS AppConfig by calling the [StartConfigurationSession](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_StartConfigurationSession.html) and [GetLatestConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) API actions. @@ -117 +132 @@ For more information about retrieving a configuration, see [Retrieving feature f -Pricing for AWS AppConfig is pay-as-you-go based on configuration data and feature flag retrieval. We recommend using the AWS AppConfig Agent to help optimize costs. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/). +Pricing for AWS AppConfig is pay-as-you-go based on configuration data and feature flag retrieval. We recommend using AWS AppConfig Agent to help optimize costs. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/).