AWS Config for Network Compliance
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Config for Network Compliance: A Comprehensive Guide
Introduction: Why Network Compliance Matters in the Cloud
In the early days of cloud computing, network management was often treated as a "set it and forget it" task. You would provision a Virtual Private Cloud (VPC), attach a few subnets, define some security groups, and move on to application deployment. However, as cloud environments have scaled into complex architectures involving hundreds of VPCs, thousands of security group rules, and intricate routing tables, the manual management of these assets has become a primary source of security vulnerabilities and operational downtime.
Network compliance is the practice of ensuring that your network infrastructure adheres to a defined set of security, operational, and regulatory standards. In the AWS ecosystem, this means ensuring that your network resources—like VPCs, Network ACLs, Route Tables, and Security Groups—do not deviate from your organization's security posture. When a developer accidentally opens an SSH port to the entire internet or removes a mandatory logging configuration on a Transit Gateway, the consequences can range from minor compliance audit findings to catastrophic data breaches.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. By using AWS Config for network compliance, you shift from a reactive security model—where you hunt for misconfigurations after an incident—to a proactive model where the network is constantly monitored for drift, and in many cases, automatically remediated.
The Core Components of AWS Config
To understand how to manage network compliance effectively, we must first look at the three primary pillars of the AWS Config service. These components work together to provide a continuous feedback loop regarding the state of your infrastructure.
1. Resource Inventory and History
AWS Config automatically discovers supported AWS resources in your account and records their configuration state. If you change a security group rule, AWS Config captures that event, stores the new configuration, and keeps a history of what the resource looked like before the change. This is critical for network troubleshooting because it allows you to see exactly when a network connectivity issue began and what specific configuration change might have caused it.
2. Configuration Rules
Rules are the heart of compliance. A rule represents your desired state. You can use AWS Managed Rules (pre-built templates provided by AWS) or create Custom Rules using AWS Lambda. For networking, you might have a rule that states: "All security groups must not allow ingress on port 22 from 0.0.0.0/0." AWS Config evaluates your resources against these rules and reports them as either "Compliant" or "Non-Compliant."
3. Conformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account or across an entire AWS Organization. Think of these as "compliance-as-code" templates. If your organization requires adherence to a specific framework like PCI-DSS or NIST, you can deploy a conformance pack that checks for a wide range of networking and security best practices simultaneously.
Callout: Config Rules vs. AWS Security Hub It is common to confuse AWS Config with AWS Security Hub. While both contribute to security posture, they serve different purposes. AWS Config is focused on the configuration state of specific resources—is this security group configured correctly? Security Hub, conversely, acts as a central dashboard that aggregates findings from Config, GuardDuty, Inspector, and third-party tools. Use Config to define the "rules of the road" for your infrastructure, and use Security Hub to get a high-level view of your overall risk score.
Implementing Network Compliance: A Step-by-Step Approach
Implementing compliance is not a "big bang" activity. It requires a structured approach to ensure you do not break existing applications while enforcing new standards.
Phase 1: Establish Your Baseline
Before you can enforce rules, you must know what your network looks like. Enable AWS Config in all regions where you operate. Start by recording all resource types, specifically focusing on the AWS::EC2::VPC, AWS::EC2::SecurityGroup, AWS::EC2::NetworkAcl, and AWS::EC2::RouteTable types. Once recording is enabled, let it run for a few days to gather a baseline of your current network state.
Phase 2: Deploying Managed Rules
AWS provides several managed rules that are immediately useful for network security. Start with the "low-hanging fruit." Some of the most critical managed rules include:
- restricted-common-ports: Checks whether security groups that are in use disallow unrestricted incoming TCP traffic for the specified ports.
- vpc-sg-open-only-to-authorized-ports: Checks whether the security groups in use allow ingress traffic on ports other than those specified.
- vpc-no-public-ip: Checks whether your EC2 instances have a public IP address.
- vpc-flow-logs-enabled: Checks whether VPC Flow Logs are enabled for your VPCs.
To deploy these, navigate to the AWS Config console, select "Rules," and click "Add rule." Search for the managed rule name, configure the parameters (such as specifying which ports are restricted), and assign it to the appropriate scope.
Phase 3: Writing Custom Rules for Specialized Needs
Sometimes, managed rules are not enough. Perhaps your organization has a specific naming convention for VPCs, or you require that all VPCs be connected to a specific Transit Gateway. This is where AWS Lambda and Custom Config Rules come into play.
A custom rule is essentially a Python or Node.js function that receives the configuration of a resource as an input, evaluates it against your logic, and returns a "COMPLIANT" or "NON_COMPLIANT" status.
Below is a conceptual example of a Python Lambda function that checks if a VPC has a specific tag:
import boto3
def evaluate_compliance(configuration_item):
# Check if the resource type is a VPC
if configuration_item['resourceType'] != 'AWS::EC2::VPC':
return 'NOT_APPLICABLE'
# Extract tags from the configuration item
tags = configuration_item.get('configuration', {}).get('tags', [])
# Check if the 'Environment' tag exists and is set to 'Production'
for tag in tags:
if tag['key'] == 'Environment' and tag['value'] == 'Production':
return 'COMPLIANT'
return 'NON_COMPLIANT'
def lambda_handler(event, context):
# This is the simplified entry point for the Config rule
invoking_event = event['invokingEvent']
configuration_item = invoking_event['configurationItem']
status = evaluate_compliance(configuration_item)
# Report back to AWS Config
config = boto3.client('config')
config.put_evaluations(
Evaluations=[{
'ComplianceResourceType': configuration_item['resourceType'],
'ComplianceResourceId': configuration_item['resourceId'],
'ComplianceType': status,
'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
}],
ResultToken=event['resultToken']
)
Note: When writing custom rules, ensure your Lambda function has the necessary IAM permissions to talk to the AWS Config service. Specifically, the
config:PutEvaluationspermission is required for the function to report the compliance status back to the Config dashboard.
Advanced Network Automation: Remediation
Reporting a non-compliant resource is helpful, but fixing it automatically is the goal of a mature network operations team. AWS Config supports "Remediation Actions" using AWS Systems Manager (SSM) Automation documents.
When a resource is marked as non-compliant, you can trigger an SSM document to perform a corrective action. For example, if a security group is found to have an overly permissive rule (e.g., port 22 open to the world), the remediation action can automatically remove that ingress rule.
Steps to implement Auto-Remediation:
- Select a Remediation Document: AWS provides pre-built SSM documents for common issues. For example,
AWSConfigRemediation-RemoveUnusedSecurityGroup. - Associate with Rule: In the AWS Config rule settings, choose the "Remediation" tab.
- Define Parameters: Map the resource ID from the Config rule to the input parameter of the SSM document.
- Set Execution Mode: You can choose between "Manual" remediation (where an admin clicks a button to fix it) or "Automatic" remediation (where the fix happens immediately upon detection).
Warning: Use Automatic Remediation with extreme caution in production environments. If a rule is too broad, it could accidentally remove legitimate network access, causing an outage. Always test your remediation logic in a staging or development account before enabling it globally.
Best Practices for Network Compliance
Achieving compliance is not a one-time project; it is an ongoing operational process. To ensure your configuration management remains effective, follow these industry-standard practices:
- Adopt "Compliance as Code": Manage your Config rules and conformance packs using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation. This ensures that your compliance rules are version-controlled, peer-reviewed, and consistently deployed across all accounts.
- Use Aggregators: If you operate in a multi-account environment, use AWS Config Aggregators to consolidate compliance data from all accounts and regions into a single primary account. This gives your security team a "single pane of glass" view.
- Continuous Monitoring of Config Itself: It sounds recursive, but you should monitor the status of AWS Config. Ensure that recording is enabled and that your Lambda functions are not failing due to execution timeouts or permission errors.
- Establish a "Grace Period": When deploying new rules, start by setting them to "Evaluation Only" mode. This allows you to identify all current non-compliant resources without triggering automated remediation or alerts, giving your teams time to remediate issues manually before enforcement begins.
- Tagging as a Compliance Driver: Use tags to differentiate between production, staging, and development environments. You can then create scoped Config rules that apply stricter standards to production VPCs while allowing more flexibility in development environments.
Common Pitfalls and How to Avoid Them
Even with the best intentions, teams often hit common roadblocks when implementing AWS Config for network compliance. Being aware of these will save you significant time and frustration.
1. The "Cost Explosion"
AWS Config charges per configuration item recorded and per rule evaluation. In a large, dynamic environment where network resources change frequently, these costs can add up quickly.
- The Fix: Use the "Resource Selection" feature to record only the resource types you actually care about. Do not record every single resource type if you don't have a compliance requirement for them.
2. Overly Complex Custom Rules
Developers sometimes write highly complex Lambda functions for Config rules, leading to timeouts and high maintenance overhead.
- The Fix: Keep custom rules simple and focused on a single condition. If you need to perform a complex audit, break it down into multiple smaller rules rather than one massive, monolithic function.
3. Ignoring Resource Dependencies
Network resources are highly interdependent. For example, a security group might be non-compliant because it references a prefix list that is also misconfigured.
- The Fix: When designing your compliance strategy, map out the dependencies. Ensure that your remediation actions account for these dependencies so that fixing one resource does not accidentally break another.
4. Alert Fatigue
If you enable too many rules at once, you will be flooded with notifications, leading to "alert fatigue" where teams start ignoring the warnings.
- The Fix: Start small. Enable only the most critical rules (e.g., public SSH access) and gradually add more as your team matures and cleans up the existing environment.
Comparison Table: Manual Auditing vs. AWS Config
| Feature | Manual Auditing | AWS Config |
|---|---|---|
| Frequency | Periodic (e.g., monthly/quarterly) | Continuous (real-time) |
| Accuracy | Prone to human error | Consistent and programmatic |
| Historical Data | Difficult to reconstruct | Automatic history tracking |
| Remediation | Manual, slow | Automated, fast |
| Scalability | Poor (does not scale) | High (works across accounts) |
Quick Reference: Essential Network Rules
If you are just getting started, focus your efforts on these specific AWS Managed Rules to secure your network perimeter:
ec2-instance-no-public-ip: Prevents instances from being directly exposed to the internet.vpc-flow-logs-enabled: Ensures you have a record of network traffic for security auditing.restricted-ssh: Scans security groups for port 22 access from 0.0.0.0/0.vpc-sg-open-only-to-authorized-ports: Ensures only approved ports are exposed to the public.igw-attachment: Verifies that VPCs that should be private are not attached to an Internet Gateway.
Deep Dive: The Role of VPC Flow Logs in Compliance
While AWS Config monitors the configuration of your network, it does not tell you what is actually happening on the wire. This is where VPC Flow Logs become essential for compliance. When combined with AWS Config, you have a complete picture of both intent and reality.
VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. You can store these logs in CloudWatch Logs or S3. For compliance purposes, you should use AWS Config to ensure that Flow Logs are enabled for all VPCs, and then use Amazon Athena to query those logs for suspicious patterns.
For example, if an attacker attempts to scan your network, they will likely touch many ports in a short period. An AWS Config rule can verify that the "Flow Logs" configuration is active, while a subsequent analysis in Athena can alert you to the scanning behavior itself. This layering of security—Config for state, Flow Logs for behavior—is the hallmark of a secure cloud network architecture.
Callout: The "Human Element" in Compliance Technology is only half the battle. A robust compliance strategy requires a culture of accountability. When a developer receives a "Non-Compliant" notification from AWS Config, they should be empowered to fix it, rather than just ignoring it. Use Config to provide clear, actionable feedback in the notification message—for example, including a link to your internal documentation on how to properly secure a security group.
Best Practices for Scaling Compliance Across Organizations
As your cloud footprint grows, managing compliance account-by-account becomes impossible. AWS Organizations provides a mechanism to manage this at scale. Use AWS Config Conformance Packs deployed via AWS CloudFormation StackSets.
When you deploy a Conformance Pack using StackSets, you can target an entire Organizational Unit (OU). This ensures that every time a new account is added to your environment, it automatically inherits the standard network compliance rules you have defined. This is "compliance at birth"—the moment an account is created, it is already being monitored.
Checklist for Multi-Account Compliance:
- Centralized Logging Account: Create a dedicated, hardened AWS account for security and compliance logs.
- Delegated Administrator: Designate this central account as the "Delegated Administrator" for AWS Config within your AWS Organization.
- Standardized Rulesets: Define your "Gold Standard" conformance pack and keep it in a central repository.
- Automated Deployment: Use a CI/CD pipeline to push updates to your conformance packs. When you need to add a new compliance rule, you update the code, and the pipeline deploys the change to every account in your organization simultaneously.
Common Questions (FAQ)
Q: Does AWS Config slow down my network?
A: No. AWS Config is an out-of-band service. It monitors the metadata of your network resources (the configuration) and does not sit in the data path of your network traffic. It has zero impact on network performance or latency.
Q: How much does AWS Config cost?
A: You are charged per configuration item recorded and per active rule evaluation. The exact cost depends on how many resources you have and how often they change. AWS provides a calculator on their pricing page to help you estimate costs based on your specific environment size.
Q: Can I use AWS Config to fix resources that were created manually?
A: Yes. AWS Config does not care how a resource was created. Whether it was created via the Console, CLI, or Terraform, Config will detect it and evaluate it against your rules. This makes it an excellent tool for "shadow IT" discovery.
Q: What happens if I disable AWS Config?
A: If you disable Config, you lose the ability to track configuration history and you will no longer receive compliance updates. Any automated remediation triggered by Config will also stop functioning, leaving your network vulnerable to drift.
Key Takeaways for Network Professionals
- Continuous Visibility is Mandatory: In a dynamic cloud environment, manual audits are insufficient. AWS Config provides the continuous visibility required to maintain a secure network posture.
- Configuration as Code: Always define your compliance rules through code (CloudFormation/Terraform) rather than manually clicking through the console. This ensures consistency and reproducibility.
- Layered Defense: Remember that AWS Config monitors the state of the network. Complement this with VPC Flow Logs to monitor the behavior of the network for a holistic security approach.
- Start Small, Scale Smart: Do not try to enforce all possible rules on day one. Enable monitoring, identify the noise, fix the critical issues, and then move toward automated remediation.
- Culture Matters: Compliance is a shared responsibility. Use the automated feedback provided by AWS Config to educate developers and operations staff, turning compliance into a collaborative effort rather than a policing action.
- Use Organizational Tools: For multi-account environments, always leverage AWS Organizations and Conformance Packs to ensure uniform compliance standards across the entire enterprise.
- Test Remediation: Never enable automated remediation in production without extensive testing in a non-production environment. An overly aggressive rule can cause significant, unintended service disruptions.
By mastering AWS Config, you transition from a network administrator who is constantly "putting out fires" to an architect who builds systems that are secure and compliant by design. This shift is essential for anyone looking to scale their cloud operations while maintaining the integrity and security of their network infrastructure.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons