AWS Config Rules and Remediation
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Config Rules and Auto-Remediation: A Comprehensive Guide
Introduction: The Necessity of Automated Governance
In the modern cloud landscape, the speed at which infrastructure changes is staggering. With developers deploying resources across hundreds of accounts and regions, maintaining security and compliance manually is not just difficult; it is practically impossible. This is where AWS Config comes into play. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of these configurations against desired practices.
However, simply knowing that a resource is non-compliant is only half the battle. If a developer accidentally leaves an S3 bucket open to the public, waiting for a human to see an alert and manually fix it creates a window of vulnerability. This is where auto-remediation enters the picture. Auto-remediation allows you to trigger automated actions—such as running an AWS Systems Manager (SSM) document or a Lambda function—to correct non-compliant resources as soon as they are detected. This lesson will walk you through the architecture, implementation, and management of these systems, ensuring you can maintain a secure environment without constant manual oversight.
Understanding AWS Config Rules
At the heart of AWS Config are "Config Rules." A rule represents your desired configuration settings for a resource. When AWS Config detects a change to a resource, it evaluates the resource against these rules. If the resource does not meet the specified parameters, AWS Config marks it as "Non-Compliant."
Types of Config Rules
To effectively use Config, you must understand the two primary ways these rules are triggered:
- Change-triggered rules: These rules are evaluated when a configuration change occurs on a resource. For example, if you change an IAM policy, the rule evaluates immediately. This is the most common type for real-time compliance.
- Periodic rules: These rules are evaluated at a set frequency, such as every 24 hours. These are useful for checks that don't depend on specific configuration changes, such as checking for IAM users who haven't rotated their access keys in 90 days.
Callout: Managed vs. Custom Rules AWS provides a large library of "Managed Rules" which are pre-built templates for common compliance scenarios (e.g., "is encryption enabled for EBS volumes?"). Custom Rules, on the other hand, are written by you using Lambda functions. Use Managed Rules whenever possible to reduce maintenance, but use Custom Rules when your organization has specific or proprietary compliance requirements that aren't covered by the out-of-the-box templates.
Architecture of Auto-Remediation
Auto-remediation bridges the gap between detection and correction. The architecture relies on three primary components: the Config Rule, the Remediation Configuration, and the Execution mechanism (usually SSM Documents or Lambda).
The Remediation Workflow
- Detection: A resource change occurs, and the Config Rule evaluates it.
- Notification: If the evaluation result is "Non-Compliant," AWS Config records the result.
- Trigger: If Remediation is configured, AWS Config triggers the remediation action.
- Execution: The action (SSM Document or Lambda) runs against the specific resource ID that failed the check.
- Verification: After the action completes, Config automatically re-evaluates the resource to confirm it is now compliant.
Note: Auto-remediation is not instantaneous. There is typically a delay of a few seconds to a few minutes between the configuration change and the remediation action. Always ensure your remediation scripts include error handling and logging to track why a fix might have failed.
Practical Implementation: Securing S3 Buckets
Let’s walk through a classic scenario: ensuring that no S3 bucket in your account is publicly accessible.
Step 1: Deploying the Config Rule
First, navigate to the AWS Config console and select "Rules." Choose "Add rule" and search for s3-bucket-public-read-prohibited. This is a managed rule that checks if public read access is granted to your buckets.
Step 2: Configuring Remediation
Once the rule is deployed, you will see a "Remediation" tab. Click "Edit" and select "Automatic remediation." You will then choose an SSM document that handles the fix. For this scenario, you would typically use the AWS-DisableS3BucketPublicRead document provided by AWS.
Step 3: Mapping Parameters
The SSM document requires the BucketName as an input. You must map the BucketName parameter to the resource ID that Config provides. In the remediation configuration, use the following mapping:
BucketName=ResourceId
This tells the SSM document to pass the ID of the non-compliant bucket into the remediation script, ensuring the action is taken on the correct resource.
Writing Custom Remediation Logic
Sometimes, managed rules aren't enough. Perhaps you need to enforce a specific tagging strategy where every resource must have a Project tag. If a resource is missing this tag, you might want to automatically add a default tag or delete the resource if it's considered "unauthorized."
Creating a Custom Config Rule
To write a custom rule, you must create a Lambda function that accepts an event object from AWS Config.
import json
import boto3
def lambda_handler(event, context):
# Parse the invoker event
invoking_event = json.loads(event['invokingEvent'])
configuration_item = invoking_event['configurationItem']
# Extract the resource ID
resource_id = configuration_item['resourceId']
# Check for tags
tags = configuration_item.get('tags', {})
if 'Project' not in tags:
# Return Non-Compliant
return {
'complianceType': 'NON_COMPLIANT',
'resourceId': resource_id
}
return {
'complianceType': 'COMPLIANT',
'resourceId': resource_id
}
This code snippet checks if the Project tag exists. If it doesn't, it returns a NON_COMPLIANT status. Once you have this, you can attach an SSM document that runs a CLI command (e.g., aws ec2 create-tags) to add the missing tag automatically.
Best Practices for Auto-Remediation
Implementing auto-remediation is powerful, but it can also be destructive if configured incorrectly. Follow these best practices to maintain stability:
1. The "Manual-First" Approach
Before enabling "Automatic" remediation, use "Manual" remediation. This allows you to click a "Remediate" button in the Config console to trigger the fix. Once you have verified the scripts work perfectly across various edge cases, switch to "Automatic."
2. Implement "Dry Run" Logic
If you are writing custom Lambda functions, ensure your code has a way to log what it would do without actually performing the action. This is crucial for verifying that your logic doesn't accidentally delete production databases or modify critical security groups.
3. Use IAM Least Privilege
The IAM role used by the SSM document or Lambda function to perform the remediation must only have the permissions necessary to fix the specific issue. Do not grant AdministratorAccess to your remediation roles. If you are fixing S3 bucket policies, the role should only have s3:PutBucketPolicy permissions.
4. Monitor Remediation Failures
Even the best automation will fail occasionally due to API throttling, network issues, or dependency conflicts. Create an Amazon CloudWatch Alarm that triggers if the RemediationExecutionFailed metric increases. This ensures that you aren't living in a false sense of security while your automation silently fails.
Warning: Be extremely careful with automated deletions. If you have an auto-remediation rule that deletes resources (like unencrypted EBS volumes), ensure you have a "grace period" or an exception list. Unexpectedly deleting a developer's environment can cause significant downtime and frustration.
Comparison: Managed vs. Custom Remediation
| Feature | Managed Remediation | Custom Remediation |
|---|---|---|
| Maintenance | Low (AWS managed) | High (You manage the code) |
| Flexibility | Limited to standard fixes | Infinite (Anything via SDK) |
| Complexity | Simple configuration | Requires Lambda/SSM expertise |
| Testing | Pre-validated by AWS | Requires thorough unit testing |
Common Pitfalls and How to Avoid Them
Pitfall 1: Infinite Loops
A common mistake occurs when a remediation action causes a configuration change that triggers the rule again. For example, if your rule checks for a specific security group setting and your remediation script updates the security group, AWS Config sees this as a new change and re-evaluates the rule. If your script doesn't correctly update the resource to the compliant state, you can end up in an infinite loop of remediation attempts.
- Solution: Always ensure your remediation script verifies the state after the change or includes logic to check if the current state already meets the requirement before applying the fix.
Pitfall 2: Excessive Throttling
If you deploy a new rule that flags thousands of resources simultaneously, the auto-remediation will attempt to fire for all of them at once. This can lead to API throttling, which will cause many of your remediation attempts to fail.
- Solution: Use the "Maximum execution frequency" setting in your Config rule, and consider rolling out rules in smaller batches or by tagging resources to limit the scope of the rule initially.
Pitfall 3: Ignoring Regional Dependencies
Config rules are regional. If you have resources in us-east-1 and eu-west-1, you must deploy your Config rules and your remediation documents in every region where you have resources.
- Solution: Use Infrastructure as Code (IaC) tools like AWS CloudFormation StackSets or Terraform to deploy your compliance rules across all accounts and regions simultaneously.
Step-by-Step: Deploying Remediation with Terraform
For teams using Infrastructure as Code, manual console work is not sustainable. Here is how you define a Config Rule and its remediation with Terraform.
# Define the Config Rule
resource "aws_config_config_rule" "s3_encryption" {
name = "s3-bucket-server-side-encryption-enabled"
source {
owner = "AWS"
source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
}
}
# Define the Remediation Configuration
resource "aws_config_remediation_configuration" "s3_encryption_fix" {
config_rule_name = aws_config_config_rule.s3_encryption.name
target_type = "SSM_DOCUMENT"
target_id = "AWS-EnableS3BucketEncryption"
parameter {
name = "BucketName"
resource_value = "RESOURCE_ID"
}
automatic = true
maximum_automatic_attempts = 3
}
This Terraform snippet ensures that your compliance posture is version-controlled and repeatable. By using RESOURCE_ID as the mapping value, you dynamically inject the bucket name into the AWS-provided remediation document.
Advanced Strategies: Handling Complex Compliance
As your environment grows, you may need to implement more sophisticated logic than simple "if-then" statements.
The "Exception" Pattern
In some cases, a resource might be marked as non-compliant for a valid business reason (e.g., a legacy bucket that requires public access for a specific partner). You should implement an "Exception" mechanism using tags.
Modify your custom Config rule to check for a tag like ComplianceExemption: true. If this tag is present, the rule should return NOT_APPLICABLE rather than NON_COMPLIANT. This prevents the auto-remediation from firing while maintaining visibility that the resource is technically non-compliant but has been reviewed.
Multi-Account Governance
Using AWS Organizations, you can aggregate your compliance data into a single account. Use "Config Aggregators" to collect data from all member accounts. You can then deploy a centralized dashboard to view the compliance status of your entire organization. This is vital for security teams who need a bird's-eye view of the organization’s health.
Callout: Compliance Dashboards While Config provides the raw data, it is often helpful to stream Config results into Amazon QuickSight or an external SIEM (like Splunk) using Kinesis Firehose. This allows you to create trend reports, such as "How many non-compliant resources did we have last month vs. this month?" to prove the effectiveness of your auto-remediation efforts.
Troubleshooting Remediation Issues
When a remediation fails, the first place to look is the Execution tab within the Config rule details. AWS provides the exact error message returned by the SSM document or Lambda function.
- Check Permissions: Most failures occur because the service role assigned to the remediation document lacks the required permissions. Verify the role in IAM.
- Verify Resource State: Sometimes the resource has been deleted or modified in a way that makes the remediation command invalid.
- Inspect Logs: If using a Lambda function, check the Amazon CloudWatch Logs group associated with that function. This will give you the stack trace and the exact line of code where the logic failed.
Integrating with Incident Response
Auto-remediation is a form of "Active Defense." However, it should be part of a larger incident response plan. Even if the auto-remediation succeeds, you should still trigger an alert if a critical policy (like "Public S3 Bucket") is violated.
Use Amazon EventBridge to capture Config Rules Compliance Change events. You can route these events to an SNS topic, which then emails your security team, or to a Jira/ServiceNow ticket system. This provides a paper trail for the incident, even if the remediation was successful and transparent to the end-user.
Summary: Key Takeaways
As we conclude this lesson, remember that auto-remediation is about creating a "self-healing" infrastructure. Here are the core principles to carry forward:
- Continuous Monitoring is Mandatory: You cannot secure what you do not see. AWS Config provides the foundational visibility into your resource state.
- Prioritize Managed Rules: Use AWS-provided managed rules to cover the "low-hanging fruit" of security, such as encryption, public access, and logging.
- Automate with Caution: Always start with manual remediation to test your scripts. Once you are confident, move to automatic remediation to reduce the window of vulnerability.
- The Power of SSM: Systems Manager documents are the preferred way to execute remediation scripts because they are versioned, auditable, and easily integrated with Config.
- Handle Exceptions Gracefully: Use tagging strategies to account for edge cases where a resource must deviate from standard policies, preventing "false-positive" remediation actions.
- Governance at Scale: Use StackSets to deploy your Config rules across your entire AWS Organization, ensuring that no account is left behind.
- Audit and Monitor: Auto-remediation is not a "set and forget" feature. Regularly review the
RemediationExecutionFailedmetrics and audit your logs to ensure the system is working as intended.
By mastering AWS Config and auto-remediation, you shift your security strategy from reactive to proactive. You are no longer chasing down developers for non-compliant resources; you are providing an environment where compliance is the default state.
Frequently Asked Questions (FAQ)
Q: Does auto-remediation cost extra? A: Yes. You are charged for each Config rule evaluation and for the resources used by the remediation action (e.g., Lambda execution time or SSM Document overhead).
Q: Can I use auto-remediation for resources in other clouds? A: No, AWS Config is native to AWS resources. For multi-cloud governance, you would need to look at third-party cloud security posture management (CSPM) tools.
Q: What happens if the remediation script fails? A: AWS Config will record the remediation as "Failed." It will not automatically retry indefinitely unless you configure it to do so, and it will trigger an event that you can monitor to alert your team.
Q: Is it possible to remediate resources that are not in the same account as the Config Rule? A: Yes, but this requires complex cross-account IAM roles. It is generally recommended to deploy the Config rule in the same account where the resource resides.
Q: Can I use auto-remediation to "revert" a configuration change? A: Yes. For example, if a user changes a security group rule, your remediation script can simply re-apply the "known good" security group configuration.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons