AWS Config for Compliance
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Config for Compliance: A Comprehensive Guide
Introduction: Why Compliance Governance Matters
In the modern cloud landscape, maintaining a secure and compliant environment is no longer a manual task that can be handled with spreadsheets or periodic checklists. As organizations scale their infrastructure across hundreds or thousands of AWS accounts, the risk of configuration drift—where resources deviate from their intended secure state—becomes a significant threat. AWS Config serves as the foundational service for resource inventory, configuration history, and security governance, acting as a "continuous auditor" for your cloud environment.
Understanding AWS Config is vital because it moves the needle from reactive security (finding out about a breach after it happens) to proactive governance (detecting and potentially fixing a misconfiguration the moment it occurs). Whether you are subject to regulatory frameworks like PCI-DSS, HIPAA, or SOC2, or simply trying to enforce internal best practices like "no public S3 buckets" or "all volumes must be encrypted," AWS Config provides the automated evidence and enforcement mechanisms required to maintain a high security posture. This lesson will walk you through the inner workings of the service, how to implement it, and how to scale it across your organization.
Understanding the Core Components of AWS Config
To effectively use AWS Config, you must understand the three primary pillars that define its operation: Resources, Rules, and Conformance Packs. Each component plays a specific role in the lifecycle of cloud governance.
1. Resource Inventory and Configuration History
AWS Config automatically discovers existing AWS resources and records their configuration state. Every time a change occurs—such as a user modifying a security group rule, adding an IAM policy, or resizing an EC2 instance—AWS Config records the change as a "Configuration Item" (CI). This history allows you to perform "time-travel" debugging, where you can look back at exactly what your environment looked like at a specific point in time to troubleshoot an issue or provide evidence for an auditor.
2. Config Rules
Config Rules are the logic-based checks that evaluate your resources. A rule can be either "compliant" or "non-compliant." These rules operate based on the configuration data recorded by the service. For example, a rule might check if an S3 bucket is private. If the bucket is public, the rule marks the resource as non-compliant and triggers an alert.
3. Conformance Packs
As you scale, managing individual rules across hundreds of accounts becomes cumbersome. Conformance Packs are collections of AWS Config rules and remediation actions that can be deployed as a single entity. They are particularly useful for enforcing compliance standards like CIS Benchmarks or NIST 800-53 across an entire organization.
Callout: Config vs. CloudTrail It is common to confuse AWS Config with AWS CloudTrail. CloudTrail records who performed an action and when (the API call logs). AWS Config records what the resource looks like after the action is performed (the state). Think of CloudTrail as a security camera recording activity, and AWS Config as a snapshot of the room's layout at any given moment.
Setting Up AWS Config: Step-by-Step
Before you can write rules or run reports, you must enable the service. AWS Config works best when enabled at the organization level, but we will start with the basic setup to understand the underlying mechanics.
Step 1: Configuring the Delivery Channel
AWS Config needs a place to store its history and snapshot data. This is typically an S3 bucket. You should create a dedicated, locked-down S3 bucket specifically for audit logs. Ensure that this bucket has an S3 bucket policy that grants s3:PutObject permissions to the AWS Config service principal.
Step 2: Defining the IAM Role
AWS Config requires an IAM role with sufficient permissions to describe resources across your account. When you use the AWS Console to set up Config, it will create a service-linked role for you. If you are using Infrastructure as Code (IaC) like Terraform or CloudFormation, ensure your role has the AWSConfigRole managed policy attached.
Step 3: Enabling Resource Recording
You must specify which resources you want to track. You can choose to record "All supported resource types" or select specific ones.
Tip: While it might be tempting to record everything, be mindful of the costs. In a large production environment, recording every single resource type can lead to higher monthly bills. Start by recording the most critical security resources: IAM users, Security Groups, S3 Buckets, and RDS instances.
Implementing Config Rules: The Engine of Compliance
Once Config is recording data, the real value comes from creating rules. Rules can be either "Managed" (pre-built by AWS) or "Custom" (built by you using Lambda functions).
Managed Rules
AWS provides over 100 managed rules that cover common security scenarios. These are the easiest way to get started. For example, the s3-bucket-public-read-prohibited rule is a managed rule that automatically flags any S3 bucket that has public read access enabled.
Custom Rules
When a managed rule doesn't cover your specific business logic, you can write a custom rule. Custom rules are backed by AWS Lambda. When Config evaluates a resource, it triggers your Lambda function, passing the resource configuration as a JSON object. Your code then evaluates the resource and returns a "COMPLIANT" or "NON_COMPLIANT" status.
Example: Custom Lambda Rule (Python)
The following is a simplified logic structure for a custom rule that checks if an EC2 instance has a specific tag:
import json
import boto3
def evaluate_compliance(configuration_item):
# Extract tags from the resource configuration
tags = configuration_item.get('configuration', {}).get('tags', [])
# Check if 'Environment' tag exists and is set to 'Production'
for tag in tags:
if tag['key'] == 'Environment' and tag['value'] == 'Production':
return 'COMPLIANT'
return 'NON_COMPLIANT'
def lambda_handler(event, context):
invoking_event = json.loads(event['invokingEvent'])
configuration_item = invoking_event['configurationItem']
status = evaluate_compliance(configuration_item)
# Report back to AWS Config
config = boto3.client('config')
config.put_evaluations(
Evaluations=[{
'ComplianceResourceType': configuration_item['resourceType'],
'ComplianceResourceId': configuration_item['resourceId'],
'ComplianceType': status,
'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
}],
ResultToken=event['resultToken']
)
Warning: When writing custom rules, ensure your Lambda function has a timeout long enough to process the event, but keep it as short as possible to avoid unnecessary costs. Also, ensure your IAM role for the Lambda has
config:PutEvaluationspermissions, or the rule will fail to report status.
Advanced Governance: Remediation and Aggregation
Simply knowing that you are non-compliant is often not enough. In a mature environment, you want the system to automatically fix the issue. This is where Remediation comes in.
Automatic Remediation
AWS Config allows you to associate a "Remediation Action" with a rule. For example, if a rule detects that an S3 bucket is public, you can trigger an AWS Systems Manager (SSM) Document to automatically run a script that changes the bucket's ACL to private.
Multi-Account Aggregation
In an enterprise, you don't want to log into 50 different accounts to check compliance. The Config Aggregator feature allows you to collect compliance data from multiple accounts and regions into a single, centralized dashboard. This is essential for central security teams to maintain oversight without requiring individual access to every developer's sandbox account.
Best Practices for AWS Config
To get the most out of AWS Config, follow these industry-standard practices:
- Use Organizational Conformance Packs: Do not manage rules on an account-by-account basis. Deploy your compliance baseline using AWS Organizations so that every new account created automatically inherits your security standards.
- Filter Noise: Not every non-compliant resource is a "fire-alarm" event. Use the "Compliance Resource" filtering to prioritize high-risk resources (like IAM policies or Security Groups) over low-risk ones (like unused EBS volume tags).
- Implement Least Privilege: The IAM roles used by Config and its remediation documents should strictly follow the principle of least privilege. An SSM document that deletes public access should only have permission to modify S3 policies, not delete the data itself.
- Regularly Audit the Auditor: Periodically review your Config rules to ensure they are still relevant. As your architecture evolves, some rules might become obsolete and generate "false positives" that distract your security team.
- Use Infrastructure as Code (IaC): Never configure AWS Config via the console for production environments. Use Terraform, CloudFormation, or AWS CDK to define your rules. This ensures that your compliance configuration is version-controlled and peer-reviewed.
Common Pitfalls and How to Avoid Them
Even experienced engineers run into challenges with AWS Config. Here are the most frequent mistakes:
1. High Costs due to "All Resources" Recording
Many users enable "Record all resources" and forget about it. If you have a highly dynamic environment with thousands of temporary resources being created and destroyed (e.g., Lambda functions, auto-scaling instances), your Config bill will skyrocket.
- Solution: Be selective. Use the "Include/Exclude" resource type feature to record only what is necessary for compliance.
2. Ignoring Remediation Loop Risks
If you set up an automated remediation that is too aggressive, you might accidentally break production systems. For example, if a rule automatically deletes any security group that is "too open," you might inadvertently cut off access to a critical database.
- Solution: Always set up remediation to "Manual" first. Test the remediation in a non-production account, verify it works as expected, and only then enable "Auto-remediation" once you are confident in the logic.
3. Missing IAM Permissions
A very common issue is the "silent failure," where a rule is active but never reports compliance. This is almost always due to the Lambda function (for custom rules) or the Config service role lacking the necessary permissions to describe resources or report status.
- Solution: Check the CloudWatch Logs for your Lambda function. It will almost always tell you if it encountered an
AccessDeniedexception.
Comparison Table: Managed Rules vs. Custom Rules
| Feature | Managed Rules | Custom Rules |
|---|---|---|
| Effort | Low (Built-in) | High (Requires development) |
| Flexibility | Limited to AWS-provided logic | Infinite (Can evaluate any logic) |
| Maintenance | None (AWS manages) | High (You manage code/updates) |
| Use Case | Common standards (CIS, HIPAA) | Unique business requirements |
| Cost | Fixed per rule | Lambda execution + Config costs |
Compliance Frameworks and AWS Config
AWS Config is the primary tool used to provide evidence for compliance audits. When an auditor asks, "How do you ensure your EBS volumes are encrypted?", you don't show them a document; you show them the AWS Config dashboard for the encrypted-volumes rule.
Mapping to Industry Standards
- PCI-DSS: Use Config to monitor for unauthorized changes to security groups and IAM policies.
- HIPAA: Use Config to ensure that all databases (RDS) have snapshots enabled and that public access is restricted.
- SOC2: Use Config to prove that you have an automated process for monitoring the configuration state of your production environment.
Callout: Evidence Generation AWS Config snapshots can be exported to S3 and then queried using Amazon Athena. This is a powerful way to generate custom audit reports for management. Instead of taking screenshots of the console, you can run an SQL query that lists every resource that was non-compliant during a specific audit window.
Deep Dive: Scaling with Conformance Packs
As you grow, individual rules become difficult to track. Conformance Packs are the solution to this "governance at scale" problem. A Conformance Pack is essentially a YAML template that aggregates a group of rules.
Why use Conformance Packs?
- Consistency: You can ensure that every account in your organization has the exact same set of 50 security rules.
- Single Deployment: Instead of deploying 50 individual rules, you deploy one pack.
- Remediation Integration: You can include SSM documents within the pack, effectively deploying both the "check" and the "fix" simultaneously.
Structure of a Conformance Pack
A conformance pack typically looks like this:
- Parameters: Variables used across rules (e.g., the threshold for a specific metric).
- Resources: The definition of the rules themselves.
- Remediation: The link to the SSM document that performs the fix.
By standardizing your Conformance Packs, you turn your security governance into a "product" that you deliver to your development teams.
Real-World Scenario: Implementing "No Public S3 Buckets"
Let's walk through the practical implementation of a "No Public S3" policy using AWS Config.
- Select the Rule: Use the managed rule
s3-bucket-public-read-prohibited. - Define Scope: Apply this rule to all S3 buckets in the account.
- Enable Remediation: Associate this rule with the AWS-provided SSM document
AWS-DisablePublicS3Bucket. - Testing: Create a public bucket in a test environment. Observe as Config flags it as
NON_COMPLIANT. - Execution: Trigger the remediation. Observe as the bucket becomes private.
- Reporting: Verify in the Config dashboard that the resource status has changed to
COMPLIANT.
This cycle is the bedrock of automated security. Once you have this template, you can apply it to hundreds of accounts, effectively eliminating a massive category of data breaches across your entire organization.
Troubleshooting Checklist
If you find that your AWS Config setup is not working, follow this systematic troubleshooting process:
- Check the Configuration Recorder: Is it in the "Running" state? If it is "Stopped," no data will be recorded.
- Check S3 Bucket Policies: Does the delivery channel have permission to write to the bucket? Use the "Test Configuration" button in the console to verify connectivity.
- Check IAM Role Permissions: Does the service role have
config:PutConfigurationItemandconfig:PutEvaluationspermissions? - Check CloudWatch Logs: For custom rules, the Lambda function logs are the first place to look for errors.
- Evaluate Timing: Remember that AWS Config is not always instantaneous. There can be a delay of several minutes between a resource change and the rule evaluation. Do not expect real-time sub-second responses; Config is designed for continuous auditing, not real-time packet filtering.
The Future of Governance: Config and EventBridge
The most advanced organizations are now integrating AWS Config with Amazon EventBridge. Because every Config change generates an event, you can use EventBridge to trigger complex workflows.
For example, when a resource is marked as NON_COMPLIANT, you can trigger a message to a Slack channel, create a Jira ticket for the infrastructure team, or even shut down the resource entirely if it is deemed a critical security risk. This moves the organization from "passive auditing" to "active security operations."
Key Takeaways
- Continuous Auditing is Mandatory: In the cloud, static checklists are obsolete. AWS Config provides the automated, continuous visibility required for modern compliance.
- Resource Inventory is the Foundation: You cannot secure what you cannot see. Config provides the historical record of your resources, which is essential for troubleshooting and auditing.
- Start with Managed Rules, Move to Custom: Leverage the library of AWS-managed rules first to cover the basics, then build custom rules for your specific business logic.
- Governance at Scale: Use Conformance Packs and Organizations to enforce security standards across the entire enterprise, rather than managing rules on a per-account basis.
- Automate Remediation Carefully: While auto-remediation is powerful, start with manual remediation to ensure your logic does not negatively impact production systems.
- Cost Awareness: Be mindful of the number of resources you track. Focus on high-value, high-risk resources to keep costs manageable while maintaining a high security posture.
- Evidence for Auditors: Use Config snapshots and query tools like Athena to provide clear, data-driven proof of compliance, significantly reducing the manual effort of audit preparation.
By mastering AWS Config, you transition from being a gatekeeper who slows down development to a security partner who enables developers to move fast while remaining within the guardrails of a secure and compliant environment. This is the ultimate goal of effective cloud governance.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons