AWS Config Rules
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Understanding AWS Config Rules: A Foundation for Cloud Governance
In the early days of cloud computing, security and governance were often treated as manual, point-in-time activities. A team might run an audit once a quarter, identify a dozen misconfigurations, and spend the next week scrambling to fix them. As infrastructure scales into the hundreds or thousands of resources across multiple regions, this manual approach becomes impossible to maintain. This is where AWS Config comes in. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. At the heart of this service are AWS Config Rules, which act as automated "guardrails" that continuously monitor your environment to ensure it adheres to your organization's security and operational policies.
Understanding AWS Config Rules is essential because they transform compliance from a reactive, manual task into a proactive, automated process. Instead of discovering a publicly accessible database bucket three months after it was created, you can be notified—or even have the configuration automatically corrected—the moment that change occurs. This lesson will guide you through the architecture of Config Rules, how to deploy them, how to write custom logic for your specific business requirements, and how to govern your cloud footprint effectively.
The Architecture of AWS Config Rules
To effectively use AWS Config Rules, you must first understand how they interact with your AWS environment. AWS Config continuously records changes to your resource configurations. When a change occurs—such as a security group being modified or an S3 bucket policy being updated—AWS Config captures this change as a configuration item. This configuration item is then evaluated against the AWS Config Rules you have enabled.
Config Rules are essentially small pieces of logic—either managed by AWS or custom-written by you—that determine whether a resource is "Compliant" or "Non-Compliant" based on your specified criteria. If a resource fails to meet the rule’s requirements, it is marked as non-compliant, and you can trigger notifications via Amazon SNS or automated remediation actions through AWS Systems Manager (SSM) documents.
Managed vs. Custom Rules
AWS provides two primary ways to define your governance logic:
- Managed Rules: These are pre-written, tested, and maintained by AWS. They cover common security best practices, such as ensuring MFA is enabled for root accounts, verifying that EBS volumes are encrypted, or checking that S3 buckets are not publicly accessible. These are the best starting point for any organization.
- Custom Rules: If your organization has specific compliance requirements that go beyond standard best practices—such as ensuring a specific tag is present on all production resources or that a proprietary database configuration is used—you can write your own logic. Custom rules are executed as AWS Lambda functions, giving you full control over the evaluation logic.
Callout: Managed vs. Custom Logic Choosing between managed and custom rules is a balance between speed and specificity. Managed rules are "off-the-shelf" and require zero maintenance, making them ideal for standard security benchmarks like CIS or NIST. Custom rules require you to manage the underlying Lambda code, including its runtime, permissions, and potential failure modes, but they provide the flexibility to enforce unique organizational policies that no third party could anticipate.
Deploying AWS Config Rules: A Step-by-Step Guide
Before you can use Config Rules, you must ensure that AWS Config is enabled in your AWS account and region. AWS Config requires an S3 bucket to store configuration history and a configuration recorder to track resource changes.
Step 1: Enable the Configuration Recorder
- Navigate to the AWS Config console.
- Select the "Get Started" button or navigate to "Settings."
- Choose the resources you want to record (e.g., all supported resource types, or specific types like EC2, S3, and IAM).
- Specify an S3 bucket for delivery of configuration logs.
- Create an IAM role that allows AWS Config to access the required resources and write to the S3 bucket.
Step 2: Deploying a Managed Rule
Once the recorder is active, you can add rules:
- In the AWS Config console, click "Rules" in the left-hand menu.
- Click "Add Rule."
- Browse the extensive library of AWS-managed rules. For example, search for
s3-bucket-public-write-prohibited. - Review the rule parameters. Some rules allow you to specify exclusions or specific thresholds.
- Click "Next" and "Add Rule." AWS Config will immediately begin an evaluation of your existing resources, which may take a few minutes depending on the volume of resources in your account.
Step 3: Implementing a Custom Rule
If you need to enforce a custom requirement—for instance, ensuring all EC2 instances have an "Environment" tag—you will need to use a Lambda function.
- Write the Python or Node.js function that evaluates the resource configuration.
- Upload the code to AWS Lambda.
- In the AWS Config console, when adding a rule, select "Create custom rule."
- Choose "Custom Lambda rule."
- Provide the ARN of the Lambda function you created.
- Define the "Trigger type." You can trigger the rule on configuration changes (whenever a resource is created/updated) or on a periodic basis (e.g., every 24 hours).
Warning: Trigger Types Be cautious when choosing "Configuration changes" as your trigger type for custom rules. If your Lambda function is triggered by every minor change for thousands of resources, you may hit Lambda concurrency limits or incur unexpected costs. Always test custom rules in a sandbox environment before deploying them globally to ensure the logic is efficient and handles errors gracefully.
Practical Examples and Code Snippets
To truly master AWS Config, you need to see how the logic works under the hood. Below is a simplified example of how a custom rule is structured in Python.
Example: Enforcing an "Owner" Tag
The following Python code snippet demonstrates the logic required to check if an EC2 instance has an "Owner" tag. This function receives an event from AWS Config, inspects the resource configuration, and returns a compliance status.
import boto3
import json
def evaluate_compliance(configuration_item):
# Extract tags from the configuration item
tags = configuration_item.get('configuration', {}).get('tags', [])
# Check if the 'Owner' key exists in the tags
for tag in tags:
if tag['key'] == 'Owner':
return 'COMPLIANT'
return 'NON_COMPLIANT'
def lambda_handler(event, context):
# Parse the configuration item from the event
invoking_event = json.loads(event['invokingEvent'])
configuration_item = invoking_event['configurationItem']
# Determine compliance
compliance_status = evaluate_compliance(configuration_item)
# Report back to AWS Config
config = boto3.client('config')
config.put_evaluations(
Evaluations=[
{
'ComplianceResourceType': configuration_item['resourceType'],
'ComplianceResourceId': configuration_item['resourceId'],
'ComplianceType': compliance_status,
'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
},
],
ResultToken=event['resultToken']
)
Explanation of the code:
- The Event: AWS Config sends a JSON object to the Lambda function. This object contains the
configurationItem, which holds the state of the resource at the time of the trigger. - Evaluation Logic: The
evaluate_compliancefunction iterates through the resource tags. If it finds a tag with the key "Owner," it returns 'COMPLIANT'. Otherwise, it returns 'NON_COMPLIANT'. - Reporting: The
put_evaluationscall is crucial. It tells AWS Config the outcome of the check, which then updates the dashboard and triggers any associated SNS notifications.
Governance Best Practices
Governance is not a "set it and forget it" task. As your infrastructure evolves, so should your rules. Here are the industry-standard best practices for maintaining a healthy AWS Config posture.
1. Start with the AWS Foundational Security Best Practices
Don't reinvent the wheel. AWS provides a conformance pack called "Operational Best Practices for AWS Foundational Security Best Practices." This is a pre-packaged set of rules that covers the most critical security configurations (e.g., ensuring CloudTrail is enabled, RDS instances are not public, and IAM policies are not overly permissive). Deploying this pack is the fastest way to achieve a baseline level of compliance.
2. Use Conformance Packs
A Conformance Pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account or across an entire organization. Instead of managing 50 individual rules, you manage one pack. This makes it much easier to enforce compliance standards across multiple accounts using AWS Organizations.
3. Implement Automated Remediation
The real power of AWS Config lies in automated remediation. When a resource is found to be non-compliant, you can associate an SSM Document with the rule. This document can automatically trigger actions such as:
- Deleting a public S3 bucket policy.
- Disabling an unused IAM access key.
- Stopping an EC2 instance that lacks required tags.
Note: Remediation Caution Automated remediation is powerful, but it can be dangerous. Always test your remediation scripts in a staging account. If you configure a rule to "automatically delete" non-compliant resources, you might accidentally destroy production infrastructure due to a logic error in your rule. Start with "Manual Remediation" (where you trigger the fix via a button) before moving to "Auto-Remediation."
4. Monitor Config Costs
AWS Config is billed per configuration item recorded and per rule evaluation. If you have a highly dynamic environment where resources are created and destroyed thousands of times a day, your costs can escalate quickly. Regularly audit which resources you are recording. Do you really need to record every change to every EBS volume if you only care about security group changes? Filter your configuration recorder settings to capture only what is necessary.
Common Pitfalls and How to Avoid Them
Even experienced architects can fall into common traps when implementing AWS Config. Below are the most frequent mistakes and how to steer clear of them.
Pitfall 1: Over-recording
Many users enable AWS Config for every single resource type in every region. While this provides total visibility, it generates a massive amount of data and leads to unnecessary costs.
- Solution: Be selective. Focus on resources that impact security and compliance posture, such as IAM, VPC, S3, RDS, and EC2. You can exclude low-risk resources if your budget is tight.
Pitfall 2: Ignoring "Missing" Resources
Config Rules are great at identifying misconfigurations on existing resources, but they aren't always great at identifying missing resources. For example, a rule can tell you if an S3 bucket is public, but it cannot easily tell you that you are missing a backup S3 bucket entirely unless you use custom logic that checks for the existence of specific resources.
- Solution: Supplement Config Rules with other services like AWS Security Hub or AWS Backup, which provide a different lens on your infrastructure health.
Pitfall 3: Failing to Manage Permissions
Custom rules rely on Lambda, which requires specific IAM permissions to describe resources. If your Lambda function doesn't have the config:PutEvaluations permission, it won't be able to report its findings back to the Config dashboard, leading to "silent failures" where the rule appears to run but never updates the compliance status.
- Solution: Always use the principle of least privilege. Grant your Lambda execution role only the read permissions necessary to inspect the resources it is auditing, and the specific
config:PutEvaluationspermission.
Pitfall 4: Neglecting the Evaluation Frequency
If you set a rule to run on a periodic basis (e.g., every 24 hours), you are leaving a massive gap in your security. An attacker could create an insecure resource, perform their actions, and delete the resource within that 24-hour window, remaining completely undetected by your Config rule.
- Solution: Always prefer "Configuration Changes" as the trigger type over "Periodic" triggers whenever possible. This ensures that the moment a resource changes, the rule is evaluated.
Quick Reference: Config Rule Best Practices
| Feature | Best Practice | Why? |
|---|---|---|
| Scope | Use Conformance Packs | Simplifies management and ensures consistency. |
| Trigger | Use "Configuration Changes" | Real-time detection vs. delayed detection. |
| Remediation | Start with Manual | Prevents accidental deletion of production data. |
| Scope of Recording | Filter Resource Types | Controls costs and reduces noise. |
| Governance | Use AWS Organizations | Centralizes logs and rule enforcement. |
Scaling Governance with AWS Organizations
In a modern enterprise, you rarely manage a single AWS account. You likely have a management account and dozens, if not hundreds, of member accounts. AWS Config integrates seamlessly with AWS Organizations to provide "Organization-wide" rules.
When you deploy a rule from your management account, you can choose to apply it to all current and future accounts in your organization. This is a game-changer for compliance. It ensures that no matter who creates an account or where they create a resource, the same security guardrails are applied immediately.
The Multi-Account Workflow
- Enable Trusted Access: Enable AWS Config as a trusted service in your AWS Organizations management account.
- Deploy Organization Rules: Use the AWS CLI or CloudFormation to deploy a Conformance Pack across the entire organization.
- Aggregate Data: Use an "Aggregator" in your centralized security account. An aggregator collects configuration data and compliance status from all member accounts into one dashboard.
- Centralize Reporting: Point your aggregator to an S3 bucket in your security account. This allows your security team to run Athena queries across the entire organization's configuration history to identify trends or historical gaps.
Callout: The Power of Aggregators An aggregator is the "single pane of glass" for your cloud governance. Without it, you would have to log into every single account individually to check compliance. By using an aggregator, you can see at a glance which account is lagging in security patches or which region has the most non-compliant resources, significantly reducing the time required for security audits.
Advanced Troubleshooting: When Rules Fail
Sometimes, a rule will stay in a "Pending" state or report an error. Troubleshooting these instances is a standard part of maintaining a governance framework.
- Check the Lambda Logs: If you are using a custom rule, head to CloudWatch Logs. Look for the log group associated with the Lambda function. Errors often stem from missing permissions or unhandled exceptions in the code.
- Check the Rule Status: In the AWS Config console, the "Rules" tab will show you the status of the rule. If it says "Error," look for the specific error message. It will often tell you if the service is lacking permissions to access the resource.
- Validate the Trigger: If a rule is not firing when you change a resource, verify that the resource type is being recorded by your configuration recorder. If your recorder is set to only track EC2, but your rule is checking S3, the rule will never trigger.
- Review the Evaluation Timeline: If a resource is marked as "Non-Compliant" but you believe it is "Compliant," look at the "Timeline" tab for that specific resource in the Config console. It will show you exactly what changed, when it changed, and what the configuration was at that time.
Conclusion and Key Takeaways
AWS Config Rules represent the transition from human-led security to automated, machine-driven governance. By treating your infrastructure configuration as data, you can build a system that is self-monitoring and, in many cases, self-healing. This is not just about passing audits; it is about building a culture where security is a default state rather than a final check.
Key Takeaways for Your Governance Strategy:
- Continuous Compliance is Mandatory: Move away from point-in-time audits. AWS Config provides the mechanism to ensure that your environment remains in a known, good state 24/7.
- Prioritize Managed Rules: Start with the AWS-provided rules. They are battle-tested and cover the vast majority of common vulnerabilities. Only move to custom rules when you have a specific, unique business requirement.
- Balance Automation and Safety: Automated remediation is the ultimate goal, but it carries risk. Always implement human-in-the-loop workflows for sensitive or destructive actions until you are entirely confident in your remediation logic.
- Think at Scale: Always use AWS Organizations and Aggregators. Managing security on a per-account basis is a recipe for inconsistency and human error.
- Be Mindful of Costs: AWS Config is a powerful tool, but it is not free. Optimize your configuration recorder to track only the resources that matter to your security posture to keep costs predictable.
- Test Everything: Whether it is a managed rule or a custom Lambda-based rule, test it in a sandbox. Verify that the rule triggers correctly and that the remediation action (if enabled) performs exactly as expected.
- Integrate with Security Hub: AWS Config is a fantastic data source for AWS Security Hub. By feeding your Config compliance data into Security Hub, you get a prioritized list of security findings that can be acted upon by your incident response team.
By following these principles, you will build a robust governance framework that protects your organization while allowing your teams to innovate rapidly. Remember that governance is an ongoing journey—keep your rules updated, review your compliance reports regularly, and always look for ways to automate the mundane so your team can focus on the complex.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons