AWS Config Rules and Remediation
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Continuous Improvement for Existing Solutions: AWS Config Rules and Remediation
Introduction: Why Security Posture Management Matters
In the modern landscape of cloud computing, the pace at which infrastructure changes is relentless. Teams are constantly deploying new resources, modifying existing configurations, and scaling services to meet user demand. In such a dynamic environment, maintaining a secure state is not a one-time event; it is a continuous process of observation, evaluation, and correction. If your security strategy relies on point-in-time audits or manual checks, you are likely already behind the curve.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired practices. When we talk about security improvement, AWS Config serves as the "eyes and ears" of your infrastructure, ensuring that what you have deployed remains compliant with your internal security policies and industry standards.
This lesson explores how to use AWS Config rules to establish a baseline of security and how to implement automated remediation to correct drift as soon as it occurs. By the end of this guide, you will understand how to transition from a reactive security posture—where you find problems during a quarterly audit—to a proactive, self-healing architecture that maintains its integrity without constant human intervention.
Understanding the AWS Config Architecture
To effectively use AWS Config, you must first understand the core components that make up the service. At its heart, AWS Config is an inventory and change management tool. It tracks the state of your resources and provides a historical record of changes, which is invaluable for forensic analysis and compliance reporting.
Key Components
- Resource Inventory: AWS Config maintains a detailed list of all your AWS resources, including their current configuration and their relationships with other resources.
- Configuration Recorder: This component captures changes to your resource configurations. It acts as the data source for all evaluations.
- Config Rules: These are the logic gates that evaluate your resources. A rule can be either AWS-managed (pre-built by AWS) or custom (written by you).
- Remediation Actions: This is the automated response mechanism. When a rule identifies a non-compliant resource, a remediation action—typically an AWS Systems Manager (SSM) Document—can be triggered to fix the issue.
Callout: The Difference Between Config and CloudTrail It is common for engineers to confuse AWS Config with AWS CloudTrail. CloudTrail is an audit log of API calls; it tells you "who did what and when." AWS Config is a state tracker; it tells you "what the resource looks like right now." For security, you need both: CloudTrail for investigations and Config for compliance enforcement.
Implementing AWS Config Rules
Implementing AWS Config begins with enabling the service in your target region. Once enabled, you select the resource types you wish to track. To move toward security improvement, you must define "rules" that represent your security requirements.
Categorizing Rules
When designing your security strategy, you should categorize your rules to ensure comprehensive coverage:
- Data Protection: Rules that check if S3 buckets are public or if EBS volumes are encrypted.
- Access Control: Rules that identify overly permissive IAM policies or security groups that allow unrestricted access (e.g., SSH open to 0.0.0.0/0).
- Network Security: Rules that verify the presence of VPC flow logs or ensure that specific ports are closed.
- Operational Hygiene: Rules that check for unused IAM users, expired certificates, or resources without mandatory tags.
Step-by-Step: Enabling a Managed Rule
For most common security scenarios, AWS provides managed rules that require minimal configuration.
- Navigate to the AWS Config Console: Select "Rules" from the sidebar.
- Add Rule: Click the "Add rule" button.
- Choose a Rule: Search for a standard security rule, such as
s3-bucket-public-write-prohibited. - Configure Parameters: Most rules have parameters you can adjust. For this rule, you might not need to change anything, but for others, you might define specific tags or naming conventions.
- Triggering: Choose whether the rule should trigger on configuration changes or on a periodic schedule (e.g., every 24 hours).
- Review and Create: Once created, Config will begin evaluating existing resources and reporting their compliance status.
Tip: Start by running rules in "Detection" mode before enabling "Remediation." This allows you to identify how many resources are currently non-compliant without accidentally breaking production services by automatically changing their settings.
Automated Remediation: The Self-Healing Cloud
Detection is only half the battle. If you identify a non-compliant resource, you must fix it. In large-scale environments, manually addressing these issues is impossible. Automated remediation allows you to define a "fix" that is triggered automatically when a rule marks a resource as non-compliant.
Using AWS Systems Manager (SSM) Documents
Remediation is powered by SSM Documents. An SSM Document is essentially a script (in JSON or YAML format) that AWS executes to perform the remediation.
Example: Remediating an Unencrypted S3 Bucket
If you have a rule that detects unencrypted S3 buckets, the remediation action would need to enable server-side encryption for that bucket.
# Simplified conceptual SSM Document for S3 remediation
schemaVersion: '0.3'
description: Enable AES256 encryption on an S3 bucket
mainSteps:
- action: aws:executeAwsApi
name: enableEncryption
inputs:
Service: s3
Api: PutBucketEncryption
Bucket: '{{BucketName}}'
ServerSideEncryptionConfiguration:
Rules:
- ApplyServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Steps to Link Remediation to a Rule
- Identify the Rule: Select the rule that identifies the non-compliance.
- Assign Remediation: In the rule's settings, choose "Remediation."
- Select Action: Choose an SSM Document that corresponds to the rule.
- Define Parameters: Map the resource ID from the Config rule to the input parameter of the SSM Document.
- Set Execution Mode: You can set this to "Automatic" (the fix happens immediately) or "Manual" (an administrator must click a button to approve the fix).
Warning: Always test your remediation scripts in a sandbox account. An incorrectly configured remediation script could accidentally delete production data, modify critical access policies, or disrupt network connectivity.
Custom Rules: Beyond the Basics
Sometimes, the managed rules provided by AWS do not cover your specific business requirements. In these cases, you can write custom rules using AWS Lambda.
How Custom Rules Work
A custom rule is essentially a Lambda function that receives a configuration item from AWS Config, evaluates it against your logic, and returns a compliance status (COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE).
Writing a Custom Rule (Python Example)
Here is a high-level structure of what a custom rule function looks like:
import boto3
import json
def evaluate_compliance(event, context):
# Retrieve the configuration item
invoking_event = json.loads(event['invokingEvent'])
configuration_item = invoking_event['configurationItem']
# Logic to check your custom security requirement
# Example: Check if a custom tag 'Department' exists
tags = configuration_item.get('tags', {})
if 'Department' in tags:
return 'COMPLIANT'
else:
return 'NON_COMPLIANT'
def lambda_handler(event, context):
# This is the entry point that AWS Config calls
# You would also need to report the result back to Config
pass
When to Use Custom Rules
- Proprietary Standards: If your organization has specific naming conventions or unique security policies that aren't industry-standard.
- Complex Dependencies: When compliance depends on the state of multiple resources (e.g., "An EC2 instance is only compliant if it is connected to a specific Security Group AND has a specific IAM Role").
- Integration: When you need to trigger an alert in a third-party ticketing system (like Jira or ServiceNow) as part of your remediation workflow.
Best Practices for Security Improvement
Implementing AWS Config is not just a technical task; it is an organizational one. To be successful, you must follow established industry patterns.
1. Start with a "Read-Only" Phase
Never turn on automated remediation for every rule on day one. Start by deploying your rules and monitoring the dashboard for a few weeks. This allows you to understand the "noise" level and identify which resources frequently fall out of compliance. You might discover that certain teams have legitimate reasons for specific configurations, which will help you refine your rules before applying automated fixes.
2. Centralize Your Config Data
If you have a multi-account AWS environment (which is best practice), do not manage AWS Config in every account individually. Use AWS Organizations to designate a "Config Aggregator" account. This central account will receive data from all member accounts, giving your security team a single pane of glass to view the entire organization's compliance posture.
3. Implement Least Privilege for Remediation
The IAM role used by the SSM Document to perform remediation must have the minimum permissions necessary to fix the issue. Do not give your remediation role AdministratorAccess. If the role only needs to modify S3 bucket encryption, it should only have the s3:PutBucketEncryption permission.
4. Tagging as a Security Control
Use tags to exclude specific resources from rules. For example, if you have a development environment that requires loose security settings for testing, you can add a tag Environment: Sandbox and update your rule to ignore resources with that tag. This prevents your security rules from interfering with legitimate, temporary experimentation.
Common Pitfalls and How to Avoid Them
Even experienced engineers fall into traps when scaling AWS Config. Here are the most frequent mistakes:
The "Loop" Problem
A common mistake occurs when a remediation action causes a resource to trigger a change event, which then triggers the Config rule again. If the remediation action is not idempotent (meaning it produces the same result regardless of how many times it is run), you can end up in an infinite loop. Always ensure your remediation scripts check the current state before attempting to change it.
High Cost of Over-Recording
AWS Config charges per configuration item recorded. If you enable recording for every single resource type in every region, your monthly bill can escalate quickly. Filter your recording to only track the resource types that are critical to your security posture. You don't necessarily need to track the configuration of every transient network interface if it doesn't impact your security compliance.
Ignoring "NOT_APPLICABLE" Results
Sometimes a resource will be marked "NOT_APPLICABLE" by a rule. This often happens because the resource doesn't have the properties required for the rule to run. Do not ignore these; sometimes they indicate that a resource is misconfigured in such a fundamental way that the system cannot even evaluate it.
Comparison: Managed vs. Custom Rules
| Feature | Managed Rules | Custom Rules |
|---|---|---|
| Effort | Low (Ready to use) | High (Requires code) |
| Maintenance | Handled by AWS | Owned by your team |
| Flexibility | Limited to AWS parameters | Unlimited logic |
| Support | Backed by AWS Support | Self-supported |
| Use Case | Common security standards | Unique business requirements |
Step-by-Step: Building an Automated Remediation Pipeline
To solidify your understanding, let’s walk through the creation of a complete, automated security pipeline for a common threat: public S3 buckets.
Step 1: Establish the Baseline
Ensure you are using an AWS Organizations setup where a central account is designated as the aggregator. Ensure the "Config Recorder" is enabled in all member accounts.
Step 2: Deploy the Rule
Using CloudFormation or Terraform, deploy the s3-bucket-public-read-prohibited managed rule. This rule will automatically evaluate all S3 buckets in the account.
Step 3: Define the Remediation Document
Create an SSM Document named RemediatePublicS3Bucket. The content of the document should be a script that calls the S3 API to modify the bucket's Public Access Block settings.
Step 4: Link and Automate
In the AWS Config console, navigate to the rule. Select the "Remediation" tab. Choose "Automatic" remediation and select your RemediatePublicS3Bucket document. Map the BucketName parameter to the ResourceId provided by the Config rule.
Step 5: Verification
Create a test S3 bucket and intentionally make it public. Within a few minutes, AWS Config will detect the non-compliance. Shortly after, the SSM Document will trigger, the S3 bucket's public access will be blocked, and the resource will return to a COMPLIANT status.
Note: Always enable CloudWatch logging for your SSM Documents. If a remediation fails, the logs are the only way to debug the issue and determine why the API call was denied or failed.
Advanced Concepts: Compliance Dashboards
Once you have dozens of rules running across hundreds of accounts, the raw data becomes difficult to manage. This is where AWS Security Hub comes in. Security Hub aggregates data from AWS Config, GuardDuty, and other services into a unified dashboard.
Why Integrate with Security Hub?
- Severity Scoring: Security Hub assigns a severity score to compliance findings, helping your team prioritize which issues to fix first.
- Cross-Service View: You can see if a non-compliant resource is also being targeted by a malicious actor (via GuardDuty).
- Compliance Frameworks: Security Hub provides pre-built dashboards for compliance frameworks like CIS AWS Foundations Benchmark, PCI-DSS, and HIPAA.
By pushing your AWS Config findings to Security Hub, you move from "managing rules" to "managing security risk." This is the pinnacle of a continuous improvement strategy.
Summary of Key Takeaways
To wrap up this lesson, here are the essential principles you should carry forward in your security journey:
- Continuous Visibility is Mandatory: Security is not a point-in-time event. You must have a system that continuously records configuration changes to maintain an accurate view of your environment.
- Start Small, Scale Carefully: Begin by enabling detection-only rules. Only move to automated remediation once you have verified your scripts and understood the impact on your operational environment.
- Automate for Scale: Manual remediation is not sustainable. Use AWS Systems Manager Documents to create self-healing infrastructure that corrects drift without human intervention.
- Centralize Compliance Data: Use AWS Organizations and Config Aggregators to maintain a single view of your security posture across all accounts.
- Test Your Remediation: Treat your remediation scripts like production code. They require version control, testing, and error handling to avoid unintended consequences.
- Use Managed Rules First: Don't reinvent the wheel. AWS provides a vast library of managed rules that cover the majority of common security misconfigurations.
- Integrate with Security Hub: Leverage higher-level tools to aggregate findings, prioritize risks, and align your technical configurations with industry-standard compliance frameworks.
By applying these practices, you transform your infrastructure from a static set of resources into a dynamic, secure system that actively defends itself against configuration drift. This shift is the hallmark of mature cloud operations and is the most effective way to secure your environment at scale.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons