4.2.3. AWS Config: Rules, Remediation, and Compliance
First Principle: You can't maintain compliance in a cloud environment reactively; by the time you discover a misconfiguration, the damage may already be done. AWS Config is a continuous compliance monitoring service: it records the configuration of every supported AWS resource at all times, evaluates those configurations against rules you define, and can automatically fix violations before they become incidents.
Think of Config as a continuous audit that never sleeps. While a human auditor checks quarterly, Config checks on every change and on a schedule, flagging deviations the moment they occur.
Config Core Concepts:
| Concept | Description |
|---|---|
| Configuration Recorder | Records configuration changes for all supported resource types in a region |
| Delivery Channel | Sends configuration snapshots and change history to an S3 bucket |
| Configuration Item | A point-in-time record of a resource's configuration |
| Config Rule | Evaluates whether resources comply with a desired configuration |
| Compliance Status | COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE |
Config Rule Types:
| Type | Description | Example |
|---|---|---|
| AWS Managed Rules | Pre-built rules for common compliance checks | restricted-ssh, s3-bucket-public-read-prohibited, encrypted-volumes |
| Custom Rules | Lambda-backed rules for custom logic | "Ensure all EC2 instances have a specific tag" |
| Conformance Packs | Collections of rules + remediation actions packaged together | CIS AWS Benchmark, PCI DSS, HIPAA |
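The custom-rule row above describes a Lambda-backed rule; the following is an added example (not code from the page or from AWS) of what that Lambda looks like for "every EC2 instance must carry a required tag". The rule parameter name `requiredTagKey` and the sample event are assumptions; the evaluation logic is kept separate from the `put_evaluations` call so it can be exercised offline, and deleted resources are reported NOT_APPLICABLE rather than NON_COMPLIANT, which is the edge case custom rules most often get wrong.

```python
import json

APPLICABLE_TYPE = "AWS::EC2::Instance"

def evaluate_item(config_item, rule_params):
    """Classify one configuration item as COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE."""
    required_key = rule_params.get("requiredTagKey", "Owner")  # parameter name is assumed
    if config_item.get("resourceType") != APPLICABLE_TYPE:
        return "NOT_APPLICABLE"  # rule is scoped to EC2 instances only
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"  # a deleted resource must not be reported as non-compliant
    value = (config_item.get("tags") or {}).get(required_key)
    if value is None or not str(value).strip():
        return "NON_COMPLIANT"  # tag missing or empty
    return "COMPLIANT"

def build_evaluation(event):
    """Turn a Config invocation event into one entry for put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_item(item, params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point invoked by Config; the verdict is returned with the event's ResultToken."""
    import boto3  # imported lazily so the pure evaluation logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation

# Constructed sample invocation (not a real event): an instance with no Owner tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {"Name": "web-1"},
    }}),
    "ruleParameters": json.dumps({"requiredTagKey": "Owner"}),
    "resultToken": "constructed-result-token",
}
```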
Evaluation Triggers:
| Trigger | When Rules Evaluate |
|---|---|
| Configuration change | Every time the resource's configuration changes |
| Periodic | On a schedule (1 hour, 3 hours, 6 hours, 12 hours, 24 hours) |
Remediation Actions: When a resource is non-compliant, Config can trigger an SSM Automation document to fix it. Auto-remediation applies the fix without human approval. Manual remediation creates the remediation action but waits for you to click "Remediate."
Example auto-remediation flow (an illustrative sequence built from the mechanics above): (1) a rule such as s3-bucket-public-read-prohibited evaluates a bucket on a configuration change and marks it NON_COMPLIANT; (2) the remediation action attached to the rule invokes its SSM Automation document with the bucket's resource ID as a parameter, with no approval step when auto-remediation is enabled; (3) the document applies the fix; (4) the resulting configuration change triggers a re-evaluation and the bucket is reported COMPLIANT.
Config Aggregator: Collects Config data from multiple accounts and regions into a single view. Essential for multi-account compliance dashboards. The aggregator account sees compliance status across the entire organization without logging into each account.
Config vs. CloudTrail:
| | Config | CloudTrail |
|---|---|---|
| What it records | Resource configuration state over time | API calls made by users/services |
| Question answered | "What did this resource look like at time X?" | "Who made this API call at time Y?" |
| Used for | Compliance, drift detection, change history | Security audit, forensics, accountability |
| Triggered by | Resource configuration changes | Any AWS API call |
Exam Trap: Config rules evaluate resources; they don't prevent resource creation. A non-compliant resource can still be created; Config detects it after the fact. To prevent non-compliant resources from being created, use IAM policies (deny the creation action) or AWS Service Control Policies (at the organization level). Config + remediation is detective and corrective; IAM/SCP is preventive.
Reflection Question: A security team wants to ensure that all S3 buckets in the organization never have public access enabled. They want to: (1) detect violations within 5 minutes, (2) automatically remove public access, and (3) get a compliance report monthly. What combination of AWS Config features achieves each requirement?