Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2.5. Implementing Governance & Security Controls at Scale (Config, Control Tower, Security Hub, GuardDuty, Detective, Service Catalog, SCPs)

Governance at scale means automatically detecting and remediating policy violations across hundreds of accounts.

AWS Config records resource configurations and evaluates them against rules. A rule only flags a resource as NON_COMPLIANT; the resource triggers automatic remediation only when a remediation configuration is attached to that rule.

Config rule types:
  • Managed rules: AWS-maintained (e.g., s3-bucket-public-read-prohibited, encrypted-volumes)
  • Custom rules: Lambda functions with custom compliance logic, or custom policy rules written in Guard syntax without a Lambda
  • Organization rules: deployed from the Organizations management (or delegated administrator) account into every member account

A Config aggregator collects compliance data from multiple accounts and Regions into a single read-only view; it does not deploy rules or remediate anything itself.
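A custom rule of the kind listed above, as an added example that is not code from this page or from AWS: a Lambda handler that marks an EBS volume non-compliant unless it is encrypted with one of an approved list of KMS keys, a condition the managed encrypted-volumes rule cannot express. The event and evaluation field names follow the Config custom-rule contract (invokingEvent, ruleParameters, resultToken, PutEvaluations); the rule parameter name allowedKeyArns and the sample events are assumptions constructed for this example. It also handles the two edge cases that most often break custom rules: a deleted resource (report NOT_APPLICABLE, not NON_COMPLIANT) and a scheduled invocation that carries no configuration item.

```python
"""Custom AWS Config rule (Lambda handler): EBS volumes must be encrypted
with one of an approved set of KMS keys.

Added example, not code from the page. Field names follow the
AWS::EC2::Volume configuration item (configuration.encrypted,
configuration.kmsKeyId); the rule parameter `allowedKeyArns` is an
assumption chosen for this example.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def parse_allowed_keys(rule_parameters: dict) -> set:
    """Rule parameters arrive as strings; split the comma-separated ARN list."""
    raw = rule_parameters.get("allowedKeyArns", "")
    return {k.strip() for k in raw.split(",") if k.strip()}


def evaluate_volume(item: dict, allowed_keys: set) -> tuple:
    """Return (compliance_type, annotation) for one configuration item."""
    # A deleted resource must not be reported NON_COMPLIANT, or it lingers
    # in the compliance view; Config expects NOT_APPLICABLE here.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource was deleted"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule only evaluates EBS volumes"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "Volume is not encrypted"
    key = cfg.get("kmsKeyId", "")
    # An empty allow-list means "any key is fine" (plain encryption check).
    if allowed_keys and key not in allowed_keys:
        return NON_COMPLIANT, f"Encrypted with unapproved key {key}"
    return COMPLIANT, "Encrypted with an approved key"


def build_evaluations(event: dict) -> list:
    """Translate a Config invocation event into PutEvaluations entries."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = parse_allowed_keys(params)

    msg_type = invoking.get("messageType")
    # Periodic (scheduled) invocations carry no configurationItem. Returning
    # nothing is correct for a change-triggered rule; raising here would show
    # up as a rule evaluation error instead.
    if msg_type == "ScheduledNotification" or "configurationItem" not in invoking:
        return []
    if msg_type == "OversizedConfigurationItemChangeNotification":
        # Only a summary is delivered; the full item would have to be fetched
        # with get_resource_config_history. Not handled in this offline example.
        raise NotImplementedError("oversized change notification not handled")

    item = invoking["configurationItem"]
    compliance, annotation = evaluate_volume(item, allowed)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Lambda entry point. boto3 is imported lazily so the pure logic above
    can be unit-tested without the SDK installed."""
    evaluations = build_evaluations(event)
    if not evaluations:
        return evaluations
    import boto3  # present in the Lambda runtime
    boto3.client("config").put_evaluations(
        Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample events (not captured from a real account).
SAMPLE_EVENT = {  # encrypted, but with a key that is not on the allow-list
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "encrypted": True,
                "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/not-approved-example",
            },
        },
    }),
    "ruleParameters": json.dumps({
        "allowedKeyArns": "arn:aws:kms:us-east-1:111122223333:key/approved-example"
    }),
    "resultToken": "example-token",
}
SAMPLE_SCHEDULED_EVENT = {  # periodic invocation: no configurationItem
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification"}),
    "ruleParameters": "{}",
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

The handler returns the evaluation list it sends, so the decision logic can be exercised offline; in the real rule the Lambda execution role needs config:PutEvaluations, and the function must be invokable by config.amazonaws.com.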

Automatic remediation (CloudFormation). The SSM Automation document needs a role to assume; here it is passed in as a stack parameter, which is an assumption added to make the template deployable:
Parameters:
  RemediationRoleArn:
    Type: String
    Description: ARN of the IAM role the SSM Automation document assumes

Resources:
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES   # change-triggered, evaluates AWS::EC2::Volume
  RemediationConfig:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EncryptedVolumesRule   # Ref returns the rule name
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableEbsEncryptionByDefault
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
      Automatic: true
      MaximumAutomaticAttempts: 3   # retries within RetryAttemptSeconds, then gives up
      RetryAttemptSeconds: 60

Caveat: AWS-EnableEbsEncryptionByDefault only switches on account-level default encryption for the Region, which affects volumes created afterwards. An existing volume cannot be encrypted in place (it must be snapshotted and copied with encryption, then the volume replaced), so the volume that triggered the rule stays NON_COMPLIANT until it is rebuilt.

CloudFormation Guard (cfn-guard) validates templates before deployment using policy-as-code, so a violation is caught in the pipeline rather than after the resource exists. Run it with cfn-guard validate --rules <rules.guard> --data <template.yaml>:

# cfn-guard rule: every S3 bucket must declare server-side encryption
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
rule s3_encryption when %s3_buckets !empty {
  # `exists` alone would pass an empty BucketEncryption block, so also require an SSE algorithm
  %s3_buckets.Properties.BucketEncryption exists
  %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
}

Exam Trap: Config rules evaluate either when a resource's configuration changes (change-triggered) or on a schedule (periodic, e.g., every 24 hours). Periodic rules will not catch a violation immediately, and even a change-triggered rule is detective: it runs after the non-compliant resource already exists. For real-time, preventive enforcement, use SCPs (or cfn-guard in the deployment pipeline) to block the action entirely rather than detecting it after the fact.

Written by Alvin Varughese • Founder • 15 professional certifications