Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.2.2.5. Implementing Governance & Security Controls at Scale (Config, Control Tower, Security Hub, GuardDuty, Detective, Service Catalog, SCPs)
2.2.2.5. Implementing Governance & Security Controls at Scale (Config, CloudFormation Guard)
Governance at scale means automatically detecting and remediating policy violations across hundreds of accounts.
AWS Config evaluates resource configurations against rules. Non-compliant resources trigger automatic remediation.
Config rule types:
- Managed rules: AWS-maintained (e.g., s3-bucket-public-read-prohibited, encrypted-volumes)
- Custom rules: Lambda functions with custom compliance logic
- Organization rules: Deploy across all accounts via Organizations
Config aggregator collects compliance data from multiple accounts/regions into a single dashboard.
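The custom-rule type above is a Lambda function that Config invokes with an event and that reports back per-resource evaluations. The following is an added example, not code from the MindMesh page or from AWS: a custom rule that flags unencrypted EBS volumes, written so the compliance logic is separated from the AWS calls. It handles both ways Config can invoke a rule, a change-triggered invocation (evaluate the single changed volume) and a periodic one (re-evaluate every volume). The `list_volumes` callable and the `SAMPLE_*` events are constructed assumptions for offline use; the event field names (`invokingEvent`, `messageType`, `configurationItem`, `resultToken`) are the real ones Config sends.

```python
"""Custom AWS Config rule (Lambda) that flags unencrypted EBS volumes.

Added example: handles both trigger types a Config rule can receive.
  * ConfigurationItemChangeNotification -> evaluate the single changed volume
  * ScheduledNotification (periodic)    -> re-evaluate every volume in scope
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_volume(configuration_item):
    """Pure compliance logic for one Config configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE
    # Deleted resources must not be reported as non-compliant
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE
    encrypted = configuration_item.get("configuration", {}).get("encrypted")
    return COMPLIANT if encrypted is True else NON_COMPLIANT


def build_evaluation(configuration_item, compliance_type, ordering_timestamp):
    """Shape one result the way config:PutEvaluations expects it."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "OrderingTimestamp": ordering_timestamp,
    }


def build_evaluations(event, list_volumes=None):
    """Parse a Config invocation and return the evaluations to report.

    `list_volumes` (hypothetical) returns configuration items for every
    volume in the account; it is only needed for periodic invocations.
    """
    invoking_event = json.loads(event["invokingEvent"])
    message_type = invoking_event["messageType"]
    ordering_timestamp = invoking_event["notificationCreationTime"]
    if message_type == "ConfigurationItemChangeNotification":
        items = [invoking_event["configurationItem"]]
    elif message_type == "ScheduledNotification":
        if list_volumes is None:
            raise ValueError("periodic evaluation needs a volume lister")
        items = list_volumes()
    else:
        raise ValueError(f"unsupported messageType: {message_type}")
    return [build_evaluation(ci, evaluate_volume(ci), ordering_timestamp) for ci in items]


def list_volumes_via_ec2():
    """Assumed lister for periodic runs: EC2 DescribeVolumes mapped to CI shape."""
    import boto3  # imported lazily so the module stays importable offline
    ec2 = boto3.client("ec2")
    items = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        for v in page["Volumes"]:
            items.append({"resourceType": "AWS::EC2::Volume", "resourceId": v["VolumeId"],
                          "configuration": {"encrypted": v["Encrypted"]}})
    return items


def lambda_handler(event, context):
    """Lambda entry point; reports results back to Config in batches of 100."""
    import boto3
    config = boto3.client("config")
    evaluations = build_evaluations(event, list_volumes=list_volumes_via_ec2)
    for i in range(0, len(evaluations), 100):
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations)}


# Constructed sample events (not real Config output) for offline runs
SAMPLE_CHANGE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "notificationCreationTime": "2026-01-01T00:00:00.000Z",
        "configurationItem": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
                              "configurationItemStatus": "OK",
                              "configuration": {"encrypted": False}},
    }),
}
SAMPLE_SCHEDULED_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2026-01-01T00:00:00.000Z"}),
}
SAMPLE_INVENTORY = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0enc", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0plain", "configuration": {"encrypted": False}},
]

if __name__ == "__main__":
    print(build_evaluations(SAMPLE_CHANGE_EVENT))
    print(build_evaluations(SAMPLE_SCHEDULED_EVENT, list_volumes=lambda: SAMPLE_INVENTORY))
```

Keeping `evaluate_volume` free of AWS calls is the point of the split: the logic can be unit-tested with constructed configuration items, and the periodic path is exercised by passing any lister, so the behaviour the Exam Trap below describes (a periodic rule only reports at its next scheduled run) can be reasoned about without deploying anything.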
Automatic remediation (CloudFormation: a managed rule plus a remediation configuration that runs an SSM Automation document when a volume is non-compliant):
Resources:
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
  RemediationConfig:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EncryptedVolumesRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableEbsEncryptionByDefault
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60   # required together with MaximumAutomaticAttempts when Automatic is true
CloudFormation Guard validates templates before deployment using policy-as-code:
# cfn-guard rule: all S3 buckets must have encryption
let s3_buckets = Resources.*[Type == 'AWS::S3::Bucket']
rule s3_encryption when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption exists
}
Exam Trap: Config rules evaluate on configuration changes (triggered) or periodically (e.g., every 24 hours). Periodic rules won't catch violations immediately. For real-time enforcement, use SCPs to prevent the action entirely rather than detecting it after the fact.

Written by Alvin Varughese • Founder • 15 professional certifications