Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.2.2.4. AWS Config Rules
AWS Config continuously evaluates resource configurations against rules. It does more than monitor: it also keeps a configuration history of every change to the resource types it is set to record, so you can see what a resource looked like at any point in time.
How Config works:
- Config records configuration changes to supported resources
- Each change triggers evaluation against applicable Config rules
- Non-compliant resources are flagged
- Optional: automatic remediation via SSM Automation
Config rule types:
| Type | Definition | Example |
|---|---|---|
| AWS Managed | Pre-built by AWS | encrypted-volumes, s3-bucket-public-read-prohibited |
| Custom (Lambda) | Your Lambda evaluates compliance | Check for mandatory tags, naming conventions |
| Custom (Guard) | CloudFormation Guard policy rules | Declarative policy-as-code |
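The "Custom (Lambda)" row above is where the mandatory-tags check from the example column actually lives. The following is an added example, not code from the page or from MindMesh Academy: a Lambda handler for a custom Config rule that reads the configuration item Config delivers, treats a missing or empty tag value as non-compliant, returns NOT_APPLICABLE for deleted or out-of-scope resources, and builds the Evaluation that PutEvaluations expects. The default tag keys, the sample EC2 instance and the result token are constructed for illustration; only the non-oversized ConfigurationItemChangeNotification path is handled.

```python
"""Custom AWS Config rule (Lambda) enforcing mandatory tag keys.
Added example; REQUIRED_TAG_KEYS_DEFAULT and SAMPLE_EVENT are assumptions, not page content."""
import json
from typing import Dict, List, Tuple

# Tag keys enforced when the rule is deployed without a requiredTagKeys parameter (assumed default).
REQUIRED_TAG_KEYS_DEFAULT = ["Owner", "CostCenter", "Environment"]

# configurationItemStatus values Config uses for resources that are gone or not being recorded.
INACTIVE_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def parse_required_tags(rule_parameters: str) -> List[str]:
    """ruleParameters arrives as a JSON string, e.g. '{"requiredTagKeys": "Owner,CostCenter"}'."""
    params = json.loads(rule_parameters) if rule_parameters else {}
    keys = [k.strip() for k in params.get("requiredTagKeys", "").split(",") if k.strip()]
    return keys or list(REQUIRED_TAG_KEYS_DEFAULT)


def evaluate_compliance(item: Dict, required_keys: List[str], left_scope: bool = False) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if left_scope or item.get("configurationItemStatus") in INACTIVE_STATUSES:
        return "NOT_APPLICABLE", "Resource deleted, not recorded, or out of rule scope"
    tags = item.get("tags") or {}
    # A key that is present with an empty value is treated as missing: "Owner": "" names nobody.
    missing = [k for k in required_keys if not tags.get(k)]
    if missing:
        return "NON_COMPLIANT", "Missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def build_evaluation(event: Dict) -> Dict:
    """Turn the Lambda event Config delivers into the Evaluation passed to PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # OversizedConfigurationItemChangeNotification carries no inline configurationItem
        # (it must be fetched with GetResourceConfigHistory) and is deliberately not handled here.
        raise ValueError(f"unsupported messageType: {invoking.get('messageType')}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(
        item, parse_required_tags(event.get("ruleParameters")), bool(event.get("eventLeftScope"))
    )
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed: evaluate, then report the verdict back to Config."""
    import boto3  # imported here so the evaluation logic above stays testable offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation: an EC2 instance tagged Owner and Environment but not CostCenter.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2026-01-15T10:00:00.000Z",
            "tags": {"Owner": "platform-team", "Environment": "prod"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,CostCenter,Environment"}),
    "eventLeftScope": False,
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the verdict logic in `evaluate_compliance` separate from `lambda_handler` is what makes the rule testable without AWS credentials; the handler only adds the PutEvaluations call, which needs the `resultToken` from the same invocation. Run the file directly to see the NON_COMPLIANT evaluation for the sample instance.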
Commonly tested Config rules:
- restricted-ssh: security groups do not allow unrestricted inbound SSH (0.0.0.0/0 on port 22)
- cloud-trail-enabled: a CloudTrail trail is enabled in the account
- rds-multi-az-support: RDS DB instances have Multi-AZ enabled
- iam-root-access-key-check: the root user has no access keys
Config aggregator collects compliance data across multiple accounts and regions — essential for organizational security dashboards.
```bash
# Deploy a managed Config rule
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "encrypted-ebs-volumes",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "ENCRYPTED_VOLUMES"
  },
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::Volume"]
  }
}'
```
Exam Trap: Config records resource configuration changes — not API calls (that's CloudTrail). Config answers "what is the current state of my resources?" CloudTrail answers "who changed what and when?" For compliance auditing, you typically need both: CloudTrail for the audit trail and Config for current state assessment.

Written by Alvin Varughese • Founder • 15 professional certifications