Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.4. Automated Assessments and Investigations

First Principle: Continuous automated assessment ensures your security posture doesn't degrade over time — catching configuration drift, non-compliant resources, and emerging vulnerabilities without waiting for a manual audit.

AWS Config provides continuous configuration assessment:

  • Config Rules evaluate resource configurations against desired baselines (e.g., s3-bucket-server-side-encryption-enabled)
  • Conformance Packs deploy collections of related Config Rules as a single unit (e.g., PCI DSS pack, CIS Benchmark pack)
  • Remediation Actions automatically fix non-compliant resources using SSM Automation documents
  • Aggregators provide cross-account, cross-Region compliance dashboards

Systems Manager State Manager ensures instances maintain desired configuration:

  • Applies configuration documents on a schedule (e.g., ensure antivirus is installed and running)
  • Reports compliance status to a central dashboard
  • Works alongside Config for a complete compliance picture

Security Hub Standards provide automated benchmarking:

  • AWS Foundational Security Best Practices — AWS-recommended controls
  • CIS AWS Foundations Benchmark — Center for Internet Security standards
  • PCI DSS — Payment card industry standards
  • Standards run automated checks and report compliance scores

⚠️ Exam Trap: Config Rules evaluate configuration compliance (is this S3 bucket encrypted?). Inspector evaluates vulnerability status (does this EC2 instance have CVE-2024-1234?). They're complementary but distinct.

Scenario: A compliance team needs to ensure all EC2 instances across 50 accounts are running approved AMIs and have the latest patches. You deploy a Config conformance pack with approved-amis-by-id and ec2-managedinstance-patch-compliance-status-check rules, with auto-remediation using SSM Patch Manager.
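Added example (not from the original page or from AWS): a sketch of the evaluation logic behind an approved-AMI rule and the cross-account rollup that feeds remediation in the scenario above. Field names follow Config's configuration-item and PutEvaluations shapes; the function names and all AMI, instance and account IDs are constructed for illustration.

```python
# Constructed sample data: AMI, instance and account IDs below are not real.
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaa1", "ami-0bbbbbbbbbbbbbbb2"}
GONE = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def make_item(account, resource_id, ami, status="OK", rtype="AWS::EC2::Instance"):
    """Build a trimmed configuration item using Config's field names."""
    return {"awsAccountId": account, "resourceType": rtype, "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2026-01-10T12:00:00Z",
            "configuration": {"imageId": ami} if ami else {}}


SAMPLE_ITEMS = [
    make_item("111111111111", "i-0000000000000001a", "ami-0aaaaaaaaaaaaaaa1"),
    make_item("111111111111", "i-0000000000000002b", "ami-0ccccccccccccccc3"),
    make_item("222222222222", "i-0000000000000003c", "ami-0ccccccccccccccc3",
              status="ResourceDeleted"),
    make_item("222222222222", "i-0000000000000004d", None),
    make_item("222222222222", "constructed-bucket", None, rtype="AWS::S3::Bucket"),
]


def evaluate_item(item, approved=APPROVED_AMIS):
    """Return one evaluation in the shape Config's PutEvaluations API accepts."""
    image_id = item.get("configuration", {}).get("imageId")
    if (item["resourceType"] != "AWS::EC2::Instance"
            or item["configurationItemStatus"] in GONE):
        verdict, note = "NOT_APPLICABLE", "Out of scope or no longer exists"
    elif image_id in approved:
        verdict, note = "COMPLIANT", f"{image_id} is approved"
    else:
        verdict, note = "NON_COMPLIANT", f"{image_id or 'missing imageId'} is not approved"
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": verdict, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def remediation_queue(items):
    """Aggregator-style rollup: non-compliant instance IDs grouped by account."""
    queue = {}
    for item in items:
        if evaluate_item(item)["ComplianceType"] == "NON_COMPLIANT":
            queue.setdefault(item["awsAccountId"], []).append(item["resourceId"])
    return queue


if __name__ == "__main__":
    for account, instances in remediation_queue(SAMPLE_ITEMS).items():
        print(account, instances)
```

Deleted instances and out-of-scope resource types are reported as NOT_APPLICABLE so that stale findings do not keep triggering remediation.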

Reflection Question: How does the combination of Config rules, conformance packs, and auto-remediation create a "self-healing" security posture?

Written by Alvin Varughese
Founder, 15 professional certifications