Tutorial 13 Intermediate

How to Set Up AWS Config for Configuration Compliance

AWS Config provides continuous configuration monitoring and drift detection. Learn how to enable it with compliance rules, automated remediation, and real-time dashboards.

30 min implementation
15 min read
Compliance Monitoring

Why Configuration Compliance Matters

Configuration drift occurs when your AWS resources gradually deviate from their intended secure state through manual changes, automated deployments, or human error. This silent compliance killer creates vulnerabilities that often go undetected for extended periods.

Common Configuration Drift Scenarios

  1. S3 Bucket Exposure: Developer temporarily enables public access for testing, forgets to revert. AWS Config detects this immediately and can auto-remediate.
  2. Security Group Drift: Emergency access rules added during incident response are never removed. Config tracks all changes and alerts on non-compliant rules.
  3. IAM Policy Creep: Permissions gradually expanded beyond the principle of least privilege. Config monitors IAM changes and enforces policy standards.
  4. Encryption Gaps: New resources deployed without required encryption settings. Config ensures all storage resources meet encryption requirements.

What AWS Config Provides

  • Configuration Change Tracking: Complete audit trail of all configuration changes with timestamps, user attribution, and detailed change history—essential for SOX and HIPAA compliance
  • Compliance Rule Enforcement: Automated evaluation of resources against compliance requirements with continuous monitoring that immediately flags non-compliant resources
  • Automated Remediation: Automatic triggering of remediation actions through Systems Manager or Lambda when misconfigurations are detected
  • Conformance Packs: Collections of Config rules and remediation actions deployed as a single entity for frameworks like CIS, HIPAA, and PCI DSS
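To make the drift idea concrete, here is an added Python example (mine, not code from the tutorial or from AWS) that compares two configuration items for one security group, the kind of record AWS Config stores on every change, and reports which ingress rules were added or removed, flagging any new rule that opens SSH to 0.0.0.0/0, the condition the restricted-SSH rule deployed later in this tutorial checks for. Both configuration items are constructed sample data; the security group ID and capture timestamps are made up.

```python
"""Detect configuration drift between two recorded states of a security group.

Added example, not part of the original tutorial. Config records a
'configuration item' for every change it observes; the two items below are
constructed in that shape (resourceType, configurationItemCaptureTime,
configuration.ipPermissions) and then diffed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the security group as first recorded (baseline).
BASELINE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",  # made-up id
    "configurationItemCaptureTime": "2024-01-10T09:00:00.000Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        ]
    },
}

# Constructed sample: the same group after an "emergency access" change.
DRIFTED_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-12T17:45:00.000Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        ]
    },
}


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str


def flatten_rules(item):
    """Expand each ipPermissions entry into one IngressRule per CIDR so rules
    can be compared as a set regardless of how AWS grouped them."""
    rules = set()
    for perm in item["configuration"].get("ipPermissions", []):
        for rng in perm.get("ipRanges", []):
            rules.add(IngressRule(perm["ipProtocol"], perm.get("fromPort"),
                                  perm.get("toPort"), rng["cidrIp"]))
    return rules


def covers_port(rule, port):
    """True if the rule admits `port` (protocol -1 or absent ports mean all ports)."""
    if rule.protocol == "-1" or rule.from_port is None or rule.to_port is None:
        return True
    return rule.from_port <= port <= rule.to_port


def is_unrestricted_ssh(rule):
    """The condition behind the restricted-SSH check: port 22 reachable from anywhere."""
    return rule.cidr == "0.0.0.0/0" and covers_port(rule, 22)


def detect_drift(baseline, current):
    """Diff two configuration items of the same resource. Returns the rules
    added, the rules removed, and the added rules that fail the SSH check."""
    if baseline["resourceId"] != current["resourceId"]:
        raise ValueError("configuration items belong to different resources")
    before, after = flatten_rules(baseline), flatten_rules(current)
    added, removed = after - before, before - after
    violations = {r for r in added if is_unrestricted_ssh(r)}
    return {"added": added, "removed": removed, "violations": violations,
            "window": (baseline["configurationItemCaptureTime"],
                       current["configurationItemCaptureTime"])}


if __name__ == "__main__":
    report = detect_drift(BASELINE_ITEM, DRIFTED_ITEM)
    printable = {k: [vars(r) for r in v] if isinstance(v, set) else v
                 for k, v in report.items()}
    print(json.dumps(printable, indent=2))
```

The same diff can be fed with real items from `aws configservice get-resource-config-history`, which returns consecutive configuration items for one resource; the `window` tuple then bounds when the drift happened, which is the first thing an incident responder wants to know.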

AWS Config Pricing

AWS Config uses pay-as-you-go pricing:

  • Configuration items recorded: $0.003 per configuration item
  • Config rule evaluations: $0.001 per evaluation (first 100,000), with volume discounts
  • Conformance pack evaluations: $0.001 per evaluation per rule
  • S3 storage: Standard S3 rates for configuration history
💡 Cost Example: A small business with 100 resources and 20 Config rules typically pays $50-100/month for comprehensive compliance monitoring—far less than the cost of a compliance audit failure.
Step 1: Enable AWS Config

~8 minutes

Prerequisites

  • AWS account with administrative privileges
  • CloudTrail enabled (required for Config rule evaluation)
  • S3 bucket for Config delivery channel (can be auto-created)
  • IAM service role for Config (can be auto-created)

Console Steps

1.1 Navigate to AWS Config Service

  • Sign in to AWS Console
  • Search for "Config" in the services search bar
  • Click on "AWS Config"

1.2 Configure the Recorder

  • Click "Get started" if this is your first time
  • Under "Resource types to record", select "Record all supported resources"
  • Check "Include global resource types" (for IAM resources)
  • Configure the S3 bucket for delivery channel
  • Create or select an IAM role for AWS Config
⚠️ Important: Recording all resource types ensures comprehensive compliance monitoring. Selective recording creates blind spots where misconfigurations can hide.

CLI Setup with JSON Files

Create the configuration recorder JSON file:

JSON - configurationRecorder.json
{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/aws-config-role",
    "recordingMode": {
        "recordingFrequency": "CONTINUOUS"
    }
}

Create the recording group configuration:

JSON - recordingGroup.json
{
    "allSupported": true,
    "includeGlobalResourceTypes": true
}

Create the delivery channel configuration:

JSON - deliveryChannel.json
{
    "name": "default",
    "s3BucketName": "config-bucket-123456789012-us-east-1",
    "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-compliance-alerts",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

Deploy the configuration:

AWS CLI - Enable AWS Config
# Create the configuration recorder
aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json

# Create the delivery channel. The S3 bucket must already exist with a bucket
# policy that lets config.amazonaws.com write to it, and the SNS topic named in
# deliveryChannel.json must also exist (step 4 creates it); drop snsTopicARN
# from the file if you have not created the topic yet.
aws configservice put-delivery-channel \
    --delivery-channel file://deliveryChannel.json

# Start the configuration recorder
aws configservice start-configuration-recorder \
    --configuration-recorder-name default

# Verify the recorder is running
aws configservice describe-configuration-recorder-status \
    --query 'ConfigurationRecordersStatus[0].{Name:name,Recording:recording,LastStatus:lastStatus}' \
    --output table

Config Recording Active: AWS Config is now recording configuration changes across your account. The first configuration items will appear within 10-15 minutes.
Step 2: Configure Compliance Rules

~10 minutes

Deploy AWS managed rules to evaluate resources against security best practices. Start with the most critical rules that prevent common misconfigurations.

2.1 Deploy S3 Security Rules

These rules prevent data exposure through misconfigured S3 buckets:

AWS CLI - S3 Security Rules
# S3 bucket public access prohibited (bucket-level Block Public Access settings).
# The managed rule identifier is S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED; the
# ConfigRuleName is your own label and is reused by the remediation in step 3.
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "s3-bucket-public-access-prohibited",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"
        }
    }'

# S3 bucket server-side encryption enabled
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
        }
    }'

# S3 bucket SSL requests only
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "s3-bucket-ssl-requests-only",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY"
        }
    }'

2.2 Deploy Network Security Rules

These rules detect overly permissive network configurations:

AWS CLI - Network Security Rules
# Check for unrestricted SSH access
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "incoming-ssh-disabled",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "INCOMING_SSH_DISABLED"
        }
    }'

# VPC default security group closed
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "vpc-default-security-group-closed",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
        }
    }'

2.3 Deploy IAM Security Rules

These rules enforce identity and access management best practices:

AWS CLI - IAM Security Rules
# IAM password policy
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "iam-password-policy",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "IAM_PASSWORD_POLICY"
        },
        "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"RequireSymbols\":\"true\",\"MinimumPasswordLength\":\"14\"}"
    }'

# Root account MFA enabled
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "root-account-mfa-enabled",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"
        }
    }'

# Root account access key check
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "root-access-key-check",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"
        }
    }'

2.4 Deploy Conformance Packs (Optional)

For comprehensive compliance, use conformance packs that bundle multiple related rules:

AWS CLI - Deploy Conformance Pack
# Deploy conformance pack from your S3 bucket
aws configservice put-conformance-pack \
    --conformance-pack-name "SecurityBestPractices" \
    --template-s3-uri "s3://your-bucket/templates/security-best-practices.yaml" \
    --delivery-s3-bucket "config-bucket-123456789012-us-east-1"

# Or use the console to select from AWS sample templates:
# - Operational Best Practices for CIS AWS Foundations Benchmark v1.4
# - Operational Best Practices for HIPAA Security
# - Operational Best Practices for PCI DSS 3.2.1

# List deployed conformance packs
aws configservice describe-conformance-packs \
    --query 'ConformancePackDetails[*].{Name:ConformancePackName,State:ConformancePackState}' \
    --output table

Rules Active: Your compliance rules are now monitoring your environment. Any non-compliant resources will be flagged within the next evaluation cycle (10-30 minutes).
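As an added example of what a rule evaluation actually computes (my code, not the tutorial's and not AWS's implementation of the managed rule), the following Python parses the exact InputParameters string from the iam-password-policy rule above, which is a JSON document nested as a string inside the rule JSON, and evaluates a password policy in the shape IAM's GetAccountPasswordPolicy returns. The two sample policies are constructed, and the evaluation record it builds uses the fields a custom rule hands to config:PutEvaluations.

```python
"""Evaluate an account password policy the way a Config rule evaluation does.

Added example, not code from the tutorial or from AWS. InputParameters is
JSON-in-JSON: it reaches the rule as a string whose values are all strings,
so it has to be parsed a second time and converted before comparing.
"""
import json

# The put-config-rule document from the tutorial, verbatim.
RULE_DOCUMENT = json.loads(r'''{
    "ConfigRuleName": "iam-password-policy",
    "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"},
    "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"RequireSymbols\":\"true\",\"MinimumPasswordLength\":\"14\"}"
}''')

# Constructed sample policies in GetAccountPasswordPolicy shape.
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 16, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
}

BOOLEAN_PARAMETERS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                      "RequireNumbers", "RequireSymbols")


def parse_input_parameters(rule_document):
    """Second parse: the InputParameters value is itself a JSON document."""
    return json.loads(rule_document.get("InputParameters", "{}"))


def _as_bool(value):
    return str(value).lower() == "true"


def evaluate_password_policy(policy, params):
    """Return (compliance_type, names of the parameters the policy fails)."""
    failed = []
    for name, wanted in params.items():
        if name == "MinimumPasswordLength":
            if policy.get("MinimumPasswordLength", 0) < int(wanted):
                failed.append(name)
        elif name in BOOLEAN_PARAMETERS:
            if _as_bool(wanted) and not policy.get(name, False):
                failed.append(name)
        else:
            raise ValueError(f"parameter not handled by this example: {name}")
    return ("COMPLIANT" if not failed else "NON_COMPLIANT"), failed


def build_evaluation(account_id, compliance_type, failed):
    """One entry of the Evaluations list a custom rule passes to PutEvaluations.
    The password policy is an account-level resource, hence AWS::::Account;
    Annotation is limited to 256 characters by the API."""
    annotation = "all checks passed" if not failed else "failed: " + ", ".join(failed)
    return {"ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": account_id,
            "ComplianceType": compliance_type,
            "Annotation": annotation[:256]}


if __name__ == "__main__":
    params = parse_input_parameters(RULE_DOCUMENT)
    for label, policy in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        state, failed = evaluate_password_policy(policy, params)
        print(label, json.dumps(build_evaluation("123456789012", state, failed)))
```

The double parse is the part people get wrong when templating rules: a tool that emits InputParameters as a nested object rather than an escaped string produces a rule that PutConfigRule rejects.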
Step 3: Set Up Automated Remediation

~8 minutes

Configure automatic fixes for common misconfigurations to reduce mean time to resolution from hours to minutes.

3.1 Create Remediation IAM Role

First, create an IAM role that Systems Manager can use for remediation:

AWS CLI - Create Remediation Role
# Create trust policy for SSM
cat > remediation-trust-policy.json << 'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

# Create the remediation role
aws iam create-role \
    --role-name ConfigRemediationRole \
    --assume-role-policy-document file://remediation-trust-policy.json

# Attach SSM automation policy (lets Automation run, but grants no S3 rights)
aws iam attach-role-policy \
    --role-name ConfigRemediationRole \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole

# Grant only what the ConfigureS3BucketPublicAccessBlock document needs;
# without these actions the automation is started but the S3 call fails
cat > remediation-s3-policy.json << 'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
EOF

aws iam put-role-policy \
    --role-name ConfigRemediationRole \
    --policy-name ConfigRemediationS3PublicAccessBlock \
    --policy-document file://remediation-s3-policy.json

3.2 Configure S3 Public Access Remediation

Automatically block public access when detected:

AWS CLI - S3 Public Access Remediation
# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Configure automatic remediation for S3 public access
aws configservice put-remediation-configurations \
    --remediation-configurations '[
        {
            "ConfigRuleName": "s3-bucket-public-access-prohibited",
            "TargetType": "SSM_DOCUMENT",
            "TargetId": "AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock",
            "TargetVersion": "1",
            "Parameters": {
                "AutomationAssumeRole": {
                    "StaticValue": {
                        "Values": ["arn:aws:iam::'${ACCOUNT_ID}':role/ConfigRemediationRole"]
                    }
                },
                "BucketName": {
                    "ResourceValue": {
                        "Value": "RESOURCE_ID"
                    }
                }
            },
            "Automatic": true,
            "MaximumAutomaticAttempts": 5,
            "RetryAttemptSeconds": 60
        }
    ]'

3.3 View Remediation Status

AWS CLI - Check Remediation Status
# List all remediation configurations
aws configservice describe-remediation-configurations \
    --config-rule-names s3-bucket-public-access-prohibited \
    --query 'RemediationConfigurations[*].{Rule:ConfigRuleName,Target:TargetId,Automatic:Automatic}' \
    --output table

# Check remediation execution status
aws configservice describe-remediation-execution-status \
    --config-rule-name s3-bucket-public-access-prohibited \
    --query 'RemediationExecutionStatuses[*].{Resource:ResourceKey.ResourceId,State:State}' \
    --output table

⚠️ Test First: Always test automated remediation in non-production environments before enabling in production. Verify actions work correctly and don't have unintended side effects.

Remediation Active: Non-compliant resources will be automatically fixed within 5-10 minutes of detection.
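The following added Python example (mine, not the tutorial's or AWS's code, and it calls no AWS API) simulates the loop step 3 sets up: the bucket-level public-access check that all four PublicAccessBlock settings are true, the effect of the ConfigureS3BucketPublicAccessBlock document run with its default parameters (all four set to true), and the retry schedule implied by MaximumAutomaticAttempts and RetryAttemptSeconds, with an injectable apply function so a transient failure can be exercised offline. Buckets are plain dataclasses constructed here and the bucket names are made up.

```python
"""Simulate detect -> remediate -> re-evaluate for the S3 public access rule.

Added example, not part of the original tutorial. Nothing here talks to S3
or Config; it models the decisions those services make so the retry
parameters of the remediation configuration can be reasoned about.
"""
from dataclasses import dataclass, field

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Bucket:
    """Constructed stand-in for a bucket's PublicAccessBlock configuration."""
    name: str
    public_access_block: dict = field(default_factory=dict)


def evaluate_bucket(bucket):
    """COMPLIANT only if every PublicAccessBlock setting is present and true,
    which is what the bucket-level public access rule requires by default."""
    ok = all(bucket.public_access_block.get(k) is True for k in PAB_KEYS)
    return "COMPLIANT" if ok else "NON_COMPLIANT"


def configure_public_access_block(bucket, **overrides):
    """Effect of the remediation document with default parameters (all true).
    Overrides mirror the document's optional per-setting parameters."""
    desired = {k: True for k in PAB_KEYS}
    desired.update(overrides)
    bucket.public_access_block = desired
    return bucket


def remediate_with_retries(bucket, apply, max_attempts=5, retry_seconds=60):
    """Retry `apply` up to max_attempts times, waiting retry_seconds between
    attempts (simulated as an elapsed counter), and re-evaluate after each
    attempt exactly as Config does before declaring the remediation done."""
    log, elapsed = [], 0
    for attempt in range(1, max_attempts + 1):
        try:
            apply(bucket)
            state = evaluate_bucket(bucket)
            log.append({"attempt": attempt, "at": elapsed, "result": state})
            if state == "COMPLIANT":
                return {"state": "SUCCEEDED", "attempts": attempt, "log": log}
        except RuntimeError as exc:  # transient failure such as API throttling
            log.append({"attempt": attempt, "at": elapsed, "result": f"FAILED: {exc}"})
        elapsed += retry_seconds
    return {"state": "FAILED", "attempts": max_attempts, "log": log}


def flaky_apply(failures_before_success):
    """Build an apply function that raises N times before it finally applies."""
    remaining = {"n": failures_before_success}

    def apply(bucket):
        if remaining["n"] > 0:
            remaining["n"] -= 1
            raise RuntimeError("simulated throttling")
        configure_public_access_block(bucket)

    return apply


if __name__ == "__main__":
    bucket = Bucket("example-bucket-7f3a", {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                             "BlockPublicPolicy": True, "RestrictPublicBuckets": False})
    print("before:", evaluate_bucket(bucket))
    print(remediate_with_retries(bucket, flaky_apply(2), max_attempts=5, retry_seconds=60))
    print("after:", evaluate_bucket(bucket))
```

With the tutorial's values (5 attempts, 60 seconds apart) a remediation that keeps failing gives up after roughly four minutes, which is the window the "5-10 minutes" figure above has to absorb; if your S3 calls are throttled under load, raise RetryAttemptSeconds rather than MaximumAutomaticAttempts so retries spread out instead of piling up.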
Step 4: Create Compliance Dashboards

~4 minutes

Set up real-time monitoring and alerting for compliance violations.

4.1 Configure EventBridge Alerts

Get real-time notifications when compliance violations occur:

AWS CLI - EventBridge Compliance Alerts
# Create SNS topic for alerts and capture its ARN (avoids relying on
# `aws configure get region`, which is empty when the region comes from the environment)
TOPIC_ARN=$(aws sns create-topic --name config-compliance-alerts \
    --query TopicArn --output text)

# Allow EventBridge to publish to the topic. Without this statement the
# rule's target deliveries fail silently (visible only as FailedInvocations
# in the AWS/Events CloudWatch metrics).
aws sns set-topic-attributes \
    --topic-arn "$TOPIC_ARN" \
    --attribute-name Policy \
    --attribute-value '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": "'"${TOPIC_ARN}"'"
        }]
    }'

# Subscribe whoever should receive the alerts (confirm the email afterwards)
aws sns subscribe \
    --topic-arn "$TOPIC_ARN" \
    --protocol email \
    --notification-endpoint security-team@example.com

# Create EventBridge rule for Config compliance changes
aws events put-rule \
    --name "ConfigComplianceChanges" \
    --description "Alert on Config compliance state changes" \
    --event-pattern '{
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "newEvaluationResult": {
                "complianceType": ["NON_COMPLIANT"]
            }
        }
    }'

# Add SNS target to the rule
aws events put-targets \
    --rule ConfigComplianceChanges \
    --targets "Id"="1","Arn"="$TOPIC_ARN"
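EventBridge evaluates the pattern above by requiring every key in the pattern to be present in the event, with the event's value being one of the values listed in the pattern's array; nested objects are matched recursively and keys the pattern does not mention are ignored. The added Python example below (mine, not AWS's matcher) implements that exact-match subset, runs the tutorial's pattern over two constructed compliance-change events, and formats the one that matches as the alert text the SNS subscriber would read. The account ID, event ID and resource names are made up.

```python
"""Apply the tutorial's EventBridge pattern to Config compliance-change events.

Added example, not part of the original tutorial. The event shape follows
the "Config Rules Compliance Change" detail-type: configRuleName,
resourceType, resourceId and old/newEvaluationResult.complianceType.
"""
import json

# The event pattern from the put-rule command above.
EVENT_PATTERN = json.loads('''{
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}
}''')


def _make_event(old, new, resource_id="example-bucket-7f3a"):
    """Constructed sample event (ids, account and names are made up)."""
    return {
        "version": "0", "id": "00000000-0000-0000-0000-000000000001",
        "detail-type": "Config Rules Compliance Change", "source": "aws.config",
        "account": "123456789012", "region": "us-east-1",
        "time": "2024-01-12T17:46:10Z",
        "detail": {
            "resourceId": resource_id, "resourceType": "AWS::S3::Bucket",
            "awsRegion": "us-east-1", "awsAccountId": "123456789012",
            "configRuleName": "s3-bucket-public-access-prohibited",
            "messageType": "ComplianceChangeNotification",
            "oldEvaluationResult": {"complianceType": old},
            "newEvaluationResult": {"complianceType": new},
        },
    }


VIOLATION_EVENT = _make_event("COMPLIANT", "NON_COMPLIANT")
RESOLVED_EVENT = _make_event("NON_COMPLIANT", "COMPLIANT")


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: a pattern leaf is a
    list of allowed values (OR); sibling keys must all match (AND); a key
    missing from the event never matches."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(wanted, event[key]):
                return False
        elif isinstance(wanted, list):
            if event[key] not in wanted:
                return False
        else:
            raise TypeError("pattern leaves must be lists of literal values")
    return True


def format_alert(event):
    """One-line alert text; the old state is optional on a first evaluation."""
    d = event["detail"]
    old = d.get("oldEvaluationResult", {}).get("complianceType", "unknown")
    return (f"[{d['newEvaluationResult']['complianceType']}] {d['configRuleName']}: "
            f"{d['resourceType']} {d['resourceId']} in {d['awsAccountId']}/{d['awsRegion']} "
            f"(was {old})")


def filter_alerts(events, pattern=EVENT_PATTERN):
    """Return alert lines for the events the pattern selects, in order."""
    return [format_alert(e) for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for line in filter_alerts([VIOLATION_EVENT, RESOLVED_EVENT]):
        print(line)
```

Because the pattern names only newEvaluationResult, a resource that was already NON_COMPLIANT and is re-evaluated as NON_COMPLIANT is not re-sent (Config emits the event on state changes), while the transition back to COMPLIANT is dropped by the filter; if the team wants closure notices as well, add "COMPLIANT" to the array rather than removing the key.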

4.2 Generate Compliance Reports

AWS CLI - Compliance Reports
# Get overall compliance summary by rule
aws configservice get-compliance-summary-by-config-rule \
    --query 'ComplianceSummary' \
    --output table

# List all rules and their compliance status
aws configservice describe-compliance-by-config-rule \
    --query 'ComplianceByConfigRules[*].{RuleName:ConfigRuleName,Compliance:Compliance.ComplianceType}' \
    --output table

# Get detailed non-compliant resources for a specific rule
aws configservice get-compliance-details-by-config-rule \
    --config-rule-name s3-bucket-public-access-prohibited \
    --compliance-types NON_COMPLIANT \
    --query 'EvaluationResults[*].{ResourceId:EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId}' \
    --output table
Monitoring Complete: You now have comprehensive compliance monitoring with real-time alerts for your security team.

Validate Your Configuration

Run through this checklist to ensure AWS Config is properly configured:

Config Validation Script

Bash - Config Validation Script
#!/bin/bash
# AWS Config Validation Script

REGION="${1:-us-east-1}"
echo "============================================"
echo "AWS Config Validation - Region: $REGION"
echo "============================================"

# Check Config recorder status
echo -e "\n[1/5] Checking Config recorder status..."
aws configservice describe-configuration-recorder-status \
    --region $REGION \
    --query 'ConfigurationRecordersStatus[0].{Name:name,Recording:recording,LastStatus:lastStatus}' \
    --output table

# Check active rules
echo -e "\n[2/5] Checking active Config rules..."
RULES_COUNT=$(aws configservice describe-config-rules \
    --region $REGION \
    --query 'length(ConfigRules)' \
    --output text)
echo "Active Config rules: ${RULES_COUNT:-0}"

# List rules by compliance status
echo -e "\n[3/5] Checking rule compliance status..."
aws configservice describe-compliance-by-config-rule \
    --region $REGION \
    --query 'ComplianceByConfigRules[*].{Rule:ConfigRuleName,Status:Compliance.ComplianceType}' \
    --output table

# Check compliance summary
echo -e "\n[4/5] Getting compliance summary..."
aws configservice get-compliance-summary-by-config-rule \
    --region $REGION \
    --output table

# Check remediation configurations. The call succeeds with an empty list when
# nothing is configured, so test the output rather than the exit status.
echo -e "\n[5/5] Checking remediation configurations..."
REMEDIATION=$(aws configservice describe-remediation-configurations \
    --config-rule-names s3-bucket-public-access-prohibited \
    --region $REGION \
    --query 'RemediationConfigurations[*].{Rule:ConfigRuleName,Automatic:Automatic}' \
    --output table 2>/dev/null)
if [ -n "$REMEDIATION" ]; then
    echo "$REMEDIATION"
else
    echo "No remediation configured for this rule"
fi

echo -e "\n============================================"
echo "AWS Config validation complete!"
echo "============================================"

Common Mistakes to Avoid

Not enabling Config in all regions. Security threats can exploit resources in any region. Enable Config globally or use AWS Organizations to deploy across all accounts and regions.

Selecting only certain resource types. This creates blind spots where misconfigurations can hide. Record all supported resource types unless you have specific cost constraints.

Not setting up automated remediation. Manual remediation leads to extended exposure windows. Configure automatic remediation for critical rules like public S3 access.

Ignoring Config costs. Config charges per configuration item and rule evaluation. Monitor costs and implement S3 lifecycle policies for historical data.

Not testing remediation actions. Always test automated remediation in non-production first. Verify actions work correctly before enabling in production.

Deploying too many rules at once. Start with critical security rules (S3 public access, encryption, IAM) before expanding. Too many alerts lead to alert fatigue.

Want Comprehensive AWS Security Monitoring?

AWS Config is one layer of protection. AWSight automatically monitors your AWS environment against 500+ security best practices daily—providing unified visibility across Config rules, security findings, and compliance gaps.
