---
title: AWS Config Rules
description: Automated compliance checking service that evaluates AWS resource configuration against desired standards.
url: https://www.factualminds.com/glossary/aws-config-rules/
publishDate: 2026-06-13
updateDate: 2026-06-13
---

# AWS Config Rules

> Automated compliance checking service that evaluates AWS resource configuration against desired standards.

## Definition

AWS Config continuously records configuration changes to AWS resources and evaluates them against **Config rules** — managed or custom checks that mark resources **COMPLIANT** or **NON_COMPLIANT**. Rules run on configuration changes and on a periodic schedule. **Conformance packs** bundle dozens of rules aligned to CIS, PCI DSS, HIPAA, or NIST. Config tells you _what_ drifted; pair it with CloudTrail to learn _who_ changed it and with Systems Manager Automation or custom remediation for _how_ you fix it.

## When to use it

- **Continuous compliance monitoring** instead of quarterly manual config reviews.
- **Detective controls** for encryption (S3, EBS, RDS), public exposure (SG rules, S3 ACLs), logging (CloudTrail, VPC Flow Logs), and tagging standards.
- **Organization-wide aggregation** via AWS Config Aggregator across accounts and regions.
- **Conformance pack deployment** as a baseline for a new account or landing zone OU.
- **Custom rules** (Lambda-backed) for org-specific policies — e.g., required cost-center tags or approved instance types.

## When not to use it

- **Real-time blocking of API calls** — Config detects after the fact; use IAM policies or service control policies (SCPs) for preventive denial.
- **Automatic remediation without testing** — a remediation action that opens a security group or deletes a resource can cause outages.
- **Every possible rule on day one** — hundreds of NON_COMPLIANT resources with no owner create alert fatigue and ignored dashboards.

## Tips

- Start with **10–15 high-impact managed rules** (encryption, public access, CloudTrail enabled) before expanding.
- Route NON_COMPLIANT notifications through **EventBridge → SNS/Slack/Jira** with severity tiers — not every drift is P1.
- Use **Config Aggregator** in the security/compliance account for a single pane across the org.
- Document **exceptions** with Config rule exclusions scoped by resource ID or tag — blanket disables defeat the purpose.
- Combine Config findings with **Security Hub** for a unified compliance scorecard alongside GuardDuty and Inspector.

## Gotchas

### Serious

- **Auto-remediation in production without a dry run** — Config can modify live resources; test in a sandbox account first.
- **Config not enabled in all regions** — resources in opt-in regions you forgot about stay invisible to rules.
- **Assuming COMPLIANT means secure** — rules check configuration snapshots, not runtime behavior or application vulnerabilities.

### Regular

- **Custom rule Lambda timeouts** — complex evaluations fail silently or flap compliance state; keep evaluators fast and idempotent.
- **Ignoring periodic trigger delays** — some drift is caught only on the periodic schedule, not instantly on change.
- **Duplicate rules across accounts** without aggregator — each account team sees a slice, not the org picture.
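A custom Lambda-backed rule of the kind listed under "When to use it" (required cost-center tag, approved instance types), written as an added example rather than code from this page or from AWS: the verdict logic is a pure function with no AWS calls, which is what keeps the evaluator fast and idempotent as the gotcha above recommends. The default rule parameters and the sample configuration item are constructed for illustration.

```python
import json

# Defaults used when the rule passes no parameters (assumed values).
DEFAULT_PARAMS = {"requiredTag": "cost-center",
                  "approvedTypes": "t3.micro,t3.small,m6i.large"}

# Constructed sample configuration item, shaped like what Config sends.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2026-06-13T00:00:00.000Z",
    "configuration": {"instanceType": "m5.xlarge"},
    "tags": {"Name": "web-1"},
}


def evaluate(item, params=DEFAULT_PARAMS):
    """Pure check, no AWS calls: returns (ComplianceType, annotation).
    Side-effect free, so a retried or duplicate invocation gives the same verdict."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule evaluates EC2 instances only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    approved = {t.strip() for t in params["approvedTypes"].split(",")}
    itype = (item.get("configuration") or {}).get("instanceType")
    problems = []
    if not (item.get("tags") or {}).get(params["requiredTag"]):
        problems.append(f"missing required tag {params['requiredTag']!r}")
    if itype not in approved:
        problems.append(f"instance type {itype!r} not approved")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # annotation length limit
    return "COMPLIANT", "required tag present and instance type approved"


def lambda_handler(event, context):
    """Entry point AWS Config invokes on a configuration change."""
    import boto3  # imported here so the module also imports offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = {**DEFAULT_PARAMS, **json.loads(event.get("ruleParameters") or "{}")}
    verdict, note = evaluate(item, params)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": verdict,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return verdict
```

Running `evaluate(SAMPLE_ITEM)` offline returns NON_COMPLIANT with both the missing tag and the unapproved type named in the annotation, which is what an operator sees in the Config console.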

## Official references

- [What is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)
- [AWS Config managed rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html)
- [Conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html)
- [Remediation actions](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html)

## Related FactualMinds content

- [AWS Security Hub and compliance monitoring setup](/blog/how-to-set-up-aws-security-hub-compliance-monitoring/)
- [Continuous compliance automation with Config and Audit Manager](/blog/aws-continuous-compliance-automation-config-audit-manager-2026/)
- [Cloud Compliance Services](/services/cloud-compliance-services/)
- [AWS Cloud Security Services](/services/aws-cloud-security/)

---

*Source: https://www.factualminds.com/glossary/aws-config-rules/*
