AWS Glossary

AWS Config Rules

Automated compliance checking service that evaluates AWS resource configuration against desired standards.

Definition

AWS Config Rules are automated compliance checks that evaluate AWS resources against configuration rules. Rules continuously monitor your infrastructure and alert when resources drift from desired configuration. This enables compliance-as-code: define standards once, enforce organization-wide.

How Config Rules Work

Evaluation Cycle:

Config monitors all resource changes in real-time
Triggers evaluation of relevant rules
Rule evaluates: resource compliant or non-compliant
Sends notification via SNS if non-compliant
Logs compliance status in Config dashboard

Example Rule: S3 Encryption

Rule: “All S3 buckets must have encryption enabled”
Resource: New S3 bucket created
Config evaluates: Is encryption enabled?
Result: Compliant or Non-compliant
Action: Alert if non-compliant

AWS Managed Rules vs Custom Rules

AWS Managed Rules (pre-built)

S3 bucket encryption, versioning, logging
EC2 security groups, EBS encryption
RDS encryption, backup enabled
IAM password policy, MFA enabled
VPC flow logs enabled
CloudTrail logging enabled
400+ rules available

Custom Rules (you define)

Define compliance logic in Lambda
Evaluate based on custom requirements
Example: “All production resources must have cost-center tag”
Example: “No instances larger than m5.xlarge in dev”

Remediation Actions

Automatic Remediation (AWS-managed)

Modify non-compliant resource automatically
Examples: Enable encryption, add security group rule, tag resource
Reduces manual remediation effort
Can be dangerous; test first

Manual Remediation

Config alerts on non-compliance
Team manually fixes resource
Better for critical changes
Requires response process

Conformance Packs

Conformance Packs bundle multiple Config rules into a single deployable package aligned to a compliance standard. Deploy a pack and instantly get coverage for:

CIS AWS Foundations Benchmark — 49 rules covering IAM, logging, monitoring, networking
PCI DSS — 30+ rules for cardholder data environment controls
HIPAA — rules enforcing PHI protection requirements
NIST 800-53 — comprehensive federal security standard
AWS Security Best Practices — AWS-curated operational rules

Conformance Packs deploy via CloudFormation to single accounts or across an entire organization via AWS Organizations. Use them as a baseline; add custom rules on top.

Config + Other Services

Config + CloudTrail

Config shows compliance status (what)
CloudTrail shows who changed it (why)
Together: full audit trail

Config + Security Hub

Security Hub aggregates Config compliance findings with GuardDuty, Inspector, and Macie
Single dashboard for all security and compliance signals
Recommended for organizations managing multiple compliance standards

Config + Remediation Actions

Automated self-healing infrastructure
Example: Non-compliant SG auto-reverts
Reduces compliance violations

Config + SNS/EventBridge

Notify teams of non-compliance
Trigger workflows (Slack, email, Jira)
Escalate critical violations

Common Compliance Rule Patterns

Security Rules:

Encryption at rest (S3, EBS, RDS)
TLS in transit (ALB HTTPS, RDS)
Network isolation (security groups, NACLs)
IAM least privilege

Data Protection Rules:

Backup enabled (RDS, EBS, snapshots)
Versioning enabled (S3)
Replication enabled (multi-region)
Retention policies enforced

Operational Rules:

Logging enabled (CloudTrail, VPC Flow Logs, ALB)
Monitoring enabled (CloudWatch alarms)
Tags present and correct
No public resources

Common Mistakes

Mistake 1: Creating rules without remediation plan. Non-compliance means something is broken; have a way to fix it.

Mistake 2: Enabling automatic remediation without testing. A rule that auto-changes production config can break systems.

Mistake 3: Too many rules creating alert fatigue. Prioritize rules; not all violations need immediate response.

Implementation Timeline

Week 1: Setup

Enable AWS Config
Deploy 5-10 high-priority managed rules
Configure SNS notifications

Week 2-4: Tuning

Review false positives
Adjust rule logic or exclusions
Build remediation processes

Month 2: Expansion

Add custom rules for org-specific compliance
Implement automated remediation
Integrate with ticketing system

AWS CloudTrail (audit logging what changed)
AWS Systems Manager Automation (remediation workflows)
AWS Security Hub (centralized compliance dashboard)
AWS Organizations (multi-account config aggregation)

Related Services

Cloud Compliance Services

Explore this service offering

Learn more

Aws Cloud Security

Explore this service offering

Learn more

Need Help with This Topic?

Our AWS experts can help you implement and optimize these concepts for your organization.

Talk to AWS Experts

AWS Config Rules

AI & assistant-friendly summary

Summary

Key Facts

Entity Definitions

Related Content