Operations Management

Continuous Compliance Monitoring with AWS Config - Rule Evaluation and Auto-Remediation

Learn how to record resource configurations with AWS Config, evaluate compliance using Config rules, and set up auto-remediation actions.

約 3 分で読めます

Overview of Config

AWS Config is a service that continuously records configuration changes to your AWS resources and automatically evaluates compliance. It captures every configuration change, including security group modifications on EC2 instances, public access setting changes on S3 buckets, and IAM policy updates. With over 200 managed Config rules, you can define conditions such as "S3 bucket public access must be blocked" and automatically detect non-compliant resources.

Rules and Auto-Remediation

Managed rules are pre-defined rules provided by AWS, with over 200 available options including s3-bucket-public-read-prohibited, ec2-instance-no-public-ip, and iam-password-policy. Custom rules let you implement your own evaluation logic using Lambda functions. Auto-remediation executes SSM Automation documents when non-compliant resources are detected. For example, it can automatically block public access on an S3 bucket. Conformance packs bundle rule sets aligned with industry standards such as CIS AWS Foundations Benchmark and PCI DSS for batch deployment.

Conformance Packs and Aggregation

Conformance packs are templates that package multiple Config rules and remediation actions together. Pre-defined packs are available for compliance frameworks including CIS Benchmark, PCI DSS, and NIST 800-53. You can define custom conformance packs with organization-specific rule sets and deploy them across your entire Organizations structure at once. Config Aggregator consolidates compliance status from multiple accounts and regions into a single account, providing a dashboard view of organization-wide compliance. Advanced queries let you run cross-account searches such as "find all resources with unencrypted EBS volumes across all accounts." For a deeper look at Config, you can also explore related books on Amazon.

Optimizing Config Costs

Config pricing consists of the number of configuration items recorded (approximately $0.003 per item), rule evaluations (approximately $0.001 per evaluation), and conformance pack evaluations. Enabling recording for all resource types can result in a massive number of configuration items, so you should limit recording to only the resource types required for compliance to manage costs. Use a mix of periodic evaluation (every 24 hours) and change-triggered evaluation, applying periodic evaluation to resources that change infrequently. Config's advanced queries are available at no additional charge and can be leveraged for compliance reporting.

Summary

AWS Config is a service that records resource configuration changes and continuously evaluates compliance. Conformance packs let you batch-deploy rule sets for CIS Benchmark and PCI DSS, while Aggregator provides organization-wide compliance visibility. Auto-remediation automates the entire flow from detecting non-compliant resources to fixing them, maintaining continuous compliance.

Related Services

AWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors complianceAWS OrganizationsA service for centrally managing multiple AWS accountsAWS Systems ManagerAn operations management service for centrally managing AWS resources and on-premises servers

Related Articles

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.API Audit Logging with AWS CloudTrail - Trail Design and Security AnalysisRecord all API activity and run advanced analysis with SQL queries in CloudTrail Lake. This article covers automatic anomaly detection with Insights and real-time detection through EventBridge integration.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

AWS ConfigA service that continuously records and evaluates AWS resource configuration changes, enabling automated compliance auditing and configuration history tracking based on defined rulesAudit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.AWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practicesCentralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.