Continuous Compliance Monitoring with AWS Config - Rule Evaluation and Auto-Remediation

Learn how to record resource configurations with AWS Config, evaluate compliance using Config rules, and set up auto-remediation actions.

Overview of Config

AWS Config is a service that continuously records configuration changes to your AWS resources and automatically evaluates compliance. It captures every configuration change, including security group modifications on EC2 instances, public access setting changes on S3 buckets, and IAM policy updates. With over 200 managed Config rules, you can define conditions such as "S3 bucket public access must be blocked" and automatically detect non-compliant resources. Each configuration item includes resource metadata, attributes, relationships to other resources, and a configuration snapshot, enabling you to reconstruct the state of any resource at any point in time.

Rules and Auto-Remediation

Managed rules are pre-defined rules provided by AWS, with over 200 available options including s3-bucket-public-read-prohibited, ec2-instance-no-public-ip, and iam-password-policy. Custom rules let you implement your own evaluation logic using Lambda functions. Guard rules define policies using AWS CloudFormation Guard's declarative syntax, letting you create custom rules without writing Lambda code. Auto-remediation executes SSM Automation documents when non-compliant resources are detected - for example, automatically blocking public access on an S3 bucket. Remediation actions can include a manual approval step to prevent unintended changes in production environments. Triggers can be change-triggered (evaluated immediately on resource change) or periodic (1, 3, 6, 12, or 24 hours); applying periodic triggers to infrequently changed rules reduces costs.

Conformance Packs and Aggregation

Conformance packs are templates that package multiple Config rules and remediation actions together. Pre-defined packs are available for compliance frameworks including CIS Benchmark, PCI DSS, and NIST 800-53. You can define custom conformance packs with organization-specific rule sets and deploy them across your entire Organizations structure at once. Config Aggregator consolidates compliance status from multiple accounts and regions into a single account, providing a dashboard view of organization-wide compliance. Advanced queries let you run cross-account searches such as "find all resources with unencrypted EBS volumes across all accounts." For a deeper look at Config, you can also explore related books on Amazon.

Design Best Practices and Pitfalls

When enabling Config, recording all resource types causes the number of configuration items to explode, resulting in significant costs. Start by recording only security-critical resource types (IAM, S3, EC2, RDS) and expand gradually. A key consideration with auto-remediation is the risk of cascading remediation, where a remediation action triggers another rule violation. For example, a remediation that deletes security group inbound rules could disrupt application communication. Run auto-remediation in DryRun mode first to verify results, then automate incrementally. When deploying rules across the organization, manage exclusion lists for certain accounts (sandboxes, development environments) to avoid excessive evaluations. Config recording and CloudTrail recording are complementary - Config records "what changed" while CloudTrail records "who made the change" - so incident investigations use both together.

Config and Security Hub Integration

AWS Security Hub automatically aggregates Config rule evaluation results and visualizes them as security scores. Enabling Security Hub auto-deploys Config rules for CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices, displaying each resource's compliance status as a scorecard. While Config alone aggregates individual rule evaluations via Aggregator, Security Hub organizes these as prioritized findings classified into Critical, High, Medium, and Low severity. In practice, Config serves as the engine for rule definition, custom evaluation, and auto-remediation, while Security Hub functions as the organization-wide security posture visualization dashboard. A common pattern is routing Config rule violations through Security Hub to EventBridge for automated ticket creation or Slack notifications.

Optimizing Config Costs

Config pricing consists of the number of configuration items recorded (approximately $0.003 per item), rule evaluations (approximately $0.001 per evaluation), and conformance pack evaluations. Enabling recording for all resource types can result in a massive number of configuration items, so you should limit recording to only the resource types required for compliance to manage costs. Use a mix of periodic evaluation (every 24 hours) and change-triggered evaluation, applying periodic evaluation to resources that change infrequently. Config's advanced queries are available at no additional charge and can be leveraged for compliance reporting. For accounts with many rules, using change triggers to reduce re-evaluations against resources whose evaluation results haven't changed directly impacts cost efficiency.

Summary

AWS Config is a service that records resource configuration changes and continuously evaluates compliance. Conformance packs let you batch-deploy rule sets for CIS Benchmark and PCI DSS, while Aggregator provides organization-wide compliance visibility. Auto-remediation automates the entire flow from detecting non-compliant resources to fixing them, maintaining continuous compliance.