AWS Config Rules
AWS Config Rules are a powerful feature within AWS Config that enables continuous evaluation of your AWS resource configurations against desired settings and best practices. In the context of the AWS Certified Security – Specialty (SCS-C02) exam, understanding Config Rules is essential under Domain 2: Security Logging and Monitoring. AWS Config Rules work by evaluating the configuration of AWS resources recorded by AWS Config. There are two types of rules: **AWS Managed Rules**, which are predefined and maintained by AWS (e.g., checking if S3 buckets have encryption enabled, ensuring EBS volumes are encrypted, or verifying that CloudTrail is enabled), and **Custom Rules**, which are authored using AWS Lambda functions to define organization-specific compliance logic. Rules can be triggered in two ways: **Configuration Change-based**, which evaluates resources whenever a relevant configuration change is detected, and **Periodic**, which runs evaluations at a specified frequency (e.g., every 1, 3, 6, 12, or 24 hours). When a rule evaluates a resource, it marks the resource as either **COMPLIANT** or **NON_COMPLIANT**. This compliance status is tracked over time, providing a compliance timeline for auditing purposes. Non-compliant resources can trigger automated remediation actions using **AWS Config Remediation Actions**, which integrate with AWS Systems Manager Automation documents to automatically fix misconfigurations. For enterprise-scale deployments, **AWS Config Conformance Packs** allow you to bundle multiple Config Rules and remediation actions into a single deployable entity. These can be deployed across multiple accounts using AWS Organizations.
Key security use cases include detecting unencrypted resources, identifying overly permissive security groups, ensuring IAM policies follow least privilege, verifying multi-factor authentication (MFA) is enabled, and monitoring for public access to resources. Config Rules integrate with Amazon EventBridge for real-time notifications, Amazon SNS for alerts, and AWS Security Hub for centralized compliance visibility. This makes them a cornerstone of proactive security monitoring and continuous compliance assessment in AWS environments.
AWS Config Rules: Complete Guide for AWS Security Specialty Exam
Why AWS Config Rules Are Important
AWS Config Rules are a foundational component of security logging and monitoring in AWS environments. They enable organizations to continuously evaluate the configuration of AWS resources against desired settings, ensuring compliance, governance, and security best practices are maintained at all times. Without Config Rules, organizations would need to manually audit their infrastructure, which is error-prone, time-consuming, and does not scale. In the context of the AWS Security Specialty exam, Config Rules represent a critical topic because they sit at the intersection of detective controls, compliance automation, and remediation — all core themes of the certification.
What Are AWS Config Rules?
AWS Config Rules are configurable policies that AWS Config uses to evaluate whether your AWS resource configurations comply with your desired configurations. Each rule is essentially a compliance check. When a resource violates a rule, AWS Config flags the resource as noncompliant and can optionally trigger remediation actions.
There are three types of AWS Config Rules:
1. AWS Managed Rules — Pre-built rules created and maintained by AWS. Examples include:
- s3-bucket-versioning-enabled: Checks whether S3 bucket versioning is enabled.
- encrypted-volumes: Checks whether EBS volumes are encrypted.
- restricted-ssh: Checks whether security groups allow unrestricted SSH access.
- iam-password-policy: Checks whether the IAM password policy meets specified requirements.
- root-account-mfa-enabled: Checks whether the root account has MFA enabled.
2. Custom Rules — Rules you define using AWS Lambda functions. You write the evaluation logic in your Lambda function, and AWS Config invokes it when relevant configuration changes occur or on a schedule. Custom rules give you full flexibility to evaluate any configuration scenario unique to your organization.
3. Custom Rules with Guard (Proactive Rules) — AWS Config now supports AWS CloudFormation Guard policy-as-code rules, allowing you to write rules using a declarative, domain-specific language without needing Lambda functions.
How AWS Config Rules Work
Understanding the mechanics of AWS Config Rules is essential for exam success:
Step 1: AWS Config Records Resource Configurations
AWS Config continuously monitors and records the configurations of supported AWS resources. Each time a configuration change is detected, a configuration item (CI) is created. Configuration items are stored in a configuration history and delivered to an S3 bucket.
Step 2: Rules Are Triggered
Config Rules can be triggered in two ways:
- Configuration change trigger: The rule is evaluated whenever a relevant resource is created, changed, or deleted. You can scope this to specific resource types, resource IDs, or tags.
- Periodic trigger: The rule is evaluated at a frequency you define (e.g., every 1 hour, 3 hours, 6 hours, 12 hours, or 24 hours).
Step 3: Evaluation Occurs
For managed rules, AWS Config evaluates the resource against the rule's built-in logic. For custom rules, AWS Config invokes the associated Lambda function, passing the configuration item as an event. The Lambda function returns a compliance status.
Step 4: Compliance Status Is Reported
Each resource is marked as either COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA. Results are visible in the AWS Config console, and you can view compliance timelines for each resource.
Step 5: Notifications and Remediation
- Amazon SNS Notifications: AWS Config can send notifications to an SNS topic when compliance status changes.
- Amazon EventBridge Integration: Config compliance change events are published to EventBridge, enabling you to trigger downstream workflows such as Lambda functions, Step Functions, or incident management systems.
- Automatic Remediation: AWS Config Rules support automatic remediation through AWS Systems Manager Automation documents (SSM Automation runbooks). You can associate a remediation action with any rule. When a resource becomes noncompliant, the remediation action is automatically executed. For example, if an S3 bucket is found to have public access, an SSM Automation document can automatically block public access.
- Manual Remediation: You can also trigger remediation manually from the Config console for specific noncompliant resources.
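The custom-rule path of Steps 3 and 4 (Lambda receives the configuration item, returns a compliance status), as an added example that is not part of this guide. It is a hypothetical custom rule that flags security groups exposing a TCP port (default 22) to 0.0.0.0/0 or ::/0, and it illustrates the exam point that out-of-scope or deleted resources are NOT_APPLICABLE rather than NON_COMPLIANT. The `blockedPort` rule parameter and the sample configuration item are constructed for the example.

```python
import json

OPEN_WORLD = {"0.0.0.0/0", "::/0"}
# Constructed sample configuration item, shaped like Config's invokingEvent.configurationItem.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789example",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                          "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []}]},
}

def _cidrs(perm):
    # The CI lists IPv4 ranges as strings (ipRanges) and/or dicts (ipv4Ranges).
    found = set(perm.get("ipRanges", []))
    found |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    found |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return found

def evaluate_compliance(ci, port=22):
    """Map one configuration item to a Config compliance type."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"  # out of scope for this rule, not a violation
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # a deleted resource must not linger as NON_COMPLIANT
    for perm in ci.get("configuration", {}).get("ipPermissions", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        all_ports = proto == "-1" or lo is None or hi is None
        if (all_ports or (proto == "tcp" and lo <= port <= hi)) and _cidrs(perm) & OPEN_WORLD:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def lambda_handler(event, context):
    """Entry point Config invokes for a configuration-change trigger."""
    import boto3  # imported here so evaluate_compliance() stays testable offline
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("blockedPort", 22))  # hypothetical rule parameter
    ci = invoking.get("configurationItem")
    if ci is None:  # oversized-CI and periodic (scheduled) invocations are not handled here
        return None
    compliance = evaluate_compliance(ci, port)
    note = f"TCP {port} open to 0.0.0.0/0 or ::/0" if compliance == "NON_COMPLIANT" else "ok"
    boto3.client("config").put_evaluations(  # report the result back to Config
        ResultToken=event["resultToken"],
        Evaluations=[{"ComplianceResourceType": ci["resourceType"],
                      "ComplianceResourceId": ci["resourceId"],
                      "ComplianceType": compliance, "Annotation": note,
                      "OrderingTimestamp": ci["configurationItemCaptureTime"]}])
    return compliance
```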
Key Architecture Components
- Configuration Recorder: The component that records configurations of supported resources. You must have a running configuration recorder for Config Rules to work.
- Delivery Channel: Specifies the S3 bucket where configuration history and snapshots are delivered, and optionally an SNS topic for notifications.
- Aggregator: An AWS Config resource that collects Config data from multiple accounts and regions. This is critical for multi-account, multi-region compliance views using AWS Config Aggregators or AWS Organizations integration.
- Conformance Packs: A collection of AWS Config Rules and remediation actions that can be deployed as a single entity across an organization. Conformance packs are authored in YAML and can be deployed via AWS Organizations for enterprise-wide governance.
Multi-Account and Multi-Region Strategy
For organizations using AWS Organizations, AWS Config can be deployed across all member accounts and regions using:
- AWS Config Aggregators: Aggregate compliance data from multiple accounts and regions into a single aggregator account.
- Organization Config Rules: Deploy Config Rules across all accounts in an organization from the management account or a delegated administrator account.
- Organization Conformance Packs: Deploy conformance packs organization-wide.
Integration with Other AWS Services
- AWS Security Hub: Security Hub integrates with AWS Config to evaluate security standards (like CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices). Many Security Hub controls are backed by Config Rules.
- AWS CloudTrail: While CloudTrail logs API calls (who did what), AWS Config records the resulting configuration state (what the resource looks like). Together, they provide a complete audit trail.
- AWS Systems Manager: SSM Automation runbooks are used for automatic remediation of noncompliant resources.
- AWS Organizations: Enables organization-wide deployment of Config Rules and aggregation of compliance data.
- Amazon EventBridge: Config compliance change events can trigger automated workflows.
- AWS Lambda: Powers custom Config Rules evaluation logic.
Important Limitations to Know
- AWS Config is a regional service. You must enable it in each region where you want to monitor resources.
- AWS Config does not prevent configuration changes. It is a detective control, not a preventive control. It detects noncompliance after the fact.
- For preventive controls, use AWS Service Control Policies (SCPs), IAM policies, or AWS CloudFormation Guard (proactive evaluation mode).
- Config Rules have a soft limit of 400 rules per account per region (can be increased).
- There are costs associated with AWS Config: per configuration item recorded, per active Config Rule evaluation, and per conformance pack evaluation.
Common Use Cases for the Security Specialty Exam
1. Ensuring encryption at rest: Rules like encrypted-volumes, s3-bucket-server-side-encryption-enabled, rds-storage-encrypted.
2. Ensuring encryption in transit: Rules like alb-http-to-https-redirection-check, elb-tls-https-listeners-only.
3. Restricting public access: Rules like s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, restricted-ssh, restricted-common-ports.
4. IAM best practices: Rules like iam-root-access-key-check, root-account-mfa-enabled, iam-user-mfa-enabled, access-keys-rotated.
5. VPC security: Rules like vpc-flow-logs-enabled, vpc-default-security-group-closed.
6. Logging and monitoring: Rules like cloud-trail-enabled, cloudtrail-s3-dataevents-enabled, guardduty-enabled-centralized.
7. Compliance auditing: Using conformance packs aligned to compliance frameworks (PCI DSS, HIPAA, NIST).
Proactive vs. Detective Evaluation
AWS Config now supports proactive evaluation, which allows you to evaluate resources before they are provisioned. This is done by evaluating CloudFormation templates against proactive Config Rules before deployment. This is useful for shift-left security practices. However, it is important to note that traditional Config Rules remain detective in nature — they evaluate resources after they are created or modified.
Exam Tips: Answering Questions on AWS Config Rules
1. Config is detective, not preventive. If the question asks how to prevent a noncompliant resource from being created, AWS Config alone is not the answer. Look for SCPs, IAM policies, or CloudFormation Guard for prevention. If the question asks how to detect and remediate noncompliant resources, AWS Config Rules with automatic remediation is the answer.
2. Config + SSM Automation = Automatic Remediation. Whenever a question mentions automatically fixing noncompliant resources, think AWS Config Rules with SSM Automation runbooks as the remediation action.
3. Config is regional. If a question asks about monitoring resources across all regions, remember that Config must be enabled in every region. Use an aggregator for a centralized view.
4. Config vs. CloudTrail. CloudTrail answers who made what API call and when. Config answers what is the current and historical configuration of this resource and is it compliant. If the question is about auditing configuration compliance, choose Config. If it is about tracking API activity, choose CloudTrail.
5. Multi-account scenarios use Organization Config Rules. When questions involve deploying compliance rules across an AWS Organization, the answer is typically Organization Config Rules or Organization Conformance Packs deployed from the management account or delegated administrator.
6. Security Hub uses Config Rules under the hood. If a question mentions Security Hub standards and compliance checks, remember that Security Hub relies on AWS Config being enabled. If Config is not enabled, Security Hub controls will not work properly.
7. Know the key managed rules. You do not need to memorize every managed rule, but be familiar with the most common ones related to encryption, public access, MFA, logging, and access key rotation, as they appear frequently in scenario questions.
8. Trigger types matter. If a question asks about near-real-time compliance detection, the answer is a configuration change trigger. If the question asks about periodic compliance checks (e.g., checking something every 24 hours), the answer is a periodic trigger.
9. Custom Rules = Lambda. Whenever a question describes a unique compliance requirement that no managed rule covers, the answer is a custom Config Rule backed by a Lambda function.
10. Cost considerations. Be aware that AWS Config has costs per configuration item and per rule evaluation. In questions about cost optimization, consider limiting the scope of recorded resources or reducing the number of active rules.
11. Conformance Packs for compliance frameworks. When questions reference deploying a set of compliance rules aligned to a framework like PCI DSS or HIPAA, the answer is AWS Config Conformance Packs.
12. Evaluate the entire question for context clues. Words like detect, evaluate, assess compliance, configuration drift, and audit strongly point toward AWS Config. Words like prevent, deny, and block point toward IAM, SCPs, or other preventive controls.
13. Remember the Config Rule evaluation statuses. COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, and INSUFFICIENT_DATA. If a resource type is not relevant to a rule, the status is NOT_APPLICABLE, not NON_COMPLIANT.
14. EventBridge integration for advanced workflows. If a question asks about triggering a complex workflow (e.g., notifying a security team, creating a Jira ticket, invoking Step Functions) based on compliance changes, the answer involves EventBridge rules matching Config compliance change events.
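The EventBridge workflow of tip 14 (and Step 5 above), as an added example that is not part of this guide: an EventBridge event pattern that matches only Config Rules Compliance Change events whose new result is NON_COMPLIANT, a small matcher implementing the subset of EventBridge pattern semantics that pattern uses, and a Lambda target that turns the event into the fields a paging or ticketing integration needs. The sample event is constructed with placeholder account and resource ids.

```python
import json

# EventBridge rule pattern: fire only when a resource transitions to NON_COMPLIANT.
PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# Constructed sample compliance-change event (ids and account number are placeholders).
SAMPLE_EVENT = {
    "version": "0", "source": "aws.config", "account": "111122223333", "region": "us-east-1",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "sg-0123456789example", "resourceType": "AWS::EC2::SecurityGroup",
        "configRuleName": "restricted-ssh", "awsRegion": "us-east-1", "awsAccountId": "111122223333",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

def pattern_matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must exist in the event;
    a list means 'the event value equals one of these'; a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:  # exact-match list of allowed values
            return False
    return True

def build_alert(event):
    """Extract what a security team needs: which rule, which resource, where, and the transition."""
    d = event["detail"]
    old = d.get("oldEvaluationResult", {}).get("complianceType", "NONE")  # absent on first evaluation
    return {
        "rule": d["configRuleName"],
        "resource": f'{d["resourceType"]}/{d["resourceId"]}',
        "account": d["awsAccountId"], "region": d["awsRegion"],
        "transition": f'{old} -> {d["newEvaluationResult"]["complianceType"]}',
    }

def lambda_handler(event, context):
    """EventBridge target; the pattern check is repeated here as defence in depth."""
    if not pattern_matches(PATTERN, event):
        return None
    alert = build_alert(event)
    print(json.dumps(alert))  # stand-in for an SNS publish or ticket creation
    return alert
```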