Auto-Remediation Through Config Rules
Trigger automatic fixes when a resource falls out of compliance.
Beyond Detection
Finding a non-compliant resource is only half the job; auto-remediation also applies the fix. AWS Config can attach a remediation action to a rule so that when a resource becomes NON_COMPLIANT, the fix runs without waiting for a human. This shrinks the time an insecure configuration is exposed.
SSM Automation Documents
Config remediation is powered by AWS Systems Manager (SSM) Automation documents, also called runbooks. AWS provides many predefined documents, such as one to disable public access on an S3 bucket or to encrypt a volume. The document defines the exact steps taken to bring the resource back into compliance.
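The wiring described above, as an added example that is not part of the original lesson: a boto3 sketch that attaches the predefined AWS-DisableS3BucketPublicReadWrite runbook to a Config rule as an automatic remediation. The rule name, account ID, and role ARN are placeholders assumed for illustration.

```python
import re

# Placeholders assumed for this example; substitute your own rule and role.
RULE_NAME = "s3-bucket-public-read-prohibited"
ROLE_ARN = "arn:aws:iam::111122223333:role/ConfigRemediationRole"
SSM_DOCUMENT = "AWS-DisableS3BucketPublicReadWrite"  # AWS-provided runbook

ROLE_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")


def build_remediation(rule_name, role_arn, max_attempts=3, retry_seconds=60):
    """Build one RemediationConfiguration entry for the Config API."""
    if not ROLE_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,
        "ResourceType": "AWS::S3::Bucket",
        "Parameters": {
            # Role that SSM Automation assumes to change the bucket.
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
            # RESOURCE_ID makes Config pass the non-compliant bucket's name.
            "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
        "Automatic": True,  # run on NON_COMPLIANT without a human trigger
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
    }


def apply_remediation(config_client, remediation):
    """Send the configuration and fail loudly if Config rejects it."""
    resp = config_client.put_remediation_configurations(
        RemediationConfigurations=[remediation]
    )
    failed = resp.get("FailedBatches", [])
    if failed:
        raise RuntimeError(f"remediation not attached: {failed}")
    return remediation["ConfigRuleName"]


if __name__ == "__main__":
    import boto3  # imported here so the builder can be checked offline

    name = apply_remediation(
        boto3.client("config"), build_remediation(RULE_NAME, ROLE_ARN)
    )
    print(f"automatic remediation attached to {name}")
```

The role passed as AutomationAssumeRole should allow only the actions the runbook needs on the buckets in scope, since it runs unattended.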