Managed and Custom Config Rules
Evaluate resources against built-in and your own compliance checks.
What a Config Rule Is
A Config rule evaluates whether your resources comply with a desired configuration and reports each as COMPLIANT or NON_COMPLIANT. Recording state is passive; rules add the judgment layer that flags insecure settings automatically, turning Config into a continuous compliance engine.
AWS Managed Rules
Managed rules are prebuilt by AWS for common checks, so you enable them without writing code. Examples include s3-bucket-public-read-prohibited, encrypted-volumes, iam-password-policy, and restricted-ssh. There are hundreds covering best practices, making them the fastest way to establish a compliance baseline.
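To make the judgment layer concrete, here is an added example (not from the original lesson, and not AWS's implementation of any managed rule) of the evaluation logic a custom Lambda-backed rule could run, written in the spirit of restricted-ssh. The configuration item field names follow the format Config records for AWS::EC2::SecurityGroup and are assumed here; `sample_ci` and `sg-EXAMPLE` are constructed for illustration.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" in IPv4 and IPv6

def covers_ssh(perm):
    """True if an ingress permission includes TCP port 22."""
    proto = perm.get("ipProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    # Assumption: a missing port bound is treated as "all ports" (fail closed).
    return lo is None or hi is None or lo <= 22 <= hi

def evaluate(ci):
    """Return the compliance verdict for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"  # nothing left to judge
    for perm in (ci.get("configuration") or {}).get("ipPermissions") or []:
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges") or []}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges") or []}
        if covers_ssh(perm) and cidrs & OPEN_CIDRS:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def lambda_handler(event, context):
    """Entry point when deployed: report the verdict back to Config."""
    import boto3  # imported here so evaluate() can be tested offline
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": ci["resourceType"],
                      "ComplianceResourceId": ci["resourceId"],
                      "ComplianceType": evaluate(ci),
                      "OrderingTimestamp": ci["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])

def sample_ci(cidr, port, status="OK"):
    """Constructed configuration item, trimmed to the fields evaluate() reads."""
    perm = {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipv4Ranges": [{"cidrIp": cidr}], "ipv6Ranges": []}
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-EXAMPLE",
            "configurationItemStatus": status,
            "configuration": {"ipPermissions": [perm]}}

if __name__ == "__main__":
    for cidr, port in [("0.0.0.0/0", 22), ("10.0.0.0/8", 22), ("0.0.0.0/0", 443)]:
        print(cidr, port, evaluate(sample_ci(cidr, port)))
```

Keeping `evaluate` free of AWS calls lets you unit-test the rule against saved configuration items before attaching it to live resources.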