AWS Config Rules and Remediation
Deploy managed and custom Config rules to detect non-compliant resources and use SSM Automation documents for automatic remediation.
What Is AWS Config?
AWS Config is a continuous configuration audit service that records the configuration state of your AWS resources over time and evaluates those configurations against desired rules. Unlike CloudTrail (which records who did what), AWS Config answers "what does this resource look like right now?" and "what did it look like at any point in the past?". It also answers "does this configuration comply with my policy?", which makes it the go-to service for governance and compliance.
Configuration Items and Configuration History
When AWS Config records a resource, it creates a configuration item (CI) — a snapshot of the resource's attributes, relationships, and metadata at a point in time. Every time a resource changes, a new CI is recorded. AWS Config maintains a full configuration history for each resource, allowing you to see how a security group evolved over months and exactly when a rule was added or removed. CIs are delivered to an S3 bucket and optionally to CloudWatch Events.
```bash
# Get the full configuration history for an EC2 security group
aws configservice get-resource-config-history \
  --resource-type AWS::EC2::SecurityGroup \
  --resource-id sg-0abc1234def567890 \
  --limit 10 \
  --query 'configurationItems[].{Time:configurationItemCaptureTime,Status:configurationItemStatus}'
```
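The configuration item is also what a custom Config rule receives. The following Lambda function is an added example (not code from the lesson or from AWS) of a change-triggered custom rule that inspects a security group CI and flags it NON_COMPLIANT when SSH or RDP is reachable from 0.0.0.0/0 or ::/0; the sample CI is constructed and reuses the security group id from the CLI command above, and deleted resources are reported as NOT_APPLICABLE, which a custom rule must do or Config keeps showing stale findings.

```python
import json
from datetime import datetime, timezone

# Constructed sample CI (not from a real account): the lesson's example SG with SSH open to the internet.
SAMPLE_CONFIG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0abc1234def567890",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-15T10:23:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
    ]},
}
RESTRICTED_PORTS = (22, 3389)          # SSH and RDP must never face the internet
ANYWHERE = ("0.0.0.0/0", "::/0")

def permission_covers_port(perm, port):
    if perm.get("ipProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for a security group's `configuration` block."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if any(c in ANYWHERE for c in cidrs):
            exposed.update(p for p in RESTRICTED_PORTS if permission_covers_port(perm, p))
    if exposed:
        return "NON_COMPLIANT", f"ports open to the world: {sorted(exposed)}"
    return "COMPLIANT", "no restricted port is reachable from 0.0.0.0/0 or ::/0"

def build_evaluation(item):
    """Map a configuration item to the Evaluation structure PutEvaluations expects."""
    gone = item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")
    compliance, note = (("NOT_APPLICABLE", "resource deleted or not recorded") if gone
                        else evaluate_security_group(item["configuration"]))
    captured = datetime.strptime(item["configurationItemCaptureTime"],
                                 "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note, "OrderingTimestamp": captured}

def lambda_handler(event, context):
    # Change-triggered custom rule entry point: evaluate the delivered CI, then report it
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    import boto3  # imported here so the evaluation logic above runs offline in tests
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

The Lambda's execution role needs config:PutEvaluations, and the rule must be registered with Config as a custom Lambda rule scoped to AWS::EC2::SecurityGroup for the invoking event to arrive in this shape.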