Conformance Packs and Organisation Trails
Apply Conformance Packs across an AWS Organisation for CIS or PCI-DSS benchmarks, and deploy organisation-level trails for centralised auditing.
What Are Conformance Packs?
AWS Config Conformance Packs are collections of Config rules and remediation actions packaged together as a single deployable unit using a CloudFormation-like YAML template. They represent a set of compliance controls for a specific standard or framework — such as the CIS AWS Foundations Benchmark, PCI-DSS, HIPAA, or NIST 800-53. Instead of deploying dozens of individual Config rules manually, you deploy a conformance pack and get comprehensive coverage in minutes.
Sample Conformance Packs
AWS provides dozens of sample conformance pack templates on GitHub and in the AWS console. Examples include: Operational-Best-Practices-for-CIS-AWS-v1.4-Level1 (foundational security controls), Operational-Best-Practices-for-PCI-DSS (payment card industry controls), and Operational-Best-Practices-for-HIPAA-Security (healthcare data controls). You can use these templates as-is or customise them by adding, removing, or modifying individual rules before deployment.
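A customised template of the kind described above might look like the following. This is an added example, not one of AWS's sample packs or code from this course: the logical IDs, rule names, the selection of managed rules and the MaxAccessKeyAgeDays parameter are choices made for illustration.

```yaml
# Added example: a cut-down, customised conformance pack template.
# Logical IDs, rule names and the parameter name are illustrative choices.
Parameters:
  MaxAccessKeyAgeDays:
    Type: String
    Default: '90'          # rotation window in days; can be overridden at deploy time

Resources:
  RootAccountMfaEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: root-account-mfa-enabled
      Source:
        Owner: AWS         # AWS managed rule, no Lambda function to maintain
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED

  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge:
          Ref: MaxAccessKeyAgeDays   # modified rule: threshold comes from the pack parameter
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED

  # Rules added to the pack so trail coverage and log integrity are evaluated too
  MultiRegionCloudTrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: multi-region-cloudtrail-enabled
      Source:
        Owner: AWS
        SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED

  CloudTrailLogFileValidationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloud-trail-log-file-validation-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
```

The parameter default can be overridden per deployment with the `--conformance-pack-input-parameters` option of `put-conformance-pack`, so one template can serve accounts with different rotation requirements.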
# Deploy a sample CIS conformance pack
aws configservice put-conformance-pack \
  --conformance-pack-name CIS-AWS-Foundations-Level1 \
  --template-s3-uri s3://my-templates-bucket/cis-aws-foundations-level1.yaml \
  --delivery-s3-bucket my-config-conformance-results
# Check deployment status (the state is reported by describe-conformance-pack-status,
# not by describe-conformance-packs)
aws configservice describe-conformance-pack-status \
  --conformance-pack-names CIS-AWS-Foundations-Level1 \
  --query 'ConformancePackStatusDetails[].{Name:ConformancePackName,Status:ConformancePackState}'