AWS Glossary
AWS Config Rules
Automated compliance checking service that evaluates AWS resource configuration against desired standards.
Definition
AWS Config continuously records configuration changes to AWS resources and evaluates them against Config rules, managed or custom checks that mark each resource COMPLIANT or NON_COMPLIANT. Depending on the rule, evaluation is triggered by a configuration change, by a periodic schedule, or both. Conformance packs bundle dozens of rules aligned to CIS, PCI DSS, HIPAA, or NIST. Config tells you what drifted; pair it with CloudTrail to learn who changed it and with Systems Manager Automation or custom remediation for how you fix it.
When to use it
- Continuous compliance monitoring instead of quarterly manual config reviews.
- Detective controls for encryption (S3, EBS, RDS), public exposure (SG rules, S3 ACLs), logging (CloudTrail, VPC Flow Logs), and tagging standards.
- Organization-wide aggregation via AWS Config Aggregator across accounts and regions.
- Conformance pack deployment as a baseline for a new account or landing zone OU.
- Custom rules (Lambda-backed) for org-specific policies — e.g., required cost-center tags or approved instance types.
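The required-tags custom rule above, as an added example (not code from the original page). It is the Lambda evaluator for a change-triggered custom rule: it reads the Config invocation event, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports back with PutEvaluations. The `requiredTags` rule parameter, the in-scope resource types, and the sample event are assumptions; the event layout (`invokingEvent`, `ruleParameters`, `resultToken`) follows Config's documented custom-rule invocation format.

```python
"""Custom AWS Config rule: required tags on EC2 instances and S3 buckets.

Added example, not from the original page. Assumes a change-triggered custom
Lambda rule whose rule parameter "requiredTags" is a comma-separated list
(e.g. "cost-center,owner"). Deleted and out-of-scope resources are reported
NOT_APPLICABLE so they never flap to NON_COMPLIANT.
"""
import json

# Assumed scope for this rule; anything else is NOT_APPLICABLE.
IN_SCOPE = {"AWS::EC2::Instance", "AWS::S3::Bucket"}


def parse_required_tags(rule_parameters_json, default="cost-center"):
    """Parse the rule's 'requiredTags' parameter; fall back to a single tag."""
    params = json.loads(rule_parameters_json or "{}")
    raw = params.get("requiredTags", default)
    return [t.strip() for t in raw.split(",") if t.strip()]


def evaluate_item(item, required):
    """Pure compliance decision for one configuration item.

    Returns (compliance_type, annotation) so it can be unit-tested without AWS.
    """
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted or not recorded"
    if item.get("resourceType") not in IN_SCOPE:
        return "NOT_APPLICABLE", f"{item.get('resourceType')} is out of scope"
    tags = item.get("tags") or {}
    missing = [t for t in required if not (tags.get(t) or "").strip()]
    if missing:
        return "NON_COMPLIANT", "Missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def build_evaluations(event):
    """Turn a Config invocation event into the Evaluations list for PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") == "OversizedConfigurationItemChangeNotification":
        # The item was too large to inline; the full CI must be fetched with
        # config.get_resource_config_history. Not handled in this example.
        raise NotImplementedError("oversized CI: fetch via get_resource_config_history")
    item = invoking["configurationItem"]
    required = parse_required_tags(event.get("ruleParameters"))
    compliance, annotation = evaluate_item(item, required)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. config_client is injectable so tests can run offline."""
    evaluations = build_evaluations(event)
    if config_client is None:
        import boto3  # imported lazily so the pure logic loads without AWS credentials
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample event (not a captured Config invocation) for a stand-alone run.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"owner": "platform-team"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTags": "cost-center,owner"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

The decision logic is kept in `evaluate_item` with no AWS calls, which is what makes the evaluator fast and idempotent: the same configuration item always yields the same verdict, and a retried invocation simply reports the same result again under the same `ResultToken`.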
When not to use it
- Real-time blocking of API calls — Config detects after the fact; use IAM policies, service control policies (SCPs), permission boundaries, or resource policies for preventive denial.
- Automatic remediation without testing — a remediation action that opens a security group or deletes a resource can cause outages.
- Every possible rule on day one — hundreds of NON_COMPLIANT resources with no owner creates alert fatigue and ignored dashboards.
Tips
- Start with 10–15 high-impact managed rules (encryption, public access, CloudTrail enabled) before expanding.
- Route NON_COMPLIANT notifications through EventBridge → SNS/Slack/Jira with severity tiers — not every drift is P1.
- Use Config Aggregator in the security/compliance account for a single pane across the org.
- Document exceptions and narrow the rule's scope (resource type, resource ID, or tag key/value) instead of disabling it — blanket disables defeat the purpose.
- Combine Config findings with Security Hub for a unified compliance scorecard alongside GuardDuty and Inspector.
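The EventBridge → SNS/Slack/Jira tiering from the tips above, as an added example (not code from the original page). It pairs the EventBridge pattern that matches only transitions into NON_COMPLIANT with a router that assigns a severity tier and drops events that should not page (recoveries, re-evaluations that stay NON_COMPLIANT). The event shape is EventBridge's "Config Rules Compliance Change" event from source aws.config; the rule-name keywords, tiers, and target ARNs are assumptions standing in for an organisation's own conventions.

```python
"""Tier NON_COMPLIANT Config findings before they reach SNS/Slack/Jira.

Added example, not from the original page. Event shape: EventBridge
"Config Rules Compliance Change" (source aws.config). The keyword-to-tier
mapping and the target ARNs are assumed placeholders.
"""
import re

# EventBridge rule pattern: only fire on transitions INTO NON_COMPLIANT.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Assumed convention: rule names contain the managed-rule identifier.
# Ordered most to least severe; first match wins; unmatched rules are P3.
TIERS = [
    ("P1", re.compile(r"PUBLIC|RESTRICTED[-_]INCOMING|CLOUDTRAIL[-_]ENABLED|ROOT[-_]ACCOUNT", re.I)),
    ("P2", re.compile(r"ENCRYPT|FLOW[-_]LOGS?|LOGGING|MFA", re.I)),
]
DEFAULT_TIER = "P3"

# Assumed destinations per tier (placeholder ARNs, not real topics).
TARGETS = {
    "P1": "arn:aws:sns:us-east-1:123456789012:config-p1-pager",
    "P2": "arn:aws:sns:us-east-1:123456789012:config-p2-slack",
    "P3": "arn:aws:sns:us-east-1:123456789012:config-p3-jira",
}


def tier_for_rule(rule_name):
    """Map a Config rule name to a severity tier by keyword."""
    for tier, pattern in TIERS:
        if pattern.search(rule_name):
            return tier
    return DEFAULT_TIER


def route(event):
    """Return a routing decision for one EventBridge event, or None to drop it.

    Drops anything that is not a change into NON_COMPLIANT (recoveries,
    re-evaluations already NON_COMPLIANT, NOT_APPLICABLE) so each drift
    notifies once. oldEvaluationResult is absent on a resource's first evaluation.
    """
    if event.get("source") != "aws.config" or event.get("detail-type") != "Config Rules Compliance Change":
        return None
    d = event["detail"]
    new = d.get("newEvaluationResult", {}).get("complianceType")
    old = d.get("oldEvaluationResult", {}).get("complianceType")
    if new != "NON_COMPLIANT" or old == "NON_COMPLIANT":
        return None
    tier = tier_for_rule(d["configRuleName"])
    return {
        "severity": tier,
        "target": TARGETS[tier],
        "title": f"[{tier}] {d['configRuleName']} NON_COMPLIANT: {d['resourceType']} {d['resourceId']}",
        "account": d["awsAccountId"],
        "region": d["awsRegion"],
        "annotation": d["newEvaluationResult"].get("annotation", ""),
    }


# Constructed sample event (not a captured one) for a stand-alone run.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "resourceId": "example-bucket",
        "resourceType": "AWS::S3::Bucket",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT", "annotation": "Bucket allows public read"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(route(SAMPLE_EVENT))
```

Deploy `EVENT_PATTERN` on an EventBridge rule whose target is a Lambda running `route`, then publish the decision to the tier's SNS topic; the pattern does the cheap filtering at the bus and the router handles the part a pattern cannot express, the old-to-new transition and the severity mapping.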
Gotchas
Serious
- Auto-remediation in production without a dry run — Config can modify live resources; test in a sandbox account first.
- Config not enabled in all regions — the recorder is per region, so resources in opt-in regions you forgot about stay invisible to rules; record global resource types (IAM) in exactly one region to avoid both gaps and duplicate findings.
- Assuming COMPLIANT means secure — rules check configuration snapshots, not runtime behavior or application vulnerabilities.
Regular
- Custom rule Lambda timeouts — an evaluator that times out never calls PutEvaluations, so the resource keeps a stale compliance state or flaps between evaluations; keep evaluators fast and idempotent.
- Ignoring periodic trigger delays — some drift is caught only on the periodic schedule, not instantly on change.
- Duplicate rules across accounts without aggregator — each account team sees a slice, not the org picture.
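A coverage check for the "Config not enabled in all regions" gotcha, as an added example (not code from the original page). It walks every region the account can use, classifies each as recording, stopped, failing, or missing a recorder, and reports which regions record global resource types. The boto3 calls used (`ec2.describe_regions`, `config.describe_configuration_recorders`, `config.describe_configuration_recorder_status`) are documented APIs; the `client_factory` injection point and the fake clients are assumptions that let the logic run offline.

```python
"""Find regions where AWS Config is not recording, plus the global-resource check.

Added example, not from the original page. client_factory(service, region)
returns a boto3-like client; the fakes below are constructed data, not real
AWS output.
"""

GAP_STATES = ("no-recorder", "recorder-stopped", "recorder-failing")


def audit_config_coverage(client_factory):
    """Return {'regions': {region: state}, 'global_resource_regions': [...]}.

    States: recording, recorder-stopped, recorder-failing, no-recorder,
    not-opted-in. A disabled (not-opted-in) region cannot hold resources,
    so it is reported but is not a gap.
    """
    ec2 = client_factory("ec2", "us-east-1")
    regions = ec2.describe_regions(AllRegions=True)["Regions"]
    report, global_regions = {}, []
    for r in regions:
        name = r["RegionName"]
        if r["OptInStatus"] == "not-opted-in":
            report[name] = "not-opted-in"
            continue
        cfg = client_factory("config", name)
        recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
        if not recorders:
            report[name] = "no-recorder"
            continue
        # An account has at most one recorder per region.
        if recorders[0].get("recordingGroup", {}).get("includeGlobalResourceTypes"):
            global_regions.append(name)
        statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        st = statuses[0] if statuses else {}
        if not st.get("recording"):
            report[name] = "recorder-stopped"
        elif st.get("lastStatus") == "Failure":
            report[name] = "recorder-failing"
        else:
            report[name] = "recording"
    return {"regions": report, "global_resource_regions": sorted(global_regions)}


def coverage_gaps(audit):
    """Regions that can hold resources but are invisible to Config rules."""
    return sorted(n for n, s in audit["regions"].items() if s in GAP_STATES)


def global_recording_ok(audit):
    """Global types (IAM) should be recorded in exactly one region: zero means
    IAM rules have nothing to evaluate, more than one means duplicate findings."""
    return len(audit["global_resource_regions"]) == 1


# Constructed fakes standing in for boto3 clients (not real AWS data).
class _FakeEC2:
    def describe_regions(self, AllRegions=False):
        return {"Regions": [
            {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
            {"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
            {"RegionName": "af-south-1", "OptInStatus": "opted-in"},   # opted in, then forgotten
            {"RegionName": "me-south-1", "OptInStatus": "not-opted-in"},
        ]}


class _FakeConfig:
    def __init__(self, region):
        self.region = region

    def describe_configuration_recorders(self):
        if self.region == "af-south-1":
            return {"ConfigurationRecorders": []}  # nobody set up Config here
        return {"ConfigurationRecorders": [{
            "name": "default",
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": self.region == "us-east-1"},
        }]}

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": [{
            "name": "default", "recording": self.region != "eu-west-1", "lastStatus": "Success",
        }]}


def fake_client_factory(service, region):
    return _FakeEC2() if service == "ec2" else _FakeConfig(region)


def boto3_client_factory(service, region):
    import boto3  # imported here so the module loads without AWS credentials
    return boto3.client(service, region_name=region)


if __name__ == "__main__":
    result = audit_config_coverage(fake_client_factory)  # use boto3_client_factory for a real account
    print(result["regions"])
    print("gaps:", coverage_gaps(result), "| global resources recorded once:", global_recording_ok(result))
```

Run it with `boto3_client_factory` from the security account's credentials (or per account via assumed roles) and treat any region in `coverage_gaps` as a finding in its own right; a conformance pack deployed to a region with no recorder reports nothing, which looks like a clean bill of health.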
Related FactualMinds content
Related Services
Cloud Compliance Services — HIPAA, SOC 2, PCI DSS on AWS
Cloud compliance services — HIPAA, SOC 2, PCI DSS, ISO 27001, GDPR. Expert consulting from FactualMinds.
AWS Security Consulting
AWS security consulting from an AWS Select Tier Partner. 2-week assessment, 4–6 week remediation, zero disruption. IAM hardening, public exposure, compliance gaps, and continuous monitoring.
Related Articles
How to Set Up AWS Security Hub for Compliance Monitoring
AWS Security Hub aggregates security findings from 200+ sources (GuardDuty, Config, IAM Access Analyzer, Inspector). This guide covers setup, compliance standards (PCI-DSS, CIS, NIST), automated remediation, and building a compliance dashboard without hiring a SOC team.
Continuous Compliance Automation on AWS (2026): Config Conformance Packs, SSM Auto-Remediation, and Audit Manager — Past Security Hub
Security Hub detects control failures. It is not the compliance pipeline — and treating it as one is why teams still scramble for evidence at audit time. The four jobs are distinct: AWS Config detects drift, conformance packs deploy rules org-wide as immutable bundles, SSM Automation remediates the safe class, and evidence accrues via conformance-pack exports plus Security Hub control status (Audit Manager only if you onboarded before it closed to new customers on 30 April 2026). Here is the tool-per-job matrix, a conformance pack with auto-remediation, and the auto-remediation gotcha to design around.