What Is AWS Config? Security Definition
On This Page
What do you want to do?
Quick Definition
AWS Config records every change made to your AWS resources, like when someone creates a new server or changes a security setting. It keeps a history of these changes and checks if your setup follows your rules. This helps you see what has changed, who changed it, and whether your environment is still secure and compliant.
Common Commands & Configuration
aws configservice put-config-rule --config-rule file://s3-bucket-rule.jsonCreates or updates an AWS Config rule from a JSON file; used to enforce compliance checks like requiring S3 bucket encryption.
Appears in exams testing your ability to automate compliance rules; the JSON structure often includes SourceIdentifier, Scope, and Compliance properties.
aws configservice describe-config-rules --rule-ids config-rule-abc123Returns details of a specific Config rule by rule ID; useful for auditing rule definitions and parameters.
Exam questions may ask which CLI command retrieves rule metadata; this tests knowledge of Config rule management.
aws configservice get-compliance-details-by-config-rule --config-rule-name s3-bucket-public-read-prohibitedRetrieves compliance details for a specific rule, including which resources are compliant or non-compliant.
Commonly tested in scenarios where you need to report non-compliant resources; links to remediation actions.
aws configservice start-config-recorder --config-recorder-name defaultStarts recording configuration changes for supported AWS resources; must be enabled before Config can track changes.
Exams often check if you know that Config recording must be started explicitly; also tests recording status (active vs. stopped).
aws configservice put-evaluations --evaluations file://evaluation-results.json --result-token 12345 --config-rule-name my-ruleCustom evaluation result submission for custom Lambda-backed Config rules; used to report compliance from custom logic.
Appears in developer associate exams testing integration of Lambda with Config; the result token is critical for matching evaluations.
aws configservice describe-compliance-by-resource --resource-type AWS::S3::Bucket --resource-id my-bucketReturns compliance status of a specific resource across all Config rules; useful for pinpointing non-compliance.
Often used in sysops scenarios to quickly check a resource's compliance posture; tests understanding of resource-level queries.
aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id i-0abcd1234efgh5678Lists configuration timeline changes for a specific EC2 instance; helps trace changes that caused compliance drift.
Exams may ask which command retrieves historical configuration items; tests the concept of configuration timeline and change tracking.
AWS Config appears directly in 80exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →
Must Know for Exams
AWS Config appears in multiple certification exams, often as a foundational concept in governance and compliance. For the AWS Certified Cloud Practitioner (CLF-C02) exam, you need to understand AWS Config as a service that records configuration changes and evaluates resources against rules. You will not need to know deep implementation details, but you must know its purpose: auditing, compliance, and change tracking. The exam may present a scenario where a company needs to track resource changes for compliance, and you should recognize AWS Config as the appropriate service. Similarly, for the AWS Certified Solutions Architect – Associate (SAA-C03) exam, AWS Config is a key component of the pillar of security in the Well-Architected Framework. You will need to know how to use config rules to enforce security best practices, how to aggregate data from multiple accounts, and how to integrate it with AWS CloudTrail for identity information. The SAA exam may have a scenario question where you need to choose between AWS Config, AWS CloudTrail, and AWS CloudWatch for a specific compliance requirement. Knowing that AWS Config records configuration state changes, while CloudTrail records API calls, is vital.
For the AWS Certified Developer – Associate (DVA-C02) exam, the focus is less on broad compliance and more on how AWS Config can be used in development pipelines. For example, you might need to create a custom config rule using a Lambda function to ensure that all S3 buckets have versioning enabled. The SysOps Administrator – Associate (SOA-C02) exam dives deeper into operations: you will need to configure AWS Config, set up delivery channels to S3 and SNS, create custom rules, and automate remediation with Systems Manager. This is the exam where you are most likely to see detailed troubleshooting questions about why a config rule evaluation failed or how to aggregate data.
Beyond AWS, this topic is relevant in multi-cloud contexts. For the Azure exams (AZ-104 and Azure Fundamentals), the equivalent service is Azure Policy, which also evaluates resource compliance. The Google Cloud exams (Google ACE and Cloud Digital Leader) have a similar concept called Google Cloud Asset Inventory and Policy Intelligence. While the exam objectives are different, understanding AWS Config gives you a mental model for cloud governance that applies to all providers. In questions, you will see patterns like "A company needs to ensure that all EBS volumes are encrypted. Which service should they use?" The answer is AWS Config with a managed rule. Or, "A security team needs a report of all IAM policy changes in the last month." Again, AWS Config is the right answer. You will also see comparison questions: "CloudTrail vs. Config vs. CloudWatch." Practicing how to differentiate these services is critical for exam success.
Simple Meaning
Think of AWS Config as a security camera and a rulebook combined for your cloud environment. Imagine you are the manager of a large warehouse where workers can rearrange shelves, add new boxes, or change the locks on doors. Without any oversight, chaos could happen: someone might leave a door unlocked, put a heavy box on a weak shelf, or bring in unapproved items. AWS Config works like a system that notes down every single action taken in the warehouse, like "at 10:32 AM, Employee A opened the north door" or "at 2:15 PM, Employee B added a new shelf in aisle 3."
Now, imagine you also have a rulebook that says: "All doors must stay locked after 6 PM" and "Shelves cannot hold more than 500 pounds." AWS Config reads that rulebook and checks every action against it. If at 7 PM a door is left unlocked, the service flags that as a problem and sends you an alert. It does not lock the door for you, but it tells you exactly which rule was broken and what the current state of the door is. Over time, it builds a timeline of every change so you can go back and see exactly how your warehouse looked on any given day.
In the real world of IT, your "warehouse" is your AWS account, and the "shelves and doors" are resources like virtual servers (EC2 instances), databases (RDS), or storage buckets (S3). When someone in your team modifies a security group to allow all traffic from the internet, AWS Config logs that change. If you have a rule that says "no security group should allow unrestricted access (0.0.0.0/0)," the service will show that your current setup is non-compliant. You can then take corrective action, for example, by reverting the change or updating the rule. The beauty of AWS Config is that it does this continuously and automatically, without you having to manually check everything.
The service also helps with audits. Auditors often ask, "Who changed what, and when?" With AWS Config, you can show a complete configuration history and compliance dashboard. It integrates with AWS CloudTrail to tell you not just what changed, but who made the change. In this way, AWS Config is an essential tool for security, compliance, and operational troubleshooting. It does not stop mistakes from happening, but it makes sure you never miss them and can always fix them quickly.
Full Technical Definition
AWS Config is a fully managed service provided by Amazon Web Services that enables you to assess, audit, and evaluate the configurations of your AWS resources. At its core, the service works by continuously recording resource configuration changes, evaluating those configurations against desired policies, and providing a detailed timeline of configuration history. It operates by integrating with the AWS resource model, using AWS CloudTrail for API call history and AWS Resource Groups Tagging to understand resource hierarchies.
Under the hood, AWS Config works through a series of key components: configuration recorder, configuration items, configuration snapshots, configuration streams, and config rules. The configuration recorder is the engine that discovers and tracks all supported AWS resources in your account. Whenever a resource is created, modified, or deleted, AWS Config generates a configuration item (CI). Each CI is a JSON file that contains the resource's current properties, its relationships to other resources, and metadata like timestamps. These CIs are stored in an Amazon Simple Storage Service (S3) bucket that you specify, and they can also be streamed to Amazon Simple Notification Service (SNS) for real-time notifications.
AWS Config supports over 300 resource types, including EC2 instances, security groups, S3 buckets, Lambda functions, and VPCs. The service uses a concept called "configuration items" to represent the state of a resource at a point in time. For example, when an EC2 instance is launched, AWS Config records a CI with details like instance type, AMI ID, associated security groups, subnet, and tags. If the instance is later stopped or its security group is modified, another CI is generated. This creates a complete audit trail. AWS Config can deliver configuration snapshots to your S3 bucket on a schedule you define, providing a point-in-time backup of all resource configurations.
The compliance evaluation aspect of AWS Config is driven by config rules. A config rule is essentially a desired configuration policy. You can use AWS managed config rules, which are pre-defined rules for common compliance checks (e.g., "s3-bucket-public-read-prohibited" or "ec2-volume-inuse-check"), or you can create custom config rules using AWS Lambda functions. Custom rules allow you to write any logic you need. For example, you might write a custom rule that checks whether all EC2 instances have a specific tag, like "Environment=Production". When a resource configuration changes, AWS Config automatically evaluates it against all applicable rules and updates the compliance status to "Compliant", "Non-compliant", or "Not applicable". You can view these results in the AWS Config console, receive SNS notifications, or query them via the AWS Config API.
AWS Config also provides advanced features like multi-account multi-region data aggregation through the AWS Config Aggregator. This is critical for enterprises managing hundreds of accounts. The aggregator collects configuration and compliance data from multiple accounts and regions into a single dashboard, allowing for centralized governance. The service integrates with AWS Organizations, so you can automatically enable AWS Config across all accounts in your organization. AWS Config can be used with AWS CloudFormation StackSets to enforce consistent configurations across environments.
From a security perspective, AWS Config is important for meeting compliance standards like PCI DSS, HIPAA, SOC, and GDPR. It provides a detailed, immutable record of configuration changes, which is often a direct audit requirement. The service does not make changes to resources itself; it is a read-only evaluation and recording tool. This is a critical distinction from services like AWS Config Rules Remediation (part of AWS Config), which can trigger automatic remediation actions through AWS Systems Manager Automation documents. For instance, if a rule detects an S3 bucket that is publicly accessible, it can automatically apply a bucket policy to block public access. This remediation feature is optional and must be explicitly configured.
In terms of implementation, you enable AWS Config per region per account. You choose which resource types to record, the S3 bucket for storing configuration items and snapshots, and whether to stream notifications to SNS. There is no upfront cost; you pay for the number of configuration items recorded and the number of config rule evaluations performed. AWS Config does not monitor data inside resources (like files on an EC2 instance); it only monitors the configuration of the resource itself (like the instance type, security groups, and tags). For data-level monitoring, you would combine it with services like Amazon GuardDuty or AWS CloudTrail.
Real-Life Example
Imagine you are the superintendent of a large apartment building with 200 units. Each unit has a lock, a thermostat, a smoke detector, and a mail slot. There are also common areas like the lobby, the gym, and the laundry room. You cannot personally check every door and every device every day. Instead, you hire a digital assistant that watches everything. Every time a tenant changes the lock on their door, the assistant notes the exact time, which tenant did it, and what the new lock model is. If a tenant sets the thermostat to 90 degrees in winter, the assistant records that too. You also give the assistant a rulebook: "Smoke detectors must be tested every six months" and "Locks must be from an approved brand." The assistant constantly checks the actual state of every unit against these rules, and if something is wrong, it sends you an alert. For example, if someone installs a lock that is not on the approved list, the assistant flags it as non-compliant.
This is exactly how AWS Config works for your cloud resources. Each AWS resource, like an EC2 instance or an S3 bucket, is like an apartment unit with specific settings. AWS Config records every change to those settings. The rulebook you provide is the set of config rules that define a secure and compliant configuration. AWS Config continuously compares the current state of your resources against those rules and tells you when something is off. It does not evict the problematic lock, but it gives you all the information you need to handle the situation. In the apartment building analogy, the assistant gives you a report that says "Unit 204 has a non-approved lock installed on March 15th by Tenant Smith." In AWS, you get a similar report: "Security group sg-12345 was modified to allow all inbound traffic on port 22, making the resource non-compliant with the restricted-ssh rule."
imagine that a fire inspector arrives and asks for a record of all smoke detector tests for the past year. Without the assistant, you would have to dig through paper logs or hope tenants remembered. With the assistant, you simply pull a snapshot of all smoke detector test records for the past 12 months and hand it to the inspector. AWS Config provides these snapshots on demand or on a schedule. So when an auditor asks for proof that your S3 buckets were not publicly accessible on a specific date last quarter, you can provide a configuration snapshot from that exact date showing the state of every bucket. This is a huge time saver and gives auditors confidence in your security posture. The assistant also sends alerts when something changes, like if a tenant swaps their smoke detector for a decorative fake one. In AWS, if someone makes an IAM policy that gives full admin access to all users, a config rule can flag it immediately and alert the security team via SNS. The real-life parallel is clear: AWS Config is the diligent, never-sleeping assistant that keeps your cloud apartment building safe, documented, and compliant.
Why This Term Matters
In any IT environment, change is constant. Developers deploy new resources, administrators tweak security groups, and automated scripts modify configurations. Without a system to track these changes, your environment can drift away from your security and compliance baselines without anyone noticing. AWS Config matters because it gives you visibility and control over that drift. It eliminates the guesswork and manual audits. Instead of asking "did anyone change the VPC flow log settings?" you can look at the AWS Config timeline and see exactly what changed, when, and by whom. This is critical for incident response, because when a security incident happens, you need to know what changed in the minutes or hours before the incident.
From a compliance perspective, standards like PCI DSS, HIPAA, and SOC 2 require organizations to maintain a secure configuration baseline and to monitor for violations. AWS Config provides a built-in way to satisfy these requirements without building your own monitoring system. It offers pre-built managed config rules that map directly to common compliance best practices. For instance, the rule "ec2-instances-in-vpc" helps ensure that no EC2 instances are launched outside a VPC, which is a common security requirement. This makes audits smoother and reduces the risk of non-compliance penalties.
Operationally, AWS Config helps with troubleshooting. If a load balancer suddenly stops working, you can check the configuration history to see if a security group or listener rule was changed. If a database becomes unreachable, you can look at the config timeline to see if the subnet or network ACL was modified. This aligns with the DevOps principle of "everything as code" and immutable infrastructure. AWS Config also integrates with AWS CloudFormation, so if someone manually changes a resource that was created by CloudFormation, the service can detect that drift and alert you. This is a powerful way to maintain the principle that all changes should go through infrastructure-as-code pipelines. In short, AWS Config is not an optional extra; for any organization running production workloads in AWS, it is an essential tool for security, compliance, and operational health.
How It Appears in Exam Questions
Exam questions about AWS Config usually follow four main patterns: scenario based, configuration based, troubleshooting based, and comparison based. In scenario-based questions, you are given a business requirement and asked which AWS service can meet it. For example: "A company wants to ensure that all S3 buckets are configured with versioning enabled and that any bucket without versioning is identified and reported to the security team." The correct answer is to use AWS Config with a managed rule (s3-bucket-versioning-enabled). The distractors might include AWS CloudTrail (which tracks API calls, not configuration state) or AWS CloudWatch (which tracks metrics and logs). You must understand that AWS Config is the only service that evaluates resource configuration against rules.
In configuration-based questions, you are given a specific setup and asked what the outcome will be. For instance, "A developer creates a custom AWS Config rule using a Lambda function. The rule checks if EC2 instances have the tag 'CostCenter'. A new instance is launched without the tag. What is the compliance status reported by AWS Config?" The answer is "Non-compliant." This type of question tests your understanding of how config rules work and that custom rules evaluate after a configuration change. Another common question: "Which resource type does AWS Config NOT support?" The answer will be something like 'a specific deprecated resource type' or 'contents of an S3 object', because AWS Config only monitors resource metadata, not data.
Troubleshooting-based questions are more common in the SysOps exam. For example: "A company has enabled AWS Config in the us-east-1 region, but they cannot see any configuration items for resources in us-west-2. What is the likely cause?" The answer is that AWS Config is region-specific; you must enable it separately in each region. Another example: "An administrator sets up a custom config rule but the evaluation status shows 'Insufficient data'. What might be the reason?" The correct answer could be that the resource type has not been recorded yet or that the rule evaluation period has not elapsed. You also might see questions about the delivery channel: "Config items are not being delivered to S3. What should you check?" The answer might involve the S3 bucket policy permissions or the SNS topic subscription.
Comparison questions are a staple of the Cloud Practitioner exam. They might ask: "Which service is best for monitoring changes to the configuration of an EC2 instance over time?" AWS Config is the answer. Another comparison: "A company wants to know who deleted an S3 bucket. Which service provides this information?" AWS CloudTrail is the answer for identity, but AWS Config would show the bucket's deletion in its configuration history. Understanding the subtle differences is key. A pro tip: always read the question for the key phrase "configuration changes" or "compliance rules." If you see that, AWS Config is almost certainly the correct service.
Practise AWS Config Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a cloud administrator for a company that runs a web application on AWS. The compliance team has mandated that every EC2 instance must have the tag "Environment" with a value of either "Production", "Staging", or "Development". No security group attached to an instance in the production environment should allow SSH access (port 22) from the entire internet (0.0.0.0/0). To enforce this, you decide to use AWS Config. First, you enable AWS Config in your region and set up an S3 bucket to store the configuration history. You then enable AWS managed config rules: ec2-required-tags and restricted-ssh. The ec2-required-tags rule checks for the presence of the 'Environment' tag, and the restricted-ssh rule flags any security group that allows inbound SSH from anywhere.
After a week, a developer named Maria launches a new EC2 instance for a rapid prototype. She forgets to add the 'Environment' tag, and to make testing easier, she opens SSH to the world on port 22. Within minutes, AWS Config detects the new instance, evaluates it against the rules, and marks it as non-compliant for both rules. You receive an email notification via SNS. You log into the AWS Config console and see the detail: the instance i-0a1b2c3d is non-compliant because of missing tag and unrestricted SSH. You check the configuration timeline and see that the instance was launched by Maria and her IAM user. You contact Maria, explain the policy, and she adds the tag and limits SSH access to the company's VPN IP range. AWS Config then re-evaluates the instance and marks it as compliant. Later, during a quarterly audit, the compliance team asks for proof that all production instances have correct tags and restricted SSH. You generate a configuration snapshot from the AWS Config dashboard and export a compliance report showing that all resources were compliant on the date queried, except for one instance that was quickly fixed. The auditor is satisfied. This scenario shows exactly how AWS Config provides continuous monitoring, rapid detection, and easy evidence for compliance.
Common Mistakes
Confusing AWS Config with AWS CloudTrail
AWS CloudTrail records API calls and who made them, while AWS Config records the state of resource configurations at a point in time. They are complementary, not interchangeable. CloudTrail answers 'who did what', Config answers 'what is the state of my resources'.
If the question asks about monitoring configuration changes over time or evaluating compliance rules, choose AWS Config. If it asks about tracking user activity or API calls, choose CloudTrail.
Thinking AWS Config automatically fixes non-compliant resources
By default, AWS Config only evaluates and reports compliance. It does not take any action to fix the resource. Automatic remediation is an optional feature that must be explicitly configured using AWS Systems Manager Automation.
When asked about automated remediation, remember that AWS Config needs to be paired with a remediation action (like using Systems Manager Automation documents or Lambda). The service itself is read-only.
Assuming AWS Config works across all regions by default
AWS Config operates on a per-region basis. You must enable it separately in each region where you want to track resources. To see a global view, you must use the AWS Config Aggregator.
If the question mentions resources in multiple regions, remember that you need to enable AWS Config in each region, or use the aggregator to consolidate data from multiple regions into a single dashboard.
Thinking all resource types are supported
While AWS Config supports over 300 resource types, not all AWS services and resources are supported. For example, certain newer services or specific resource subtypes may not be recorded until AWS adds support.
Always check the AWS Config documentation for the list of supported resource types. In exams, they may test unsupported resources like AWS WAF WebACLs in earlier versions or specific Lambda layers.
Believing AWS Config monitors data inside resources
AWS Config only monitors the configuration metadata of resources, such as instance type, security group rules, or bucket policies. It does not monitor the actual data stored in S3 buckets, files on EC2 instances, or database records.
For data-level monitoring, use services like Amazon GuardDuty, Amazon Inspector, or AWS Macie. AWS Config is for configuration compliance, not data content scanning.
Misunderstanding the evaluation frequency of config rules
Some learners think that config rules are evaluated continuously or at fixed intervals. Actually, config rules are evaluated on a trigger basis: when a resource configuration changes, and periodically every few hours for all resources to pick up any drift.
In questions about timing, remember that evaluations happen after a configuration change (triggered) and also on a periodic basis (typically every 24 hours for managed rules).
Thinking AWS Config is only for security and compliance
While security is a major use case, AWS Config is also valuable for operational troubleshooting, change management, cost optimization (tag compliance), and automation. It provides a full configuration history used for any kind of audit or debugging.
Consider AWS Config for any scenario where you need a historical record of what a resource looked like at a specific time, even if it's not a security issue.
Exam Trap — Don't Get Fooled
{"trap":"The exam might present a scenario where a company needs to 'monitor API calls for a specific S3 bucket' and suggest AWS Config as an incorrect answer. Learners often choose AWS Config because they think it monitors everything, but the correct service for monitoring API calls is CloudTrail. Another trap: 'A company wants to be alerted when an EC2 instance is launched with a public IP address.'
The correct answer might be to use AWS Config with a rule, but the trap is that CloudWatch Events (now Amazon EventBridge) can also detect instance launches. The key differentiator is that AWS Config evaluates the configuration state (e.g.
, 'does this instance have a public IP?'), while EventBridge just triggers on the event of launch. The question will hint at 'compliance evaluation' or 'configuration check' to lead you to Config."
,"why_learners_choose_it":"Learners often confuse AWS Config with CloudTrail because both deal with change tracking. They also underestimate the specificity of AWS Config, thinking it is a general-purpose monitoring service. The exam trap exploits this by using vague wording like 'track changes' without specifying whether they want API call logs or configuration state."
,"how_to_avoid_it":"Always look for keywords in the question. If the question says 'evaluate the configuration against rules' or 'ensure compliance', pick AWS Config. If it says 'who made the change' or 'capture API calls', pick CloudTrail.
If it says 'metric or log analysis', pick CloudWatch. Practice with sample questions to build pattern recognition. Remember the three-way split: CloudTrail (who/when), Config (what state), CloudWatch (performance/logs)."
Commonly Confused With
AWS CloudTrail records API calls made to AWS services, showing who made the call, when, and from what IP address. AWS Config records the resulting state of a resource after an API call or change. For example, CloudTrail tells you that user John called the 'RunInstances' API, but Config tells you that after that call, an EC2 instance of type t3.medium with the tag 'dev' now exists.
To find out who deleted an S3 bucket, use CloudTrail. To check if a bucket currently has public access blocked, use AWS Config.
AWS CloudWatch monitors performance metrics (like CPU utilization, request latency) and collects log files. AWS Config monitors configuration state (like what ports are open, what tags are applied). CloudWatch is for operational health, while Config is for configuration compliance. An example: CloudWatch would alert you if an EC2 instance CPU goes above 90%, and Config would alert you if the same instance's security group changes to allow SSH from anywhere.
Use CloudWatch to monitor if a server is overloaded. Use AWS Config to check if the server's security settings are compliant with your policies.
AWS Systems Manager State Manager is an agent-based service that enforces a desired configuration on managed instances (like installing patches or setting registry values). AWS Config is agentless and only evaluates and reports on the configuration of resources; it does not enforce changes (unless you set up remediation). State Manager is about making changes to keep instances in a desired state, while Config is about checking whether the state is compliant.
Use State Manager to automatically install the latest Windows patches on all EC2 instances. Use AWS Config to verify that no instance has an outdated OS version and report any non-compliance.
This is not a separate service but a feature of AWS Config. Some confuse the core AWS Config (which only reports) with the remediation feature (which can automatically fix non-compliance). The core service only evaluates; remediation is an optional add-on using SSM Automation documents.
If you only want to see which S3 buckets are public, use AWS Config without remediation. If you want AWS Config to automatically block public access when it finds a public bucket, you must enable the remediation feature.
Azure Policy is a similar service in Azure that evaluates resources against policies and can enforce compliance. Unlike AWS Config, Azure Policy has a built-in ability to 'deny' or 'modify' resources directly at the time of creation, whereas AWS Config is primarily reactive (evaluates after creation). Azure Policy is more prescriptive in its enforcement capabilities by default.
In Azure, you can create a policy that denies creation of an S3 bucket (blob storage) without encryption. In AWS, a Config rule can only report on non-compliance and optionally trigger a remediation script.
Step-by-Step Breakdown
Enable AWS Config in your account and region
You go to the AWS Config console and click 'Get started'. You select the resource types you want to record (all resources or a specific list). You also specify an S3 bucket for storing configuration items and snapshots, and an SNS topic if you want notifications. This step turns on the configuration recorder, which is the engine that starts tracking changes.
Configuration recorder discovers current resources
Once enabled, the configuration recorder immediately scans your account in that region and generates a configuration item (CI) for each supported resource it finds. This gives you a baseline snapshot of your current resource state. If a resource already exists, its first CI captures its current state at the time of enabling AWS Config.
Resource change triggers a new configuration item
When any action changes a resource (e.g., launching an EC2 instance, modifying a security group, deleting an S3 bucket), AWS Config automatically detects the change and creates a new CI. Each CI is a JSON document that includes the resource ID, its properties, its relationships, and a timestamp. This creates a versioned timeline of the resource.
Delivery of configuration items to S3 and SNS
Each CI is delivered to the S3 bucket you specified, organized by account, region, and resource type. If you set up SNS, a notification is sent with details about the change. This allows you to have a durable archive of every state change and to trigger downstream processes, such as sending a Slack alert or initiating a compliance check.
Evaluation by AWS Config rules
Whenever a CI is generated (or according to a periodic schedule), AWS Config evaluates the new state against all enabled config rules. Each rule contains a condition. For managed rules, the condition is predefined (e.g., 'check if bucket has public access blocked'). For custom rules, your Lambda function runs and returns a compliance status. The result is attached to the resource.
Compliance status update
Based on the evaluation, the resource's compliance status is updated to 'Compliant', 'Non-compliant', or 'Not applicable'. This status is viewable in the dashboard, API, and can be included in the SNS notification. If a remediation action is configured (via SSM Automation), a non-compliant status can trigger that remediation automatically.
Periodic re-evaluation for drift detection
Although evaluations are triggered by configuration changes, AWS Config also performs periodic evaluations (typically every 24 hours for managed rules) to catch resources that might have been changed but did not trigger an event, or to catch resources that have become non-compliant due to changes in external references (like a rule that depends on a tag that was changed on a different resource).
Generate configuration snapshots and reports
On a schedule you define (e.g., every 6 hours), AWS Config takes a complete snapshot of all resource configurations in the region and delivers it to your S3 bucket. This is useful for long-term archiving and for auditors. You can also generate on-demand snapshots. You can use the AWS Config API or console to query configuration history for a specific time range.
Aggregation across accounts and regions (optional)
If you have multiple accounts or regions, you can set up an AWS Config Aggregator. This step involves creating an aggregator resource that collects configuration and compliance data from source accounts/regions into a single account. The aggregator provides a unified view for centralized governance, without needing to log into each account separately.
Practical Mini-Lesson
AWS Config is a service that many organizations underutilize because they do not fully understand its configuration and integration capabilities. In practice, a cloud professional needs to think beyond just enabling Config and turning on a few managed rules. The real power comes from a thoughtful architecture. First, decide on a naming convention and tagging strategy for your resources, because tags are often the basis for custom rules. For example, you might want to enforce that all production resources have a 'CostCenter' tag and are encrypted. You can write a custom AWS Config rule using a Lambda function that does a 'describe' API call to check for the tag and encryption status. The Lambda function receives an event with the resource properties and returns a JSON payload with compliance status. This is a common pattern in real-world environments.
Next, consider the delivery channel configuration. You should choose an S3 bucket with versioning enabled and a lifecycle policy to archive old snapshots to Glacier for long-term retention. Also, encrypt the bucket with AWS KMS to protect sensitive configuration data. SNS topics can be used to send notifications to a centralized security team via email or integration with ticketing systems like Jira or PagerDuty. A common mistake is to skip the SNS setup and then wonder why no one gets alerted about non-compliance. Professional setups often create a separate SNS topic for critical violations and a lower-priority topic for informational ones.
In terms of operational workflow, you should regularly review the compliance dashboard. Resources can become non-compliant for many reasons: a developer manually overriding settings, an automated script that lacks tagging, or a new service that was not anticipated. It is important to have a process to handle these exceptions. Sometimes non-compliance is intentional and approved (like a temporary open port for an emergency fix). In that case, you can use the AWS Config console to 'acknowledge' or 'suppress' the alert for a specific time, or use resource-level exclusions. You should also set up 'remediation' with care. While automatic remediation is powerful, it can break production if not tested. For example, if you set up an automatic remediation that blocks all public access to S3 buckets, it might accidentally block a legitimate public bucket used for static website hosting. The best practice is to start with only recording and alerting, then gradually introduce remediation for non-critical resources, and only after thorough testing in a staging environment.
Finally, integrate AWS Config with other services. Combine it with AWS CloudTrail to get the identity of the user who made the change. Combine it with AWS Systems Manager Parameter Store to store the expected configuration values. And combine it with AWS Security Hub, which ingests findings from AWS Config and other security services into a single dashboard. By building a comprehensive governance stack, you transform AWS Config from a simple recording service into a core component of your cloud security and compliance strategy. The most important takeaway is that AWS Config is not a set-it-and-forget-it tool; it requires ongoing curation of rules, periodic reviews, and active response to alerts.
Troubleshooting Clues
Config rule shows 'INSUFFICIENT_DATA' for all resources
Symptom: Rule status remains 'INSUFFICIENT_DATA' even after hours, no compliance results appear.
Typically caused by a missing or misconfigured IAM role; Config needs permissions to describe resources and Lambda (if custom rule) to execute.
Exam clue: Questions often describe a rule showing INSUFFICIENT_DATA and ask you to check the IAM role or that recording hasn't started.
Config recording not started or stopped unexpectedly
Symptom: No configuration items are recorded; the recorder status shows 'STOPPED' or 'FAILED'.
Recording can be stopped manually, or the IAM role used by Config may have been deleted or lost permissions.
Exam clue: Exams test that you must call StartConfigRecorder after setup; also tests that recording status is separate from rule evaluation.
Custom Config rule with Lambda never evaluates resources
Symptom: Lambda function is not invoked; no entries in CloudWatch logs for Config invocation.
The Lambda trigger from Config may be missing; ensure the correct resource types are scoped in the rule and that the Lambda resource policy allows invocation by Config.
Exam clue: Common in developer associate exams; tests understanding of Lambda invocation from Config and resource-based policies.
Config rule reports false positive non-compliance for encrypted volumes
Symptom: EBS volumes that are encrypted show as non-compliant for a rule requiring encryption.
The rule may be checking the wrong property (e.g., 'Encrypted' field instead of 'VolumeType'); or the rule parameters are misconfigured.
Exam clue: Questions about managed rules for encryption often include trick options; you must understand which rule (e.g., encrypted-volumes) works.
Aggregate view of compliance shows inconsistent data
Symptom: AWS Config aggregator shows different compliance counts than the individual account view.
Aggregators pull data from multiple accounts/regions; data may not be synchronized if Config recording is disabled in some accounts or regions.
Exam clue: Exams test that aggregators require Config recording and authorized cross-account IAM roles; inconsistent data indicates setup issues.
Cannot delete an AWS Config rule (delete fails)
Symptom: Delete command returns error: 'Cannot delete rule because it is referenced by another resource'.
The rule might be associated with a remediation action or a conformance pack; you must remove those dependencies first.
Exam clue: Sysops questions may present this scenario and ask you to check for remediation actions or conformance packs before deletion.
Config history delivery fails to S3 bucket
Symptom: No configuration history files appear in the designated S3 bucket; errors in Config logs.
The S3 bucket policy must allow Config to write; often missing bucket permissions, or the bucket is in another account.
Exam clue: Exams test that you must attach a bucket policy permitting Config's service role to put objects; link to S3 bucket policy for Config.
Memory Tip
Remember the three C's of AWS Config: Compliance, Changes, and Configuration. It checks your resources for Compliance against rules, tracks all Changes over time, and records the Configuration state. Not CloudTrail, not CloudWatch.
Learn This Topic Fully
This glossary page explains what AWS Config means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
ACEGoogle ACE →CDLGoogle CDL →AZ-104AZ-104 →AZ-900AZ-900 →CLF-C02CLF-C02 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →SOA-C02SOA-C02 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →PT0-003CompTIA PenTest+ →AZ-400AZ-400 →SC-900SC-900 →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Quick Knowledge Check
1.What is required for AWS Config to start recording configuration changes?
2.Which AWS Config feature allows you to define custom compliance rules using Lambda functions?
3.Why might an AWS Config rule show 'INSUFFICIENT_DATA' for all resources?
4.What is the purpose of an AWS Config aggregator?
5.You have a custom Config rule that checks for encryption on S3 buckets, but it consistently reports non-compliant for a bucket that has encryption enabled. What is the most likely cause?
6.Which service does AWS Config primarily integrate with to send notifications on compliance changes?