What Is AWS Config Rules? Security Definition
On This Page
What do you want to do?
Quick Definition
AWS Config Rules are like a set of house rules for your AWS account that run automatically. They check your cloud resources, such as servers or storage buckets, to make sure they follow your company’s security and compliance policies. If something breaks a rule, you get an alert so you can fix it. This helps you catch misconfigurations early and keep your cloud environment safe and well‑managed.
Common Commands & Configuration
aws configservice put-config-rule --config-rule file://s3-bucket-encryption.jsonCreates or updates an AWS Config rule using a JSON file that defines the rule, such as requiring S3 bucket encryption to be enabled.
Tests ability to create managed rules via CLI and understanding of rule structure, especially the 'Source' and 'Scope' fields.
aws configservice describe-compliance-by-config-rule --config-rule-names s3-bucket-ssl-requests-onlyReturns the compliance status of a specific AWS Config rule, showing which resources are compliant or non-compliant.
Exams ask about how to retrieve compliance results programmatically for auditing; this command is the primary way to do so.
aws configservice start-config-rules-evaluation --config-rule-names encrypted-volumesManually triggers an evaluation of a specific AWS Config rule (e.g., 'encrypted-volumes') against current resource configurations.
Covers the difference between periodic evaluations and manual re-evaluations, which is a common exam point for troubleshooting compliance delays.
aws configservice describe-config-rule-evaluation-status --config-rule-name required-tagsShows the evaluation status of a rule, including last successful evaluation time and any errors.
Exams test knowledge of how to diagnose why a rule didn't evaluate, especially if the rule is in 'Failed' status due to permissions or runtime issues.
aws configservice list-discovered-resources --resource-type AWS::EC2::InstanceLists all EC2 instances discovered by AWS Config in the current region and account, useful for verifying resource coverage.
Highlights that AWS Config must first discover resources before rules evaluate them; exam questions assume Config recording is enabled.
aws configservice put-remtiation-configurations --remtiation-configuration file://auto-remediate-sg.jsonCreates an automatic remediation action for a non-compliant resource, e.g., updating a security group to restrict SSH access.
Tests understanding of AWS Config Rules with auto-remediation via AWS Systems Manager Automation documents, a key security automation pattern in exams.
AWS Config Rules appears directly in 16exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on SAA-C03. Practise them →
Must Know for Exams
AWS Config Rules are a common and important topic in several AWS certification exams, especially the AWS Solutions Architect Associate (SAA‑C03), AWS Developer Associate (DVA‑C02), AWS SysOps Administrator Associate (SOA‑C02), and the AWS Security Specialty (SCS‑C02). In these exams, you will encounter questions that test your understanding of what Config Rules can and cannot do, and how they fit into the larger picture of security and compliance. The exam objectives that cover Config Rules fall under domains like Security and Compliance, Monitoring and Logging, and Governance. For example, in the SAA‑C03 exam, Config Rules are part of a broader set of services used to enforce security policies, and you might be asked to choose the best service to automatically detect and report noncompliant resource configurations.
In the SysOps Administrator exam, Config Rules appear in questions about compliance enforcement and resource compliance reporting. You might be given a scenario where a company must ensure that all S3 buckets have versioning enabled, and you need to recommend a solution that can automatically check this and send notifications. The correct answer is to create a Config Rule and configure an Amazon Simple Notification Service (SNS) topic for alerts. A common distractor is Amazon Inspector, which is for vulnerability scanning, not configuration compliance. Similarly, AWS Trusted Advisor provides best‑practice recommendations but does not allow you to define custom rules. The exam expects you to know the difference between these services.
For the AWS Security Specialty exam, Config Rules are a major topic. Questions often ask about enforcing compliance across multiple accounts using AWS Organizations and Config Rules with conformance packs. You may also see questions about automated remediation using AWS Config Rules combined with AWS Systems Manager Automation or AWS Lambda. For instance, a question might describe a scenario where a security policy requires that all EC2 instances are replaced with new instances if they become noncompliant. The correct answer would be to use a Config Rule with an automatic remediation action that uses an AWS Systems Manager Automation document to terminate the instance. You need to understand the remediation workflow and how to set up the necessary IAM roles.
In the Developer Associate exam, Config Rules are less frequent but still appear. You might be asked about how to use Config Rules to enforce tagging policies or to ensure that Lambda functions have the correct IAM role attached. Questions can be tricky because they might ask you to write a custom Config Rule using Lambda. You need to know that the Lambda function receives a configuration item and must return a compliance result. The exam might also test your understanding of the difference between managed rules and custom rules, and when to use each.
The key exam takeaways are: Config Rules are detective, not preventative. They do not block actions; they only report. For proactive enforcement, you need SCPs or IAM policies. Config Rules are regional and must be deployed per region unless you use conformance packs across organizations. The evaluation can be change‑triggered or periodic. Compliance results are stored in the AWS Config timeline and can be exported to S3. Config Rules integrate with SNS, CloudWatch, Security Hub, and Lambda for notifications and remediation. Memorizing these points and practicing with sample questions will help you answer Config Rule questions confidently on exam day.
Simple Meaning
Imagine you own a large apartment building and you want every apartment to follow the same safety rules. You write down a list of rules, such as “every apartment must have a working smoke detector” and “windows must not be left open when it rains.” Then you hire a manager who walks through the building every day and checks each apartment against that list. If the manager finds an apartment without a smoke detector, they flag it and tell you so you can fix it. AWS Config Rules work exactly like that manager, but for your virtual resources in the cloud. Instead of smoke detectors, AWS Config Rules check things like “Is this virtual server using a secure type of encryption?” or “Is this storage bucket publicly accessible to the internet?” You define the rules yourself, or you can use pre‑built rules written by AWS security experts. Once a rule is set up, AWS Config automatically evaluates each resource against that rule every time the resource’s configuration changes. If the resource violates the rule, AWS Config marks it as noncompliant and sends you a notification. You can then look at the details and take corrective action. This is incredibly handy because manually checking every single resource in a large cloud account would be like your building manager trying to check 1,000 apartments every day without a checklist. AWS Config Rules provide that automated, always‑on checklist so you never miss a violation. The best part is that the rules run in the background without stopping your applications. They simply report what they find, and you decide what to do next.
Another way to think about it is a security guard who watches security cameras. The guard isn’t there to stop everything; they are there to look for specific bad things, like a door being propped open or a light that is off when it should be on. When they see something wrong, they radio you. AWS Config Rules are that security guard, only they never sleep and they never miss a detail. They are always watching your cloud resources, comparing each one to the list of allowed configurations that you provided. If anything drifts away from the allowed state, you get a report. This helps you keep your cloud environment stable, secure, and compliant with industry standards like HIPAA or PCI. It also gives you a full history of every change made to a resource, which is useful for audits or troubleshooting. In short, AWS Config Rules are a simple but powerful way to enforce good practices in your cloud environment without extra manual work.
Full Technical Definition
AWS Config Rules are a feature of AWS Config, a fully managed service that provides resource inventory, configuration history, and configuration change notifications. A Config Rule is essentially a function that evaluates a resource’s configuration settings against a desired state. The rule can be a managed rule provided by AWS or a custom rule you write using AWS Lambda. Each rule is defined with a trigger type and a set of parameters. The trigger type determines when the rule runs: either on configuration changes (change‑triggered) or at periodic intervals (periodic). When a resource configuration changes, AWS Config records the configuration change as a configuration item and then evaluates all applicable rules against that new configuration. For periodic rules, AWS Config runs an evaluation on a schedule you define, such as every hour or every day.
At its core, an AWS Config Rule uses a JSON file called a conformance pack template or a simple AWS Lambda function to implement the evaluation logic. For managed rules, the evaluation logic is already written by AWS and tested. For example, the managed rule ‘s3-bucket-public-read-prohibited’ checks whether any S3 bucket has a bucket policy that allows public read access. If the rule detects a bucket with public read, it sets the compliance status to NON_COMPLIANT. For a custom rule, you write a Lambda function in a language such as Python or Node.js. That function receives an event from AWS Config that contains the resource configuration. You then write code to check the configuration against your own business rules. For instance, you could write a custom rule that checks whether every EC2 instance has a specific tag (like “Environment:Production”) and marks the instance as noncompliant if the tag is missing.
The evaluation result is stored in the AWS Config timeline for that resource, and you can view compliance status in the AWS Config console, through the AWS CLI, or via the AWS Config API. AWS Config also integrates with AWS Security Hub, AWS CloudTrail, and AWS Lambda for automated remediation. You can set up automatic remediation actions, such as triggering a Lambda function to automatically remove a public bucket policy when a rule flags it. The service maintains a complete audit trail of every evaluation, which can be exported to Amazon S3 or streamed to Amazon CloudWatch Logs. All of this works under the AWS shared responsibility model: AWS manages the infrastructure of the Config service, and you are responsible for defining and managing the rules.
AWS Config Rules are region‑specific. Each rule exists in a single AWS region and applies only to resources in that region. To enforce rules across all regions, you must create the rule in each region or use an AWS Organizations‑based approach with conformance packs. Conformance packs are collections of Config Rules and remediation actions that can be deployed across multiple accounts and regions using AWS Organizations. This allows large enterprises to enforce consistent security policies across hundreds of accounts. The pricing for AWS Config Rules is based on the number of rule evaluations performed per month, with the first 10,000 evaluations free for the first year of AWS Config usage. For certification exams, you should remember that Config Rules are not the same as AWS Trusted Advisor checks; Trusted Advisor provides best‑practice recommendations, while Config Rules enforce specific, customizable compliance policies.
Internally, AWS Config uses a resource configuration snapshot model. When you enable AWS Config, it records the configuration of supported resources as configuration items (CIs). Each CI contains metadata about the resource, its current configuration, and a timestamp. Config Rules compare the latest CI against the rule’s condition. For custom rules using Lambda, the Lambda function must be properly configured with the necessary IAM permissions to read the resource configuration and to invoke the function from AWS Config. A common gotcha is forgetting to attach the AWSLambdaBasicExecutionRole or a similar policy that allows logs to be written to CloudWatch. The rule evaluation can be synchronous (for change‑triggered rules) or asynchronous (for periodic rules). Synchronous evaluations happen immediately after a configuration change, while asynchronous evaluations happen on a schedule. Resource types are added to AWS Config over time, so not all AWS services are supported yet. As of this writing, over 270 AWS resource types are supported. You should check the AWS Config Developer Guide for the current list.
For exam questions, you need to understand the rule evaluation lifecycle: a resource change triggers an evaluation, the rule engine evaluates the resource, and the compliance result is stored. You also need to know that Config Rules can be evaluated using the AWS Config console, CLI, or API, and that the results can be aggregated via AWS Config Aggregators to see compliance across multiple accounts and regions. An important detail is that AWS Config Rules do not prevent a change from happening; they only report after the fact. For proactive prevention, you would use AWS Service Control Policies (SCPs) in AWS Organizations or IAM policies. Config Rules are detective, not preventative. This distinction is crucial for exam questions about security controls.
Real-Life Example
Imagine you are the manager of a large office building with 100 separate offices. The building has a safety rulebook that every office must follow. One of the rules says, “Every office must have a working fire extinguisher mounted on the wall near the door.” Another rule says, “All emergency exit signs must be lit, and the doors must never be blocked.” Each week, you walk through all 100 offices and check each one against the rulebook. If you find an office without a fire extinguisher, you write a note and leave it on the desk. The next week, you check again to see if the extinguisher has been installed. This process is manual, time‑consuming, and you might miss a few offices. Now, imagine you could install smart sensors in every office that automatically check for fire extinguishers and exit signs. If a fire extinguisher is missing, the sensor sends a text message to the office occupant and also to you. You would know about the problem instantly, and you could follow up without having to walk the halls. That smart sensor system is what AWS Config Rules do for your cloud resources.
In this analogy, each office is an AWS resource, such as an S3 bucket or an EC2 instance. The rulebook is the set of AWS Config Rules you define. The fire extinguisher rule might map to a rule that says “all S3 buckets must have default encryption enabled.” The exit sign rule might map to “EC2 instances must not have public IP addresses attached.” The weekly walkthrough is like running periodic AWS Config Rules on a schedule. But the best part of AWS Config Rules is that they can also run immediately after any change is made to an office. If someone moves a fire extinguisher out of an office, the sensor triggers an alert right away. In AWS Config, this is the change‑triggered rule. It runs the evaluation the moment a resource configuration changes, so you know about violations in near‑real time.
This analogy also helps you understand how AWS Config Rules help with compliance audits. Suppose your building has to pass a safety inspection every year. Instead of scrambling to check every office the week before the inspection, you can show the inspector the sensor logs from the previous 12 months, proving that every office had a fire extinguisher on every day of the year. In the same way, AWS Config maintains a compliance history, so you can prove to an auditor that your cloud resources have been compliant over a period of time. This is extremely valuable for regulations like HIPAA or PCI where you need to show continuous compliance.
Finally, think about the cost savings. Without the sensor system, you would have to hire a person to walk the building every day. With the sensors, you invest once in the sensors and then get real‑time reports for free after that. AWS Config Rules reduce the manual effort of cloud auditing and configuration management. They help you avoid costly security breaches by catching misconfigurations early, and they provide a clear paper trail for compliance. That is why they are a core part of any secure AWS architecture and a frequent topic on certification exams.
Why This Term Matters
AWS Config Rules matter because they transform cloud security and compliance from a manual, error‑prone process into an automated, continuous, and auditable system. In a real IT environment, you often have hundreds or thousands of resources running across multiple regions and accounts. Manually checking each resource’s configuration is impossible, and even if you automate the checks with scripts, you lose the valuable audit trail and the integration with other AWS services. Config Rules provide a centralized, managed way to define, evaluate, and track compliance. For example, a company handling credit card transactions must comply with PCI DSS, which requires that all data at rest is encrypted. You can create a Config Rule that checks every Amazon RDS database, Amazon EBS volume, and S3 bucket to ensure encryption is enabled. If a new developer launches an unencrypted database, the rule flags it automatically, and you can set up an automatic remediation action to encrypt it or delete it. This catch‑and‑fix cycle happens within minutes, preventing a potential compliance violation and a fine.
Another real‑world scenario is managing cost and security in a multi‑account environment. Using AWS Organizations and Config Rules, you can define a baseline of rules that every account must follow. For instance, you can enforce that no security group allows inbound SSH from 0.0.0.0/0 (the entire internet). If an account creates a security group that violates that rule, Config Rules mark it as noncompliant, and you can trigger a Lambda function to revoke the rule or notify the account owner. This prevents the common mistake of leaving a port open to the internet, which leads to data breaches. Without Config Rules, you would need to manually audit security groups or rely on infrequent manual checks.
Config Rules provide a compliance scoreboard. AWS Config Aggregator lets you view compliance across all accounts and regions in a single dashboard. This makes it easy for a security team to see which accounts have the most violations and focus remediation efforts. For IT operations, the history of evaluations can be used to demonstrate compliance during an audit. You can export all compliance data to S3 and retain it for years. This is far more reliable than maintaining spreadsheets or manual logs.
Cost is another factor. AWS Config Rules are not free at scale, but the cost is often much lower than the cost of a data breach or a compliance fine. For example, the average cost of a data breach in 2024 was over $4 million, while Config Rule evaluations cost a few cents per evaluation. Investing in a few well‑designed rules can save your organization millions. Config Rules help you enforce best practices that reduce the attack surface and improve operational stability. For instance, a rule that ensures all EC2 instances are launched from approved AMIs helps prevent the use of insecure or outdated images. Another rule that checks for CloudTrail being enabled in every region ensures you have complete audit logs for incident response.
AWS Config Rules are a foundational tool for security, compliance, and governance in the cloud. They automate policy enforcement, provide continuous monitoring, generate auditable records, and integrate with other AWS services for remediation. For IT professionals, understanding Config Rules is not just about passing an exam; it is about running a secure, well‑managed cloud environment that meets regulatory requirements and internal standards.
How It Appears in Exam Questions
In certification exams, AWS Config Rule questions typically fall into three patterns: scenario‑based selection questions, configuration design questions, and troubleshooting questions. In scenario‑based questions, you are given a company requirement and asked to choose the best AWS service to meet that requirement. For example, a question might describe a company that needs to continuously monitor their S3 buckets for public read access and receive an email when a bucket is opened to the public. The answer would be AWS Config Rules with an SNS notification, not AWS Trusted Advisor (which is a manual check) or AWS Inspector (which scans for vulnerabilities). Another scenario might ask you to ensure every EC2 instance has a specific tag. The correct approach is to create a custom Config Rule using Lambda to check for the tag, and then set up an SNS topic for alerts.
Configuration design questions focus on how to set up Config Rules correctly. For instance, you might be asked to design a solution that enforces a security policy across 50 accounts in an AWS Organization. The best answer would be to use a conformance pack that is deployed via the management account to all member accounts and regions. A common distractor is to suggest creating the Config Rule in each account manually, which is not efficient. Another design question might ask about how to automatically remediate a noncompliant S3 bucket. The correct answer involves using an AWS Config rule with an automatic remediation action that triggers an AWS Systems Manager Automation document to modify the bucket policy. You need to know that the remediation action requires an IAM role for Config to invoke the automation.
Troubleshooting questions present a situation where something is not working as expected. For example, you created a custom Config Rule with a Lambda function, but no evaluations are running. Potential causes: the Lambda function lacks permissions to be invoked by AWS Config, the resource type is not supported by AWS Config, or the trigger type is misconfigured. Another common troubleshooting scenario: the Config Rule shows “N/A” for a resource. This often means that the resource was deleted, or the rule does not apply to that resource type. You may also see a question where compliance results are not appearing in the Config console. The cause could be that AWS Config is not enabled in that region, or the rule is in a different region than the resource.
Another pattern is comparing services. You might be asked which service is best for detecting a specific misconfiguration. For example, you need to detect if an IAM role has too permissive trust policies. The best option is AWS Config with a custom rule, because IAM is a supported resource type. AWS Identity and Access Management Access Analyzer could also detect suspicious trust policies, but the question may specify that you need a custom policy beyond the standard checks. The key is to read the question carefully: if it says “custom rule” or “continuous evaluation,” it is pointing to Config. If it says “reviewing IAM policies for unintended access,” IAM Access Analyzer is more appropriate.
Finally, exam questions might ask about pricing or limits. For example, how often a periodic rule can evaluate resources. The answer is every 1 hour, 3 hours, 6 hours, 12 hours, or 24 hours. A common trick is that you cannot set a custom interval like every 30 minutes. Change‑triggered rules evaluate when the configuration changes, so no schedule is needed. Understanding these nuances is critical for getting the right answer on exam day.
Practise AWS Config Rules Questions
Test your understanding with exam-style practice questions.
Example Scenario
A mid‑sized e‑commerce startup uses AWS for its online store. The company processes credit card payments and must comply with PCI DSS, which requires that all S3 buckets storing customer data have encryption enabled and that public access is blocked. The startup has five developers and a single AWS account with 80 S3 buckets. The DevOps team manually checks the bucket configurations once a month, but a recent near‑miss where a developer left a new bucket public for three days highlighted the need for automation. The company decides to implement AWS Config Rules to continuously monitor their S3 buckets.
First, the team enables AWS Config in the us‑east‑1 region and selects all resource types, including S3 buckets. They then navigate to the AWS Config console and create a new rule using the managed rule “s3-bucket-public-read-prohibited.” This rule will automatically evaluate every existing and new S3 bucket in the region and mark it noncompliant if the bucket policy allows public read access. They also create a second rule using the managed rule “s3-bucket-ssl-requests-only” to ensure all bucket access uses HTTPS. For each rule, they configure an Amazon SNS topic that sends an email to the security team whenever a rule marks a bucket as noncompliant.
Within a week, the system catches two violations. A developer created a bucket for a demo but accidentally left it world‑readable. The Config Rule evaluated the bucket seconds after creation and sent an alert. The security team received the email, investigated, and fixed the bucket policy within 15 minutes. They also set up a custom Config Rule using Lambda to check that every bucket has a specific tag “DataClassification” with a value of “PCI” or “Internal.” This custom rule runs as a periodic check every 24 hours. If a bucket is missing the tag, it marks it noncompliant. The team adds an automatic remediation action that applies the missing tag with a default value of “Unclassified” so they can identify and find the owner later.
After three months, the company undergoes a PCI compliance audit. The auditor asks for evidence that all S3 buckets have been encrypted and not publicly accessible for the entire period. The DevOps team exports the AWS Config compliance history for the last 90 days to an S3 bucket and presents it. The auditor sees that the Config Rules ran over 2,000 evaluations and that the only violations were the two early ones that were promptly fixed. The audit passes without any noncompliance findings. The CTO is happy because the manual monthly checks are no longer needed, and the team is alerted within minutes of any misconfiguration. This scenario shows how AWS Config Rules provide continuous compliance, automated alerts, and auditable records, all while reducing manual overhead.
Common Mistakes
Believing that AWS Config Rules can prevent a change from being made.
AWS Config Rules are detective, not preventative. They evaluate resources after a configuration change has already been made and report noncompliance, but they do not block the change. For preventing unwanted changes, you need AWS Service Control Policies or IAM policies.
Understand that Config Rules are used for detection and reporting. Use SCPs or IAM to actively deny actions that would create noncompliant resources.
Thinking that a single AWS Config Rule applies to all regions automatically.
AWS Config Rules are regional resources. A rule created in one region only applies to resources in that region. To enforce a rule across multiple regions, you must create the rule in each region or use a conformance pack with AWS Organizations.
Deploy Config Rules in every region where you have resources. Use AWS Config Aggregator to view compliance across regions.
Confusing AWS Config Rules with AWS Trusted Advisor.
Trusted Advisor provides best‑practice checks that you can view, but you cannot customize them. Config Rules allow you to define custom rules using Lambda or choose from many managed rules. Config Rules also provide continuous evaluation and a compliance history, whereas Trusted Advisor checks are updated on a fixed schedule.
Use Trusted Advisor for high‑level best practices that you cannot customize. Use Config Rules for specific, customizable compliance policies that you need to enforce continuously.
Assuming that a managed Config Rule covers all resource types that might be relevant.
Managed rules only evaluate against the specific resource type they are designed for. For example, the rule ‘ec2-instance-in-vpc’ only checks EC2 instances, not other resources like Lambda functions or RDS databases. If you need to check a different resource type, you must find or create a rule that covers it.
Check the list of managed rules in the AWS documentation and choose the rule that matches the resource type you want to evaluate. If no managed rule exists, create a custom rule using Lambda.
Not setting up the necessary IAM permissions for a custom Config Rule using Lambda.
The Lambda function must have an IAM role that allows AWS Config to invoke it, and the function needs permissions to read the resource configuration and write logs to CloudWatch. If these permissions are missing, the rule evaluation fails silently or shows an error.
Create a Lambda role with the AWS managed policy ‘AWSLambdaBasicExecutionRole’ for logging and attach a custom policy that includes config:PutEvaluations permission. Also, configure the Lambda function’s resource‑based policy to allow AWS Config to invoke it.
Thinking that Config Rules will automatically fix noncompliant resources without additional configuration.
By default, Config Rules only evaluate and report compliance. Automatic remediation requires you to configure an AWS Systems Manager Automation document or a Lambda function as a remediation action. Without that, you have to fix violations manually.
For automatic remediation, set up a remediation action in the Config Rule settings. Choose an SSM document or a custom Lambda function that performs the fix, and ensure the required IAM role is assigned.
Exam Trap — Don't Get Fooled
{"trap":"On the exam, you are given a scenario where a company wants to automatically detect and correct misconfigured security groups that allow SSH from 0.0.0.0/0. You see two answer options: one says use AWS Config Rules with auto‑remediation, and the other says use AWS Service Control Policies to deny the creation of such security groups.
Which is correct? The trap is that both seem valid, but the question might specify that the company already has existing security groups that need to be fixed, not just prevent new ones.","why_learners_choose_it":"Learners often pick SCPs because they think preventing is better than detecting.
They also remember that SCPs are preventative, and they might overapply the concept. They forget that SCPs cannot fix existing noncompliant resources; they only apply to future actions. The question likely asks for a solution that both detects and corrects existing misconfigurations."
,"how_to_avoid_it":"Read the question carefully. If the question mentions existing resources that need to be corrected, the correct answer is to use AWS Config Rules with an auto‑remediation action. SCPs can prevent new misconfigurations but do not fix existing ones.
For a complete solution, you might use both, but on a single‑answer multiple‑choice question, Config Rules with auto‑remediation is the best choice when existing resources need to be remediated."
Commonly Confused With
AWS Trusted Advisor is a service that provides best‑practice recommendations based on AWS well‑architected reviews, but it does not allow you to create custom rules and does not run continuous evaluations against your own policies. AWS Config Rules, on the other hand, let you define your own rules and run them continuously, either based on configuration changes or on a schedule. Trusted Advisor is more of a static advisory tool, while Config Rules are a dynamic compliance enforcement tool.
If you want to ensure that no S3 bucket allows public read access, a Config Rule can constantly watch and alert you instantly. Trusted Advisor would simply show a check result that updates periodically, and you cannot customize the check.
SCPs are a type of policy used in AWS Organizations to set permission boundaries that prevent accounts from making certain API calls. They are preventative, meaning they can block an action before it happens. Config Rules are detective; they report on what has already happened. SCPs cannot evaluate existing resources, while Config Rules can. SCPs are applied at the organizational level, while Config Rules exist per region and per account.
If you want to prevent anyone from ever enabling public access on an S3 bucket, you would use an SCP to deny the s3:PutBucketPolicy action. If you want to find out which of your existing buckets are already public, you would use a Config Rule.
Amazon Inspector is a vulnerability management service that scans your EC2 instances and container images for software vulnerabilities and unintended network exposure. Config Rules do not scan for vulnerabilities; they check configuration settings. Inspector finds known CVEs, while Config Rules check for configuration drift like missing encryption or wrong security group rules.
Use Amazon Inspector to find if an EC2 instance has an outdated package with a known vulnerability. Use an AWS Config Rule to check that the same EC2 instance has the mandatory ‘Environment’ tag.
AWS Security Hub is a central security posture management service that aggregates findings from multiple AWS services, including AWS Config Rules, AWS GuardDuty, and Amazon Inspector, and provides a unified dashboard. Config Rules are a source of findings for Security Hub. Security Hub does not itself evaluate resource configurations; it collects and orchestrates findings. Config Rules are the actual evaluators.
You might configure a Config Rule to detect noncompliant buckets. That rule’s findings appear in Security Hub as a security issue. Security Hub then helps you view and prioritize those findings alongside other security alerts.
AWS CloudTrail records API calls made in your account for auditing and forensic analysis. It records who made a change and when. Config Rules do not record API calls; they evaluate the resulting state of the resource. CloudTrail tells you that someone changed an S3 bucket policy; Config Rules tell you whether that change made the bucket noncompliant.
If you need to know which user added a public access policy to an S3 bucket, use CloudTrail. If you need to know whether that bucket is currently compliant, use a Config Rule.
Step-by-Step Breakdown
Enable AWS Config
Before using Config Rules, you must enable AWS Config in your AWS account and region. You specify which resource types to record, and you can choose to record all resources or specific types. You also configure an S3 bucket to store configuration snapshots and an SNS topic for notifications. This step is foundational because Config cannot evaluate resources it is not monitoring.
Choose or create a Config Rule
You decide whether to use a managed rule provided by AWS or write a custom rule with AWS Lambda. Managed rules cover common compliance requirements like ‘always use encrypted EBS volumes’ or ‘restrict SSH access.’ For unique requirements, you create a custom rule. This step matters because the rule determines exactly what is checked.
Define rule parameters and trigger type
Each rule has parameters that control its behavior, such as the frequency of evaluation for periodic rules or the specific values to check (e.g., the allowed AMI ID). You choose whether the rule runs on configuration changes (change‑triggered) or on a schedule (periodic). Change‑triggered catches issues quickly; periodic rules provide regular snapshots.
Enable the rule
After creating and configuring the rule, you enable it. The rule begins evaluating resources immediately for change‑triggered rules or on the next scheduled run for periodic rules. At this point, you can monitor the compliance status in the AWS Config console.
Evaluation runs and compliance status is recorded
When a resource configuration changes or when the scheduled time comes, AWS Config runs the rule’s evaluation logic. It compares the resource configuration against the rule’s condition. If the resource matches the condition, it is marked COMPLIANT; if not, it is marked NON_COMPLIANT. The result is stored in the AWS Config timeline for that resource, along with a timestamp and a compliance status.
Notifications and remediation (optional)
You can set up an Amazon SNS topic to send alerts when a resource becomes noncompliant. You can also configure automatic remediation via an AWS Systems Manager Automation document or a Lambda function that takes corrective action, such as removing a public bucket policy. This step closes the loop from detection to action, making the process automated.
Compliance reporting and aggregation
Over time, AWS Config collects compliance data for all resources. You can view the compliance dashboard in the AWS Config console, use the AWS Config API to query compliance, or set up an AWS Config Aggregator to view compliance across multiple accounts and regions. This step provides audit‑ready evidence and helps you track improvements.
Learn This Topic Fully
This glossary page explains what AWS Config Rules means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SAA-C03SAA-C03 →SOA-C02SOA-C02 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →PT0-003CompTIA PenTest+ →SC-900SC-900 →MD-102MD-102 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Amazon CloudWatch is a monitoring service for AWS resources and applications that collects metrics, logs, and events to help you observe and troubleshoot your cloud infrastructure.
An anti-malware policy is a set of rules and procedures that an organization enforces to prevent, detect, and remove malicious software from its computers and networks.
An anti-spam policy is a set of rules and filters used by email systems to automatically detect and block unwanted, unsolicited, or harmful messages before they reach a user's inbox.
Attack simulation training is a Microsoft 365 security tool that lets IT administrators run realistic phishing and password-attack campaigns against their own users to identify vulnerabilities and improve security awareness.
An audit is a systematic, independent review of IT systems, processes, and controls to verify compliance with policies, standards, and regulations.
An audit log is a chronological record of security-relevant events and user activities within a system, used for monitoring, compliance, and forensic analysis.
Quick Knowledge Check
1.Which of the following is required for an AWS Config managed rule to evaluate resources?
2.What is the primary difference between a managed rule and a custom rule in AWS Config?
3.When you run 'describe-compliance-by-config-rule' for a rule, what does 'NON_COMPLIANT' status mean for a resource?
4.Which AWS Config rule trigger type causes the rule to run at a fixed frequency, such as every hour?
5.What happens to an AWS Config rule evaluation if the rule's IAM role lacks permissions to describe the resource being evaluated?