This chapter covers AWS Artifact and AWS Config, two essential services for security compliance on AWS. For the CLF-C02 exam, this falls under Domain 2: Security and Compliance, spanning Task Statement 2.1 ('Understand the AWS shared responsibility model') and Task Statement 2.2 ('Understand AWS Cloud security, governance, and compliance concepts'), which is where the compliance and governance services live. While not a large percentage of the exam, understanding these services is critical for questions about auditing, compliance reporting, and configuration monitoring. We will explore what each service does, how they work, their key features, and how they differ from each other and from other AWS services.
Imagine your company must prove to auditors that every employee follows security rules. You have two helpers: a filing cabinet named AWS Artifact and a security guard named AWS Config. The filing cabinet contains pre-organized, signed documents (like SOC reports and ISO certificates) that prove your building meets industry standards. You don't create these documents; you just pull them out and hand them to auditors. The security guard, on the other hand, watches every door and window in real time. He knows every rule you've set (e.g., 'No door may be left unlocked after 6 PM') and checks continuously. If a door is left open, he writes a report and sends an alert. He also keeps a detailed log of every time a door was opened or closed, who did it, and whether it complied with the rule. The guard doesn't stop the door from opening—he just watches, records, and alerts. Together, the filing cabinet gives you the proof that your building is certified, and the guard gives you ongoing evidence that your daily operations follow your own rules. This is exactly how AWS Artifact provides on-demand access to AWS compliance reports, while AWS Config continuously monitors and records your resource configurations against desired policies.
What is AWS Artifact?
AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports and agreements. It solves the problem of how to prove to auditors, customers, or regulators that AWS infrastructure meets various security standards. Instead of requesting documents from AWS support and waiting days, you can download them instantly. AWS Artifact contains two main types of documents: AWS compliance reports (e.g., SOC reports, PCI reports, ISO certifications) and AWS agreements (e.g., the Business Associate Addendum for HIPAA). The reports are produced by independent third-party auditors, cover a defined audit period, and are confidential: you accept AWS's terms for their use before downloading.
How AWS Artifact Works
You access AWS Artifact through the AWS Management Console or API. Once there, you can browse available reports by category (e.g., SOC, PCI, FedRAMP) or by service. Each report is a PDF that states the scope (the services and Regions covered), the audit period, and the independent auditor's opinion or attestation. For agreements, you can review, accept, or manage them. AWS Artifact does not require any configuration of your resources; it simply provides the documents. Behind the scenes, AWS undergoes regular audits by third-party assessors, and the resulting reports are uploaded to Artifact. You can also subscribe to notifications when new reports are available.
Key Features of AWS Artifact
On-demand access: Download reports anytime.
Agreements: Accept agreements like the Business Associate Addendum (BAA) for HIPAA compliance.
Reports: SOC 1/2/3, PCI DSS, ISO 27001, FedRAMP, and more.
Notifications: Set up to receive alerts when reports are updated.
Organizational view: In AWS Organizations, you can centrally manage agreements for all accounts.
What is AWS Config?
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It solves the problem of knowing what resources you have, how they are configured, and whether those configurations comply with your internal policies or industry standards. AWS Config continuously records configuration changes and provides a detailed history. It also allows you to define rules (called Config rules) that check your resources against desired configurations.
How AWS Config Works
When you enable AWS Config, it starts recording configuration items for supported resources (over 300 resource types). A configuration item is a snapshot of a resource at a point in time, including attributes like instance type, security group rules, tags, and relationships to other resources. Config delivers configuration history and snapshot files to an S3 bucket you specify (the delivery channel). You can also set up Config rules, which are either AWS managed rules (e.g., 's3-bucket-public-read-prohibited') or custom rules, implemented as a Lambda function or as a Custom Policy rule written in AWS CloudFormation Guard syntax. Config evaluates resources against these rules and records a compliance status for each (COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA). It can trigger remediation actions via Systems Manager Automation or send notifications via Amazon SNS.
Key Features of AWS Config
Configuration history: View the timeline of changes for each resource.
Configuration snapshots: Take a point-in-time view of all resources.
Config rules: Evaluate compliance (managed or custom).
Remediation: Automatically fix non-compliant resources.
Aggregators: View compliance across multiple accounts and regions.
Conformance packs: Deploy a collection of rules and remediation actions as a single entity.
Pricing
AWS Artifact: Free to use. No cost for downloading reports or managing agreements.
AWS Config: You pay per configuration item recorded and per rule evaluation, and there is no free tier. Configuration items cost $0.003 each in most Regions. Rule evaluations are tiered, starting at $0.001 per evaluation; custom Lambda rules are billed at the same per-evaluation rate plus the Lambda invocation cost of your function. Conformance pack evaluations are billed separately, per conformance pack evaluation, rather than as individual rule evaluations. Because a configuration item is recorded on every change, cost scales with how often your resources change as much as with how many you have, so check the current AWS Config pricing page before estimating.
Comparison to On-Premises
On-premises, compliance evidence often requires manual collection of logs, screenshots, and configuration dumps. AWS Artifact hands you the evidence of AWS's security posture ready-made, but you still need to prove your own configurations. AWS Config automates the collection of your configuration history and compliance status, replacing manual audits. However, Config does not prevent misconfigurations; it only detects them. For prevention, you would use AWS Organizations service control policies (SCPs) or IAM policies.
When to Use AWS Artifact vs AWS Config
Use AWS Artifact when you need to provide proof of AWS's compliance certifications to auditors or customers.
Use AWS Config when you need to monitor and audit your own resource configurations for internal or regulatory compliance.
They are complementary: Artifact covers AWS's side of the shared responsibility model, while Config covers your side.
AWS Config Conformance Packs
Conformance packs are collections of Config rules and remediation actions that can be deployed together. They are packaged as YAML templates. For example, a conformance pack for PCI DSS might include rules like 's3-bucket-ssl-requests-only' and 'ec2-ebs-encryption-by-default'. This simplifies deploying compliance frameworks across multiple accounts.
AWS Config Aggregators
An aggregator is a resource that collects configuration and compliance data from multiple AWS accounts and regions into a single view. This is useful for large organizations using AWS Organizations. The aggregator can be set up in a central account and then you can view compliance across all member accounts.
AWS Config Rules – Managed vs Custom
Managed rules: Pre-defined by AWS, e.g., 'rds-instance-public-access-check', 'iam-user-mfa-enabled'. You simply enable them and set parameters.
Custom rules: You write a Lambda function that evaluates resources. This gives flexibility for specific compliance needs.
AWS Config Limitations
Config does not monitor all AWS services; only supported ones.
Config rules are evaluated on a periodic basis (e.g., every hour) or when a configuration change occurs.
Config does not block changes; it only records and alerts. For blocking, use SCPs or IAM.
Config enforces an adjustable quota on the number of rules per Region per account; check Service Quotas for the current default before planning a large rule set.
AWS Artifact Reports Validity
Reports are typically valid for one year or until the next audit. AWS Artifact shows the report's date and expiration. You should check that the report covers the period you are being audited for.
Enable AWS Config
First, navigate to the AWS Config console and click 'Get started'. You must specify an S3 bucket to store configuration history and snapshot files. Optionally, you can enable Amazon SNS notifications for configuration changes and compliance changes. You also choose which resource types to record; by default, it records all supported resources. AWS Config will then start recording configuration items for existing resources and track future changes. Behind the scenes, Config uses a configuration recorder that runs in your account; there is exactly one recorder per account per Region, which is why Config must be enabled separately in every Region you use. The recorder captures a configuration item each time a resource is created, updated, or deleted, and the delivery channel writes the history and snapshot files to your S3 bucket.
Set up Config Rules
After enabling Config, you can add rules. In the console, go to 'Rules' and click 'Add rule'. You can choose from AWS managed rules like 's3-bucket-public-read-prohibited' or create a custom rule backed by a Lambda function. Some managed rules take parameters: 'required-tags' takes the tag keys every resource must carry, and 'restricted-common-ports' takes the ports that must not be open to 0.0.0.0/0. Each rule runs on a schedule (every 1, 3, 6, 12, or 24 hours) or when a configuration change occurs. Config evaluates each applicable resource against the rule and marks it COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE. Non-compliant resources are listed with details. You can also attach automatic remediation using Systems Manager Automation documents. For example, if an S3 bucket becomes public, Config can run the 'AWS-DisableS3BucketPublicReadWrite' Automation document against that bucket (an Automation document can in turn invoke a Lambda function). Remediation acts after the change has already happened, so it shortens the window of exposure but does not prevent it.
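The custom-rule path mentioned here and in the managed-vs-custom comparison above is easiest to understand from the Lambda side. The block below is an added example for this chapter, not code from the page or from AWS: a change-triggered custom rule for AWS::EC2::SecurityGroup that flags any group exposing a blocked TCP port to the internet. The event shape (invokingEvent, ruleParameters, resultToken) and the PutEvaluations call are the ones AWS Config actually uses for custom Lambda rules; the parameter name 'blockedPorts', the sample security group, and the result token are assumptions made for the example.

```python
"""Custom AWS Config rule for AWS::EC2::SecurityGroup, packaged as a Lambda handler.

Added example, not code from the page or from AWS. The rule parameter name
'blockedPorts', the sample security group and the result token are made up.
"""
import json

ALL_HOSTS = {"0.0.0.0/0", "::/0"}


def parse_blocked_ports(rule_parameters):
    """Config passes ruleParameters as a JSON string, e.g. '{"blockedPorts": "22,3389"}'."""
    params = json.loads(rule_parameters or "{}")
    raw = params.get("blockedPorts", "22,3389")  # hypothetical parameter, with a default
    return {int(p) for p in raw.split(",") if p.strip()}


def permission_exposes_port(permission, blocked_ports):
    """True if one ingress entry exposes a blocked TCP port (or all ports) to the internet."""
    proto = permission.get("ipProtocol")
    if proto not in ("tcp", "-1"):
        return False
    # Config records the legacy 'ipRanges' strings alongside 'ipv4Ranges'/'ipv6Ranges' objects.
    cidrs = set(permission.get("ipRanges", []))
    cidrs |= {r.get("cidrIp") for r in permission.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])}
    if not cidrs & ALL_HOSTS:
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if proto == "-1" or lo is None or hi is None:
        return True  # 'all traffic', or tcp with no port range, exposes every port
    return any(lo <= port <= hi for port in blocked_ports)


def evaluate_compliance(configuration_item, blocked_ports):
    """Return the ComplianceType string Config expects for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # a deleted resource cannot stay non-compliant
    ingress = (configuration_item.get("configuration") or {}).get("ipPermissions", [])
    if any(permission_exposes_port(p, blocked_ports) for p in ingress):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config; config_client is injectable so the rule is testable offline."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # ScheduledNotification carries no configuration item, and an
        # OversizedConfigurationItemChangeNotification would need GetResourceConfigHistory;
        # this rule is change-triggered only, so it records nothing for those.
        return None
    ci = invoking_event["configurationItem"]
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci, parse_blocked_ports(event.get("ruleParameters"))),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # imported lazily so the module also loads where the SDK is absent
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for boto3's Config client: records PutEvaluations calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


# Constructed configuration item: a security group with HTTPS from the VPC and SSH open to the world.
SAMPLE_OPEN_SSH_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-03-02T09:15:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}


def build_event(configuration_item, message_type="ConfigurationItemChangeNotification", blocked="22,3389"):
    """Construct the event Config would deliver for this item (constructed, not captured)."""
    return {
        "invokingEvent": json.dumps({"messageType": message_type, "configurationItem": configuration_item}),
        "ruleParameters": json.dumps({"blockedPorts": blocked}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(build_event(SAMPLE_OPEN_SSH_CI), None, client)["ComplianceType"])  # NON_COMPLIANT
```

Two design points matter in practice. The rule returns NOT_APPLICABLE for a deleted resource; otherwise a group deleted while non-compliant would stay on the dashboard forever. And the handler refuses to evaluate anything but a ConfigurationItemChangeNotification, because a periodic trigger would arrive without a configuration item and a silently wrong COMPLIANT is worse than no result. When you deploy it, the Lambda execution role needs config:PutEvaluations, and the Lambda resource policy must allow config.amazonaws.com to invoke it.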
View Compliance Dashboard
In the Config console, the 'Dashboard' shows an overview of compliance status across all rules. You can see the number of compliant vs non-compliant resources. Drill down into specific rules to see which resources are non-compliant and why. The 'Timeline' for a resource shows its configuration history and compliance status over time. This helps in forensic analysis. For example, if a security group was opened to the world, you can see exactly when it changed and who made the change (via CloudTrail integration). Config also integrates with AWS Security Hub to aggregate findings.
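The forensic use of the resource timeline described above comes down to diffing consecutive configuration items and following the CloudTrail event IDs that Config records in each item's relatedEvents. The block below is an added example for this chapter, not code from the page or from AWS. The history it diffs is constructed to resemble what GetResourceConfigHistory returns for a security group; the group ID, timestamps, and CloudTrail event ID are made up for the example.

```python
"""Diff consecutive AWS Config configuration items: what changed, when, and via which API call.

Added example, not code from the page or from AWS. SAMPLE_HISTORY is constructed to
resemble GetResourceConfigHistory output; its IDs and timestamps are made up.
"""

MISSING = object()  # sentinel: an attribute absent from one of the two snapshots


def flatten(value, prefix=""):
    """Flatten nested dicts/lists into {'ipPermissions[1].fromPort': 22, ...} for key-by-key comparison.

    List entries are compared by position. Config preserves order, so a rule appended to
    ipPermissions shows up as a new index, while a removal shifts later entries and shows
    as several changes; that is still enough to see when and through which event it happened.
    """
    if isinstance(value, dict) and value:
        out = {}
        for key, child in value.items():
            out.update(flatten(child, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(value, list) and value:
        out = {}
        for index, child in enumerate(value):
            out.update(flatten(child, f"{prefix}[{index}]"))
        return out
    return {prefix: value}  # a leaf, or an empty container kept as a leaf


def diff_configuration(old_ci, new_ci):
    """Return sorted (path, old_value, new_value) triples for every attribute that differs."""
    old = flatten(old_ci.get("configuration") or {})
    new = flatten(new_ci.get("configuration") or {})
    changes = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path, MISSING), new.get(path, MISSING)
        if before != after:
            changes.append((path, None if before is MISSING else before,
                            None if after is MISSING else after))
    return changes


def timeline(config_items):
    """Walk a resource's history oldest-first and attach each change set to the item that introduced it.

    Config stores the CloudTrail event IDs behind a change in 'relatedEvents'; a CloudTrail
    LookupEvents query on that ID answers 'who did it'.
    """
    ordered = sorted(config_items, key=lambda ci: ci["configurationItemCaptureTime"])
    records = []
    for previous, current in zip(ordered, ordered[1:]):
        changes = diff_configuration(previous, current)
        if changes:
            records.append({
                "captureTime": current["configurationItemCaptureTime"],
                "relatedEvents": current.get("relatedEvents", []),
                "changes": changes,
            })
    return records


# Constructed history for one security group: the second snapshot adds SSH open to the world.
SAMPLE_HISTORY = [
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-03-01T08:00:00.000Z",
        "relatedEvents": [],
        "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
        ]},
    },
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-03-02T09:15:00.000Z",
        "relatedEvents": ["00000000-0000-4000-8000-000000000001"],  # made-up CloudTrail eventID
        "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    },
]

if __name__ == "__main__":
    for record in timeline(SAMPLE_HISTORY):
        print(record["captureTime"], record["relatedEvents"])
        for path, before, after in record["changes"]:
            print(f"  {path}: {before!r} -> {after!r}")
```

In a real investigation you would feed timeline() the 'configurationItems' list from GetResourceConfigHistory for the resource (the API returns newest-first by default, which is why the function sorts), then pass each relatedEvents ID to CloudTrail to recover the principal, source IP, and API call that made the change.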
Download AWS Artifact Reports
To download a compliance report, go to the AWS Artifact console. Under 'Reports', browse the categories: SOC, PCI, ISO, FedRAMP, etc. Click on a report to see its details, including the scope and audit period. Then click 'Download' to get the PDF. The report is issued by an independent third-party auditor and includes the auditor's opinion; you accept AWS's terms for the report's use before the download starts. For agreements, go to 'Agreements' and you can view, accept, or manage agreements like the Business Associate Addendum. When you accept an agreement, it becomes effective for your account. In AWS Organizations, the management account can accept agreements on behalf of all member accounts.
Set Up AWS Artifact Notifications
To stay informed about new reports or updates, you can set up notifications. In the Artifact console, go to 'Notifications' and create a subscription. You can specify which report types you are interested in (e.g., SOC 2). AWS Artifact will send an email to the subscribed addresses when a new report is available or when an existing report is updated. This is useful for compliance teams that need to refresh their evidence regularly. Notifications are delivered through the AWS User Notifications service and are free.
Scenario 1: SOC 2 Audit for a SaaS Company A SaaS company running on AWS needs to provide a SOC 2 Type II report to its enterprise customers. The compliance team uses AWS Artifact to download the latest AWS SOC 2 report, which covers the AWS infrastructure. This proves that AWS has the necessary controls. However, the company also needs to prove that its own application configurations comply with SOC 2 requirements. They enable AWS Config and set up managed rules like 'iam-user-mfa-enabled' and 'ec2-ebs-encryption-by-default'. Config continuously monitors and flags any non-compliant resources. Before the audit, the team takes a configuration snapshot and exports the compliance report. This saves weeks of manual evidence collection. Cost: Config bills $0.003 per configuration item, and an item is recorded each time a resource changes, not once per resource; an account with 500 resources that change a few times a month costs a few dollars in configuration items plus rule evaluations, while an account with frequent deployments or autoscaling costs proportionally more. Misconfiguration: If Config is not enabled, the team would have to manually check each resource, risking missed non-compliant items and audit failure.
Scenario 2: PCI DSS Compliance for an E-commerce Platform An e-commerce company must comply with PCI DSS. They use AWS Artifact to download the AWS PCI DSS Attestation of Compliance, covering the cloud infrastructure. For their own cardholder data environment, they use AWS Config with conformance packs. They deploy a PCI DSS conformance pack that includes rules like 'ec2-instances-in-vpc', 'rds-storage-encrypted', and 's3-bucket-logging-enabled'. Config automatically evaluates all relevant resources. When a developer creates an RDS instance without storage encryption, Config marks it non-compliant and can trigger a remediation action or send an alert. This shortens the time a misconfiguration goes unnoticed, but it is detective, not preventive: the non-compliant resource existed until Config caught it. Cost: Conformance pack evaluations are billed per evaluation, on top of the configuration items recorded; the rules inside a pack are not billed again as standalone rules. Misconfiguration: If they forget to enable Config in all Regions, resources in the unmonitored Regions are never evaluated, leaving compliance gaps.
Scenario 3: Multi-Account Compliance Monitoring A large enterprise uses AWS Organizations with hundreds of accounts. The central security team needs a single pane of glass for compliance. They set up an AWS Config aggregator in a delegated administrator account (or the management account). The aggregator collects configuration and compliance data from all member accounts and Regions. They then create a custom Config rule that checks for prohibited resource types (e.g., no unapproved instance types). The aggregator shows which accounts are non-compliant. The team uses AWS Artifact to download the AWS ISO 27001 certificate, which covers the in-scope AWS services, and supplies it to auditors as evidence for every account. This setup saves time and ensures consistent compliance. Cost: The aggregator itself is free; you pay for Config usage in each source account. Misconfiguration: If the aggregator's IAM role lacks the permissions to read the organization, or if Config is not enabled in a member account, that account simply contributes no data, giving a false sense of security.
What CLF-C02 Tests Task Statement 2.1 asks you to understand the AWS shared responsibility model, and Task Statement 2.2 asks you to understand AWS Cloud security, governance, and compliance concepts, including the services that support them. AWS Artifact and AWS Config are key components for compliance. The exam tests your understanding of what each service does and which side of the shared responsibility model it supports. AWS Artifact provides evidence of AWS's compliance with third-party audits (AWS's responsibility). AWS Config helps you monitor your own resource configurations (your responsibility).
Common Wrong Answers 1. 'AWS Artifact can be used to monitor my resource configurations.' This is wrong because Artifact only provides reports and agreements; it does not monitor resources. Candidates confuse Artifact with Config. 2. 'AWS Config can generate compliance reports for SOC 2.' Config provides compliance status based on rules, but it does not generate third-party audit reports. That is Artifact's job. 3. 'AWS Config prevents non-compliant configurations.' Config only detects and alerts; it does not block changes. For prevention, you need SCPs or IAM. 4. 'AWS Artifact is a paid service.' Artifact is free; Config has costs.
Specific Terms on the Exam - 'Configuration item' (CI): The record of a resource at a point in time. - 'Config rule': A rule that evaluates resources. - 'Conformance pack': A collection of rules and remediation. - 'Aggregator': Central view of multiple accounts. - 'Business Associate Addendum (BAA)': An agreement available in Artifact for HIPAA. - 'SOC, PCI, ISO, FedRAMP': Report types in Artifact.
Tricky Distinctions - AWS Artifact vs AWS Config: Artifact is for pre-existing compliance evidence; Config is for ongoing monitoring. - AWS Config vs AWS CloudTrail: CloudTrail records API calls (who did what), while Config records configuration state (what changed). They are complementary. - AWS Config vs AWS Trusted Advisor: Trusted Advisor gives recommendations for cost, performance, security, and fault tolerance; Config focuses on compliance with rules.
Decision Rule for Multiple Choice If the question asks about 'proving compliance to auditors' or 'downloading reports', the answer is AWS Artifact. If it asks about 'monitoring resource configurations' or 'ensuring resources follow policies', the answer is AWS Config. If it asks about 'automatically fixing non-compliant resources', look for Config with remediation, not Artifact.
AWS Artifact is a free service for downloading AWS compliance reports and managing agreements like BAA.
AWS Config continuously records configuration changes and evaluates resources against rules.
Config rules can be AWS managed or custom (Lambda-based).
Config conformance packs deploy a group of rules and remediation actions as a template.
Config aggregators provide a multi-account, multi-region compliance view.
Artifact covers AWS's side of shared responsibility; Config covers your side.
Config does not prevent non-compliant actions; it only detects and alerts.
Common exam wrong answer: 'AWS Artifact monitors resources' – it does not.
Common exam wrong answer: 'AWS Config generates SOC reports' – it does not.
Enable AWS Config in all regions for comprehensive compliance coverage.
These come up on the exam all the time. Here's how to tell them apart.
AWS Artifact
Provides pre-signed compliance reports (SOC, PCI, ISO, etc.)
No cost to use
Does not monitor your resources
Used for auditor evidence of AWS's compliance
Reports are static PDFs
AWS Config
Monitors and records resource configurations
Pay per configuration item and rule evaluation
Evaluates resources against rules you define
Used for auditing your own resource compliance
Provides near-real-time compliance status and a configuration history
Mistake
AWS Artifact can monitor my AWS resources for compliance.
Correct
AWS Artifact only provides downloadable compliance reports and agreements. It does not monitor or evaluate your resources. For monitoring, use AWS Config.
Mistake
AWS Config can generate SOC 2 or PCI DSS reports.
Correct
AWS Config provides compliance status based on your rules, but it does not produce third-party audit reports. SOC and PCI reports come from AWS Artifact.
Mistake
AWS Config blocks non-compliant resource creation.
Correct
AWS Config only records and evaluates configurations; it does not block changes. To block, use IAM policies or Service Control Policies (SCPs).
Mistake
AWS Artifact is a paid service.
Correct
AWS Artifact is free to use. There is no charge for downloading reports or managing agreements.
Mistake
AWS Config is only for EC2 instances.
Correct
AWS Config supports over 300 resource types, including S3 buckets, RDS databases, IAM users, Lambda functions, and many more.
AWS Artifact provides on-demand access to AWS compliance reports and agreements (like SOC, PCI, ISO). It is free and does not monitor your resources. AWS Config continuously records resource configurations and evaluates them against rules you define. It helps you audit your own compliance. In short, Artifact is for AWS's compliance evidence; Config is for your own configuration monitoring.
Yes, AWS Config has a pay-per-use pricing model with no free tier. You pay per configuration item recorded ($0.003 per item in most Regions) and per Config rule evaluation (tiered, starting at $0.001 per evaluation; custom Lambda rules are billed at the same per-evaluation rate plus your Lambda invocation costs). Conformance pack evaluations are billed separately per pack evaluation. There is no upfront cost. Because configuration items are recorded on every change, costs vary with how often your resources change as well as with the number of resources and rules.
Yes, AWS Config can trigger automatic remediation actions using AWS Systems Manager Automation. When a resource is found non-compliant, Config can run a predefined remediation action, such as stopping an EC2 instance or applying a security group. This is configured in the Config rule settings under 'Remediation'. However, remediation is optional; by default, Config only records and alerts.
Go to the AWS Artifact console in the AWS Management Console. Under 'Reports', select 'SOC' and then choose the SOC 2 report. Click 'Download' to get the PDF. The report is signed by AWS and includes the auditor's opinion. You can also set up notifications for when new reports are available. Artifact is free to use.
A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed together as a single entity. It is defined using a YAML template. Conformance packs help you quickly apply a compliance framework (e.g., PCI DSS, HIPAA) across multiple accounts and Regions. Billing is per conformance pack evaluation, on top of the configuration items recorded; the rules inside a pack are not charged again as standalone rule evaluations.
Yes, AWS Artifact provides the Business Associate Addendum (BAA) under 'Agreements'. You can review and accept the BAA, which is required for HIPAA compliance. Once accepted, it applies to your account. In AWS Organizations, you can accept it for all member accounts. The BAA is free to accept.
AWS Config evaluates resources when a configuration change occurs (triggered evaluation) and on a periodic schedule (e.g., every hour). You can set the frequency for periodic evaluations (1 hour, 3 hours, 6 hours, 12 hours, or 24 hours). Some rules are only triggered by changes, while others run periodically. The evaluation mode is configurable per rule.