This chapter covers AWS Config and its managed rules, a core service for compliance auditing and security monitoring on AWS. For the CLF-C02 exam, this falls under Domain 2: Security and Compliance (Objective 2.4 – Explain compliance governance strategies). Config questions appear frequently, typically asking you to identify which service provides continuous monitoring of resource configurations and compliance with internal policies. Understanding Config rules, the difference between managed and custom rules, and how Config integrates with other services is essential for scoring well in this domain.
Jump to a section
Imagine you own a chain of restaurants. You have strict rules: refrigerators must be below 40°F, fire extinguishers must be inspected monthly, and hand-wash sinks must have soap. You can't personally check every restaurant every hour. So you hire a team of inspectors (AWS Config) who live in each restaurant full-time. They continuously monitor every fridge, extinguisher, and sink. You write down the rules (Config rules) like 'fridge temp < 40°F' or 'fire extinguisher inspection date within 30 days'. Whenever a rule is violated—say a fridge hits 45°F—the inspector instantly flags it, sends you an alert (Amazon SNS notification), and logs the violation with a timestamp and details (Config timeline). The inspector doesn't fix the problem (that's for the manager—AWS Systems Manager or Lambda), but they provide a complete history of every violation so you can prove to health inspectors that you caught and addressed issues. You can even automate responses: if a fridge is too warm, the inspector can trigger an automatic cooldown (Lambda remediation). This is exactly how AWS Config works: continuous monitoring of AWS resource configurations against rules, with a complete history of changes and compliance status.
What is AWS Config and What Problem Does It Solve?
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
Without AWS Config, tracking resource configurations across hundreds or thousands of resources is nearly impossible. Teams manually check settings, rely on scripts that run periodically, or discover misconfigurations only after a security incident. AWS Config solves this by providing a continuous, auditable record of resource configuration changes and automated compliance checks.
How AWS Config Works — The Mechanism
AWS Config works by first discovering all supported AWS resources in your account and region. It then records a configuration item (CI) for each resource every time a change occurs. A configuration item includes metadata about the resource (ARN, type, ID), its current configuration (JSON), and relationships to other resources. These CIs are stored in a configuration history file that is delivered to an Amazon S3 bucket you specify.
Config rules are the core of compliance evaluation. A Config rule is essentially a function that evaluates your resource configurations against desired settings. You can choose from over 100 AWS managed rules (pre-defined) or create custom rules using AWS Lambda. Each rule is associated with one or more resource types and a trigger type (see below). When a resource change triggers a rule evaluation, the rule returns one of these compliance states: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA.
Trigger Types: - Configuration changes: The rule is triggered when a resource that matches the rule's scope changes. For example, a rule that checks if S3 buckets have versioning enabled triggers when any S3 bucket is created or updated. - Periodic: The rule runs at a frequency you specify (every 1, 3, 6, 12, or 24 hours). Useful for rules that check external factors, like whether an IAM user has logged in within the last 90 days. - Hybrid: Some rules can be triggered by both configuration changes and periodically.
Key Tiers, Configurations, and Pricing
AWS Config has two main components: Configuration Recording and Config Rules.
Configuration Recording: - Records configuration changes for all supported resources in a region. - Stores configuration history and configuration snapshots in an S3 bucket. - Provides a configuration timeline for each resource, viewable in the AWS Config console. - Pricing: $0.003 per configuration item recorded per region (as of 2025). The first 100,000 configuration items per month are free.
Config Rules: - Managed rules: No additional cost for the rule itself, but you pay for evaluations. $0.001 per rule evaluation per region. - Custom rules: You pay for Lambda invocations in addition to the evaluation fee. - Pricing example: If you have 10 managed rules evaluating 1,000 resources each, that's 10,000 evaluations. At $0.001 per evaluation, that's $10 per month plus S3 storage costs.
Multi-Account and Multi-Region Aggregation: - AWS Config Aggregators allow you to aggregate compliance data from multiple accounts and regions into a single view. This is essential for enterprises with many accounts. - An aggregator collects configuration and compliance data from source accounts and regions, giving you a centralized dashboard.
Comparison to On-Premises or Competing Approaches
In on-premises environments, configuration management is often done with tools like Chef, Puppet, Ansible, or manual spreadsheets. These tools are typically used for provisioning and enforcing configurations, but they lack continuous auditing and historical tracking. AWS Config is different because it is not an enforcement tool (it does not prevent changes) but an auditing and monitoring tool. It records what changed, when, and by whom (via CloudTrail integration), providing a complete audit trail.
Competing AWS services include: - AWS CloudTrail: Records API calls, not resource configurations. CloudTrail tells you who made a change; Config tells you what the resource looks like after the change. - AWS Systems Manager: Can enforce configurations via State Manager, but does not provide the same historical record or compliance dashboard. - AWS Security Hub: Consumes findings from Config and other services, but does not perform the underlying configuration evaluations.
When to Use AWS Config vs Alternatives
Use AWS Config when you need:
Continuous compliance monitoring against internal policies or regulatory standards (e.g., PCI DSS, HIPAA).
A historical record of configuration changes for auditing or incident investigation.
Automated responses to non-compliant resources (via EventBridge and Lambda).
A centralized view of compliance across multiple accounts and regions.
Do not use AWS Config when:
You need to prevent changes in real time (use AWS Organizations Service Control Policies or IAM permissions).
You need to enforce configurations (use Systems Manager State Manager or AWS CloudFormation).
You only need API-level auditing (use CloudTrail).
Managed Rules Deep Dive
AWS provides over 100 managed rules that cover common security and compliance checks. Examples relevant to CLF-C02: - s3-bucket-public-read-prohibited: Checks if S3 buckets allow public read access. - iam-user-no-policies-check: Checks that IAM users do not have inline or attached policies (best practice is to use groups or roles). - restricted-common-ports: Checks if security groups allow unrestricted access to common ports (e.g., SSH port 22 from 0.0.0.0/0). - cloudtrail-enabled: Checks that CloudTrail is enabled in the region. - ec2-volume-inuse-check: Checks if EBS volumes are attached to instances (prevents orphaned volumes).
Each managed rule has a defined resource type, trigger type, and parameters you can customize. For example, the restricted-common-ports rule allows you to specify which ports to check and what CIDR range is considered 'restricted'.
Custom Rules with AWS Lambda
If a managed rule does not meet your needs, you can create a custom rule using a Lambda function. The Lambda function receives an event with the configuration item and must return a compliance result. For example, you might create a custom rule that checks if RDS instances have automated backups enabled with a retention period of at least 7 days. The Lambda function would parse the RDS configuration, check the backup retention period, and return COMPLIANT or NON_COMPLIANT.
Remediation Actions
AWS Config can automatically remediate non-compliant resources using AWS Systems Manager Automation documents. For example, if an S3 bucket becomes publicly readable, Config can trigger a Systems Manager Automation document that modifies the bucket policy to block public access. This is set up in the Config rule's remediation action section. You can also manually remediate by clicking a button in the Config console.
Integration with Other Services
Amazon S3: Configuration history and snapshots are stored in S3.
Amazon SNS: Config can send notifications when resources become non-compliant.
AWS CloudTrail: Config uses CloudTrail to capture API calls that trigger configuration changes.
AWS Lambda: Used for custom rules and remediation.
AWS EventBridge: Config sends events when compliance state changes, allowing you to trigger workflows.
AWS Security Hub: Ingests Config findings for a broader security view.
Limits and Defaults
Config supports over 100 resource types (constantly expanding).
Maximum number of Config rules per region per account: 150 (default, can be increased).
Maximum number of configuration items per resource per day: 100 (soft limit).
Configuration history files are delivered to S3 every 6 hours.
Configuration snapshots are taken every 24 hours by default (you can configure the frequency).
Enable AWS Config in a Region
First, navigate to the AWS Config console and choose a region. Click 'Get started' or 'Settings'. You must specify an S3 bucket to store configuration history and snapshots. Optionally, you can set up an SNS topic for notifications. AWS Config will start recording configuration changes for all supported resources in that region. By default, it records all resource types. You can also choose to record specific resource types to reduce costs. The recording begins immediately, and within minutes you can see a list of resources in the Config dashboard.
Add a Managed Config Rule
In the Config console, click 'Rules', then 'Add rule'. Choose 'Add managed rule' and search for a rule like 's3-bucket-public-read-prohibited'. You can leave default parameters or customize them (e.g., specify which buckets to evaluate). The rule's trigger type is usually 'Configuration changes', meaning it evaluates the rule whenever an S3 bucket is created or updated. Click 'Save'. The rule will start evaluating existing resources and new changes. Within a few minutes, you will see compliance results in the dashboard.
View Compliance Results and Timeline
Go to the Config dashboard. Under 'Resources', you can see a list of all recorded resources. Click on a resource (e.g., an S3 bucket) to see its configuration timeline. The timeline shows every configuration change with a timestamp, the configuration details, and the compliance status of each rule associated with that resource. This is invaluable for auditing: you can see exactly when a bucket became public and which rule flagged it. You can also view the overall compliance summary showing how many resources are compliant vs. non-compliant per rule.
Set Up Remediation for Non-Compliant Resources
For a Config rule that has a known remediation, you can automate fixing non-compliant resources. In the rule's details, click 'Actions', then 'Manage remediation'. Choose an AWS Systems Manager Automation document that performs the fix (e.g., 'AWS-DisableS3BucketPublicReadWrite'). Configure parameters if needed. You can choose to auto-remediate (immediately fix when non-compliant) or manual remediation (approve first). Once set, whenever a resource becomes non-compliant, Config triggers the automation document to fix it. This closes the loop from detection to correction.
Aggregate Compliance Across Accounts
If you have multiple AWS accounts, create a Config Aggregator. In the Config console, go to 'Aggregators' and click 'Add aggregator'. Choose 'Create aggregator' and specify source accounts and regions. You can add individual account IDs or use AWS Organizations to automatically include all accounts in an organization. The aggregator collects configuration and compliance data from all sources into a single dashboard. This is essential for enterprise compliance reporting. You can view a unified compliance score and drill down into specific accounts or regions.
Scenario 1: Financial Services Compliance (PCI DSS)
A fintech startup needs to comply with PCI DSS, which requires monitoring of security configurations. They enable AWS Config across all accounts and enable managed rules like 'ec2-ebs-encryption-by-default' (checks that EBS volumes are encrypted), 'cloudtrail-enabled', and 's3-bucket-logging-enabled'. They set up a custom rule to check that RDS instances have encryption at rest. The Config dashboard gives them a real-time compliance score. When a developer accidentally launches an unencrypted EBS volume, Config flags it as non-compliant and sends an alert via SNS. The security team then uses the configuration timeline to see who created the volume and when. They also set up auto-remediation using Systems Manager to automatically encrypt the volume. Cost: ~$50/month for 500 resources and 20 rules. Without Config, they would need manual audits and risk non-compliance fines.
Scenario 2: Enterprise Multi-Account Governance
A large enterprise with 200 AWS accounts uses AWS Organizations. They enable Config in every account and region, and create an aggregator in a central security account. They enable managed rules for all accounts, such as 'iam-user-no-policies-check' (enforces IAM best practices) and 'restricted-common-ports' (prevents open SSH). The central security team views compliance across all accounts from one dashboard. When a new account is created via Organizations, Config automatically starts recording and evaluating rules. They discover that several accounts have security groups allowing SSH from 0.0.0.0/0. The team uses the aggregator to identify all affected accounts and resources, then sends a notification to account owners. They also create a remediation action that automatically removes the offending rule. This central visibility is impossible without Config and the aggregator.
What Goes Wrong When Misconfigured
Common mistakes include: (1) Not enabling Config in all regions—attackers can use an unmonitored region. (2) Not setting up an SNS topic for alerts—violations go unnoticed. (3) Over-customizing rules with wrong parameters—causing false positives or missing violations. (4) Forgetting to set up remediation—non-compliant resources remain for days. (5) Not aggregating across accounts—compliance blind spots in subsidiary accounts. In one case, a company failed a PCI audit because they only monitored US East (N. Virginia) but had resources in EU (Ireland) that were not recorded.
What CLF-C02 Tests on This Objective
Domain 2: Security and Compliance, Objective 2.4: 'Explain compliance governance strategies'. The exam expects you to know:
The purpose of AWS Config: continuous monitoring and recording of AWS resource configurations.
The difference between AWS Config and AWS CloudTrail (Config records configurations; CloudTrail records API calls).
That Config rules can be managed (pre-built) or custom (using Lambda).
That Config can integrate with AWS Security Hub and AWS Systems Manager for remediation.
That Config provides configuration history and compliance snapshots.
Common managed rules: s3-bucket-public-read-prohibited, restricted-common-ports, cloudtrail-enabled.
Most Common Wrong Answers and Why
'AWS Config prevents unauthorized changes.' Wrong: Config is detective, not preventive. It detects and alerts on changes but does not block them. Candidates confuse it with IAM policies or SCPs.
'AWS Config is used for cost tracking.' Wrong: Cost tracking is AWS Cost Explorer or AWS Budgets. Config is about configurations, not costs.
'AWS Config records API calls.' Wrong: That's CloudTrail. Config records the state of resources after API calls. A common trap question: 'Which service records who made a change?' Answer: CloudTrail. 'Which service records what the resource looks like after the change?' Answer: Config.
'All Config rules are free.' Wrong: Managed rules have no upfront cost but you pay per evaluation. Custom rules incur Lambda costs. The first 100,000 configuration items are free, but evaluations are charged.
'Config automatically fixes non-compliant resources.' Wrong: Config can trigger remediation via Systems Manager Automation, but you must configure it. By default, it only evaluates and reports.
Specific Terms That Appear on the Exam
Configuration item (CI): The record of a resource's configuration at a point in time.
Configuration history: A collection of CIs for a resource over time.
Configuration snapshot: A point-in-time view of all resources in a region.
Config rule: A rule that evaluates resources against desired configurations.
Compliance state: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, INSUFFICIENT_DATA.
Aggregator: A resource that collects Config data from multiple accounts and regions.
Tricky Distinctions
Config vs. CloudTrail: Config records 'what' (resource state), CloudTrail records 'who' (API caller). Both are needed for full auditability.
Config vs. Systems Manager State Manager: State Manager enforces configurations (e.g., ensures a specific software version is installed), while Config only evaluates and reports. They can work together: Config detects drift, State Manager corrects it.
Config vs. Security Hub: Security Hub aggregates findings from multiple services (including Config) and provides a security score. Config is the source of configuration compliance data.
Decision Rule for Multiple-Choice Questions
If the question mentions 'continuous monitoring of resource configurations', 'compliance with internal policies', 'configuration history', or 'audit trail of resource changes', the answer is almost certainly AWS Config. If it mentions 'API activity' or 'who made a change', the answer is CloudTrail. If it mentions 'security findings from multiple sources', the answer is Security Hub. If it mentions 'enforcing a configuration', the answer is Systems Manager State Manager or CloudFormation.
AWS Config continuously monitors and records AWS resource configurations and changes.
Config rules evaluate resources against desired configurations; compliance states are COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA.
Managed rules are pre-built; custom rules use AWS Lambda.
Config does not automatically fix issues unless remediation is configured via Systems Manager Automation.
Config integrates with CloudTrail, SNS, EventBridge, Security Hub, and Systems Manager.
Configuration history is stored in S3; configuration snapshots are taken every 24 hours by default.
Config Aggregators allow centralized compliance viewing across multiple accounts and regions.
Common managed rules include s3-bucket-public-read-prohibited, restricted-common-ports, and cloudtrail-enabled.
Config is a detective control, not preventive; it does not block changes.
CLF-C02 tests the distinction between Config (resource configuration) and CloudTrail (API calls).
These come up on the exam all the time. Here's how to tell them apart.
AWS Config
Records resource configurations and changes over time
Evaluates compliance using rules (managed or custom)
Provides configuration history and snapshots
Can trigger remediation via Systems Manager
Priced per configuration item and per rule evaluation
AWS CloudTrail
Records API calls and user activity
Does not evaluate compliance; provides logs
Provides event history for auditing
Cannot trigger remediation directly
Priced per management event and data event
Mistake
AWS Config automatically fixes non-compliant resources.
Correct
Config only evaluates and reports compliance. To automatically remediate, you must configure a remediation action using AWS Systems Manager Automation. Without that, Config does not make any changes.
Mistake
AWS Config records all API calls made to AWS.
Correct
Config records the state of resources, not the API calls. CloudTrail records API calls. Config uses CloudTrail to detect changes that trigger evaluations, but it does not store API call logs.
Mistake
Config rules are free and unlimited.
Correct
Managed rules have no upfront cost, but you pay per rule evaluation ($0.001/evaluation). Custom rules incur Lambda costs. There is also a default limit of 150 rules per region per account.
Mistake
AWS Config can prevent a misconfiguration from happening.
Correct
Config is a detective control, not a preventive one. It detects and alerts on non-compliant configurations after they occur. To prevent changes, use IAM policies, Service Control Policies (SCPs), or AWS CloudFormation guard.
Mistake
AWS Config is only for security-related rules.
Correct
Config can evaluate any resource configuration for compliance with internal policies, which can include operational best practices, cost optimization, and tagging compliance, not just security.
AWS Config records the configuration state of your AWS resources and tracks changes over time, providing a configuration history. AWS CloudTrail records API calls made to the AWS environment, including who made the call, from where, and when. Config tells you what a resource looks like; CloudTrail tells you who changed it. Both are essential for a complete audit trail. On the exam, if the question mentions 'resource configuration changes' or 'compliance', think Config. If it mentions 'API activity' or 'user actions', think CloudTrail.
No, by default AWS Config only evaluates and reports compliance. However, you can configure remediation actions using AWS Systems Manager Automation documents. When a resource becomes non-compliant, Config can trigger an automation document that automatically fixes the issue. For example, if an S3 bucket is publicly readable, Config can invoke a document that blocks public access. You must set this up manually; it is not automatic. On the exam, remember that Config is detective, not preventive, unless remediation is explicitly configured.
AWS Config has two main pricing components: configuration recording and rule evaluations. Configuration recording costs $0.003 per configuration item recorded per region (first 100,000 items free per month). Rule evaluations cost $0.001 per evaluation per region. Custom rules also incur AWS Lambda charges. There are no upfront costs. For example, if you have 10 rules evaluating 1,000 resources each, that's 10,000 evaluations per month at $10. The exam may ask about pricing, so know the free tier limits and per-item costs.
Yes, you can use an AWS Config Aggregator to aggregate configuration and compliance data from multiple AWS accounts and regions into a single view. The aggregator can be set up to pull data from individual account IDs or automatically from all accounts in an AWS Organization. This is essential for enterprise governance. On the exam, if a question asks how to view compliance across all accounts, the answer is a Config Aggregator.
Managed rules are pre-defined Config rules provided by AWS that check for common best practices and security configurations. Examples include 's3-bucket-public-read-prohibited' (checks for public read on S3 buckets), 'restricted-common-ports' (checks security group rules), and 'cloudtrail-enabled' (checks if CloudTrail is on). You can deploy them with a few clicks and customize parameters. They are free to use, but you pay for evaluations. The exam expects you to recognize these rule names and their purposes.
A configuration item (CI) is the record of a resource's configuration at a specific point in time. It includes metadata (ARN, type, region), the configuration details in JSON, and relationships to other resources. When a resource changes, Config creates a new CI. The collection of CIs over time forms the configuration history. CIs are stored in an S3 bucket you specify. On the exam, know that a CI is the fundamental unit of data in AWS Config.
AWS Config uses AWS CloudTrail to detect changes to resources. When an API call is made that modifies a supported resource, CloudTrail records the event. Config then picks up that event and records the new configuration state of the resource. This is why CloudTrail must be enabled for Config to work properly. The exam may test this integration: Config relies on CloudTrail for change detection.
You've just covered AWS Config Rules and Compliance — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?