This chapter covers AWS Config Rules and Conformance Packs, which are essential for continuous compliance monitoring in AWS. For the SOA-C02 exam, approximately 10-15% of questions in the Security domain (Objective 4.2) test your ability to configure, evaluate, and troubleshoot managed and custom Config rules, as well as deploy conformance packs. Mastering these concepts is critical because the exam expects you to understand how to automate compliance checks, remediate violations, and manage rules at scale using AWS Organizations.
Jump to a section
Imagine a large office building with hundreds of rooms, each room representing an AWS resource (EC2, S3 bucket, IAM role). The building code (compliance rules) says every room must have a fire extinguisher, exit signs, and no blocked hallways. Instead of hiring human inspectors to walk around checking each room manually, you install automated sensor kits in every room that continuously monitor these conditions. Each sensor kit is a Config rule—a piece of logic that checks a specific requirement. When a sensor detects a violation (e.g., a missing fire extinguisher), it sends an alert to the central security console (AWS Config dashboard) and can even trigger an automatic response, like a janitor bot that places a fire extinguisher. Conformance packs are like pre-assembled bundles of sensor kits tailored for specific types of buildings (e.g., a hospital requires more stringent rules than a warehouse). You deploy a conformance pack to apply a standardized set of rules across all rooms, ensuring consistent compliance without manual effort. Just as sensors don't prevent fires but detect hazards, Config rules don't block noncompliant actions—they evaluate resources after they exist and report compliance status.
What is AWS Config and Why Does It Exist?
AWS Config is a fully managed service that provides a detailed inventory of your AWS resources and continuously records configuration changes. It enables you to evaluate resource configurations against desired policies using Config rules. The primary purpose is to achieve compliance auditing, security analysis, and operational troubleshooting. Without Config, you would need to manually audit resources using scripts or third-party tools, which is error-prone and does not scale.
How Config Rules Work Internally
A Config rule is essentially a Lambda function (or a built-in function) that evaluates whether a resource configuration complies with a policy. When you enable a Config rule, AWS Config triggers evaluations based on: - Configuration changes: Whenever a supported resource is created, updated, or deleted, Config records the change and invokes the rule's evaluation function. - Periodic evaluations: You can set a frequency (e.g., every 1, 3, 6, 12, or 24 hours) for rules that need to check resources regardless of changes.
The evaluation function receives a JSON payload containing the resource's configuration and metadata. It returns a compliance status: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA. The rule can also include remediation actions using AWS Systems Manager Automation documents.
Key Components, Values, Defaults, and Timers
- Managed Rules: Pre-built rules provided by AWS (e.g., s3-bucket-public-read-prohibited). They cover common compliance frameworks like PCI DSS, HIPAA, and CIS Benchmarks.
- Custom Rules: You write your own evaluation logic in a Lambda function. You define the rule in JSON or YAML and associate it with the Lambda ARN.
- Trigger Types:
- Configuration changes: Evaluates when a resource changes. Supported for resources listed in the Config resource schema.
- Periodic: Evaluates at a fixed interval (e.g., TwentyFour_Hours).
- Evaluation Results: Config stores the latest compliance status for each resource-rule pair. You can view results in the console or via API.
- Remediation: You can associate a Systems Manager Automation document (SSM doc) with a rule. When a resource is noncompliant, you can automatically run remediation (e.g., attach a policy, stop an instance). Manual or automatic remediation can be triggered.
- Aggregators: For multi-account/region compliance, use an aggregator to collect compliance data from multiple accounts and regions into a single view.
Configuration and Verification Commands
To create a managed rule using AWS CLI:
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "s3-bucket-public-read-prohibited",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
}'To create a custom rule:
aws configservice put-config-rule --config-rule '{
"ConfigRuleName": "check-ec2-tags",
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:my-tag-check",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"Scope": {
"ComplianceResourceTypes": ["AWS::EC2::Instance"]
}
}'To list compliance status:
aws configservice get-compliance-details-by-config-rule --config-rule-name s3-bucket-public-read-prohibitedConformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed together as a single entity. It uses a YAML or JSON template to define the rules, parameters, and remediation. Conformance packs are especially useful for implementing standardized compliance across multiple accounts using AWS Organizations. You can deploy a conformance pack to an entire organization, specific OUs, or individual accounts.
Key points:
Conformance packs support managed rules, custom rules, and remediation actions.
They can include parameters to customize rule behavior (e.g., the required tag key).
When you deploy a conformance pack, AWS Config creates the rules defined in the template.
You can update a conformance pack by deploying a new version; AWS Config updates the rules accordingly.
Conformance packs are regional; you must deploy them in each region where you need compliance.
You can use AWS-provided sample conformance pack templates for common frameworks (e.g., Operational-Best-Practices-for-HIPDA).
Interaction with Related Technologies
AWS Config + AWS Organizations: Use PutOrganizationConformancePack to deploy a conformance pack to all accounts in an organization. This requires trusted access with AWS Config enabled.
AWS Config + AWS Security Hub: Security Hub consumes Config rule findings as security checks. Enable Config recording and rules to populate Security Hub controls.
AWS Config + AWS Systems Manager: Remediation actions are defined as SSM Automation documents. You can create custom documents or use AWS-managed ones.
AWS Config + AWS CloudTrail: CloudTrail logs API calls that change resources; Config records the state after the change. Together they provide a complete audit trail.
Common Pitfalls
Resource scope: A rule that does not specify a resource scope will evaluate all supported resources in the region, which can increase costs and evaluation time.
Trigger type mismatch: For rules that need to evaluate on changes, use the ConfigurationItemChangeNotification trigger. For periodic checks, use ScheduledNotification.
Lambda permissions: Custom rules require a resource-based policy on the Lambda function allowing Config to invoke it. Without it, the rule will show INSUFFICIENT_DATA.
Conformance pack limits: Maximum of 50 conformance packs per account per region, and each pack can contain up to 400 rules. Exceeding these limits causes deployment failures.
Step-by-Step: Deploying a Conformance Pack
Prepare the template – Write a YAML/JSON template defining rules and remediation.
Upload to S3 – Conformance pack templates must be stored in an S3 bucket in the same region.
Deploy via Console/CLI – Use put-conformance-pack command or the console to deploy.
Verify rules created – Check the Config console for the rules created by the conformance pack.
Monitor compliance – Use aggregator to view compliance across accounts.
Define Compliance Requirements
First, identify the specific compliance standards your organization must meet, such as PCI DSS, HIPAA, or CIS Benchmarks. For each requirement, determine which AWS resources are in scope and what configuration attributes must be checked. For example, a PCI requirement might mandate that all S3 buckets block public access. This step involves mapping each requirement to a potential Config rule (managed or custom). Document the expected compliance state for each resource type.
Create or Select Config Rules
Choose managed rules from the AWS Config managed rules library if they match your requirements. Managed rules are maintained by AWS and cover many common checks. If no managed rule exists, create a custom rule using a Lambda function. The Lambda function receives a ConfigurationItem object and must return a compliance evaluation. Ensure the Lambda function has the necessary IAM role to read resource configurations and write compliance results.
Deploy Rules and Configure Triggers
Use the AWS CLI, SDK, or CloudFormation to deploy each rule. Specify the trigger type: either configuration changes (evaluates on every resource change) or periodic (evaluates at a set interval). For configuration change triggers, Config automatically invokes the rule when a resource changes. For periodic triggers, set a frequency (e.g., 24 hours). Be mindful of costs: more frequent evaluations incur higher charges.
Set Up Remediation Actions
For noncompliant resources, you can automate remediation using AWS Systems Manager Automation documents. Create an SSM document that performs the corrective action (e.g., attach a policy, stop an instance). Associate the document with the Config rule. You can choose to run remediation automatically when a resource becomes noncompliant, or manually approve it. Ensure the Automation execution role has permissions to modify the target resources.
Deploy Conformance Packs for Multi-Account
If managing multiple accounts, create a conformance pack template that includes all desired rules and remediation. Store the template in an S3 bucket. Use `put-organization-conformance-pack` to deploy to all accounts in your AWS Organization. This ensures consistent compliance across the entire organization. Monitor the deployment status in the Config console.
Monitor and Remediate Continuously
Regularly review compliance dashboard in AWS Config. Use Config aggregators to get a cross-account, cross-region view. Set up Amazon EventBridge rules to trigger notifications on compliance state changes. For example, send an SNS alert when a resource becomes noncompliant. Periodically review and update rules as new resources or requirements emerge. Use Config's advanced queries to find noncompliant resources quickly.
Enterprise Scenario 1: PCI DSS Compliance for a Payment Processing Company
A company processing credit card transactions must comply with PCI DSS. They use hundreds of EC2 instances, S3 buckets, and RDS databases across multiple accounts. The security team needs to ensure that:
All S3 buckets block public access.
EC2 instances do not have public IP addresses.
RDS instances are encrypted at rest.
Security groups do not allow unrestricted inbound SSH (port 22).
They deploy AWS Config with managed rules such as s3-bucket-public-read-prohibited, ec2-instance-no-public-ip, rds-storage-encrypted, and restricted-ssh. They create a conformance pack template that includes these rules and deploy it to all accounts using AWS Organizations. For any noncompliant resources, they set up automatic remediation via SSM Automation: for example, automatically attaching a policy to block public access on S3 buckets. They also configure Config aggregators in a central audit account to view compliance across all accounts. Common issues: forgetting to enable Config recording in all regions, or not granting the Config recorder role sufficient permissions to describe resources.
Enterprise Scenario 2: Tagging Compliance for a Large Enterprise
A multinational corporation requires all resources to have specific tags (e.g., CostCenter, Environment, Owner) for cost allocation and governance. They have thousands of resources across hundreds of accounts. They create a custom Config rule that checks for the presence and value of required tags on EC2 instances, volumes, and S3 buckets. The rule triggers on configuration changes and runs periodically every 6 hours. They deploy this rule via a conformance pack to all accounts. When a resource is missing a tag, an automatic remediation runs a Lambda function that adds the missing tag with a default value. However, they must ensure the remediation Lambda has permissions to tag resources across accounts. Performance: with thousands of resources, the evaluation time is manageable but they need to monitor Lambda concurrency limits. Misconfiguration: if the rule's scope is not set correctly, it may evaluate unsupported resources and return NOT_APPLICABLE, causing confusion.
Scenario 3: CIS Benchmark Compliance for a Financial Institution
A bank must adhere to the CIS AWS Foundations Benchmark. They use the AWS-provided conformance pack template Operational-Best-Practices-for-CIS-AWS-Foundations-Benchmark. This template includes over 40 rules covering IAM, logging, monitoring, and networking. They deploy it to their production and non-production accounts. They customize parameters such as the SNS topic ARN for alerts. They also enable automatic remediation for critical rules, like enabling CloudTrail in all regions. However, they discover that some rules conflict with existing configurations (e.g., the CIS rule requiring VPC flow logs enabled on all VPCs causes noncompliance for VPCs that intentionally disable flow logs due to cost). They create exemptions by using Config rule parameters to exclude certain resources. They also use Config advanced queries to generate custom reports for auditors.
What SOA-C02 Tests on Config Rules and Conformance Packs
The exam objective 4.2 (Manage security and compliance) specifically tests your ability to:
Implement and validate AWS Config rules (managed and custom).
Deploy conformance packs using AWS Organizations.
Troubleshoot compliance evaluation failures.
Configure remediation actions.
Common Wrong Answers and Why Candidates Choose Them
"Config rules can prevent noncompliant actions" – This is false. Config rules are detective, not preventive. They evaluate resources after they are created. Candidates confuse Config with Service Control Policies (SCPs) or IAM policies that can deny actions.
"Custom rules must be written in Python" – AWS Lambda supports multiple languages; the exam does not restrict to Python. Candidates may assume Python because of common examples, but any Lambda runtime works.
"Conformance packs are global" – Conformance packs are regional. To cover multiple regions, you must deploy them in each region. Candidates might think they are global like CloudFront.
"Remediation is automatic by default" – When you associate a remediation action, it is not automatically triggered. You must set the action to automatic or manual. The default is manual.
Specific Numbers and Terms Appearing on the Exam
Maximum number of conformance packs per account per region: 50.
Maximum number of rules per conformance pack: 400.
Periodic evaluation frequencies: 1, 3, 6, 12, or 24 hours (the exact strings used in API: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours).
Managed rule source identifiers: e.g., S3_BUCKET_PUBLIC_READ_PROHIBITED, EC2_INSTANCE_NO_PUBLIC_IP.
Trigger types: ConfigurationItemChangeNotification and ScheduledNotification.
Compliance values: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, INSUFFICIENT_DATA.
Edge Cases and Exceptions
If a custom rule Lambda function returns an error or times out (default timeout 3 seconds, max 5 minutes), the evaluation result is INSUFFICIENT_DATA.
If the Config recorder is not recording the resource type that a rule evaluates, the rule will have no data and show NOT_APPLICABLE for that resource.
Conformance pack deployment can fail if the template exceeds 50 KB or references an invalid SSM document.
When using PutOrganizationConformancePack, you must enable trusted access between AWS Config and AWS Organizations.
How to Eliminate Wrong Answers
If a question asks about preventing a noncompliant resource from being created, the answer is NOT Config – it is SCP or IAM.
If a question mentions deploying rules to all accounts in an organization, the correct approach is PutOrganizationConformancePack or using an aggregator, not manually creating rules in each account.
For custom rules, remember that the Lambda function must have a resource-based policy allowing Config to invoke it. Without it, the rule will never trigger.
When troubleshooting INSUFFICIENT_DATA, check that the rule's trigger type matches the resource changes, and that the Lambda function has correct permissions and is not throwing errors.
Config rules are detective; they evaluate resources after creation and report compliance status.
Managed rules are provided by AWS; custom rules use Lambda functions.
Trigger types: configuration changes or periodic (1, 3, 6, 12, 24-hour intervals).
Compliance values: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, INSUFFICIENT_DATA.
Conformance packs are regional; max 50 per account per region, max 400 rules per pack.
Remediation uses SSM Automation documents; default is manual.
Use OrganizationConformancePack to deploy to all accounts in AWS Organizations.
Custom rules require a resource-based policy on Lambda allowing Config invocation.
Config aggregators provide cross-account, cross-region compliance view.
If a rule returns INSUFFICIENT_DATA, check Lambda permissions, timeouts, and trigger configuration.
These come up on the exam all the time. Here's how to tell them apart.
Managed Config Rules
Pre-built by AWS; no coding required.
Cover common compliance frameworks (CIS, HIPAA, etc.).
Maintained by AWS; updates automatically.
Cannot customize logic beyond parameters.
Limited to checks that AWS has implemented.
Custom Config Rules
Written by you using Lambda functions.
Can implement any custom logic.
You maintain the Lambda code and handle updates.
Full control over evaluation logic and output.
Requires additional IAM and Lambda setup.
Mistake
AWS Config rules can block noncompliant resource creation.
Correct
Config rules are detective, not preventive. They evaluate resources after they exist and report compliance. To prevent creation, use Service Control Policies (SCPs) or IAM policies.
Mistake
Custom Config rules must be written in Python.
Correct
Custom rules can use any Lambda-supported runtime (Python, Node.js, Java, Go, etc.). The exam does not mandate a specific language.
Mistake
Conformance packs are globally deployed across all regions automatically.
Correct
Conformance packs are regional. You must deploy them in each region where you want compliance checks. They are not global.
Mistake
Remediation actions run automatically as soon as a resource becomes noncompliant.
Correct
By default, remediation is manual. You must explicitly set the action to automatic (e.g., via the console or API) to trigger it automatically.
Mistake
A Config rule evaluates all resources in the account by default.
Correct
A rule evaluates only the resource types specified in its scope. If no scope is defined, it evaluates all supported resources in the region. You can limit scope to specific resource types or even specific resources.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, write a Lambda function that receives a ConfigurationItem and returns a compliance evaluation. The function must have an IAM role with permissions to read resource configurations. Then, use the AWS Config console or CLI to create a rule with Owner = CUSTOM_LAMBDA and the Lambda ARN. Specify trigger type (configuration change or periodic). Finally, ensure the Lambda function has a resource-based policy that allows Config to invoke it. Test by creating a resource that should be noncompliant.
A Config rule is a single compliance check. A conformance pack is a collection of multiple Config rules (and optionally remediation actions) that can be deployed together using a template. Conformance packs are designed for multi-account/region deployments and enable consistent compliance across an organization. You can think of a conformance pack as a bundle of rules that you deploy as a unit.
Yes, by associating a remediation action with the rule. Remediation uses AWS Systems Manager Automation documents. You can set the remediation to run automatically when a resource becomes noncompliant, or manually. For automatic remediation, you must enable automatic remediation in the rule settings. The Automation document must have permissions to modify the resource.
Use an AWS Config aggregator. An aggregator collects compliance data from multiple accounts and regions into a single view. You can create an aggregator in a central account and authorize source accounts to share data. Alternatively, use conformance packs deployed via AWS Organizations to get aggregated compliance data in the organization's management account.
This means the rule could not evaluate the resource. Common causes: (1) The Lambda function does not have permission to be invoked by Config (missing resource policy). (2) The Lambda function timed out or threw an error. (3) The rule's trigger type does not match the resource changes (e.g., periodic rule but resource never changes). (4) The Config recorder is not recording the resource type. Check the Lambda logs in CloudWatch for errors.
Per account per region: maximum 50 conformance packs. Each conformance pack can contain up to 400 rules. The template file size must be less than 50 KB. If you exceed these limits, deployment will fail. You can request service quota increases.
Use the AWS CLI command `aws configservice put-organization-conformance-pack` or the AWS Console. You must have trusted access enabled between AWS Config and AWS Organizations. The template must be stored in an S3 bucket in the same region. This will deploy the conformance pack to all current and future accounts in the organization.
You've just covered AWS Config Rules and Conformance Packs — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?