Inventory, timeline, rules, and automated remediation for your AWS footprint
AWS Config continuously records configuration changes to supported resources and evaluates them against rules you select. It answers questions such as "What did this security group look like last Tuesday?" and "Which S3 buckets are non-compliant right now?" Results feed compliance reporting, drift detection, and Security Hub.
The configuration recorder captures point-in-time configuration items and relationships (for example, which ENI is attached to which instance). Enable recording in each Region you operate; use the service-linked role and delivery channel to an S3 bucket for history and audit.
| Rule identifier | Intent |
|---|---|
| S3_BUCKET_PUBLIC_READ_PROHIBITED | Fails if bucket ACLs or policies allow public read. |
| IAM_PASSWORD_POLICY | Checks the account password policy for length, complexity, reuse, and max age. |
| EC2_SECURITY_GROUP_ATTACHED_TO_ENI | Detects unused security groups (cleanup hygiene). |
| ROOT_ACCOUNT_MFA_ENABLED | Ensures the root user has MFA. |
Use a Lambda-backed custom Config rule, or a custom policy rule written in CloudFormation Guard syntax where supported, to express organization-specific logic: tagging standards, allowed AMIs, encryption requirements, or cross-resource constraints. A custom rule reports one of COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE for each evaluated resource.
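A change-triggered, Lambda-backed custom rule that enforces a tagging standard, as an added example (not AWS sample code): the tag set, allowed Environment values and in-scope resource types are assumptions for illustration, and the sample event is constructed rather than captured from an account.

```python
import json

# Tagging standard assumed for this example (hypothetical): in-scope resources must
# carry every tag in REQUIRED_TAGS, and Environment must be one of ALLOWED_ENV.
REQUIRED_TAGS = {"Owner", "Environment", "DataClassification"}
ALLOWED_ENV = {"prod", "staging", "dev"}
IN_SCOPE_TYPES = {"AWS::EC2::Instance", "AWS::EC2::SecurityGroup"}

def evaluate_item(ci):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("resourceType") not in IN_SCOPE_TYPES:
        return "NOT_APPLICABLE", "Resource type not covered by the tagging standard"
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    tags = ci.get("tags") or {}
    missing = sorted(REQUIRED_TAGS - set(tags))
    if missing:
        return "NON_COMPLIANT", "Missing required tags: " + ", ".join(missing)
    if tags["Environment"] not in ALLOWED_ENV:
        return "NON_COMPLIANT", "Environment tag '%s' not in %s" % (tags["Environment"], sorted(ALLOWED_ENV))
    return "COMPLIANT", "All required tags present and valid"

def build_evaluation(event):
    """Turn a change-triggered Config invocation into one PutEvaluations entry."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    if event.get("eventLeftScope"):  # resource no longer matches the rule's scope
        compliance, annotation = "NOT_APPLICABLE", "Resource left rule scope"
    else:
        compliance, annotation = evaluate_item(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations over 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point Config invokes; reports the verdict back under the result token."""
    import boto3  # imported here so the evaluation logic above is testable without the SDK
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

SAMPLE_EVENT = {  # constructed sample invocation, not captured from a real account
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example", "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z", "tags": {"Owner": "team-a", "Environment": "qa"}}}),
    "resultToken": "example-token", "eventLeftScope": False}
```

Running `build_evaluation(SAMPLE_EVENT)` yields NON_COMPLIANT with the annotation naming the missing DataClassification tag; the handler itself needs the Config execution role's `config:PutEvaluations` permission.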
Conformance packs bundle a set of Config rules and optional remediation documents for a framework slice (for example CIS AWS Foundations, operational security baselines). Deploy packs from Organizations management accounts to standardize guardrails across OUs.
Attach SSM Automation documents or custom automation to non-compliant findings: auto-enable S3 Block Public Access, revoke overly permissive SG rules, enable encryption by default. Always test in a sandbox account first, and require manual approval for destructive fixes.
Config sends rule evaluations to Security Hub as controls and findings in the standardized format. Hub lets you deduplicate, score, and route alongside GuardDuty and Inspector for a unified risk queue.