AWS Config
Track resource configurations and compliance over time
Config is like a security camera system that records every change to your AWS resources. It tracks configuration history: 'who changed this security group and when?' or 'what did this S3 bucket's settings look like last month?' Config also evaluates resources against rules: 'are all EBS volumes encrypted?' or 'do all EC2 instances have approved AMIs?' It's like having a compliance auditor who continuously checks your infrastructure and alerts you when something violates your policies. Perfect for security, compliance, and troubleshooting, since you can see exactly what changed and when.
Config records configuration changes as configuration items (CIs) stored in S3. It creates a configuration timeline showing resource state over time. Config Rules evaluate resources against desired configurations; AWS provides managed rules (pre-built) and you can create custom rules (Lambda functions). Rules can be triggered by configuration changes or run periodically.
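A custom rule is just a Lambda function that receives the configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports back with PutEvaluations. The following is an added example, not code from AWS or from this page: it checks that an EBS volume is encrypted and, optionally, with a specific KMS key. The `requiredKmsKeyArn` rule parameter and the sample event are assumptions made up for the illustration; the `encrypted` and `kmsKeyId` field names follow the AWS::EC2::Volume configuration item, and the event shape (`invokingEvent`, `ruleParameters`, `resultToken`) is what Config sends to a Lambda-backed rule.

```python
"""Added example (not AWS code): a Lambda-backed custom AWS Config rule that
marks EBS volumes NON_COMPLIANT unless they are encrypted (optionally with a
specific KMS key)."""
import json


def evaluate_compliance(configuration_item: dict, rule_parameters: dict) -> tuple[str, str]:
    """Return (compliance_type, annotation) for one configuration item.

    Only AWS::EC2::Volume is evaluated; any other resource type is NOT_APPLICABLE,
    as is a deleted resource (Config still delivers a final CI for deletions).
    """
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") in (
        "ResourceDeleted", "ResourceDeletedNotRecorded",
    ):
        return "NOT_APPLICABLE", "Resource has been deleted"

    cfg = configuration_item.get("configuration") or {}
    if not cfg.get("encrypted", False):
        return "NON_COMPLIANT", "EBS volume is not encrypted"

    # Hypothetical rule parameter: when set, the volume must use exactly this key.
    required_key = rule_parameters.get("requiredKmsKeyArn")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", f"Volume is encrypted with a key other than {required_key}"
    return "COMPLIANT", "EBS volume is encrypted"


def build_evaluation(event: dict) -> dict:
    """Turn the Config invocation event into one Evaluation entry for PutEvaluations.

    invokingEvent and ruleParameters arrive as JSON strings, not dicts.
    """
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(ci, params)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on each configuration change."""
    import boto3  # imported here so the pure evaluation logic runs without the SDK

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event (not a real capture) for exercising the logic locally.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:22:31.000Z",
            "configuration": {"encrypted": False, "kmsKeyId": None},
        },
    }),
    "ruleParameters": json.dumps({"requiredKmsKeyArn": ""}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the decision in a pure function (`evaluate_compliance`) and the SDK call in the handler makes the rule unit-testable offline; the handler's Lambda role needs `config:PutEvaluations`, and the function must be invokable by `config.amazonaws.com` for the rule to run at all.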
Key Capabilities
- Records the full configuration history of every AWS resource over time, giving you a point-in-time snapshot of what any resource looked like at any past moment
- Config Rules evaluate resources against desired configuration states; rules can be AWS Managed (150+ pre-built) or Custom (Lambda-backed logic)
- Conformance Packs bundle multiple rules into a single deployable unit aligned to compliance frameworks including CIS, PCI-DSS, and HIPAA
- Remediation actions automatically fix non-compliant resources using Systems Manager Automation runbooks triggered by a rule evaluation
- Multi-account and multi-region aggregation consolidates compliance data from all accounts and regions into a single aggregator account
- Configuration change timeline visualization shows the sequence of configuration changes on a resource alongside CloudTrail events for correlation during incident investigation
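The "who changed this security group and when" question in the introduction and the timeline/CloudTrail correlation in the last bullet come down to diffing consecutive configuration items and joining each one's `relatedEvents` (CloudTrail event IDs) against CloudTrail. The code below is an added example, not code from AWS or from this page. It works on the `configurationItems` list that GetResourceConfigHistory returns (where `configuration` is a JSON string) and on a small CloudTrail lookup table; the security group history, the event IDs, the account ID and the principals are all constructed for the illustration.

```python
"""Added example (not AWS code): build a change timeline for one resource from
its Config history and attribute each change via the related CloudTrail events."""
import json
from typing import Any


def _flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into dotted paths so two CIs can be diffed key by key."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(_flatten(value, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def _configuration(ci: dict) -> dict:
    """GetResourceConfigHistory returns `configuration` as a JSON string; accept both."""
    cfg = ci.get("configuration") or {}
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def diff_configurations(older: dict, newer: dict) -> list[dict]:
    """List every path whose value was added, removed or changed between two CIs."""
    before, after = _flatten(older), _flatten(newer)
    changes = []
    for path in sorted(set(before) | set(after)):
        if (path in before) != (path in after) or before.get(path) != after.get(path):
            changes.append({"path": path, "before": before.get(path), "after": after.get(path)})
    return changes


def change_timeline(items: list[dict], cloudtrail_index: dict) -> list[dict]:
    """Order CIs oldest-first and emit one entry per transition with its actors.

    cloudtrail_index maps a CloudTrail event ID to a dict with an 'actor' key
    (the userIdentity ARN); in practice it is filled from CloudTrail LookupEvents.
    """
    ordered = sorted(items, key=lambda ci: ci["configurationItemCaptureTime"])
    timeline = []
    for prev, cur in zip(ordered, ordered[1:]):
        actors = [cloudtrail_index.get(eid, {}).get("actor", "unknown")
                  for eid in cur.get("relatedEvents", [])]
        timeline.append({
            "capturedAt": cur["configurationItemCaptureTime"],
            "changes": diff_configurations(_configuration(prev), _configuration(cur)),
            "cloudTrailEventIds": cur.get("relatedEvents", []),
            "actors": actors,
        })
    return timeline


def world_open_changes(timeline: list[dict]) -> list[dict]:
    """Detection helper: transitions in which some ingress range became 0.0.0.0/0."""
    return [entry for entry in timeline
            if any(c["path"].endswith("cidrIp") and c["after"] == "0.0.0.0/0"
                   for c in entry["changes"])]


# Constructed sample history for one security group (not a real capture); the
# order is deliberately mixed, as the API's default is newest-first.
_SSH_INTERNAL = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}
_SSH_WORLD = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}


def _ci(captured: str, event_id: str, permissions: list[dict]) -> dict:
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0abc1234",
            "configurationItemCaptureTime": captured, "relatedEvents": [event_id],
            "configuration": json.dumps({"groupName": "web", "ipPermissions": permissions})}


SAMPLE_HISTORY = [
    _ci("2024-01-15T10:22:31Z", "evt-2", [_SSH_INTERNAL, _SSH_WORLD]),
    _ci("2024-01-10T09:00:00Z", "evt-1", [_SSH_INTERNAL]),
    _ci("2024-01-16T08:00:00Z", "evt-3", [_SSH_INTERNAL]),
]

# Constructed CloudTrail lookup table keyed by event ID (account ID is a placeholder).
CLOUDTRAIL_INDEX = {
    "evt-1": {"eventName": "CreateSecurityGroup", "actor": "arn:aws:iam::111122223333:user/platform-admin"},
    "evt-2": {"eventName": "AuthorizeSecurityGroupIngress", "actor": "arn:aws:iam::111122223333:user/dev-user"},
    "evt-3": {"eventName": "RevokeSecurityGroupIngress", "actor": "arn:aws:iam::111122223333:user/security-oncall"},
}

if __name__ == "__main__":
    for entry in change_timeline(SAMPLE_HISTORY, CLOUDTRAIL_INDEX):
        print(entry["capturedAt"], entry["actors"], [c["path"] for c in entry["changes"]])
    print("world-open transitions:", [e["capturedAt"] for e in world_open_changes(
        change_timeline(SAMPLE_HISTORY, CLOUDTRAIL_INDEX))])
```

Diffing by list index is a simplification: if a rule is removed from the middle of `ipPermissions`, every later rule shifts and shows up as changed, so for security groups in particular a production version would diff the rules as a set instead. Note also that `relatedEvents` is only populated when Config could correlate the CI with CloudTrail, so the actor can legitimately be `unknown`.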
Gotchas & Constraints
- Gotcha #1: Config charges per configuration item recorded and per rule evaluation, and costs can add up in large environments.
- Gotcha #2: Config records configuration, not data; it won't show S3 object contents, only bucket settings.
- Constraints: Maximum 1,000 Config Rules per region, configuration items retained indefinitely in S3 (you pay S3 storage costs), and rule evaluation can take several minutes.
A financial services company must prove compliance with PCI DSS and SOC 2. Auditors ask: 'Are all S3 buckets encrypted? Are all databases in private subnets? Do all EC2 instances have approved AMIs?' Manually checking 1,000 resources across 20 accounts is impossible. They enable AWS Config in all accounts and regions, creating an aggregator in a central compliance account. They deploy a conformance pack for PCI DSS: Config automatically creates 50+ rules checking encryption, network isolation, logging, and access controls. Config evaluates all resources and shows 200 non-compliant items: 50 unencrypted S3 buckets, 30 databases in public subnets, 120 instances with unapproved AMIs. They configure automatic remediation: Config triggers Systems Manager to enable S3 encryption and terminate non-compliant instances. For audits, they export Config compliance reports showing 100% compliance. When a developer accidentally makes an S3 bucket public, Config detects it within 10 minutes and sends an SNS alert.
The Result
Continuous compliance monitoring, automated remediation, and audit-ready reports.