{"id":259,"date":"2026-04-13T09:42:27","date_gmt":"2026-04-13T09:42:27","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/"},"modified":"2026-04-13T09:42:27","modified_gmt":"2026-04-13T09:42:27","slug":"aws-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/","title":{"rendered":"AWS Config Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Management and governance"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Management and governance<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

AWS Config is an AWS Management and governance service that continuously records your AWS resource configurations, tracks how they change over time, and evaluates those configurations against rules you define.<\/p>\n\n\n\n

In simple terms: AWS Config is \u201cconfiguration history + compliance checks for AWS resources.\u201d It helps you answer questions like: What changed? When? Who\/what might have caused it? Is this resource compliant with our standards?<\/em><\/p>\n\n\n\n

Technically, AWS Config uses a configuration recorder<\/strong> in each AWS Region to capture configuration items (metadata about supported AWS resources). It delivers these items to an Amazon S3 bucket<\/strong> (and optionally publishes notifications to Amazon SNS<\/strong>) and can evaluate recorded resources with AWS Config Rules<\/strong> and Conformance Packs<\/strong>. You can aggregate data across accounts and Regions with a configuration aggregator<\/strong>, query it with advanced queries<\/strong>, and integrate it with services like AWS Organizations<\/strong>, Amazon EventBridge<\/strong>, AWS Systems Manager<\/strong>, and AWS Security Hub<\/strong>.<\/p>\n\n\n\n

The problem AWS Config solves is governance at scale: maintaining visibility and control over how<\/em> your cloud infrastructure is configured\u2014across accounts, Regions, and teams\u2014without relying on ad-hoc scripts or manual audits.<\/p>\n\n\n\n

2. What is AWS Config?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

AWS Config is designed to help you assess, audit, and evaluate<\/strong> the configurations of your AWS resources. It provides resource inventory<\/strong>, configuration history<\/strong>, change notifications<\/strong>, and compliance evaluation<\/strong> against your desired configuration rules.<\/p>\n\n\n\n

Official docs: https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/WhatIsConfig.html<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n

Key capabilities include:<\/p>\n\n\n\n

    \n
  • Configuration recording<\/strong> of supported resource types (configuration items).<\/li>\n
  • Configuration history<\/strong> and resource timeline<\/strong> for change analysis.<\/li>\n
  • Configuration snapshots<\/strong> (point-in-time exports).<\/li>\n
  • Compliance evaluation<\/strong> using:<\/li>\n
  • AWS managed rules<\/strong><\/li>\n
  • Custom rules<\/strong> (typically backed by AWS Lambda)<\/li>\n
  • Conformance Packs<\/strong> (collections of rules)<\/li>\n
  • Remediation<\/strong> support (commonly through AWS Systems Manager Automation for managed remediation actions).<\/li>\n
  • Notifications<\/strong> of configuration and compliance changes (SNS \/ EventBridge integrations).<\/li>\n
  • Multi-account and multi-Region aggregation<\/strong> using configuration aggregators.<\/li>\n
  • Querying<\/strong> across your recorded configuration data using AWS Config advanced queries<\/strong> (SQL-like query language for supported resource properties).<\/li>\n<\/ul>\n\n\n\n

    Major components<\/h3>\n\n\n\n
      \n
    • Configuration recorder<\/strong>: Collects configuration changes for selected resource types in a Region.<\/li>\n
    • Delivery channel<\/strong>: Sends configuration items and snapshots to an S3 bucket; can also send notifications to an SNS topic.<\/li>\n
    • Configuration item (CI)<\/strong>: The recorded representation of a resource\u2019s configuration at a point in time.<\/li>\n
    • AWS Config Rules<\/strong>: Evaluate whether resources comply with desired settings.<\/li>\n
    • Conformance Packs<\/strong>: Packaged sets of rules and optional remediation settings to enforce standards at scale.<\/li>\n
    • Configuration aggregator<\/strong>: Central view across accounts\/Regions (often in a security or governance account).<\/li>\n
    • Remediation actions<\/strong>: Automated fixes triggered for noncompliance (often via Systems Manager).<\/li>\n
    • Advanced queries<\/strong>: Search and analyze configuration state across resources.<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n

      AWS Config is a managed governance service<\/strong>. You don\u2019t deploy servers for it; you configure it and AWS runs the recording, storage delivery, and evaluation workflows.<\/p>\n\n\n\n

      Scope: regional\/global and account considerations<\/h3>\n\n\n\n
        \n
      • Regional service<\/strong>: AWS Config is configured per Region<\/strong>. You enable it in each Region you want to record.<\/li>\n
      • Global resources<\/strong>: Some AWS resources are \u201cglobal\u201d (for example, certain IAM resources). AWS Config supports recording global resources, but the recording happens in a selected Region. The exact behavior can vary by resource type\u2014verify the \u201cglobal resource\u201d behavior in the official docs for your use case.<\/li>\n
      • Account-scoped<\/strong> by default: AWS Config records resources in the current AWS account and Region unless you use AWS Organizations<\/strong> features (organization rules \/ conformance packs) and\/or an aggregator<\/strong>.<\/li>\n<\/ul>\n\n\n\n

        How it fits into the AWS ecosystem<\/h3>\n\n\n\n

        AWS Config complements (but does not replace) other governance and security services:<\/p>\n\n\n\n

          \n
        • AWS CloudTrail<\/strong> answers: \u201cWho called what API and when?\u201d<\/li>\n
        • AWS Config<\/strong> answers: \u201cWhat is the configuration now, what was it before, and is it compliant?\u201d<\/li>\n
        • Amazon CloudWatch<\/strong> focuses on metrics\/logs\/alarms and operational telemetry.<\/li>\n
        • AWS Security Hub<\/strong> aggregates security findings; AWS Config can be one data source and policy signal.<\/li>\n
        • AWS Organizations<\/strong> provides multi-account management; AWS Config can enforce and report compliance across the organization.<\/li>\n
        • AWS Systems Manager<\/strong> can automate remediation actions for noncompliant resources.<\/li>\n<\/ul>\n\n\n\n

          3. Why use AWS Config?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Reduce audit effort<\/strong> by having configuration history and compliance evidence available on demand.<\/li>\n
          • Lower risk of outages<\/strong> caused by unintended infrastructure changes.<\/li>\n
          • Standardize governance<\/strong> across teams and accounts with centrally defined rules and conformance packs.<\/li>\n
          • Improve accountability<\/strong>: change history and compliance status support internal controls and reporting.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Track configuration drift<\/strong> from infrastructure-as-code baselines.<\/li>\n
            • Detect unintended changes<\/strong> across compute, networking, storage, IAM-related configurations (where supported).<\/li>\n
            • Build automated guardrails<\/strong>: continuous evaluation and auto-remediation patterns.<\/li>\n
            • Enable incident investigations<\/strong>: resource timelines help correlate changes with incidents.<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Continuous visibility<\/strong> rather than periodic manual checks.<\/li>\n
              • Event-driven operations<\/strong>: react to compliance changes via SNS\/EventBridge.<\/li>\n
              • Central reporting<\/strong>: aggregators provide one-pane views across environments.<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Prove compliance<\/strong> for common policies (encryption enabled, public access blocked, MFA enabled, restricted security groups, etc.), using AWS managed rules or custom rules.<\/li>\n
                • Detect risky changes<\/strong> quickly (for example, an S3 bucket becoming public).<\/li>\n
                • Support frameworks<\/strong> via conformance packs (AWS provides sample packs; verify availability and suitability in official docs).<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • AWS Config scales with your environment without you managing collectors.<\/li>\n
                  • Data is delivered to S3 and can be queried and integrated into data\/analytics pipelines if needed.<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose AWS Config<\/h3>\n\n\n\n

                    Choose AWS Config when you need any of the following:\n– Reliable configuration history for supported AWS resources\n– Continuous compliance evaluation across accounts\/Regions\n– Governance automation and evidence for audits\n– A standardized way to express \u201cresource configuration requirements\u201d as rules<\/p>\n\n\n\n

                    When teams should not choose AWS Config<\/h3>\n\n\n\n

                    AWS Config is not the right tool when:\n– You only need API audit logs (use AWS CloudTrail<\/strong>).\n– You need vulnerability scanning (use Amazon Inspector<\/strong> or other security scanners).\n– You need real-time performance monitoring (use Amazon CloudWatch<\/strong>, AWS X-Ray<\/strong>, etc.).\n– Your environment is extremely cost-sensitive and you only need a narrow set of checks\u2014consider enabling AWS Config for a limited scope, or using IaC checks in CI\/CD plus periodic targeted audits.\n– You need to manage\/patch instances (use AWS Systems Manager<\/strong>).<\/p>\n\n\n\n

                    4. Where is AWS Config used?<\/h2>\n\n\n\n

                    Industries<\/h3>\n\n\n\n

                    AWS Config is widely used in regulated and security-conscious environments, including:\n– Finance and fintech\n– Healthcare and life sciences\n– Government and public sector\n– SaaS providers (SOC 2 \/ ISO 27001 programs)\n– Retail and e-commerce (security and change governance)<\/p>\n\n\n\n

                    Team types<\/h3>\n\n\n\n
                      \n
                    • Cloud platform engineering teams implementing governance guardrails<\/li>\n
                    • Security engineering \/ cloud security teams monitoring posture<\/li>\n
                    • DevOps \/ SRE teams investigating configuration drift and incidents<\/li>\n
                    • Compliance and audit teams generating evidence<\/li>\n
                    • IT operations teams managing change control processes<\/li>\n<\/ul>\n\n\n\n

                      Workloads and architectures<\/h3>\n\n\n\n
                        \n
                      • Multi-account AWS Organizations architectures (prod\/dev\/shared services\/security)<\/li>\n
                      • Microservices platforms (EKS\/ECS\/Lambda) where supporting infrastructure needs policy checks<\/li>\n
                      • Data platforms (S3, KMS, IAM, Lake Formation-related governance\u2014where supported)<\/li>\n
                      • Network-heavy environments (VPC, security groups, NACLs, route tables\u2014where supported)<\/li>\n<\/ul>\n\n\n\n

                        Real-world deployment contexts<\/h3>\n\n\n\n
                          \n
                        • Central governance account aggregates Config data from workload accounts.<\/li>\n
                        • Organization conformance packs enforce baseline controls across accounts.<\/li>\n
                        • EventBridge triggers remediation or ticketing when a resource becomes noncompliant.<\/li>\n<\/ul>\n\n\n\n

                          Production vs dev\/test usage<\/h3>\n\n\n\n
                            \n
                          • Production<\/strong>: Typically enabled broadly, with centralized aggregation and carefully designed rules to avoid noise.<\/li>\n
                          • Dev\/test<\/strong>: Often enabled with fewer rules or limited resource recording to control costs, while still providing drift visibility.<\/li>\n<\/ul>\n\n\n\n

                            5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                            Below are realistic scenarios where AWS Config is commonly applied.<\/p>\n\n\n\n

                            1) Detect and alert on public S3 buckets<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> Buckets accidentally become public due to policy or ACL changes.<\/li>\n
                            • Why AWS Config fits:<\/strong> Records S3 bucket configuration changes and evaluates against managed rules.<\/li>\n
                            • Example scenario:<\/strong> A developer applies a bucket policy allowing s3:GetObject<\/code> to Principal: *<\/code>. AWS Config flags noncompliance and triggers an EventBridge rule to notify security.<\/li>\n<\/ul>\n\n\n\n

                              2) Enforce encryption-at-rest standards<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> Some storage resources are created without encryption.<\/li>\n
                              • Why AWS Config fits:<\/strong> Managed rules can detect encryption settings across supported services.<\/li>\n
                              • Example scenario:<\/strong> A new EBS volume is created without encryption (where relevant). AWS Config rule detects noncompliance; Systems Manager Automation remediates by snapshot + re-create (remediation feasibility depends on resource type\u2014verify in docs).<\/li>\n<\/ul>\n\n\n\n

                                3) Track security group exposure (0.0.0.0\/0)<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Inbound access from the internet is unintentionally opened.<\/li>\n
                                • Why AWS Config fits:<\/strong> Records security group changes and evaluates ingress rules.<\/li>\n
                                • Example scenario:<\/strong> Port 22 is opened to 0.0.0.0\/0<\/code>. AWS Config flags it; a Lambda-based custom rule checks exception tags and escalates if missing.<\/li>\n<\/ul>\n\n\n\n

                                  4) Required tags enforcement (cost allocation, ownership)<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Resources lack required tags, making cost allocation and ownership unclear.<\/li>\n
                                  • Why AWS Config fits:<\/strong> Managed rule patterns can require tags and report noncompliance.<\/li>\n
                                  • Example scenario:<\/strong> New S3 buckets must have Owner<\/code> and CostCenter<\/code>. AWS Config rule flags missing tags and routes a notification to the owning team.<\/li>\n<\/ul>\n\n\n\n

                                    5) Change investigation and incident correlation<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Service outage occurs; you need to know what infrastructure changed.<\/li>\n
                                    • Why AWS Config fits:<\/strong> Resource timeline shows configuration changes over time.<\/li>\n
                                    • Example scenario:<\/strong> An application loses connectivity to a database. AWS Config timeline shows a NACL change 10 minutes before the incident.<\/li>\n<\/ul>\n\n\n\n

                                      6) Drift detection from IaC standards<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Infrastructure created by Terraform\/CloudFormation drifts due to console edits.<\/li>\n
                                      • Why AWS Config fits:<\/strong> Tracks changes outside your IaC pipelines.<\/li>\n
                                      • Example scenario:<\/strong> Someone manually modifies an IAM role trust policy. AWS Config records the delta and can trigger a workflow to revert via IaC.<\/li>\n<\/ul>\n\n\n\n

                                        7) Multi-account compliance reporting for auditors<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Auditors require evidence of controls across all accounts and Regions.<\/li>\n
                                        • Why AWS Config fits:<\/strong> Aggregators provide centralized views of compliance status.<\/li>\n
                                        • Example scenario:<\/strong> Security team generates compliance reports across 50 accounts using an aggregator and exports evidence from S3 snapshots.<\/li>\n<\/ul>\n\n\n\n

                                          8) Continuous compliance baselines with conformance packs<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Managing dozens of rules individually becomes hard.<\/li>\n
                                          • Why AWS Config fits:<\/strong> Conformance packs package rules and (optionally) remediation settings.<\/li>\n
                                          • Example scenario:<\/strong> The platform team deploys a baseline conformance pack to all accounts, ensuring consistent enforcement.<\/li>\n<\/ul>\n\n\n\n

                                            9) Automated remediation for common misconfigurations<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Teams repeatedly make the same configuration mistakes.<\/li>\n
                                            • Why AWS Config fits:<\/strong> Integrates with Systems Manager Automation runbooks for remediation (where supported).<\/li>\n
                                            • Example scenario:<\/strong> If an S3 bucket has public access settings disabled, automatically apply a remediation that blocks public access (verify supported remediation actions for the specific rule\/resource).<\/li>\n<\/ul>\n\n\n\n

                                              10) Governance for ephemeral environments<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Short-lived environments are created and destroyed; governance must keep up.<\/li>\n
                                              • Why AWS Config fits:<\/strong> Continuous recording catches changes during the environment lifecycle.<\/li>\n
                                              • Example scenario:<\/strong> A preview environment creates many security groups. AWS Config ensures no security group becomes internet-open without an exception tag.<\/li>\n<\/ul>\n\n\n\n

                                                11) Proving control effectiveness over time<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> You must show that controls were consistently enforced, not just at audit time.<\/li>\n
                                                • Why AWS Config fits:<\/strong> Maintains historical compliance evaluation results and configuration history (retention details vary\u2014verify current retention behavior in official docs).<\/li>\n
                                                • Example scenario:<\/strong> Quarterly audit requires proof that encryption controls were continuously monitored.<\/li>\n<\/ul>\n\n\n\n

                                                  12) Centralized governance in AWS Organizations<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem:<\/strong> Business units manage their own accounts; central governance needs guardrails.<\/li>\n
                                                  • Why AWS Config fits:<\/strong> Organization-level deployment patterns and aggregation enable centralized policy with distributed execution.<\/li>\n
                                                  • Example scenario:<\/strong> Security account deploys organization conformance packs and aggregates compliance results for executive reporting.<\/li>\n<\/ul>\n\n\n\n

                                                    6. Core Features<\/h2>\n\n\n\n

                                                    This section focuses on important AWS Config capabilities used in real environments.<\/p>\n\n\n\n

                                                    6.1 Configuration recording (configuration items)<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Records configuration changes for supported resource types in a Region.<\/li>\n
                                                    • Why it matters:<\/strong> Without recording, you can\u2019t reconstruct historical configuration state.<\/li>\n
                                                    • Practical benefit:<\/strong> Enables timelines, drift investigations, and compliance evaluation.<\/li>\n
                                                    • Limitations\/caveats:<\/strong><\/li>\n
                                                    • Not all AWS resource types are supported; check the official \u201csupported resource types\u201d list.<\/li>\n
                                                    • Recording can increase costs if you record many resource types across many accounts\/Regions.<\/li>\n<\/ul>\n\n\n\n

                                                      6.2 Configuration history and timeline<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Provides change history per resource (what changed and when).<\/li>\n
                                                      • Why it matters:<\/strong> Root cause analysis often requires knowing exactly what changed.<\/li>\n
                                                      • Practical benefit:<\/strong> Faster incident investigation and reduced mean time to recovery (MTTR).<\/li>\n
                                                      • Limitations\/caveats:<\/strong> Timeline fidelity depends on supported properties and recording settings.<\/li>\n<\/ul>\n\n\n\n

                                                        6.3 Configuration snapshots<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Produces point-in-time exports of configuration for recorded resources, delivered to S3.<\/li>\n
                                                        • Why it matters:<\/strong> Snapshots are useful for audits and offline analysis.<\/li>\n
                                                        • Practical benefit:<\/strong> Repeatable evidence capture for compliance programs.<\/li>\n
                                                        • Limitations\/caveats:<\/strong> Snapshots and stored objects can increase S3 storage costs.<\/li>\n<\/ul>\n\n\n\n

                                                          6.4 Configuration change notifications (SNS \/ EventBridge)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Sends notifications when resources change configuration and when compliance status changes.<\/li>\n
                                                          • Why it matters:<\/strong> Enables event-driven workflows (alerting, ticketing, remediation).<\/li>\n
                                                          • Practical benefit:<\/strong> Integrate with existing operations tooling.<\/li>\n
                                                          • Limitations\/caveats:<\/strong> Notifications can be noisy if scope is broad and environments are highly dynamic\u2014filtering and tuning is important.<\/li>\n<\/ul>\n\n\n\n

                                                            6.5 AWS Config Rules (managed and custom)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Evaluates resources against desired configuration settings.<\/li>\n
                                                            • Why it matters:<\/strong> Provides continuous compliance rather than periodic checks.<\/li>\n
                                                            • Practical benefit:<\/strong> Detects misconfigurations early.<\/li>\n
                                                            • Limitations\/caveats:<\/strong><\/li>\n
                                                            • Some managed rules apply only to specific resource types or Regions.<\/li>\n
                                                            • Custom rules typically require a Lambda function (and its operational lifecycle).<\/li>\n<\/ul>\n\n\n\n

                                                              6.6 Conformance Packs<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Deploys a collection of rules and optional remediation settings as a single unit.<\/li>\n
                                                              • Why it matters:<\/strong> Governance at scale requires packaging, versioning, and repeatability.<\/li>\n
                                                              • Practical benefit:<\/strong> Standard baselines across accounts\/Regions.<\/li>\n
                                                              • Limitations\/caveats:<\/strong> Conformance packs still evaluate underlying rules; cost scales with evaluations and scope.<\/li>\n<\/ul>\n\n\n\n

                                                                6.7 Remediation actions (commonly via Systems Manager Automation)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Automates fixes for certain noncompliant findings using AWS-managed or custom remediation documents.<\/li>\n
                                                                • Why it matters:<\/strong> Reduces manual effort and speeds up risk reduction.<\/li>\n
                                                                • Practical benefit:<\/strong> \u201cDetect and fix\u201d loops for common misconfigurations.<\/li>\n
                                                                • Limitations\/caveats:<\/strong><\/li>\n
                                                                • Not every rule\/resource supports automatic remediation.<\/li>\n
                                                                • Remediation can be risky if applied blindly; approvals and guardrails matter.<\/li>\n<\/ul>\n\n\n\n

                                                                  6.8 Multi-account and multi-Region aggregation<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Collects configuration and compliance data across accounts and Regions into a central aggregator.<\/li>\n
                                                                  • Why it matters:<\/strong> Enterprise AWS usage is typically multi-account.<\/li>\n
                                                                  • Practical benefit:<\/strong> Single place to query and report compliance posture.<\/li>\n
                                                                  • Limitations\/caveats:<\/strong> Cross-account permissions and AWS Organizations setup must be correct.<\/li>\n<\/ul>\n\n\n\n

                                                                    6.9 Advanced queries<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Lets you query recorded resource configuration state using a SQL-like query language (AWS Config query).<\/li>\n
                                                                    • Why it matters:<\/strong> Faster ad-hoc investigations and reporting without exporting data.<\/li>\n
                                                                    • Practical benefit:<\/strong> Identify patterns (e.g., untagged resources, security group rules, encryption settings) quickly.<\/li>\n
                                                                    • Limitations\/caveats:<\/strong> Query coverage depends on what AWS Config records and how resource properties are modeled.<\/li>\n<\/ul>\n\n\n\n

                                                                      6.10 Integration with AWS Organizations<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Enables governance patterns across organizational units (OUs) and accounts, including delegated administration and organization-level deployments (capabilities vary\u2014verify current organization-level features in docs).<\/li>\n
                                                                      • Why it matters:<\/strong> Central governance without manually configuring every account.<\/li>\n
                                                                      • Practical benefit:<\/strong> Consistent compliance posture across the org.<\/li>\n
                                                                      • Limitations\/caveats:<\/strong> Requires correct Organizations setup and careful permission design.<\/li>\n<\/ul>\n\n\n\n

                                                                        7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                        High-level architecture<\/h3>\n\n\n\n

                                                                        At a high level:<\/p>\n\n\n\n

                                                                          \n
                                                                        1. You enable AWS Config in a Region.<\/li>\n
                                                                        2. The configuration recorder<\/strong> discovers and records supported resources as configuration items<\/strong>.<\/li>\n
                                                                        3. AWS Config delivers configuration items and snapshots to an S3 bucket<\/strong> (and optionally publishes to SNS<\/strong>).<\/li>\n
                                                                        4. AWS Config Rules<\/strong> evaluate resources and store compliance results.<\/li>\n
                                                                        5. Events can flow to EventBridge<\/strong> and\/or notifications to SNS<\/strong> for automation and alerting.<\/li>\n
                                                                        6. In multi-account setups, a configuration aggregator<\/strong> centralizes data for reporting and queries.<\/li>\n<\/ol>\n\n\n\n

                                                                          Request\/data\/control flow<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Data plane (recording):<\/strong> AWS Config observes resource configuration state and changes (implementation is managed by AWS).<\/li>\n
                                                                          • Control plane (your actions):<\/strong> You configure recorders, delivery channels, rules, conformance packs, remediation, aggregators, and permissions.<\/li>\n
                                                                          • Storage:<\/strong> Configuration history and snapshots are delivered to S3; compliance results are available via the AWS Config console and APIs.<\/li>\n<\/ul>\n\n\n\n

                                                                            Integrations with related services<\/h3>\n\n\n\n

                                                                            Common integrations include:\n– Amazon S3<\/strong>: required destination for configuration history and snapshots.\n– Amazon SNS<\/strong>: optional notifications for configuration changes and evaluation results.\n– Amazon EventBridge<\/strong>: receive AWS Config events for workflows.\n– AWS Lambda<\/strong>: custom rules (and sometimes custom remediation).\n– AWS Systems Manager<\/strong>: remediation actions via Automation runbooks.\n– AWS Organizations<\/strong>: centralized governance, aggregation, and org-wide deployment patterns.\n– AWS CloudTrail<\/strong>: correlate \u201cwho changed\u201d (CloudTrail) with \u201cwhat changed\u201d (Config).\n– AWS Security Hub<\/strong>: posture management and findings aggregation (integration patterns vary; verify in official docs for your region and use case).<\/p>\n\n\n\n

                                                                            Dependency services<\/h3>\n\n\n\n

                                                                            Minimum dependencies to run AWS Config in a Region:\n– An S3 bucket<\/strong> for delivery (in the same account, typically).\n– An IAM role for AWS Config (often a service-linked role<\/strong>).<\/p>\n\n\n\n

                                                                            Security\/authentication model<\/h3>\n\n\n\n
                                                                              \n
                                                                            • AWS Config uses IAM to assume a role to access S3 and publish to SNS.<\/li>\n
                                                                            • Access to AWS Config APIs and console is controlled by IAM policies.<\/li>\n
                                                                            • Cross-account aggregation requires explicit authorization (often via Organizations-managed authorization or aggregator permissions).<\/li>\n<\/ul>\n\n\n\n

                                                                              Networking model<\/h3>\n\n\n\n
                                                                                \n
                                                                              • AWS Config is an AWS-managed service accessed via AWS APIs.<\/li>\n
                                                                              • If you need private connectivity from VPC-only networks, investigate VPC endpoints (AWS PrivateLink)<\/strong> availability for AWS Config in your Regions. Availability can vary\u2014verify in official docs:<\/li>\n
                                                                              • VPC endpoints overview: https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/what-is-privatelink.html<\/li>\n<\/ul>\n\n\n\n

                                                                                Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • CloudTrail<\/strong> logs AWS Config API calls (who created rules, changed recorders, etc.).<\/li>\n
                                                                                • CloudWatch<\/strong> can be used to monitor related automation (Lambda, Systems Manager).<\/li>\n
                                                                                • AWS Config<\/strong> itself becomes part of your governance baseline\u2014treat its configuration as critical infrastructure (IaC, version control, change management).<\/li>\n<\/ul>\n\n\n\n

                                                                                  Simple architecture diagram<\/h3>\n\n\n\n
                                                                                  flowchart LR\n  R[AWS Resources\\n(EC2, S3, SGs, etc.)] --> CR[AWS Config\\nConfiguration Recorder]\n  CR --> S3[(Amazon S3\\nConfig bucket)]\n  CR --> SNS[(Amazon SNS\\noptional notifications)]\n  CR --> RULES[AWS Config Rules\\nManaged\/Custom]\n  RULES --> COMPLIANCE[Compliance Results\\nConsole\/API]\n<\/code><\/pre>\n\n\n\n
                                                                                  Production-style architecture diagram (multi-account)<\/h3>\n\n\n\n
                                                                                  flowchart TB\n  subgraph Org[AWS Organizations]\n    subgraph Sec[Security \/ Governance Account]\n      AGG[AWS Config Aggregator]\n      S3C[(Central S3 bucket\\n(optional for reports\/artifacts))]\n      SH[AWS Security Hub\\n(optional)]\n      EB[Amazon EventBridge\\nRules]\n      ITSM[Ticketing\/ChatOps\\n(optional)]\n    end\n\n    subgraph Prod[Production Account(s)]\n      CRP[AWS Config Recorder]\n      DC1[Delivery Channel]\n      S3P[(S3 bucket for Config delivery)]\n      RULESP[AWS Config Rules\\n+ Conformance Packs]\n      SSM[AWS Systems Manager\\nAutomation Remediation]\n    end\n\n    subgraph Dev[Dev\/Test Account(s)]\n      CRD[AWS Config Recorder]\n      S3D[(S3 bucket)]\n      RULESD[Rules tuned for dev]\n    end\n  end\n\n  CRP --> DC1 --> S3P\n  CRP --> RULESP\n  RULESP --> EB\n  EB --> ITSM\n  RULESP --> SSM\n\n  CRD --> S3D\n  CRP --> AGG\n  CRD --> AGG\n  AGG --> SH\n  AGG --> S3C\n<\/code><\/pre>\n\n\n\n
                                                                                  8. Prerequisites<\/h2>\n\n\n\n
                                                                                  AWS account requirements<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • An AWS account with billing enabled.<\/li>\n
                                                                                  • If doing multi-account governance: AWS Organizations set up (optional for this lab).<\/li>\n<\/ul>\n\n\n\n
                                                                                    Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                    You need permissions to:\n– Create or manage AWS Config components: recorders, delivery channels, rules.\n– Create and manage S3 bucket and bucket policy.\n– Create service-linked role (recommended) or IAM role for AWS Config.\n– Optional: SNS topic and policy.<\/p>\n\n\n\n
                                                                                    A practical set of permissions for the lab:\n– config:*<\/code> (or at minimum: config:PutConfigurationRecorder<\/code>, config:PutDeliveryChannel<\/code>, config:StartConfigurationRecorder<\/code>, config:PutConfigRule<\/code>, config:Describe*<\/code>, config:Get*<\/code>, config:Delete*<\/code>)\n– s3:CreateBucket<\/code>, s3:PutBucketPolicy<\/code>, s3:PutEncryptionConfiguration<\/code>, s3:PutBucketPublicAccessBlock<\/code>, s3:ListBucket<\/code>, s3:DeleteObject<\/code>, s3:DeleteBucket<\/code>\n– iam:CreateServiceLinkedRole<\/code> (if creating service-linked role)\n– Optional sns:*<\/code> for topic setup<\/p>\n\n\n\n
                                                                                    Billing requirements<\/h3>\n\n\n\n
                                                                                    AWS Config is a paid service (usage-based). Even small labs can incur charges if left running.<\/p>\n\n\n\n
                                                                                    Tools<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • AWS Management Console (optional, but helpful)<\/li>\n
                                                                                    • AWS CLI v2 recommended:<\/li>\n
                                                                                    • Install: https:\/\/docs.aws.amazon.com\/cli\/latest\/userguide\/getting-started-install.html<\/li>\n
                                                                                    • jq<\/code> is helpful for formatting outputs (optional)<\/li>\n<\/ul>\n\n\n\n
                                                                                      Region availability<\/h3>\n\n\n\n
                                                                                      AWS Config is available in many AWS Regions, but not necessarily all. Verify availability for your target Region in AWS Regional Services list:\n– https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/p>\n\n\n\n
                                                                                      Quotas \/ limits<\/h3>\n\n\n\n
                                                                                      AWS Config has service quotas (for example, number of rules, conformance packs, recorders). Check Service Quotas<\/strong> for AWS Config in your account\/Region:\n– https:\/\/docs.aws.amazon.com\/servicequotas\/latest\/userguide\/intro.html<\/p>\n\n\n\n
                                                                                      Prerequisite services<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Amazon S3 (for delivery channel)<\/li>\n
                                                                                      • IAM (role\/service-linked role)<\/li>\n
                                                                                      • Optional: SNS, EventBridge, Lambda, Systems Manager (for more advanced patterns)<\/li>\n<\/ul>\n\n\n\n
                                                                                        9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                        AWS Config pricing is usage-based<\/strong> and varies by Region. Do not rely on fixed numbers from third-party sources; always confirm in the official pricing page.<\/p>\n\n\n\n
                                                                                        Official pricing:\n– https:\/\/aws.amazon.com\/config\/pricing\/\n– AWS Pricing Calculator: https:\/\/calculator.aws\/#\/<\/p>\n\n\n\n
                                                                                        Pricing dimensions (how you get charged)<\/h3>\n\n\n\n
                                                                                        AWS Config costs typically come from:<\/p>\n\n\n\n
                                                                                          \n
                                                                                        1. \n
                                                                                          Configuration items recorded<\/strong>\n   – Each recorded configuration item can generate charges.\n   – The number depends on how many resources you record and how frequently they change.<\/p>\n<\/li>\n
                                                                                        2. \n
                                                                                          Rule evaluations<\/strong>\n   – AWS Config Rules evaluate resources (periodically and\/or on change, depending on rule type and configuration).\n   – Costs scale with number of rules * number of resources evaluated * evaluation frequency.<\/p>\n<\/li>\n
                                                                                        3. \n
                                                                                          Conformance packs<\/strong>\n   – Conformance packs are collections of rules. Cost is generally tied to the evaluations of the included rules (verify exact billing behavior on the pricing page).<\/p>\n<\/li>\n
                                                                                        4. \n
                                                                                          Optional delivery and storage<\/strong>\n   – S3 storage<\/strong> for configuration history and snapshots.\n   – SNS<\/strong> message delivery costs if you use notifications.\n   – KMS<\/strong> costs if you use SSE-KMS encryption for S3\/SNS.\n   – Data transfer<\/strong> costs are usually minimal for in-region delivery to S3, but cross-region\/cross-account patterns can introduce additional costs\u2014verify based on your architecture.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                          Free tier<\/h3>\n\n\n\n
                                                                                          AWS Config has historically not had a broad free tier like some services; any free tier or limited trial offers can change. Verify current free-tier status on the pricing page.<\/p>\n\n\n\n
                                                                                          Cost drivers (what makes bills go up)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Enabling AWS Config in many Regions<\/strong>.<\/li>\n
                                                                                          • Recording all supported resource types<\/strong> in accounts with many resources.<\/li>\n
                                                                                          • High-change environments (autoscaling, CI\/CD-driven infra changes).<\/li>\n
                                                                                          • Large numbers of rules and conformance pack rules.<\/li>\n
                                                                                          • Frequent periodic evaluations.<\/li>\n<\/ul>\n\n\n\n
                                                                                            Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • S3 bucket growth over time (snapshots and continuous delivery).<\/li>\n
                                                                                            • KMS request costs if encrypting at rest with customer-managed keys.<\/li>\n
                                                                                            • Lambda costs for custom rules and remediation.<\/li>\n
                                                                                            • Systems Manager Automation execution costs (if applicable to your remediations).<\/li>\n
                                                                                            • Operational overhead: rule tuning, exception handling, governance workflows.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • In many setups, Config delivers to S3 in the same account and Region\u2014data transfer costs are typically low.<\/li>\n
                                                                                              • If you centralize delivery across Regions or accounts, review S3 and inter-region data transfer pricing.<\/li>\n<\/ul>\n\n\n\n
                                                                                                How to optimize cost<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Record only the resource types you need<\/strong> (instead of \u201call supported\u201d) where feasible.<\/li>\n
                                                                                                • Start with a small set of high-value rules<\/strong> and expand gradually.<\/li>\n
                                                                                                • Prefer change-triggered evaluations<\/strong> where appropriate to reduce periodic evaluation volume (depends on rule type).<\/li>\n
                                                                                                • Use aggregation<\/strong> for visibility, but keep delivery\/storage strategy intentional.<\/li>\n
                                                                                                • Implement lifecycle policies for the S3 bucket where appropriate (ensure it meets audit retention needs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Example low-cost starter estimate (how to think about it)<\/h3>\n\n\n\n
                                                                                                  A low-cost approach typically looks like:\n– Enable AWS Config in one Region<\/strong>.\n– Record a limited set of resource types<\/strong> (for example, S3 buckets only).\n– Deploy 1\u20133 managed rules<\/strong> (tagging, public access, encryption).\n– Avoid custom rules until needed.<\/p>\n\n\n\n
                                                                                                  To estimate accurately:\n– Use the AWS Pricing Calculator and model configuration items and rule evaluations.\n– Validate with a short trial in a non-production account and observe usage metrics.<\/p>\n\n\n\n
                                                                                                  Example production cost considerations<\/h3>\n\n\n\n
                                                                                                  In production, costs usually reflect:\n– Multiple accounts and Regions.\n– Broad recording scopes.\n– Many rules and conformance packs.\n– Remediation and event-driven automation.\n– Long-term S3 retention.<\/p>\n\n\n\n
                                                                                                  A realistic enterprise cost model should be reviewed quarterly and aligned to governance outcomes (which rules provide value, what noise can be reduced).<\/p>\n\n\n\n
                                                                                                  10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                  Objective<\/h3>\n\n\n\n
                                                                                                  Enable AWS Config in one AWS Region with a minimal scope, deliver configuration history to an S3 bucket, and create a managed AWS Config rule to enforce required tags on S3 buckets.<\/p>\n\n\n\n
                                                                                                  Lab Overview<\/h3>\n\n\n\n
                                                                                                  You will:\n1. Create an S3 bucket to store AWS Config data (securely).\n2. Create (or ensure) the AWS Config service-linked role exists.\n3. Create an AWS Config configuration recorder and delivery channel using AWS CLI.\n4. Start the recorder and verify configuration items are being delivered.\n5. Add a managed AWS Config rule (required-tags<\/code>) to check required tags on S3 buckets.\n6. Create a test S3 bucket without required tags to observe noncompliance, then fix it.\n7. Clean up to stop charges.<\/p>\n\n\n\n
                                                                                                  This lab is designed to be low-cost by recording only S3 buckets<\/strong> in a single Region, but charges may still apply. Don\u2019t leave AWS Config running unintentionally.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 1: Set environment variables and verify AWS CLI identity<\/h3>\n\n\n\n
                                                                                                  Choose a Region where you want to run the lab (example: us-east-1<\/code>).<\/p>\n\n\n\n
                                                                                                  export AWS_REGION=\"us-east-1\"\nexport AWS_ACCOUNT_ID=\"$(aws sts get-caller-identity --query Account --output text)\"\naws sts get-caller-identity\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> You see your account ID, ARN, and user\/role in the output.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 2: Create an S3 bucket for AWS Config delivery (secure baseline)<\/h3>\n\n\n\n
                                                                                                  Pick a globally unique bucket name.<\/p>\n\n\n\n
                                                                                                  export CONFIG_BUCKET=\"my-aws-config-delivery-${AWS_ACCOUNT_ID}-${AWS_REGION}\"\naws s3api create-bucket \\\n  --bucket \"${CONFIG_BUCKET}\" \\\n  --region \"${AWS_REGION}\" \\\n  $( [ \"${AWS_REGION}\" = \"us-east-1\" ] && echo \"\" || echo \"--create-bucket-configuration LocationConstraint=${AWS_REGION}\" )\n<\/code><\/pre>\n\n\n\n
                                                                                                  Enable bucket versioning (recommended for audit artifacts):<\/p>\n\n\n\n
                                                                                                  aws s3api put-bucket-versioning \\\n  --bucket \"${CONFIG_BUCKET}\" \\\n  --versioning-configuration Status=Enabled\n<\/code><\/pre>\n\n\n\n
                                                                                                  Enable default encryption (SSE-S3). For SSE-KMS, verify the required KMS permissions and key policy.<\/p>\n\n\n\n
                                                                                                  aws s3api put-bucket-encryption \\\n  --bucket \"${CONFIG_BUCKET}\" \\\n  --server-side-encryption-configuration '{\n    \"Rules\": [\n      {\n        \"ApplyServerSideEncryptionByDefault\": {\n          \"SSEAlgorithm\": \"AES256\"\n        }\n      }\n    ]\n  }'\n<\/code><\/pre>\n\n\n\n
                                                                                                  Block public access:<\/p>\n\n\n\n
                                                                                                  aws s3api put-public-access-block \\\n  --bucket \"${CONFIG_BUCKET}\" \\\n  --public-access-block-configuration '{\n    \"BlockPublicAcls\": true,\n    \"IgnorePublicAcls\": true,\n    \"BlockPublicPolicy\": true,\n    \"RestrictPublicBuckets\": true\n  }'\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> The bucket exists, is encrypted, versioned, and not publicly accessible.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 3: Add the S3 bucket policy that allows AWS Config to write<\/h3>\n\n\n\n
                                                                                                  AWS Config needs permissions to:\n– Get bucket ACL\n– List bucket (for prefix checks)\n– Put objects into the AWS Config prefix with the correct ACL<\/p>\n\n\n\n
                                                                                                  Apply a bucket policy (adjust if your organization uses stricter controls). This pattern follows AWS\u2019s typical recommended policy structure; verify the latest recommended policy in official docs for AWS Config S3 delivery.<\/p>\n\n\n\n
                                                                                                  cat > \/tmp\/aws-config-bucket-policy.json <<EOF\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AWSConfigBucketPermissionsCheck\",\n      \"Effect\": \"Allow\",\n      \"Principal\": { \"Service\": \"config.amazonaws.com\" },\n      \"Action\": \"s3:GetBucketAcl\",\n      \"Resource\": \"arn:aws:s3:::${CONFIG_BUCKET}\"\n    },\n    {\n      \"Sid\": \"AWSConfigBucketExistenceCheck\",\n      \"Effect\": \"Allow\",\n      \"Principal\": { \"Service\": \"config.amazonaws.com\" },\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::${CONFIG_BUCKET}\"\n    },\n    {\n      \"Sid\": \"AWSConfigBucketDelivery\",\n      \"Effect\": \"Allow\",\n      \"Principal\": { \"Service\": \"config.amazonaws.com\" },\n      \"Action\": \"s3:PutObject\",\n      \"Resource\": \"arn:aws:s3:::${CONFIG_BUCKET}\/AWSLogs\/${AWS_ACCOUNT_ID}\/Config\/*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n        }\n      }\n    }\n  ]\n}\nEOF\n\naws s3api put-bucket-policy \\\n  --bucket \"${CONFIG_BUCKET}\" \\\n  --policy file:\/\/\/tmp\/aws-config-bucket-policy.json\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Bucket policy is applied successfully.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 4: Create (or verify) the AWS Config service-linked role<\/h3>\n\n\n\n
                                                                                                  AWS Config commonly uses a service-linked role named AWSServiceRoleForConfig<\/strong>.<\/p>\n\n\n\n
                                                                                                  Try creating it (if it already exists, AWS will return an error you can safely ignore).<\/p>\n\n\n\n
                                                                                                  aws iam create-service-linked-role --aws-service-name config.amazonaws.com\n<\/code><\/pre>\n\n\n\n
                                                                                                  If you get an \u201calready exists\u201d error, proceed.<\/p>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Service-linked role exists for AWS Config.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 5: Create the delivery channel<\/h3>\n\n\n\n
                                                                                                  A delivery channel tells AWS Config where to deliver data (S3 is required; SNS is optional).<\/p>\n\n\n\n
                                                                                                  Create a delivery channel named default<\/code> (or another name). Many setups use default<\/code>, but naming is up to you.<\/p>\n\n\n\n
                                                                                                  cat > \/tmp\/aws-config-delivery-channel.json <<EOF\n{\n  \"name\": \"default\",\n  \"s3BucketName\": \"${CONFIG_BUCKET}\",\n  \"s3KeyPrefix\": \"config\"\n}\nEOF\n\naws configservice put-delivery-channel \\\n  --delivery-channel file:\/\/\/tmp\/aws-config-delivery-channel.json \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Delivery channel is created.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 6: Create the configuration recorder (record only S3 buckets)<\/h3>\n\n\n\n
                                                                                                  To keep cost and noise low, record a narrow set of resource types. Here we record only S3 buckets.<\/p>\n\n\n\n
                                                                                                  cat > \/tmp\/aws-config-recorder.json <<EOF\n{\n  \"name\": \"default\",\n  \"roleARN\": \"arn:aws:iam::${AWS_ACCOUNT_ID}:role\/aws-service-role\/config.amazonaws.com\/AWSServiceRoleForConfig\",\n  \"recordingGroup\": {\n    \"allSupported\": false,\n    \"includeGlobalResourceTypes\": false,\n    \"resourceTypes\": [\"AWS::S3::Bucket\"]\n  }\n}\nEOF\n\naws configservice put-configuration-recorder \\\n  --configuration-recorder file:\/\/\/tmp\/aws-config-recorder.json \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Recorder is created\/updated.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 7: Start the configuration recorder<\/h3>\n\n\n\n
                                                                                                  aws configservice start-configuration-recorder \\\n  --configuration-recorder-name default \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Recorder starts successfully.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 8: Verify AWS Config is running and delivering data<\/h3>\n\n\n\n
                                                                                                  Check recorder status:<\/p>\n\n\n\n
                                                                                                  aws configservice describe-configuration-recorder-status \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Look for:\n– recording: true<\/code>\n– lastStatus: SUCCESS<\/code> (or similar)<\/p>\n\n\n\n
                                                                                                  Check that objects are appearing in S3 (may take several minutes):<\/p>\n\n\n\n
                                                                                                  aws s3 ls \"s3:\/\/${CONFIG_BUCKET}\/\" --recursive | head\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> You see AWS Config delivery objects under a prefix like:\nAWSLogs\/<account-id>\/Config\/<region>\/...<\/code> and\/or your s3KeyPrefix<\/code>.<\/p>\n\n\n\n
                                                                                                  If you see nothing, wait 5\u201310 minutes and retry, especially right after first enablement.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 9: Create a managed AWS Config rule for required tags on S3 buckets<\/h3>\n\n\n\n
                                                                                                  We\u2019ll use the managed rule required-tags<\/code><\/strong> and require two tags: Owner<\/code> and CostCenter<\/code>.<\/p>\n\n\n\n
                                                                                                  cat > \/tmp\/aws-config-rule-required-tags.json <<EOF\n{\n  \"ConfigRuleName\": \"s3-required-tags\",\n  \"Description\": \"Require Owner and CostCenter tags on S3 buckets\",\n  \"Scope\": {\n    \"ComplianceResourceTypes\": [\"AWS::S3::Bucket\"]\n  },\n  \"Source\": {\n    \"Owner\": \"AWS\",\n    \"SourceIdentifier\": \"REQUIRED_TAGS\"\n  },\n  \"InputParameters\": \"{ \\\"tag1Key\\\": \\\"Owner\\\", \\\"tag2Key\\\": \\\"CostCenter\\\" }\"\n}\nEOF\n\naws configservice put-config-rule \\\n  --config-rule file:\/\/\/tmp\/aws-config-rule-required-tags.json \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> The rule is created. Evaluation can take a few minutes.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 10: Create a test S3 bucket without tags and observe noncompliance<\/h3>\n\n\n\n
                                                                                                  Create a new bucket:<\/p>\n\n\n\n
                                                                                                  export TEST_BUCKET=\"aws-config-tag-test-${AWS_ACCOUNT_ID}-${AWS_REGION}\"\naws s3api create-bucket \\\n  --bucket \"${TEST_BUCKET}\" \\\n  --region \"${AWS_REGION}\" \\\n  $( [ \"${AWS_REGION}\" = \"us-east-1\" ] && echo \"\" || echo \"--create-bucket-configuration LocationConstraint=${AWS_REGION}\" )\n<\/code><\/pre>\n\n\n\n
                                                                                                  Wait a few minutes, then check compliance for the rule:<\/p>\n\n\n\n
                                                                                                  aws configservice get-compliance-details-by-config-rule \\\n  --config-rule-name \"s3-required-tags\" \\\n  --compliance-types NON_COMPLIANT \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> The new bucket should appear as NON_COMPLIANT<\/code> (after AWS Config records it and the rule evaluates it).<\/p>\n\n\n\n
                                                                                                  If it doesn\u2019t show up yet:\n– Wait a few more minutes\n– Re-run the compliance query\n– Optionally trigger re-evaluation (not always necessary)<\/p>\n\n\n\n
                                                                                                  You can also check overall rule compliance summary:<\/p>\n\n\n\n
                                                                                                  aws configservice describe-compliance-by-config-rule \\\n  --config-rule-names \"s3-required-tags\" \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 11: Fix the bucket by applying required tags<\/h3>\n\n\n\n
                                                                                                  Add the required tags:<\/p>\n\n\n\n
                                                                                                  aws s3api put-bucket-tagging \\\n  --bucket \"${TEST_BUCKET}\" \\\n  --tagging 'TagSet=[{Key=Owner,Value=PlatformTeam},{Key=CostCenter,Value=CC-1234}]' \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Wait for re-evaluation (or trigger it).<\/p>\n\n\n\n
                                                                                                  Trigger an on-demand evaluation:<\/p>\n\n\n\n
                                                                                                  aws configservice start-config-rules-evaluation \\\n  --config-rule-names \"s3-required-tags\" \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Now query compliant resources:<\/p>\n\n\n\n
                                                                                                  aws configservice get-compliance-details-by-config-rule \\\n  --config-rule-name \"s3-required-tags\" \\\n  --compliance-types COMPLIANT \\\n  --region \"${AWS_REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> The test bucket becomes COMPLIANT<\/code>.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Validation<\/h3>\n\n\n\n
                                                                                                  Use this checklist:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  1. \n
                                                                                                    Recorder status shows recording: true<\/code>:\n   bash\n   aws configservice describe-configuration-recorder-status --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                  2. \n
                                                                                                    S3 bucket contains AWS Config objects:\n   bash\n   aws s3 ls \"s3:\/\/${CONFIG_BUCKET}\/\" --recursive | head -n 20<\/code><\/p>\n<\/li>\n
                                                                                                  3. \n
                                                                                                    Rule exists and returns evaluations:\n   bash\n   aws configservice describe-config-rules --config-rule-names \"s3-required-tags\" --region \"${AWS_REGION}\"\n   aws configservice describe-compliance-by-config-rule --config-rule-names \"s3-required-tags\" --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                  4. \n
                                                                                                    Test bucket compliance changes after tagging.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Troubleshooting<\/h3>\n\n\n\n
                                                                                                    Common issues and fixes:<\/p>\n\n\n\n
                                                                                                      \n
                                                                                                    1. \n
                                                                                                      InsufficientDeliveryPolicyException<\/code> or delivery failures<\/strong>\n   – Cause: S3 bucket policy is missing or incorrect.\n   – Fix: Re-check the bucket policy statements and the resource ARN paths. Confirm the bucket is in the same account and the policy allows config.amazonaws.com<\/code>.<\/p>\n<\/li>\n
                                                                                                    2. \n
                                                                                                      Recorder won\u2019t start (NoAvailableDeliveryChannelException<\/code>)<\/strong>\n   – Cause: You attempted to start the recorder before creating the delivery channel.\n   – Fix: Create delivery channel first, then start the recorder.<\/p>\n<\/li>\n
                                                                                                    3. \n
                                                                                                      No objects appear in S3<\/strong>\n   – Cause: Initial delivery can take time; or resource scope is too narrow and there are no matching resources.\n   – Fix: Wait 5\u201315 minutes; create a resource of the recorded type (we created an S3 bucket); verify recorder status is SUCCESS<\/code>.<\/p>\n<\/li>\n
                                                                                                    4. \n
                                                                                                      Rule shows INSUFFICIENT_DATA<\/code><\/strong>\n   – Cause: AWS Config hasn\u2019t recorded the resource yet, or rule evaluation hasn\u2019t run.\n   – Fix: Wait; trigger evaluation with start-config-rules-evaluation<\/code>.<\/p>\n<\/li>\n
                                                                                                    5. \n
                                                                                                      Access denied creating service-linked role<\/strong>\n   – Cause: Missing iam:CreateServiceLinkedRole<\/code>.\n   – Fix: Use an admin role, or have your IAM admins create the role.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      Cleanup<\/h3>\n\n\n\n
                                                                                                      To avoid ongoing charges, remove the rule and stop AWS Config.<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                      1. \n
                                                                                                        Delete the AWS Config rule:\n   bash\n   aws configservice delete-config-rule \\\n     --config-rule-name \"s3-required-tags\" \\\n     --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      2. \n
                                                                                                        Stop the recorder:\n   bash\n   aws configservice stop-configuration-recorder \\\n     --configuration-recorder-name default \\\n     --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      3. \n
                                                                                                        Delete delivery channel (must delete before recorder in many cases):\n   bash\n   aws configservice delete-delivery-channel \\\n     --delivery-channel-name default \\\n     --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      4. \n
                                                                                                        Delete configuration recorder:\n   bash\n   aws configservice delete-configuration-recorder \\\n     --configuration-recorder-name default \\\n     --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      5. \n
                                                                                                        Delete test bucket (must be empty first):\n   bash\n   aws s3 rm \"s3:\/\/${TEST_BUCKET}\" --recursive\n   aws s3api delete-bucket --bucket \"${TEST_BUCKET}\" --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      6. \n
                                                                                                        Delete Config delivery bucket content and bucket:\n   bash\n   aws s3 rm \"s3:\/\/${CONFIG_BUCKET}\" --recursive\n   aws s3api delete-bucket --bucket \"${CONFIG_BUCKET}\" --region \"${AWS_REGION}\"<\/code><\/p>\n<\/li>\n
                                                                                                      7. \n
                                                                                                        Optional: Keep the service-linked role (recommended in many orgs). If you must remove it, verify no other Region\/account usage depends on it.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                        11. Best Practices<\/h2>\n\n\n\n
                                                                                                        Architecture best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Use a multi-account strategy<\/strong>: separate workload accounts from a central security\/governance account.<\/li>\n
                                                                                                        • Aggregate centrally<\/strong> using AWS Config aggregators for cross-account visibility.<\/li>\n
                                                                                                        • Standardize baselines<\/strong> with conformance packs (version them and roll out progressively).<\/li>\n
                                                                                                        • Design for exceptions<\/strong>: define how teams request exceptions (tags, parameter store allowlists, separate OUs, or rule logic).<\/li>\n<\/ul>\n\n\n\n
                                                                                                          IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Prefer service-linked role<\/strong> unless you have strict custom requirements.<\/li>\n
                                                                                                          • Use least privilege<\/strong> for operators who manage rules vs. those who only view compliance.<\/li>\n
                                                                                                          • Protect S3 delivery bucket:<\/li>\n
                                                                                                          • Block public access<\/li>\n
                                                                                                          • Enforce encryption<\/li>\n
                                                                                                          • Restrict bucket policy to AWS Config service principal and your account<\/li>\n
                                                                                                          • Use SSE-KMS<\/strong> where required, but ensure KMS key policy allows AWS Config and operational users appropriately.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Cost best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Record only what you need<\/strong> (resource types) especially in dev\/test.<\/li>\n
                                                                                                            • Limit the number of rules to those that directly support risk reduction or audit requirements.<\/li>\n
                                                                                                            • Prefer managed rules when they meet requirements (less custom code to run and maintain).<\/li>\n
                                                                                                            • Use S3 lifecycle policies carefully (align with audit retention policies first).<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Performance best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Avoid overly chatty automation triggered by every compliance event; filter by severity and environment.<\/li>\n
                                                                                                              • Tune periodic evaluations\u2014use change-triggered where appropriate.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Treat AWS Config setup as foundational governance<\/strong>:<\/li>\n
                                                                                                                • Deploy via Infrastructure as Code (CloudFormation\/Terraform\/CDK).<\/li>\n
                                                                                                                • Use CI\/CD to version rules and conformance packs.<\/li>\n
                                                                                                                • Use alarms\/notifications on recorder status failures (you can build operational checks around AWS Config APIs and EventBridge events).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Establish a process for:<\/li>\n
                                                                                                                  • Rule lifecycle (create \u2192 test \u2192 deploy \u2192 tune \u2192 retire)<\/li>\n
                                                                                                                  • Handling false positives<\/li>\n
                                                                                                                  • Managing remediation approvals and rollbacks<\/li>\n
                                                                                                                  • Use consistent naming:<\/li>\n
                                                                                                                  • Rule names: env-domain-control<\/code> (e.g., prod-s3-public-access-blocked<\/code>)<\/li>\n
                                                                                                                  • Conformance packs: baseline-security-v1<\/code><\/li>\n
                                                                                                                  • Tag governance resources too (S3 buckets, SNS topics, automation functions).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Define required tags and enforce them via AWS Config plus IaC checks.<\/li>\n
                                                                                                                    • Use AWS Organizations OUs to separate environments and apply different baselines per OU.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • AWS Config service role<\/strong>: AWS Config assumes a role to deliver to S3\/SNS and to evaluate resources.<\/li>\n
                                                                                                                      • User\/automation access<\/strong>: Controlled by IAM policies for AWS Config APIs:<\/li>\n
                                                                                                                      • Read-only roles for auditors<\/li>\n
                                                                                                                      • Admin roles for governance\/platform team<\/li>\n
                                                                                                                      • Cross-account<\/strong>: Aggregators and organization deployments require explicit trust and authorizations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Encryption<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • S3 delivery bucket encryption<\/strong>: Use SSE-S3 or SSE-KMS depending on requirements.<\/li>\n
                                                                                                                        • SNS encryption<\/strong> (if used): Consider SSE-KMS for SNS topics where mandated.<\/li>\n
                                                                                                                        • In transit<\/strong>: AWS service APIs use TLS.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Network exposure<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • AWS Config is managed and accessed via AWS APIs; your main exposure considerations are:<\/li>\n
                                                                                                                          • Who can call AWS Config APIs<\/li>\n
                                                                                                                          • Who can read the S3 delivered data<\/li>\n
                                                                                                                          • Consider VPC endpoints if your environment restricts internet egress; verify AWS Config endpoint support in your Regions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Secrets handling<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • AWS Config itself doesn\u2019t require you to store secrets.<\/li>\n
                                                                                                                            • Custom rules\/remediation (Lambda, SSM) might\u2014use AWS Secrets Manager<\/strong> or SSM Parameter Store<\/strong> for secrets rather than embedding secrets in code.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Enable AWS CloudTrail<\/strong> organization trails to log AWS Config API calls.<\/li>\n
                                                                                                                              • Log and monitor changes to:<\/li>\n
                                                                                                                              • Recorder settings<\/li>\n
                                                                                                                              • Delivery channel destinations<\/li>\n
                                                                                                                              • Rules and conformance packs<\/li>\n
                                                                                                                              • Remediation configurations<\/li>\n
                                                                                                                              • Consider a \u201cgovernance change approval\u201d workflow for modifications to AWS Config baselines.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Map rules\/conformance packs to your control framework (CIS, NIST, ISO, SOC 2).<\/li>\n
                                                                                                                                • Maintain evidence:<\/li>\n
                                                                                                                                • S3 snapshots and delivered history<\/li>\n
                                                                                                                                • Compliance reports from aggregators<\/li>\n
                                                                                                                                • Ensure retention meets policy (S3 lifecycle must not delete evidence prematurely).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Delivering to an S3 bucket without blocking public access.<\/li>\n
                                                                                                                                  • Allowing broad IAM permissions to disable AWS Config or delete rules.<\/li>\n
                                                                                                                                  • Auto-remediating production resources without guardrails\/approvals.<\/li>\n
                                                                                                                                  • Not enabling AWS Config in critical Regions (governance blind spots).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Use a dedicated, locked-down S3 bucket for delivery with strict bucket policy.<\/li>\n
                                                                                                                                    • Use AWS Organizations and delegated admin to centralize governance.<\/li>\n
                                                                                                                                    • Deploy and manage AWS Config settings using IaC and change control.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                      Known limitations \/ boundaries<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • AWS Config only records supported resource types<\/strong> and only the properties it is designed to track.<\/li>\n
                                                                                                                                      • Some resources are global or have special recording considerations.<\/li>\n
                                                                                                                                      • Rule evaluation timing is not always immediate; expect eventual consistency.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Quotas<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Quotas exist for rules, conformance packs, aggregators, and more. Values can change.<\/li>\n
                                                                                                                                        • Always check Service Quotas<\/strong> in your account\/Region for AWS Config.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Regional constraints<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Not all Regions may support every AWS Config capability equally.<\/li>\n
                                                                                                                                          • Verify feature availability (for example, specific managed rules, remediation actions, organization features) in official docs for your Regions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Recording \u201call supported resource types\u201d across many Regions can generate significant configuration items.<\/li>\n
                                                                                                                                            • Periodic rules across many resources can generate high evaluation counts.<\/li>\n
                                                                                                                                            • S3 storage and KMS usage can grow quietly over time.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Custom rules require maintaining Lambda runtime compatibility and permissions.<\/li>\n
                                                                                                                                              • Remediation actions can fail if IAM permissions or resource constraints prevent changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • You must create a delivery channel<\/strong> before starting the recorder.<\/li>\n
                                                                                                                                                • Deleting AWS Config components has dependencies (stop recorder, delete delivery channel, etc.).<\/li>\n
                                                                                                                                                • High-volume environments can generate many notifications; plan filtering and routing.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • If migrating from ad-hoc scripts or third-party tooling, the main work is:<\/li>\n
                                                                                                                                                  • Defining rule intent<\/li>\n
                                                                                                                                                  • Handling exceptions<\/li>\n
                                                                                                                                                  • Mapping policies to managed rules or building custom rules<\/li>\n
                                                                                                                                                  • Managing rollout without breaking teams<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • AWS Config is AWS-native and integrates deeply with AWS services; cross-cloud governance requires additional tooling (see comparisons).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                      AWS Config is best compared with services that provide governance, compliance checks, and configuration tracking.<\/p>\n\n\n\n
                                                                                                                                                      Comparison table<\/h3>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                      Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      AWS Config<\/strong><\/td>\nAWS resource configuration history + compliance<\/td>\nNative AWS integration; config timeline; managed\/custom rules; conformance packs; aggregators<\/td>\nCost can grow at scale; only supported resource types; eventual consistency<\/td>\nYou need continuous compliance + config history in AWS<\/td>\n<\/tr>\n
                                                                                                                                                      AWS CloudTrail<\/strong><\/td>\nAPI activity auditing (\u201cwho did what\u201d)<\/td>\nStrong audit trail; forensic detail; integrates with detection tooling<\/td>\nNot a configuration state database; doesn\u2019t directly evaluate compliance<\/td>\nUse alongside Config for investigations and audit<\/td>\n<\/tr>\n
                                                                                                                                                      AWS Security Hub<\/strong><\/td>\nSecurity posture management and findings aggregation<\/td>\nCentralizes findings across services; compliance standards views<\/td>\nDepends on other data sources; not a full config history system<\/td>\nUse for security reporting; pair with Config for governance controls<\/td>\n<\/tr>\n
                                                                                                                                                      AWS Systems Manager<\/strong><\/td>\nOps management + automation<\/td>\nRemediation automation; patching; inventory; runbooks<\/td>\nNot a compliance evaluator by itself<\/td>\nUse for remediation actions triggered by Config<\/td>\n<\/tr>\n
                                                                                                                                                      Azure Policy (Microsoft Azure)<\/strong><\/td>\nAzure governance and compliance<\/td>\nStrong policy-as-code, enforcement modes<\/td>\nAzure-specific<\/td>\nMulti-cloud orgs: use Azure Policy in Azure; use Config in AWS<\/td>\n<\/tr>\n
                                                                                                                                                      Google Cloud Organization Policy \/ Cloud Asset Inventory<\/strong><\/td>\nGCP governance and asset inventory<\/td>\nOrg-level constraints; asset visibility<\/td>\nGCP-specific; different model than AWS Config rules<\/td>\nUse in GCP; combine with AWS Config for multi-cloud<\/td>\n<\/tr>\n
                                                                                                                                                      Cloud Custodian (open source)<\/strong><\/td>\nMulti-cloud policy automation<\/td>\nFlexible; supports multiple clouds<\/td>\nRequires hosting\/ops; policy maintenance<\/td>\nWhen you want cross-cloud policies with self-managed control<\/td>\n<\/tr>\n
                                                                                                                                                      OPA \/ policy-as-code in CI<\/strong><\/td>\nPrevent misconfigurations before deploy<\/td>\nFast feedback; shift-left<\/td>\nDoesn\u2019t track post-deploy drift alone<\/td>\nCombine with AWS Config for continuous drift\/compliance<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                      Enterprise example (regulated organization)<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Problem:<\/strong> A financial services company runs 200+ AWS accounts across multiple Regions. Auditors require continuous evidence that encryption, logging, and network exposure policies are enforced, and security needs centralized reporting.<\/li>\n
                                                                                                                                                      • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                      • Enable AWS Config in all required Regions in all workload accounts.<\/li>\n
                                                                                                                                                      • Use AWS Organizations to manage multi-account governance.<\/li>\n
                                                                                                                                                      • Deploy organization conformance packs<\/strong> (baseline security controls) to all OUs; apply stricter packs to production OUs.<\/li>\n
                                                                                                                                                      • Configure a central AWS Config aggregator<\/strong> in the security account to collect compliance and configuration data.<\/li>\n
                                                                                                                                                      • Route compliance change events to EventBridge and create tickets for critical noncompliance.<\/li>\n
                                                                                                                                                      • Use Systems Manager Automation for safe, pre-approved remediations (e.g., enforce S3 public access block) and require approvals for high-risk remediations.<\/li>\n
                                                                                                                                                      • Why AWS Config was chosen:<\/strong><\/li>\n
                                                                                                                                                      • Native configuration history and compliance evaluation.<\/li>\n
                                                                                                                                                      • Scales across accounts\/Regions using aggregators and organization patterns.<\/li>\n
                                                                                                                                                      • Strong audit evidence story via delivered S3 history\/snapshots.<\/li>\n
                                                                                                                                                      • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                      • Reduced audit time and faster evidence gathering.<\/li>\n
                                                                                                                                                      • Faster detection of misconfigurations and reduced risk window.<\/li>\n
                                                                                                                                                      • Centralized compliance dashboards for leadership and auditors.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Startup\/small-team example (lean operations)<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Problem:<\/strong> A startup with a small DevOps team has experienced incidents due to manual console changes and inconsistent tagging. They need lightweight governance without slowing development.<\/li>\n
                                                                                                                                                        • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                        • Enable AWS Config in one primary Region for production.<\/li>\n
                                                                                                                                                        • Record only key resource types (S3, security groups, IAM-related where needed\u2014verify supported types).<\/li>\n
                                                                                                                                                        • Add 5\u201310 high-value managed rules: S3 public access, encryption checks, open security group ports, required tags.<\/li>\n
                                                                                                                                                        • Notify a Slack\/email channel via SNS when critical rules become noncompliant.<\/li>\n
                                                                                                                                                        • Why AWS Config was chosen:<\/strong><\/li>\n
                                                                                                                                                        • Minimal operational overhead compared to self-hosted governance.<\/li>\n
                                                                                                                                                        • Immediate value: visibility into changes and basic compliance.<\/li>\n
                                                                                                                                                        • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                        • Fewer \u201cmystery changes\u201d during incidents.<\/li>\n
                                                                                                                                                        • Improved cost allocation and ownership through tagging compliance.<\/li>\n
                                                                                                                                                        • A governance foundation that can scale later with conformance packs and aggregation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          1. \n
                                                                                                                                                            Is AWS Config the same as AWS CloudTrail?<\/strong>\n   No. CloudTrail logs API activity (who called what). AWS Config records resource configuration state and changes over time and evaluates compliance.<\/p>\n<\/li>\n
                                                                                                                                                          2. \n
                                                                                                                                                            Do I need an S3 bucket for AWS Config?<\/strong>\n   Yes. AWS Config uses a delivery channel that delivers configuration history and snapshots to an S3 bucket.<\/p>\n<\/li>\n
                                                                                                                                                          3. \n
                                                                                                                                                            Is AWS Config regional or global?<\/strong>\n   AWS Config is configured per Region. Some global resource types can be recorded, typically in a designated Region\u2014verify the current behavior in official docs for the resource types you care about.<\/p>\n<\/li>\n
                                                                                                                                                          4. \n
                                                                                                                                                            Can AWS Config work across multiple AWS accounts?<\/strong>\n   Yes. Common patterns include using AWS Organizations features and a configuration aggregator in a central account.<\/p>\n<\/li>\n
                                                                                                                                                          5. \n
                                                                                                                                                            What\u2019s the difference between AWS Config rules and conformance packs?<\/strong>\n   Rules are individual compliance checks. Conformance packs bundle multiple rules (and optional remediation settings) into a deployable unit.<\/p>\n<\/li>\n
                                                                                                                                                          6. \n
                                                                                                                                                            Does AWS Config prevent noncompliant resources from being created?<\/strong>\n   AWS Config primarily detects and evaluates after creation\/change. Preventive controls typically use IAM policies, SCPs (Organizations), or service-native controls. Config can trigger remediation after the fact.<\/p>\n<\/li>\n
                                                                                                                                                          7. \n
                                                                                                                                                            How quickly does AWS Config detect changes?<\/strong>\n   It\u2019s near-real-time for many changes, but not guaranteed instantaneous. Expect some delay (eventual consistency).<\/p>\n<\/li>\n
                                                                                                                                                          8. \n
                                                                                                                                                            Can I write custom compliance logic?<\/strong>\n   Yes. You can create custom rules, typically using AWS Lambda to evaluate resources.<\/p>\n<\/li>\n
                                                                                                                                                          9. \n
                                                                                                                                                            Does AWS Config store configuration history forever?<\/strong>\n   AWS Config retains configuration history according to its service behavior and your S3 retention policies. Retention details and limits can change\u2014verify in official docs, and ensure your S3 lifecycle policies align with audit requirements.<\/p>\n<\/li>\n
                                                                                                                                                          10. \n
                                                                                                                                                            How do I reduce AWS Config costs?<\/strong>\n   Limit recording to necessary resource types, reduce the number of rules, prefer change-triggered evaluations where appropriate, and tune conformance packs. Use the pricing page and calculator to model costs.<\/p>\n<\/li>\n
                                                                                                                                                          11. \n
                                                                                                                                                            Can AWS Config auto-remediate issues?<\/strong>\n   Yes, in many cases via remediation actions (often Systems Manager Automation). Not all rules\/resources support remediation; test carefully.<\/p>\n<\/li>\n
                                                                                                                                                          12. \n
                                                                                                                                                            Does AWS Config support Kubernetes (EKS) resources?<\/strong>\n   AWS Config focuses on AWS resource configurations; it may record certain EKS-related AWS resources (clusters, security groups, IAM, etc.), but not necessarily Kubernetes objects inside the cluster. For in-cluster policy, use Kubernetes-native tooling plus AWS governance.<\/p>\n<\/li>\n
                                                                                                                                                          13. \n
                                                                                                                                                            Can I get notified when a resource becomes noncompliant?<\/strong>\n   Yes. Use SNS or EventBridge to react to compliance change events.<\/p>\n<\/li>\n
                                                                                                                                                          14. \n
                                                                                                                                                            Is AWS Config required for SOC 2 \/ ISO 27001?<\/strong>\n   Not required, but commonly used to provide evidence and continuous monitoring for relevant controls. Your requirements depend on your auditors and control design.<\/p>\n<\/li>\n
                                                                                                                                                          15. \n
                                                                                                                                                            What\u2019s a good minimal starting set of AWS Config rules?<\/strong>\n   Common starting points: required tags, S3 public access controls, encryption checks for key data stores, and security group exposure checks. Choose rules based on your threat model and compliance needs.<\/p>\n<\/li>\n
                                                                                                                                                          16. \n
                                                                                                                                                            Can I export AWS Config data for analytics?<\/strong>\n   Yes. Data is delivered to S3; you can build analytics pipelines (for example, using Athena) if desired. Ensure your delivered data format and partitions match your query approach (verify in docs and test).<\/p>\n<\/li>\n
                                                                                                                                                          17. \n
                                                                                                                                                            How does AWS Config relate to AWS Organizations SCPs?<\/strong>\n   SCPs can prevent actions at the account level; AWS Config detects and reports configuration compliance. Many organizations use SCPs for preventive guardrails and AWS Config for detective controls and evidence.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                            17. Top Online Resources to Learn AWS Config<\/h2>\n\n\n\n
                                                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                            Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                            Official documentation<\/td>\nAWS Config Developer Guide<\/td>\nPrimary reference for concepts, setup, rules, aggregators, and APIs: https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/WhatIsConfig.html<\/td>\n<\/tr>\n
                                                                                                                                                            Official pricing<\/td>\nAWS Config Pricing<\/td>\nAccurate, region-specific pricing model: https:\/\/aws.amazon.com\/config\/pricing\/<\/td>\n<\/tr>\n
                                                                                                                                                            Pricing tool<\/td>\nAWS Pricing Calculator<\/td>\nModel costs for configuration items and rule evaluations: https:\/\/calculator.aws\/#\/<\/td>\n<\/tr>\n
                                                                                                                                                            Official rule reference<\/td>\nAWS Managed Rules List<\/td>\nShows available managed rules and parameters (verify current list): https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/managed-rules-by-aws-config.html<\/td>\n<\/tr>\n
                                                                                                                                                            Official getting started<\/td>\nGetting Started with AWS Config<\/td>\nStep-by-step enablement guidance (console and concepts): https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/gs-console.html<\/td>\n<\/tr>\n
                                                                                                                                                            Official API reference<\/td>\nAWS Config API Reference<\/td>\nFor automation and tooling: https:\/\/docs.aws.amazon.com\/config\/latest\/APIReference\/<\/td>\n<\/tr>\n
                                                                                                                                                            CLI reference<\/td>\nAWS CLI \u2013 configservice commands<\/td>\nCopy\/paste commands and options: https:\/\/docs.aws.amazon.com\/cli\/latest\/reference\/configservice\/<\/td>\n<\/tr>\n
                                                                                                                                                            Architecture guidance<\/td>\nAWS Architecture Center<\/td>\nPatterns and best practices; search for governance\/compliance: https:\/\/aws.amazon.com\/architecture\/<\/td>\n<\/tr>\n
                                                                                                                                                            Official videos<\/td>\nAWS YouTube Channel<\/td>\nTalks, demos, governance best practices (search \u201cAWS Config\u201d): https:\/\/www.youtube.com\/@AmazonWebServices<\/td>\n<\/tr>\n
                                                                                                                                                            Samples<\/td>\nAWS Samples on GitHub (search)<\/td>\nReference implementations and automation patterns (validate repo trust): https:\/\/github.com\/aws-samples<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                            18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                            \n\n\n\n\n\n\n\n\n
                                                                                                                                                            Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                            DevOpsSchool.com<\/td>\nBeginners to experienced DevOps\/Cloud engineers<\/td>\nAWS governance, DevOps practices, hands-on labs<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            ScmGalaxy.com<\/td>\nDevOps, build\/release, and tooling learners<\/td>\nSCM\/DevOps foundations plus cloud governance topics<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            CLoudOpsNow.in<\/td>\nCloudOps\/operations teams<\/td>\nOperations, monitoring, governance, cost awareness<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                            SreSchool.com<\/td>\nSREs and reliability-focused engineers<\/td>\nReliability engineering, operations, governance integration<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            AiOpsSchool.com<\/td>\nOps teams exploring AIOps<\/td>\nAutomation, operations analytics, governance signals<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                            19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                            \n\n\n\n\n\n\n\n
                                                                                                                                                            Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                            RajeshKumar.xyz<\/td>\nDevOps\/cloud coaching and workshops (verify offerings)<\/td>\nIndividuals and teams seeking practical mentoring<\/td>\nhttps:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                            devopstrainer.in<\/td>\nDevOps and cloud training programs (verify offerings)<\/td>\nBeginners to intermediate engineers<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                            devopsfreelancer.com<\/td>\nFreelance DevOps consulting\/training (verify offerings)<\/td>\nTeams needing short-term enablement<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            devopssupport.in<\/td>\nDevOps support and training resources (verify offerings)<\/td>\nOperations teams and practitioners<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                            20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                            \n\n\n\n\n\n\n
                                                                                                                                                            Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                            cotocus.com<\/td>\nCloud\/DevOps consulting (verify exact services)<\/td>\nGovernance design, AWS foundations, automation<\/td>\nMulti-account landing zone improvements; governance rollout planning; compliance reporting setup<\/td>\nhttps:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            DevOpsSchool.com<\/td>\nDevOps and cloud consulting\/training<\/td>\nGovernance implementation, DevOps operating model<\/td>\nAWS Config rollout with conformance packs; rule tuning; remediation pipelines<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                            DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services (verify exact services)<\/td>\nCloud operations and governance<\/td>\nCI\/CD + compliance guardrails; tagging standards enforcement; audit evidence workflows<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                            What to learn before AWS Config<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • AWS fundamentals: accounts, Regions, IAM, VPC, EC2, S3<\/li>\n
                                                                                                                                                            • IAM policy basics (allow\/deny, least privilege, roles)<\/li>\n
                                                                                                                                                            • Logging basics: CloudTrail and CloudWatch<\/li>\n
                                                                                                                                                            • Infrastructure as Code basics (CloudFormation\/Terraform) to manage governance as code<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              What to learn after AWS Config<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • AWS Organizations advanced governance (SCPs, delegated admin patterns)<\/li>\n
                                                                                                                                                              • AWS Security Hub and detective controls strategy<\/li>\n
                                                                                                                                                              • Event-driven automation: EventBridge + Lambda + Systems Manager Automation<\/li>\n
                                                                                                                                                              • Policy as code in CI\/CD (OPA, tfsec\/checkov, cfn-lint, etc.)<\/li>\n
                                                                                                                                                              • Data analytics on S3-delivered governance evidence (Athena\/Glue) if needed<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Job roles that use AWS Config<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Cloud Platform Engineer<\/li>\n
                                                                                                                                                                • Cloud Security Engineer \/ Security Architect<\/li>\n
                                                                                                                                                                • DevOps Engineer \/ SRE<\/li>\n
                                                                                                                                                                • Governance, Risk, and Compliance (GRC) technical roles<\/li>\n
                                                                                                                                                                • Solutions Architect (especially in regulated environments)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Certification path (AWS)<\/h3>\n\n\n\n
                                                                                                                                                                  There is no certification dedicated only to AWS Config, but it\u2019s relevant to:\n– AWS Certified Solutions Architect (Associate\/Professional)\n– AWS Certified SysOps Administrator \u2013 Associate\n– AWS Certified DevOps Engineer \u2013 Professional\n– AWS Certified Security \u2013 Specialty\nVerify current AWS certification names and availability: https:\/\/aws.amazon.com\/certification\/<\/p>\n\n\n\n
                                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  1. Baseline conformance pack rollout<\/strong> in a multi-account org (dev \u2192 staging \u2192 prod).<\/li>\n
                                                                                                                                                                  2. Automated remediation<\/strong> for a safe control (e.g., enforce S3 public access block) with approval gates.<\/li>\n
                                                                                                                                                                  3. Drift detection pipeline<\/strong>: AWS Config events \u2192 EventBridge \u2192 ticket\/Slack \u2192 IaC PR to revert.<\/li>\n
                                                                                                                                                                  4. Tag governance program<\/strong>: required tags + exception tagging + compliance reporting dashboard.<\/li>\n
                                                                                                                                                                  5. Central aggregator + reporting<\/strong>: aggregate compliance into a security account and build periodic reports.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • AWS Config<\/strong>: AWS service for recording resource configurations, tracking changes, and evaluating compliance.<\/li>\n
                                                                                                                                                                    • Configuration recorder<\/strong>: AWS Config component that records configuration changes for selected resource types.<\/li>\n
                                                                                                                                                                    • Delivery channel<\/strong>: AWS Config component that delivers configuration history and snapshots to S3 (and optionally sends notifications to SNS).<\/li>\n
                                                                                                                                                                    • Configuration item (CI)<\/strong>: A point-in-time representation of a resource\u2019s configuration recorded by AWS Config.<\/li>\n
                                                                                                                                                                    • AWS Config Rule<\/strong>: A compliance check that evaluates whether resources meet desired configuration requirements.<\/li>\n
                                                                                                                                                                    • Managed rule<\/strong>: A predefined rule provided by AWS.<\/li>\n
                                                                                                                                                                    • Custom rule<\/strong>: A rule with custom evaluation logic (commonly backed by AWS Lambda).<\/li>\n
                                                                                                                                                                    • Conformance Pack<\/strong>: A deployable collection of rules (and optional remediation settings) representing a compliance standard or baseline.<\/li>\n
                                                                                                                                                                    • Configuration aggregator<\/strong>: A component that collects configuration and compliance data across accounts and Regions.<\/li>\n
                                                                                                                                                                    • Compliance status<\/strong>: Result of evaluating a resource against a rule (e.g., COMPLIANT \/ NON_COMPLIANT \/ INSUFFICIENT_DATA).<\/li>\n
                                                                                                                                                                    • Remediation action<\/strong>: An automated action that attempts to fix noncompliance (often through Systems Manager Automation).<\/li>\n
                                                                                                                                                                    • AWS Organizations<\/strong>: Service for managing multiple AWS accounts with centralized governance.<\/li>\n
                                                                                                                                                                    • SCP (Service Control Policy)<\/strong>: Organization-level policy that limits what actions accounts can perform.<\/li>\n
                                                                                                                                                                    • EventBridge<\/strong>: Event bus service used to route AWS service events to targets for automation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                      AWS Config is an AWS Management and governance service that records supported AWS resource configurations, tracks changes over time, and evaluates compliance with rules and conformance packs. It matters because it provides continuous visibility into configuration drift, supports audit evidence collection, and enables automated governance workflows across accounts and Regions.<\/p>\n\n\n\n
                                                                                                                                                                      Cost is driven mainly by configuration items recorded<\/strong> and rule evaluations<\/strong>, plus indirect costs like S3 storage, KMS, and automation components. Security success depends on locking down the S3 delivery bucket, controlling who can modify AWS Config settings, and designing safe remediation paths.<\/p>\n\n\n\n
                                                                                                                                                                      Use AWS Config when you need configuration history and continuous compliance in AWS\u2014especially in multi-account environments. Start small (limited resource types, a few high-value managed rules), validate value and noise, then scale with conformance packs, aggregation, and remediation automation.<\/p>\n\n\n\n
                                                                                                                                                                      Next step: review the official AWS Config Developer Guide and implement a production-ready multi-account pattern with an aggregator and a baseline conformance pack, managed as code.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                      Management and governance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,33],"tags":[],"class_list":["post-259","post","type-post","status-publish","format-standard","hentry","category-aws","category-management-and-governance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=259"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/259\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}