AWS Config Tutorial: Configuration Compliance That Prevents Breaches | AWSight

AWS Config Tutorial: Configuration Compliance That Prevents Breaches

How configuration drift cost a healthcare startup their HIPAA certification and $3.2M in damages

🚨 The $3.2M Configuration Drift Disaster

In September 2024, a healthcare startup processing 50,000+ patient records lost their HIPAA certification after a routine audit uncovered devastating security misconfigurations. Their AWS environment had gradually drifted from compliance over 8 months:

$3.2M in total damages, including regulatory fines ($1.8M), remediation costs, lost customers, and 14 months to regain certification.

The root cause? S3 buckets containing PHI had public read access enabled by a developer 3 months earlier. No configuration monitoring system detected the change.

  • 68% of security incidents caused by misconfigurations
  • 206 days average time to detect config drift
  • $4.88M average cost of a healthcare data breach
  • 91% of organizations lack config monitoring


🎯 Why Configuration Drift Destroys Compliance

Configuration drift occurs when your AWS resources gradually deviate from their intended secure state through manual changes, automated deployments, or human error. This silent killer of compliance creates vulnerabilities that often go undetected for months.

⚠️ Real-World Configuration Drift Scenarios

  • S3 Bucket Exposure: Developer temporarily enables public access for testing, forgets to revert
  • Security Group Drift: Emergency access rules added during incident response never removed
  • IAM Policy Creep: Permissions gradually expanded beyond principle of least privilege
  • Encryption Gaps: New resources deployed without required encryption settings
  • Network Misconfigurations: VPC changes expose internal resources to internet

The Three Critical Problems AWS Config Solves

1. Configuration Change Tracking

AWS Config provides a complete audit trail of all configuration changes across your AWS environment. Every modification is recorded with timestamps, user attribution, and detailed change history—essential for compliance frameworks like SOX and HIPAA.

2. Compliance Rule Enforcement

Automated evaluation of resources against compliance requirements. AWS Config rules continuously monitor your environment and immediately flag non-compliant resources, preventing the gradual drift that caused MedSecure's breach.

3. Automated Remediation

When misconfigurations are detected, AWS Config can automatically trigger remediation actions through Systems Manager, Lambda functions, or Security Hub—closing security gaps within minutes instead of months.

⚠️ Compliance Reality Check: According to the 2024 Cloud Security Report, 68% of security incidents are caused by misconfigurations, and organizations without configuration monitoring take an average of 206 days to detect compliance drift.

🏗️ AWS Config Architecture and Components

Before diving into implementation, understanding AWS Config's architecture ensures you configure it correctly for maximum security benefit.

Core Components

  • Configuration Recorder: Captures configuration changes for supported AWS resources in your account and region
  • Delivery Channel: Delivers configuration snapshots and history files to an S3 bucket for audit trails
  • Config Rules: Evaluate resource configurations against compliance requirements automatically
  • Remediation Actions: Automated responses to fix non-compliant resources using Systems Manager or Lambda

Essential Config Rules for Security

Here are the most critical AWS Config rules that prevent the types of misconfigurations that caused MedSecure's breach:

  • s3-bucket-public-access-prohibited (S3): Ensures S3 buckets don't allow public access—prevents PHI exposure
  • s3-bucket-server-side-encryption-enabled (S3): Verifies all S3 buckets have encryption enabled for data at rest
  • ec2-security-group-attached-to-eni (EC2): Ensures all network interfaces have security groups attached
  • iam-password-policy (IAM): Enforces strong password policies for IAM users
  • rds-instance-public-access-check (RDS): Verifies RDS instances aren't publicly accessible
  • cloudtrail-enabled (CloudTrail): Ensures CloudTrail is enabled for audit logging

Step 1: Enable AWS Config with CloudTrail Integration (8 minutes)

Prerequisites:

  • Administrative access to your AWS account
  • CloudTrail enabled (required for Config rule evaluation)
  • S3 bucket for Config delivery channel (can be auto-created)
  • IAM service role for Config (can be auto-created)

Console Steps:

1.1 Navigate to AWS Config Service

  • Sign in to the AWS Console
  • Search for "Config" in the services search bar
  • Click on "Config" to open the AWS Config console
  • Select your primary region (us-east-1 recommended for global resources)

1.2 Configure Configuration Recorder

  • Click "Get started" if this is your first time
  • Resource types to record: Select "Record all supported resources"
  • Include global resources: Check "Include global resource types"
  • Data governance: Check "Enable" for resource governance

⚠️ Important: Recording all resource types ensures comprehensive compliance monitoring. Selective recording may miss critical security configurations.

1.3 Set Up Delivery Channel

  • S3 bucket: Choose "Create a bucket" (recommended naming: config-[account-id]-[region])
  • S3 bucket key prefix: config-logs/
  • SNS topic: Create new topic for Config notifications
  • SNS topic name: config-compliance-alerts

# Alternative: enable Config via the AWS CLI
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
REGION=$(aws configure get region)

# The recorder must reference the Config service role (aws-config-role, see step 1.4)
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::${ACCOUNT_ID}:role/aws-config-role \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

# The bucket and SNS topic must already exist; all delivery-channel settings go in one argument
aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=config-${ACCOUNT_ID}-${REGION},s3KeyPrefix=config-logs,snsTopicARN=arn:aws:sns:${REGION}:${ACCOUNT_ID}:config-compliance-alerts

aws configservice start-configuration-recorder \
  --configuration-recorder-name default

1.4 Create IAM Service Role

  • Role name: aws-config-role (auto-suggested)
  • Policy: AWS Config will automatically attach required policies
  • Review the permissions and click "Allow"

1.5 Verify CloudTrail Integration

  • Go to CloudTrail console
  • Verify you have an active trail capturing management events
  • If no trail exists, create one with data events enabled

Configuration Active: AWS Config is now recording configuration changes across your account. You'll see the first configuration items appear within 10-15 minutes.

Step 2: Configure Essential Compliance Rules (10 minutes)

Deploy the most critical Config rules that prevent common security misconfigurations and ensure compliance with major frameworks.

Console Steps:

2.1 Add S3 Security Rules

  • In Config console, click "Rules" in the left navigation
  • Click "Add rule"
  • Search for "s3-bucket-public-access-prohibited"
  • Click "Add rule" → "Save"

# Deploy S3 security rules via CLI
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "s3-bucket-public-access-prohibited",
    "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_ACCESS_PROHIBITED" }
  }'

aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
    "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" }
  }'

2.2 Add Network Security Rules

# Deploy network security rules
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "ec2-security-group-attached-to-eni",
    "Source": { "Owner": "AWS", "SourceIdentifier": "EC2_SECURITY_GROUP_ATTACHED_TO_ENI" }
  }'

aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "incoming-ssh-disabled",
    "Source": { "Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED" }
  }'

2.3 Add Database Security Rules

# Deploy database security rules
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "rds-instance-public-access-check",
    "Source": { "Owner": "AWS", "SourceIdentifier": "RDS_INSTANCE_PUBLIC_ACCESS_CHECK" }
  }'

aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "rds-storage-encrypted",
    "Source": { "Owner": "AWS", "SourceIdentifier": "RDS_STORAGE_ENCRYPTED" }
  }'

2.4 Add IAM Security Rules

# Deploy IAM security rules
# InputParameters is a JSON string, hence the escaped quotes
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "iam-password-policy",
    "Source": { "Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY" },
    "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"12\"}"
  }'

aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "root-access-key-check",
    "Source": { "Owner": "AWS", "SourceIdentifier": "ROOT_ACCESS_KEY_CHECK" }
  }'

⚠️ Rule Evaluation: Config rules evaluate existing resources immediately and new resources as they're created. Initial evaluation may take 10-30 minutes depending on your environment size.

2.5 Deploy Conformance Pack (Optional but Recommended)

For comprehensive compliance, deploy AWS Config Conformance Packs that include multiple related rules:

# Deploy Security Best Practices Conformance Pack
# --template-s3-uri must point at a conformance pack template stored in an S3 bucket your account can read
aws configservice put-conformance-pack \
  --conformance-pack-name "SecurityBestPractices" \
  --template-s3-uri "s3://aws-configservice-conformance-packs-$(aws configure get region)/Security-Best-Practices-for-Config.yaml"

# Deploy HIPAA Conformance Pack for healthcare compliance
aws configservice put-conformance-pack \
  --conformance-pack-name "HIPAASecurityConfiguration" \
  --template-s3-uri "s3://aws-configservice-conformance-packs-$(aws configure get region)/HIPAA-Security-for-Config.yaml"

Rules Active: Your essential compliance rules are now monitoring your environment. Any non-compliant resources will be flagged within the next evaluation cycle.

Step 3: Set Up Automated Remediation (8 minutes)

Configure automatic fixes for common misconfigurations to reduce mean time to resolution from hours to minutes.

Console Steps:

3.1 Create Remediation IAM Role

# Create the IAM role that SSM Automation assumes when Config triggers remediation
aws iam create-role \
  --role-name ConfigRemediationRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "ssm.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }'

# Attach the policy that lets SSM Automation run the remediation documents
aws iam attach-role-policy \
  --role-name ConfigRemediationRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole

# Broad EC2 permissions for the security-group remediation (the managed policy is
# named AmazonEC2FullAccess). For least privilege, replace it with an inline policy
# limited to ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress, and add
# s3:PutBucketPublicAccessBlock, which the S3 remediation below needs and this role otherwise lacks.
aws iam attach-role-policy \
  --role-name ConfigRemediationRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

3.2 Configure S3 Bucket Remediation

  • In Config console, go to "Rules"
  • Click on s3-bucket-public-access-prohibited
  • Click "Actions" → "Manage remediation"
  • Select "Automatic remediation"
  • Choose remediation action: AWSConfigRemediation-DisableS3BucketPublicAccess (the same document the CLI command below targets)

# Configure automated S3 bucket remediation
# The CLI command is put-remediation-configurations and takes a JSON list
aws configservice put-remediation-configurations \
  --remediation-configurations '[{
    "ConfigRuleName": "s3-bucket-public-access-prohibited",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWSConfigRemediation-DisableS3BucketPublicAccess",
    "TargetVersion": "1",
    "Parameters": {
      "AutomationAssumeRole": { "StaticValue": { "Values": ["arn:aws:iam::ACCOUNT-ID:role/ConfigRemediationRole"] } },
      "S3BucketName": { "ResourceValue": { "Value": "RESOURCE_ID" } }
    },
    "Automatic": true,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 60
  }]'

3.3 Configure Security Group Remediation

# Auto-remediate overly permissive security groups
# The document takes the automation role and the GroupId of the non-compliant resource
aws configservice put-remediation-configurations \
  --remediation-configurations '[{
    "ConfigRuleName": "incoming-ssh-disabled",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWSConfigRemediation-RemoveUnrestrictedSourceInSecurityGroup",
    "TargetVersion": "1",
    "Parameters": {
      "AutomationAssumeRole": { "StaticValue": { "Values": ["arn:aws:iam::ACCOUNT-ID:role/ConfigRemediationRole"] } },
      "GroupId": { "ResourceValue": { "Value": "RESOURCE_ID" } }
    },
    "Automatic": true,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 60
  }]'

3.4 Set Up Custom Lambda Remediation

For more complex remediation scenarios, create custom Lambda functions:

import json
import boto3


def lambda_handler(event, context):
    """Custom remediation: apply default encryption to an S3 bucket.

    Expects an event that carries the non-compliant bucket's configuration
    item under 'configurationItem'.
    """
    s3 = boto3.client('s3')

    # Extract the bucket name from the configuration item
    bucket_name = event['configurationItem']['resourceName']

    try:
        # Apply default SSE-S3 (AES256) encryption to the bucket
        s3.put_bucket_encryption(
            Bucket=bucket_name,
            ServerSideEncryptionConfiguration={
                'Rules': [
                    {'ApplyServerSideEncryptionByDefault': {'SSEAlgorithm': 'AES256'}}
                ]
            }
        )
        return {
            'statusCode': 200,
            'body': json.dumps(f'Successfully applied encryption to {bucket_name}')
        }
    except Exception as e:
        print(f'Error: {e}')
        return {
            'statusCode': 500,
            'body': json.dumps(f'Failed to remediate {bucket_name}: {e}')
        }

Remediation Active: Your automated remediation is now configured. Non-compliant resources will be automatically fixed within 5-10 minutes of detection.

Step 4: Create Compliance Dashboards and Alerts (4 minutes)

Set up real-time monitoring and alerting for compliance violations to ensure immediate visibility into your security posture.

Console Steps:

4.1 Create CloudWatch Dashboard

  • Navigate to CloudWatch console
  • Click "Dashboards" → "Create dashboard"
  • Dashboard name: AWS-Config-Compliance
  • Add widget: "Number" → Choose "Config" namespace
  • Select metrics: ComplianceByConfigRule, NonCompliantResources

# Create Config compliance dashboard via CLI
# Confirm these metrics exist in your account before relying on the widget:
#   aws cloudwatch list-metrics --namespace AWS/Config
aws cloudwatch put-dashboard \
  --dashboard-name "AWS-Config-Compliance" \
  --dashboard-body '{
    "widgets": [
      {
        "type": "metric",
        "properties": {
          "metrics": [
            ["AWS/Config", "ComplianceByConfigRule", "RuleName", "s3-bucket-public-access-prohibited"],
            [".", "NonCompliantResources", ".", "."]
          ],
          "period": 300,
          "stat": "Average",
          "region": "us-east-1",
          "title": "S3 Compliance Status"
        }
      }
    ]
  }'

4.2 Set Up CloudWatch Alarms

# Create alarm for non-compliant resources (same AWS/Config metric as the dashboard)
aws cloudwatch put-metric-alarm \
  --alarm-name "Config-NonCompliant-Resources" \
  --alarm-description "Alert when non-compliant resources detected" \
  --metric-name NonCompliantResources \
  --namespace AWS/Config \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:$(aws configure get region):$(aws sts get-caller-identity --query Account --output text):config-compliance-alerts

4.3 Configure EventBridge Rules for Real-time Alerts

# Create EventBridge rule for Config compliance changes
aws events put-rule \
  --name "ConfigComplianceChanges" \
  --description "Alert on Config compliance state changes" \
  --event-pattern '{
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
      "newEvaluationResult": { "complianceType": ["NON_COMPLIANT"] }
    }
  }'

# Add SNS target to the rule
# The topic's access policy must allow events.amazonaws.com to publish, or deliveries fail silently
aws events put-targets \
  --rule ConfigComplianceChanges \
  --targets "Id"="1","Arn"="arn:aws:sns:$(aws configure get region):$(aws sts get-caller-identity --query Account --output text):config-compliance-alerts"
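Tying step 3.4's custom Lambda remediation to the compliance-change events of step 4.3: an added example (not code from the original page) of a handler that consumes the "Config Rules Compliance Change" event, remediates only an allowlisted rule, and applies the same four public-access-block settings as the Systems Manager document later on this page. The bucket name, the RecordingS3Client stand-in and the sample event are constructed for illustration.

```python
"""Remediate AWS Config compliance-change events delivered by EventBridge."""

# Same four settings as the public-access-block Systems Manager document.
FULL_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Only rules listed here are remediated automatically; everything else stays alert-only.
REMEDIABLE_RULES = {"s3-bucket-public-access-prohibited": "AWS::S3::Bucket"}


def parse_compliance_event(event):
    """Return (rule, resource_type, resource_id) for a NON_COMPLIANT Config compliance
    change, or None for any other event (other source, COMPLIANT, missing fields)."""
    if (event.get("source") != "aws.config"
            or event.get("detail-type") != "Config Rules Compliance Change"):
        return None
    detail = event.get("detail", {})
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    try:
        return detail["configRuleName"], detail["resourceType"], detail["resourceId"]
    except KeyError:
        return None


def remediate(event, s3_client, dry_run=False):
    """Dispatch one event; returns a dict describing the decision taken."""
    parsed = parse_compliance_event(event)
    if parsed is None:
        return {"action": "ignored"}
    rule, resource_type, resource_id = parsed
    expected_type = REMEDIABLE_RULES.get(rule)
    if expected_type is None:
        return {"action": "alert_only", "rule": rule, "resource": resource_id}
    if resource_type != expected_type:
        # Never act on a resource of an unexpected type, even for a known rule.
        return {"action": "rejected", "rule": rule, "resource": resource_id}
    if dry_run:
        return {"action": "would_block_public_access", "bucket": resource_id}
    s3_client.put_public_access_block(
        Bucket=resource_id, PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK)
    return {"action": "blocked_public_access", "bucket": resource_id}


def lambda_handler(event, context):
    import boto3  # imported lazily so the logic above can be tested without boto3
    return remediate(event, boto3.client("s3"))


class RecordingS3Client:
    """Stand-in for boto3's S3 client that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Constructed sample event in the shape EventBridge delivers for Config compliance changes.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "s3-bucket-public-access-prohibited",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-phi-bucket",  # hypothetical bucket name
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
```

To use it as the Lambda target of the EventBridge rule above, point the rule's target at the function instead of (or in addition to) the SNS topic, and start with dry_run=True until the decisions look right.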

4.4 Create Custom Compliance Report

# Generate compliance summary report
aws configservice get-compliance-summary-by-config-rule \
  --query 'ComplianceSummary.{Compliant:ComplianceCompliant.CappedCount,NonCompliant:ComplianceNonCompliant.CappedCount}' \
  --output table

# Get detailed non-compliant resources
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name s3-bucket-public-access-prohibited \
  --compliance-types NON_COMPLIANT \
  --query 'EvaluationResults[*].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId' \
  --output table

Monitoring Complete: You now have comprehensive compliance monitoring with real-time alerts and visual dashboards for your security team.

Validation: Test Your Config Compliance Monitoring

Verify your AWS Config setup is working correctly by testing detection and remediation capabilities:

  • Config Recording Test: Create a test S3 bucket and verify it appears in Config within 10 minutes.
  • Compliance Rule Test: Temporarily enable public access on a test S3 bucket and confirm the rule flags it as non-compliant.
  • Remediation Test: Verify automated remediation fixes the public access within 5-10 minutes.
  • Alert Test: Confirm you receive SNS notifications when compliance violations occur.
  • Dashboard Test: Check that your CloudWatch dashboard shows current compliance status.
  • Change History Test: Verify Config timeline shows complete change history for test resources.

Compliance Validation Script

#!/bin/bash
# AWS Config Compliance Validation Script
set -u
echo "Validating AWS Config compliance monitoring..."

# Check Config recorder status (existence and whether it is actually recording)
echo "Checking Config recorder status..."
RECORDER_NAME=$(aws configservice describe-configuration-recorders \
  --query 'ConfigurationRecorders[0].name' --output text)
if [ "$RECORDER_NAME" != "None" ]; then
  RECORDING=$(aws configservice describe-configuration-recorder-status \
    --configuration-recorder-names "$RECORDER_NAME" \
    --query 'ConfigurationRecordersStatus[0].recording' --output text)
  echo "Config recorder found: $RECORDER_NAME (recording: $RECORDING)"
else
  echo "No Config recorder found!"
fi

# Check active rules
echo "Checking active Config rules..."
RULES_COUNT=$(aws configservice describe-config-rules \
  --query 'length(ConfigRules)' --output text)
echo "Active Config rules: $RULES_COUNT"

# Check compliance summary
echo "Getting compliance summary..."
aws configservice get-compliance-summary-by-config-rule \
  --query 'ComplianceSummary' --output table

# Check for non-compliant resources (sum+0 yields 0 rather than an empty string when nothing is returned)
echo "Checking for non-compliant resources..."
NON_COMPLIANT=$(aws configservice get-compliance-summary-by-resource-type \
  --query 'ComplianceSummaryByResourceType[*].ComplianceSummary.ComplianceNonCompliant.CappedCount' \
  --output text | awk '{sum+=$1} END {print sum+0}')
if [ "$NON_COMPLIANT" -gt 0 ]; then
  echo "Found $NON_COMPLIANT non-compliant resources"
  echo "Run detailed compliance check for investigation"
else
  echo "All resources compliant"
fi

echo "Config validation complete!"

Compliance Framework Configurations

HIPAA Compliance Configuration

Essential Config rules for healthcare organizations handling PHI:

  • s3-bucket-public-access-prohibited: Prevents PHI exposure
  • s3-bucket-server-side-encryption-enabled: Ensures PHI encryption at rest
  • cloudtrail-encryption-enabled: Protects audit logs
  • rds-storage-encrypted: Database encryption requirement
  • iam-password-policy: Strong authentication controls

# Deploy HIPAA conformance pack
aws configservice put-conformance-pack \
  --conformance-pack-name "HIPAA-Security" \
  --template-s3-uri "s3://aws-configservice-conformance-packs-$(aws configure get region)/HIPAA-Security-for-Config.yaml"

SOX Compliance Configuration

Financial controls for SOX Section 404 IT compliance:

  • cloudtrail-enabled: Audit trail requirements
  • iam-user-no-policies-check: Principle of least privilege
  • s3-bucket-versioning-enabled: Data integrity controls
  • rds-snapshot-encrypted: Financial data protection

PCI DSS Compliance Configuration

Payment card industry security requirements:

  • ec2-security-group-attached-to-eni: Network segmentation
  • incoming-ssh-disabled: Secure access controls
  • s3-bucket-ssl-requests-only: Encrypted data transmission
  • cloudwatch-log-group-encrypted: Log protection

Advanced AWS Config Features

Multi-Account Config Aggregation

For organizations with multiple AWS accounts, set up Config aggregation for centralized compliance monitoring:

# Create configuration aggregator for multi-account compliance
aws configservice put-configuration-aggregator \
  --configuration-aggregator-name "OrganizationConfigAggregator" \
  --organization-aggregation-source '{
    "RoleArn": "arn:aws:iam::MASTER-ACCOUNT:role/aws-config-organization-role",
    "AwsRegions": ["us-east-1", "us-west-2"],
    "AllAwsRegions": false
  }'

Custom Config Rules

Create organization-specific compliance rules using Lambda functions:

import json
import boto3

# Tags every EC2 instance must carry
REQUIRED_TAGS = ['Environment', 'Owner', 'CostCenter']


def lambda_handler(event, context):
    """Custom Config rule: ensure all EC2 instances have the required tags."""
    config_client = boto3.client('config')

    # Config passes the configuration item inside the JSON-encoded 'invokingEvent'
    invoking_event = json.loads(event['invokingEvent'])
    configuration_item = invoking_event.get('configurationItem')
    if configuration_item is None:
        # Scheduled notifications carry no configuration item; nothing to evaluate
        return

    # Check whether the resource has the required tags
    resource_tags = configuration_item.get('tags') or {}
    compliance_type = 'COMPLIANT'
    annotation = 'All required tags present'
    for tag in REQUIRED_TAGS:
        if tag not in resource_tags:
            compliance_type = 'NON_COMPLIANT'
            annotation = f'Missing required tag: {tag}'
            break

    # Report the compliance result back to Config
    config_client.put_evaluations(
        Evaluations=[
            {
                'ComplianceResourceType': configuration_item['resourceType'],
                'ComplianceResourceId': configuration_item['resourceId'],
                'ComplianceType': compliance_type,
                'Annotation': annotation,
                'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
            }
        ],
        ResultToken=event['resultToken']
    )

Config Rules Remediation with Systems Manager

Leverage AWS Systems Manager for automated remediation at scale:

# Create custom remediation document
# The content below is JSON, so the document format must be JSON; the assumeRole
# placeholder also needs a matching AutomationAssumeRole parameter, and the S3
# PutPublicAccessBlock API takes the bucket name in "Bucket"
aws ssm create-document \
  --name "CustomS3BucketRemediation" \
  --document-type "Automation" \
  --document-format "JSON" \
  --content '{
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
      "AutomationAssumeRole": { "type": "String" },
      "S3BucketName": { "type": "String" }
    },
    "mainSteps": [
      {
        "name": "DisablePublicAccess",
        "action": "aws:executeAwsApi",
        "inputs": {
          "Service": "s3",
          "Api": "PutPublicAccessBlock",
          "Bucket": "{{ S3BucketName }}",
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true,
            "BlockPublicPolicy": true,
            "RestrictPublicBuckets": true
          }
        }
      }
    ]
  }'

Common AWS Config Implementation Mistakes

⚠️ Mistake #1: Not enabling Config in all regions. Security threats can exploit resources in any region, so enable Config globally.
⚠️ Mistake #2: Selecting only certain resource types for recording. This creates blind spots where misconfigurations can hide.
⚠️ Mistake #3: Not setting up automated remediation. Manual remediation leads to extended exposure windows.
⚠️ Mistake #4: Ignoring Config costs. Monitor S3 storage costs for Config data and implement lifecycle policies.
⚠️ Mistake #5: Not testing remediation actions. Always test automated remediation in non-production environments first.

Next Steps: Advanced AWS Security

AWS Config provides the foundation for compliance monitoring. Here's what to implement next:

1. Enable AWS Security Hub

Centralize security findings from Config, GuardDuty, Inspector, and other security services for unified management.

2. Implement AWS Systems Manager Compliance

Extend compliance monitoring to operating system and application-level configurations on EC2 instances.

3. Set Up AWS Control Tower

Implement organization-wide governance with automated compliance enforcement across multiple AWS accounts.

4. Enable AWS CloudFormation Drift Detection

Monitor infrastructure-as-code deployments for configuration drift at the stack level.
