AWS Compliance Rules: Management and Monitoring

In the AWS ecosystem, maintaining a compliant infrastructure isn’t just about security—it’s about continuous auditing and automated governance. For the SAA-C03 exam, you must understand how AWS services monitor resource configurations and ensure they align with internal or regulatory standards.

The Real-World Analogy

Think of AWS Compliance Rules like a Building Inspector. While AWS CloudTrail is the security camera recording who entered the building (API calls), AWS Config is the inspector who walks through the building with a clipboard, checking if the fire extinguishers are charged and the exits are clear (Resource State). If a rule is broken, the inspector doesn’t just watch; they can trigger a repair crew (Remediation).

Core Service: AWS Config

AWS Config is the primary service for compliance rules. It provides a detailed inventory of your AWS resources and their configuration history.

Config Rules: Managed vs. Custom

  • Managed Rules: Pre-built rules authored by AWS (e.g., “Check if all S3 buckets have encryption enabled” or “Ensure EBS volumes are encrypted”).
  • Custom Rules: Rules you create using AWS Lambda functions. If a managed rule doesn’t exist for your specific requirement, Lambda allows you to define custom logic to evaluate resources.
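A minimal custom rule of the kind described above, added here as an example for this guide (not code from the page or from AWS): the Lambda parses the event Config delivers, checks an S3 bucket's Block Public Access flags, and returns COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE through PutEvaluations. The field names under supplementaryConfiguration, the sample event and the bucket name are assumptions constructed for the example; verify the names against a real configuration item before deploying.

```python
# Custom AWS Config rule (Lambda) for S3 Block Public Access. Constructed example.
import json

APPLICABLE_TYPE = "AWS::S3::Bucket"
# All four flags must be true. Field names are assumed to match Config's
# supplementaryConfiguration.PublicAccessBlockConfiguration for S3 buckets.
REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_compliance(item):
    """Return (ComplianceType, Annotation) for one configuration item.
    NOT_APPLICABLE covers a deleted bucket and any other resource type."""
    if item.get("resourceType") != APPLICABLE_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Bucket was deleted"
    supp = item.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in REQUIRED_FLAGS if pab.get(f) is not True]
    if missing:
        return "NON_COMPLIANT", "Block Public Access off: " + ", ".join(missing)
    return "COMPLIANT", "All Block Public Access settings enabled"

def build_evaluation(event):
    """Parse the event Config sends to Lambda into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # PutEvaluations caps annotations at 256
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point: report the verdict back to AWS Config."""
    import boto3  # imported here so the module also loads outside Lambda
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event: a bucket with two Block Public Access flags off.
SAMPLE_EVENT = {"resultToken": "placeholder-token", "invokingEvent": json.dumps({
    "configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-finance-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": False,
            "blockPublicPolicy": True, "restrictPublicBuckets": False}}}})}
```

Running `build_evaluation(SAMPLE_EVENT)` offline shows the NON_COMPLIANT verdict and annotation the rule would send; only `lambda_handler` needs AWS credentials.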

Remediation and Governance

When a resource is flagged as “Non-compliant,” AWS Config can trigger automated actions using AWS Systems Manager (SSM) Automation documents. For example, if a public S3 bucket is detected, Config can automatically trigger a script to make it private.

Comparing Governance Services

Feature | AWS Config | AWS CloudTrail | AWS Artifact
Primary Function | Resource state & compliance history | API call logging (Who did what?) | On-demand compliance reports (PDFs)
Scope | Configuration changes | Operational/Risk auditing | Regulatory evidence (PCI, SOC)
Remediation | Yes (via SSM/Lambda) | No (Reactive only) | No

AWS Artifact and Audit Manager

For the SAA-C03 exam, distinguish between internal monitoring and external compliance:

  • AWS Artifact: Your go-to portal for downloading AWS’s own compliance reports (e.g., ISO, PCI, SOC). If a customer asks “Is AWS HIPAA compliant?”, you point them to Artifact.
  • AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. It automates evidence collection.

Decision Matrix / If–Then Guide

If the requirement is… | Choose this service/feature…
Monitor if S3 buckets are public in real-time | AWS Config Rules
Audit who deleted an EC2 instance | AWS CloudTrail
Download a SOC 2 report for a legal team | AWS Artifact
Enforce compliance across 100+ AWS Accounts | AWS Config Conformance Packs
Prevent resources from being created (Guardrails) | Service Control Policies (SCPs) via AWS Organizations

Exam Tips and Gotchas

  • Config is Regional: You must enable AWS Config in every region where you want to track compliance, unless using an aggregator.
  • Config vs. Inspector: AWS Config checks configurations (e.g., is the port open?). Amazon Inspector checks for vulnerabilities inside the OS (e.g., is there a known CVE patch missing?).
  • Golden Nugget: AWS Config does NOT prevent changes. It records them and alerts/remediates after the fact. To prevent non-compliant resources, use SCPs or IAM policies.
  • Conformance Packs: This is a collection of Config rules and remediation actions that can be deployed as a single entity across an entire Organization.

Topics Covered

Summary of key subtopics covered in this guide:

  • AWS Config Architecture and Configuration Recorder.
  • Managed vs. Custom Config Rules (Lambda integration).
  • Automated Remediation using Systems Manager.
  • Difference between CloudTrail (logging) and Config (state).
  • AWS Artifact for regulatory documentation.
  • Multi-account compliance via Conformance Packs.

Infographic: AWS Compliance Workflow

[Infographic] Workflow: AWS Resource → AWS Config Recorder & Rules → Compliant (OK) or Non-Compliant → SSM Automation (Auto-Remediation)

Ecosystem

IAM: Controls who can view or modify Config rules.

SNS: Sends real-time alerts when a resource becomes non-compliant.

S3: Stores the configuration history files and snapshots.

Performance

Config is not “instantaneous” but triggers shortly after a configuration change is detected via the API. For immediate prevention, use SCPs.

Cost Optimization

Charged per Configuration Item recorded and per Rule Evaluation. To save costs, restrict the recorder to specific resource types rather than “All Resources.”

Production Use Case: The “No-Public-S3” Policy

A financial firm uses AWS Config Managed Rules (s3-bucket-public-read-prohibited) across 50 accounts. When a developer accidentally makes a bucket public, Config detects the change, sends an alert via Amazon SNS to the Security Team, and triggers an SSM Document to immediately strip the public permissions.
