By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(AWS Solutions Architect – Associate)
You’re a cloud engineer at a fintech startup. Your CISO just dropped a bombshell: "We need to prove to auditors that every S3 bucket has encryption enabled, every EC2 instance has a specific tag, and no security group allows unrestricted SSH access. And we need it in writing by Friday."
AWS Config Rules are your compliance autopilot. They continuously evaluate your AWS resources against custom or AWS-managed rules (e.g., "Is S3 bucket versioning enabled?"). Conformance Packs bundle multiple rules into a single deployable unit—like a compliance "playbook" for standards like CIS, PCI-DSS, or your internal policies.
Why this matters in production:- Avoid audit failures: If you can’t prove compliance, you risk fines, lost contracts, or worse—data breaches.- Automate remediation: Instead of manually checking 500 EC2 instances, Config Rules can flag (or even fix) non-compliant resources.- Shift-left security: Catch misconfigurations before they hit production (e.g., a developer accidentally opens port 22 to the world).
Real-world scenario:You inherit a legacy AWS account with 200+ resources. Your boss says, "We need to enforce encryption on all S3 buckets and ensure no RDS instances are publicly accessible." Without Config Rules, you’d spend days writing scripts or manually checking each resource. With them, you deploy a rule in 5 minutes and get a compliance report in 10.
i-123456
s3-bucket-ssl-requests-only
CostCenter
Project
config:*
iam:PassRole
aws configure
us-east-1
Config Rules won’t work without the recorder. Do this first.
# Enable Config in us-east-1 (replace with your region) aws configservice put-configuration-recorder \ --configuration-recorder name=default,roleArn=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \ --recording-group allSupported=true,includeGlobalResourceTypes=true \ --region us-east-1 # Start the recorder aws configservice start-configuration-recorder --configuration-recorder-name default --region us-east-1
Verify:
aws configservice describe-configuration-recorders --region us-east-1
Expected output:
{ "ConfigurationRecorders": [ { "name": "default", "roleArn": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig", "recordingGroup": { "allSupported": true, "includeGlobalResourceTypes": true } } ] }
We’ll use the CIS AWS Foundations Benchmark v1.4.0 pack (a common compliance standard).
# Download the pack template wget https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/CIS-AWS-Foundations-Benchmark/v1.4.0/cis-aws-foundations-benchmark.yaml # Deploy the pack (replace ACCOUNT_ID) aws configservice put-conformance-pack \ --conformance-pack-name "CIS-AWS-Foundations-Benchmark" \ --template-body file://cis-aws-foundations-benchmark.yaml \ --delivery-s3-bucket "config-conformance-pack-bucket-$(aws sts get-caller-identity --query Account --output text)" \ --region us-east-1
aws configservice describe-conformance-packs --region us-east-1
{ "ConformancePackDetails": [ { "ConformancePackName": "CIS-AWS-Foundations-Benchmark", "ConformancePackArn": "arn:aws:config:us-east-1:123456789012:conformance-pack/CIS-AWS-Foundations-Benchmark", "DeliveryS3Bucket": "config-conformance-pack-bucket-123456789012", "ConformancePackId": "cp-1234567890abcdef" } ] }
aws configservice get-conformance-pack-compliance-details \ --conformance-pack-name "CIS-AWS-Foundations-Benchmark" \ --region us-east-1
Expected output (truncated):
{ "ConformancePackName": "CIS-AWS-Foundations-Benchmark", "ConformancePackRuleEvaluationResults": [ { "ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier": { "EvaluationResultQualifier": { "ConfigRuleName": "cis-aws-foundations-benchmark-1.4-ensure-no-root-account-access-key-exists", "ResourceType": "AWS::IAM::User", "ResourceId": "root" } } }, { "ComplianceType": "COMPLIANT", "EvaluationResultIdentifier": { "EvaluationResultQualifier": { "ConfigRuleName": "cis-aws-foundations-benchmark-1.5-ensure-mfa-is-enabled-for-the-root-account", "ResourceType": "AWS::IAM::User", "ResourceId": "root" } } } ] }
Interpretation:- The root account has an access key (bad!).- The root account has MFA enabled (good!).
Let’s remove the root account access key (a common security risk).
# List root account access keys aws iam list-access-keys --user-name root # Delete the access key (replace ACCESS_KEY_ID) aws iam delete-access-key --access-key-id AKIAEXAMPLE123456 --user-name root
Re-evaluate the rule:
aws configservice start-config-rules-evaluation --config-rule-names "cis-aws-foundations-benchmark-1.4-ensure-no-root-account-access-key-exists" --region us-east-1
Wait 1-2 minutes, then check compliance again. The rule should now show COMPLIANT.
COMPLIANT
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "config:Put*", "config:Get*", "config:List*", "config:Describe*" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::config-conformance-pack-bucket-*/AWSLogs/*"] } ] }
NON_COMPLIANT
excludedAccounts
aws:cloudformation:stack-name
infra/compliance/cis-aws-foundations.yaml
ConfigRulesComplianceChange
aws configservice describe-configuration-recorders
s3:PutEncryptionConfiguration
includeGlobalResourceTypes=true
❌ AWS GuardDuty (threat detection)
"How do you enforce compliance across multiple accounts?"
❌ Deploy Config Rules in each account manually (too slow).
"What’s the difference between a Config Rule and a Conformance Pack?"
alice
PutBucketPolicy
s3-bucket-public-read-prohibited
"You need to ensure all S3 buckets have versioning enabled. What’s the most cost-effective way?"- ✅ AWS Config managed rule (s3-bucket-versioning-enabled). Free (only pay for Config recording).- ❌ Custom Lambda rule (costs money for invocations).- ❌ AWS Inspector (wrong tool—scans for vulnerabilities, not configurations).
s3-bucket-versioning-enabled
Challenge:Deploy a custom Config Rule that checks if all EC2 instances have a CostCenter tag. If an instance lacks the tag, the rule should mark it as NON_COMPLIANT.
Solution:1. Create a Lambda function (Python) to evaluate the rule: ```python import boto3
def lambda_handler(event, context): config = boto3.client('config') invoking_event = json.loads(event['invokingEvent']) result_token = event['resultToken']
# Get the EC2 instance ID from the event instance_id = invoking_event['configurationItem']['resourceId'] # Check for CostCenter tag ec2 = boto3.client('ec2') response = ec2.describe_tags( Filters=[{ 'Name': 'resource-id', 'Values': [instance_id] }] ) tags = {tag['Key']: tag['Value'] for tag in response['Tags']} if 'CostCenter' not in tags: compliance_type = 'NON_COMPLIANT' annotation = 'EC2 instance is missing CostCenter tag' else: compliance_type = 'COMPLIANT' annotation = 'EC2 instance has CostCenter tag' # Put evaluation result config.put_evaluations( Evaluations=[{ 'ComplianceResourceType': 'AWS::EC2::Instance', 'ComplianceResourceId': instance_id, 'ComplianceType': compliance_type, 'Annotation': annotation, 'OrderingTimestamp': invoking_event['configurationItem']['configurationItemCaptureTime'] }], ResultToken=result_token )
2. Deploy the Lambda and create a custom Config Rule:bash aws configservice put-config-rule \ --config-rule file://config-rule.json Where `config-rule.json` is:json { "ConfigRuleName": "ec2-costcenter-tag-check", "Description": "Checks if EC2 instances have a CostCenter tag", "Source": { "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:ec2-costcenter-tag-check", "SourceDetails": [ { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" } ] }, "Scope": { "ComplianceResourceTypes": ["AWS::EC2::Instance"] } } `` 3. Why it works: The Lambda runs whenever an EC2 instance is created/updated, checks for theCostCenter` tag, and reports compliance to Config.
2. Deploy the Lambda and create a custom Config Rule:
Where `config-rule.json` is:
`` 3. Why it works: The Lambda runs whenever an EC2 instance is created/updated, checks for the
aws configservice put-configuration-recorder
aws configservice put-conformance-pack
aws configservice get-conformance-pack-compliance-details
aws configservice start-config-rules-evaluation
s3-
ec2-
iam-
rds-
s3:PutBucketEncryption
aws configservice put-configuration-aggregator
MaximumExecutionFrequency
One_Hour
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.