1. What is AWS Config?

AWS Config is a service that tracks resource configuration changes over time and evaluates configurations against desired rules. It provides a detailed view of how your AWS resources are configured, how they relate to each other, and how configurations have changed.

Core Concept

AWS Config answers three questions:

  1. What resources exist in my account? (inventory)
  2. How are they configured RIGHT NOW? (current state)
  3. How have they changed OVER TIME? (configuration history)

It also evaluates resources against compliance rules and can automatically remediate non-compliant resources.

2. Key Capabilities


Resource Inventory & Configuration Recording

  1. Continuously records the configuration of AWS resources (EC2, SG, S3, IAM, VPC, etc.)
  2. Stores configuration snapshots and configuration history in S3
  3. Tracks relationships between resources (EC2 → SG → VPC → Subnet)
  4. Configuration timeline: see how a resource was configured at any point in time
  5. Supports 300+ AWS resource types
  6. Regional service: must be enabled per Region (can aggregate across Regions/accounts)


Configuration Items (CIs)

  1. A Configuration Item is a point-in-time snapshot of a resource’s configuration
  2. Includes: resource type, ARN, configuration details, relationships, creation time, tags
  3. A new CI is recorded every time a resource’s configuration changes
  4. CIs are stored in a Configuration History (per resource) and delivered to S3
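Added example (not code from AWS or from these notes) showing what the Configuration History described above looks like when worked offline: a constructed CI history for one security group, a lookup of the configuration in effect at a given time, and a field-by-field diff between consecutive CIs that reproduces what the console's configuration timeline shows. The CI field names (resourceType, resourceId, arn, configuration, relationships, tags, configurationItemCaptureTime) are the ones Config records; the resource IDs, account number and values are made up.

```python
"""Offline walk through a Configuration Item (CI) history.

Hypothetical example, not AWS code. The three CIs below are constructed by hand
to mirror the shape AWS Config delivers to S3; IDs and values are invented.
"""
from datetime import datetime, timezone

CI_HISTORY = [  # oldest first, as delivered for one resource
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "arn": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0example",
        "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
        "configurationItemStatus": "ResourceDiscovered",
        "configuration": {"ipPermissions": [{"fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]},
        "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example", "name": "Is contained in Vpc"}],
        "tags": {"env": "prod"},
    },
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "arn": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0example",
        "configurationItemCaptureTime": "2024-02-01T12:30:00.000Z",
        "configurationItemStatus": "OK",
        "configuration": {"ipPermissions": [{"fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]},
        "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example", "name": "Is contained in Vpc"}],
        "tags": {"env": "prod"},
    },
    {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "arn": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0example",
        "configurationItemCaptureTime": "2024-03-01T08:00:00.000Z",
        "configurationItemStatus": "OK",
        "configuration": {"ipPermissions": [{"fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]},
        "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example", "name": "Is contained in Vpc"}],
        "tags": {"env": "prod", "owner": "security"},
    },
]


def _parse_time(iso: str) -> datetime:
    """Config timestamps look like 2024-01-01T10:00:00.000Z (UTC)."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def configuration_at(history, when_iso: str):
    """Return the CI in effect at the given time: the latest CI captured at or
    before it, or None if the resource had not been recorded yet."""
    when = _parse_time(when_iso)
    candidates = [ci for ci in history if _parse_time(ci["configurationItemCaptureTime"]) <= when]
    return max(candidates, key=lambda ci: _parse_time(ci["configurationItemCaptureTime"])) if candidates else None


def _flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": value} so CIs compare field by field."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(_flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


def diff_configurations(old_ci, new_ci):
    """Return {path: (old_value, new_value)} for every configuration or tag field that changed."""
    old = _flatten({"configuration": old_ci["configuration"], "tags": old_ci.get("tags", {})})
    new = _flatten({"configuration": new_ci["configuration"], "tags": new_ci.get("tags", {})})
    return {
        path: (old.get(path), new.get(path))
        for path in sorted(set(old) | set(new))
        if old.get(path) != new.get(path)
    }


def timeline(history):
    """List of (capture_time, changes) for each recorded change after the first CI."""
    ordered = sorted(history, key=lambda ci: _parse_time(ci["configurationItemCaptureTime"]))
    return [
        (ordered[i]["configurationItemCaptureTime"], diff_configurations(ordered[i - 1], ordered[i]))
        for i in range(1, len(ordered))
    ]


def related_resources(ci):
    """Relationships recorded on the CI, e.g. the VPC a security group belongs to."""
    return [(r["resourceType"], r["resourceId"]) for r in ci.get("relationships", [])]


if __name__ == "__main__":
    for when, changes in timeline(CI_HISTORY):
        print(when, changes)
```

The second entry in the timeline is the kind of change a security reviewer wants to see: the SSH rule briefly opened to 0.0.0.0/0 in February and was closed again in March, which is invisible if you only look at the current state.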

3. AWS Config Rules

Config Rules evaluate whether your resources comply with your desired configurations. When a resource violates a rule, Config flags it as NON_COMPLIANT.


Rule Types

Rule Trigger Types

Common AWS Managed Rules (Exam Favorites)

4. Remediation

AWS Config can automatically fix non-compliant resources using remediation actions.

  1. Auto Remediation: When a resource becomes NON_COMPLIANT, Config triggers an SSM Automation document to fix it automatically.
  2. Manual Remediation: You review the finding and trigger remediation manually.


Remediation Retries: Configure max retry attempts for auto-remediation (up to 5).

Config Auto-Remediation Example:

  Rule: s3-bucket-server-side-encryption-enabled
  Status: NON_COMPLIANT (bucket has no encryption)
  Auto-Remediation: SSM Automation document AWS-EnableS3BucketEncryption
  Action: Enables AES-256 (SSE-S3) on the bucket
  Result: Bucket becomes COMPLIANT automatically
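Added example (not AWS code and not part of these notes) that ties the Config Rules section and the remediation example above together: the evaluation logic of an s3-bucket-server-side-encryption-enabled style check, written the way a custom Config rule's Lambda evaluates a Configuration Item, and the remediation configuration that points a NON_COMPLIANT result at the AWS-EnableS3BucketEncryption SSM Automation document. The payload keys follow the Config PutRemediationConfigurations API; the S3 CI layout (encryption under supplementaryConfiguration.ServerSideEncryptionConfiguration), the document parameter names and the bucket names, account number and role ARN are assumptions to check against your own account.

```python
"""Rule evaluation plus remediation wiring for S3 default encryption.

Hypothetical example, not AWS code. The two CIs are constructed by hand; the
CI field layout and SSM document parameter names are assumptions.
"""
import json

# Constructed CI for a bucket with SSE-S3 default encryption.
ENCRYPTED_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-encrypted-bucket",
    "configurationItemCaptureTime": "2024-03-01T08:00:00.000Z",
    "configuration": {"name": "example-encrypted-bucket"},
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {
            "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256", "kmsMasterKeyID": None}}]
        }
    },
}

# Constructed CI for a bucket with no default encryption configured.
UNENCRYPTED_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-unencrypted-bucket",
    "configurationItemCaptureTime": "2024-03-01T08:00:00.000Z",
    "configuration": {"name": "example-unencrypted-bucket"},
    "supplementaryConfiguration": {},
}


def evaluate_bucket_encryption(ci):
    """COMPLIANT if a default-encryption rule with SSE-S3 or SSE-KMS exists, else NON_COMPLIANT."""
    sse = (ci.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration") or {}
    for rule in sse.get("rules", []):
        algorithm = (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
        if algorithm in ("AES256", "aws:kms", "aws:kms:dsse"):
            return "COMPLIANT"
    return "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Shape of a custom-rule handler: Config passes the CI in event['invokingEvent']
    (a JSON string). A real handler would send this result with put_evaluations;
    here it is returned so the logic runs offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_bucket_encryption(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def remediation_configuration(rule_name, automation_role_arn, max_attempts=5, retry_seconds=60):
    """Payload for put-remediation-configurations: on NON_COMPLIANT, run the
    AWS-EnableS3BucketEncryption document with the bucket name taken from the
    offending resource. 5 attempts is the limit quoted in the notes above."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-EnableS3BucketEncryption",
        "Automatic": True,
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
        "Parameters": {
            # RESOURCE_ID is substituted by Config with the non-compliant resource's ID.
            "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "SSEAlgorithm": {"StaticValue": {"Values": ["AES256"]}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
        },
    }


def buckets_needing_remediation(cis):
    """Resource IDs that would trigger the remediation action."""
    return [ci["resourceId"] for ci in cis if evaluate_bucket_encryption(ci) == "NON_COMPLIANT"]


if __name__ == "__main__":
    event = {"invokingEvent": json.dumps({"configurationItem": UNENCRYPTED_BUCKET_CI})}
    print(lambda_handler(event))
    print(json.dumps(remediation_configuration(
        "s3-bucket-server-side-encryption-enabled",
        "arn:aws:iam::111122223333:role/ExampleConfigRemediationRole"), indent=2))
```

The automation role is the piece that most often goes wrong in practice: it needs s3:PutEncryptionConfiguration on the target buckets and a trust policy for ssm.amazonaws.com, and it should be scoped to that action rather than reused from a broader admin role.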

5. Config Aggregator

  1. Collect Config data from multiple accounts AND multiple Regions into one aggregator account
  2. View compliance across your entire Organization from a single dashboard
  3. Requires authorization from source accounts (or use AWS Organizations for auto-auth)
  4. Aggregator is read-only: you cannot remediate from the aggregator (must remediate in source account)

6. Config Notifications

  1. Config sends notifications to SNS when: resource configuration changes, compliance status changes, Config rule evaluation starts
  2. EventBridge: react to Config events for custom automation
  3. S3: configuration history and snapshots delivered to an S3 bucket
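Added example (not AWS code and not part of these notes) for the EventBridge bullet above: the event pattern you would attach to a rule so that only compliance changes to NON_COMPLIANT trigger your automation, a small matcher that applies EventBridge's list-membership semantics to a constructed "Config Rules Compliance Change" event, and a summary function of the kind a responder's Lambda would log. The event layout follows what Config emits for compliance changes as far as I know it; the account, region, IDs and timestamps are made up.

```python
"""Filtering AWS Config compliance-change events from EventBridge.

Hypothetical example, not AWS code. The sample event is constructed; the
pattern uses EventBridge's rule: a list means "value must be one of these".
"""

# Pattern for an EventBridge rule: fire only when a resource becomes NON_COMPLIANT.
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Constructed event: a bucket just failed the encryption rule.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "111122223333",
    "region": "us-east-1",
    "time": "2024-03-01T08:05:00Z",
    "detail": {
        "resourceId": "example-unencrypted-bucket",
        "awsRegion": "us-east-1",
        "awsAccountId": "111122223333",
        "configRuleName": "s3-bucket-server-side-encryption-enabled",
        "resourceType": "AWS::S3::Bucket",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT", "resultRecordedTime": "2024-03-01T08:04:58.000Z"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT", "resultRecordedTime": "2024-02-01T12:31:00.000Z"},
    },
}


def matches_pattern(event, pattern):
    """EventBridge-style matching: every key in the pattern must exist in the
    event; a list means the event value must be one of the listed values; a
    nested dict is matched recursively. Keys absent from the pattern are ignored."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, list):
            if event[key] not in expected:
                return False
        elif isinstance(expected, dict):
            if not matches_pattern(event[key], expected):
                return False
        else:
            return False  # pattern leaves must be lists in EventBridge
    return True


def summarize_compliance_change(event):
    """Compact record of who changed to what, suitable for a ticket or chat alert."""
    detail = event["detail"]
    old = detail.get("oldEvaluationResult", {}).get("complianceType", "UNKNOWN")
    new = detail["newEvaluationResult"]["complianceType"]
    return {
        "account": detail["awsAccountId"],
        "region": detail["awsRegion"],
        "rule": detail["configRuleName"],
        "resource": f'{detail["resourceType"]}/{detail["resourceId"]}',
        "transition": f"{old} -> {new}",
    }


def should_alert(event):
    """True for events the NON_COMPLIANT pattern would deliver to the target."""
    return matches_pattern(event, NON_COMPLIANT_PATTERN)


if __name__ == "__main__":
    if should_alert(SAMPLE_EVENT):
        print(summarize_compliance_change(SAMPLE_EVENT))
```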

Important Warning

AWS Config is NOT free. You are charged per Configuration Item recorded (~$0.003 each) and per Config Rule evaluation (~$0.001 each). For large accounts with many resources and rules, costs can add up. Monitor your Config costs.

Exam Tip

  1. "Track resource configuration over time" = Config.
  2. "Is my S3 bucket encrypted?" = Config Rule.
  3. "Auto-fix non-compliant resources" = Config Remediation (SSM Automation).
  4. "Compliance dashboard across Organization" = Config Aggregator.
  5. "What changed on this resource?" = Config Configuration Timeline.
  6. Required by: Security Hub, Firewall Manager.