L18. AWS Config, Well-Architected & Compliance Automation
Video generating
Check back soon for the video lesson on AWS Config, Well-Architected & Compliance Automation
From point-in-time manual audits to continuous compliance: Config rules, cross-account aggregators, conformance packs, and auto-remediation via SSM Automation.
From Manual Audits to Continuous Evaluation
AWS Config continuously records configuration changes to supported resources over time, building a timeline of exactly what changed and when. Every recorded configuration is evaluated against Config Rules, either AWS managed rules that ship ready to use or custom rules backed by a Lambda function for logic AWS does not provide out of the box. A rule flags a resource as non-compliant the moment it drifts out of the desired state: an EBS volume created without encryption or a security group open to 0.0.0.0/0 on port 22 are both classic examples the exam likes to use. This replaces the old model of a quarterly manual audit with continuous, automatic evaluation of every resource, every time it changes.
Seeing Compliance Across Every Account and Region
A single account's Config data only tells part of the story once an organization runs dozens of accounts across multiple regions. Config aggregators solve this by pulling configuration and compliance data from many source accounts and regions into one aggregator account, giving security and compliance teams a single place to see the org-wide picture instead of logging into each account individually.
Deploying a Whole Compliance Framework at Once
Conformance packs bundle a collection of Config rules, and optionally their remediation actions, into a single deployable template. Instead of enabling dozens of individual rules by hand in every account, a team deploys one conformance pack and gets an entire framework, such as a CIS benchmark or an internal operational best-practice set, rolled out all at once. Combined with a Config aggregator, this is the standard pattern for rolling out and monitoring a compliance standard across a large multi-account environment.
Closing the Loop with Auto-Remediation
Detecting a non-compliant resource is only half the job. Config supports auto-remediation by linking a rule to an SSM Automation document, so the moment a resource is flagged, the linked automation runs and applies the fix directly (enabling encryption on that EBS volume or closing the offending port) without a human waiting for the next audit cycle to notice and act.
| Stage | Component |
|---|---|
| Detect drift | AWS Config rule (managed or Lambda-backed) |
| Roll out at scale | Conformance pack |
| See org-wide status | Config aggregator |
| Fix automatically | SSM Automation document |
Where the Well-Architected Tool Fits
The Well-Architected Tool, and specifically its Security Pillar, gives teams a structured framework of best-practice questions to walk through when reviewing a workload's design. It is valuable for catching architectural and process gaps that a point-in-time rule check would never surface, but it is a periodic review exercise, not a continuously running control. It complements tools like Config and Security Hub; it does not replace them, and a workload that scores well on a Well-Architected review can still drift out of compliance the next day if nothing is continuously monitoring it. Exam tip: If a question describes ongoing, automatic detection and correction of misconfigurations, that is Config plus SSM Automation. If it describes a structured, human-led review against best-practice questions, that is the Well-Architected Tool, and the two are complementary, not interchangeable.
- ✓AWS Config records configuration changes to resources over time and evaluates them against managed or custom (Lambda-backed) Config Rules
- ✓Config aggregators combine configuration and compliance data across multiple accounts and regions into one account for org-wide visibility
- ✓Conformance packs bundle a set of Config rules and optional remediation actions into a single deployable template, useful for rolling out an entire compliance framework at once
- ✓Config supports auto-remediation by linking a non-compliant rule to an SSM Automation document, fixing issues automatically instead of waiting for a manual audit cycle
- ✓The Well-Architected Tool's Security Pillar provides a structured review framework that complements, but does not replace, continuous automated tools like Config and Security Hub
1. A team wants to be notified whenever a new EBS volume is created without encryption enabled, and ideally have it fixed automatically. What is the best approach?
2. A company operating 50 AWS accounts wants a single place to see compliance status against a CIS benchmark across all of them. What combination of features supports this?
3. What is the relationship between the AWS Well-Architected Tool's Security Pillar and continuous compliance tools like AWS Config or Security Hub?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.