
Continuous resource inventory, configuration history, and compliance auditing across your entire AWS estate
AWS Config is a fully managed service that continuously records AWS resource configurations, evaluates them against desired rules, and maintains a complete history of changes over time. It answers the critical questions: 'What did my infrastructure look like at any point in time?' and 'Are my resources compliant with my policies?' Unlike CloudTrail (which records WHO did WHAT API call), Config records WHAT the resource configuration IS and WAS.
Audit, assess, and evaluate the configurations of AWS resources for compliance, security, and operational best practices — with a full timeline of every configuration change
Configuration Recorder
Records configuration changes for supported resource types. Must be enabled per region: Config is a regional service, not a global one, and a recorder in one region records nothing about the others.
Configuration History
Complete timeline of every configuration state for each resource, retained up to 7 years.
Configuration Snapshots
Point-in-time snapshot of all recorded resources, delivered to S3 on a configurable schedule.
AWS Config Rules (Managed)
AWS-provided rules like s3-bucket-public-read-prohibited, encrypted-volumes, mfa-enabled-for-iam-console-access.
AWS Config Rules (Custom — Lambda)
Write custom evaluation logic in a Lambda function (any Lambda runtime; Python and Node.js are the usual choices) for business-specific compliance checks. The function receives the resource's configuration item and reports each result back to Config through the PutEvaluations API.
AWS Config Rules (Custom — Guard)
Use CloudFormation Guard (policy-as-code) to write custom rules without Lambda — lower operational overhead.
Conformance Packs
Bundle of Config rules + remediation actions packaged as a CloudFormation template. AWS provides sample packs for PCI-DSS, CIS, HIPAA, NIST.
Remediation Actions
Automatically remediate non-compliant resources using SSM Automation documents. Can be manual (click to remediate) or automatic.
Multi-Account Multi-Region Aggregation
Aggregate compliance data from multiple accounts and regions into a single Aggregator view — essential for enterprise dashboards.
AWS Organizations Integration
Deploy Config rules and conformance packs org-wide from management or delegated administrator account.
Resource Relationships
Config maps relationships between resources (e.g., EC2 → Security Group → VPC) enabling impact analysis.
Timeline View
Visual console view showing a resource's configuration and relationship changes alongside the related CloudTrail events on a single timeline.
Security Hub Integration
Config findings can be sent to Security Hub for centralized security posture management.
EventBridge Integration
Config rule compliance state changes emit events to EventBridge, enabling automated workflows.
Advanced Query (SQL)
Use SQL-like queries against the current configuration state of all resources using Config's query API.
Delegated Administrator Support
A member account can be designated as the Config delegated administrator for the organization.
Global Resources Recording
IAM users, roles, groups, and policies are global resources — record them in one region only to avoid duplicate charges.
Complete Audit Trail: State + Action
(high freq) Config records WHAT the resource configuration IS (state), while CloudTrail records WHO made WHAT API call (action). Together they answer: 'Who changed this security group (CloudTrail) and what did it look like before vs. after (Config)?' The Config console timeline view overlays both. Use this pattern for incident forensics and compliance audits.
Detect and Auto-Remediate
(high freq) Config rules detect non-compliant resources; SSM Automation documents perform the remediation. Example: Config detects an EC2 instance that is not managed by Systems Manager → an SSM Automation runbook brings it under management. Configure remediation actions in the Config console pointing to SSM documents. Supports both manual and automatic remediation with retry logic.
Organization-Wide Compliance Governance
(high freq) Deploy Config rules and conformance packs across all accounts in an AWS Organization from the management account or delegated administrator. New accounts automatically inherit the rules. Use an aggregator to view consolidated compliance posture across all accounts and regions in a single dashboard. Critical for enterprise governance at scale.
Centralized Security Posture
(high freq) Enable the AWS Config integration in Security Hub. Config rule findings (COMPLIANT/NON_COMPLIANT) are automatically sent to Security Hub as findings in ASFF format. Security Hub aggregates these with GuardDuty, Inspector, and Macie findings for a unified security dashboard. Security Hub depends on a running Config recorder in each region: its security-standard controls are implemented as Config rules, so without recording in a region those control findings are never generated.
Compliance Alerting Pipeline
(high freq) Config rule state changes → EventBridge rule → SNS topic → email/PagerDuty/Slack notification. Alternatively, the Config delivery channel can publish configuration-change and compliance notifications directly to an SNS topic. Use this pattern to alert operations teams immediately when a resource becomes non-compliant. Can also trigger Lambda for custom notification logic, for example to suppress transitions back to COMPLIANT or enrich the message before paging.
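The EventBridge side of this pipeline, as an added example that is not code from the page: the event pattern matches the documented "Config Rules Compliance Change" event only when the new state is NON_COMPLIANT, a small matcher shows how EventBridge applies such a pattern (nested objects drill down, lists are allowed values), and the Lambda target turns a matched event into an SNS notification. The TOPIC_ARN environment variable and the sample event's account and resource ids are assumptions; the event field names are the real ones.

```python
"""EventBridge side of a compliance alerting pipeline. Added example, not from
the page: the pattern selects Config compliance changes into NON_COMPLIANT,
the matcher shows how EventBridge applies such a pattern, and the handler
turns a matched event into an SNS notification. TOPIC_ARN is an assumed
environment variable."""
import json
import os

# Rule pattern for the documented "Config Rules Compliance Change" event.
# Nested dicts drill into the event; a list means "value must be one of these".
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def pattern_matches(pattern, event):
    """Minimal EventBridge matcher: exact-value lists and nested objects only."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not pattern_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def format_alert(event):
    """Flatten the fields an on-call engineer needs from a compliance change."""
    d = event["detail"]
    old = d.get("oldEvaluationResult", {}).get("complianceType", "NONE")
    new = d["newEvaluationResult"]["complianceType"]
    return {
        "account": d["awsAccountId"],
        "region": d["awsRegion"],
        "rule": d["configRuleName"],
        "resource": f"{d['resourceType']} {d['resourceId']}",
        "transition": f"{old} -> {new}",
        "annotation": d["newEvaluationResult"].get("annotation", ""),
        "subject": f"[Config] {d['configRuleName']}: {d['resourceId']} is {new}",
    }


def lambda_handler(event, context):
    """Target of the EventBridge rule; publishes to SNS (email, PagerDuty, Slack)."""
    import boto3  # lazy import keeps the module importable offline
    if not pattern_matches(NON_COMPLIANT_PATTERN, event):
        return None  # defence in depth if the rule pattern is loosened later
    alert = format_alert(event)
    boto3.client("sns").publish(
        TopicArn=os.environ["TOPIC_ARN"],
        Subject=alert["subject"][:100],  # SNS caps the subject at 100 characters
        Message=json.dumps(alert, indent=2),
    )
    return alert


# Constructed sample event (account and resource ids are placeholders).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "111122223333",
    "region": "eu-west-1",
    "time": "2026-01-01T12:00:00Z",
    "detail": {
        "awsAccountId": "111122223333",
        "awsRegion": "eu-west-1",
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example00000001",
        "configRuleName": "restricted-ssh",
        "messageType": "ComplianceChangeNotification",
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "annotation": "Security group allows port 22 from 0.0.0.0/0",
        },
    },
}
```

Deploy NON_COMPLIANT_PATTERN as the EventBridge rule's event pattern and point the rule at the Lambda (or straight at the SNS topic if no enrichment is needed). Filtering on newEvaluationResult.complianceType in the pattern itself keeps COMPLIANT transitions from ever invoking the function; the handler's own check is a belt-and-braces guard.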
Custom Compliance Rules
(high freq) When AWS managed rules don't cover your business requirement, write a custom Config rule backed by Lambda. The function receives a JSON payload (invokingEvent carrying the configurationItem, plus a resultToken) and reports COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE for the resource back to Config through the PutEvaluations API. Rules are triggered by configuration changes or on a periodic schedule. Use CloudFormation Guard as a Lambda-free alternative for policy-as-code.
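A complete Lambda-backed custom rule, as an added example that is not code from the page or from AWS: it flags security groups that allow SSH (tcp/22) from 0.0.0.0/0 or ::/0, which is the scenario the Config-vs-CloudTrail discussion below uses. The evaluator is separated from the handler so it can be exercised without AWS credentials; the sample configuration items are constructed and the security group id is a placeholder. The event shape (invokingEvent as a JSON string, resultToken) and the PutEvaluations parameters are the real ones.

```python
"""Custom Lambda-backed Config rule that flags security groups allowing SSH
from anywhere. Added example, not code from the page: the evaluator is kept
free of AWS calls so it can be exercised offline; only lambda_handler talks
to the Config API (PutEvaluations)."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
WORLD = {"0.0.0.0/0", "::/0"}


def _reaches_port(perm, port):
    """True if one ipPermissions entry can reach TCP `port`.
    Config records protocol '-1' for all-traffic rules, which carry no ports."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def _world_open(perm):
    """Check the object-form CIDR lists and the legacy string list."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    cidrs += [c for c in perm.get("ipRanges", []) if isinstance(c, str)]
    return any(c in WORLD for c in cidrs)


def evaluate_security_group(item, port=22):
    """Return (complianceType, annotation) for one configurationItem."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "not a security group"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if _reaches_port(perm, port) and _world_open(perm):
            return NON_COMPLIANT, f"ingress to tcp/{port} allowed from 0.0.0.0/0 or ::/0"
    return COMPLIANT, f"no world-open ingress to tcp/{port}"


def build_evaluation(item, compliance, annotation):
    """Shape one entry of the Evaluations list for PutEvaluations."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # the API limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Config invokes this on each configuration change of a scoped resource.
    invokingEvent arrives as a JSON string; resultToken must be echoed back."""
    import boto3  # imported lazily so the evaluator above imports without boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, compliance, note)],
        ResultToken=event["resultToken"],
    )
    return compliance


def _sg(perms, status="OK"):
    """Constructed sample configurationItem (placeholder id, not a real resource)."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example00000001",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2026-01-01T12:00:00.000Z",
        "configuration": {"ipPermissions": perms},
    }


SAMPLE_OPEN_SSH = _sg([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}])
SAMPLE_INTERNAL = _sg([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}])
SAMPLE_ALL_V6 = _sg([{"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
SAMPLE_DELETED = _sg([], status="ResourceDeleted")
```

Two details matter in practice: a deleted resource must be reported as NOT_APPLICABLE, otherwise the last NON_COMPLIANT result lingers in the dashboard, and port checks must treat protocol "-1" (all traffic) as covering every port, which naive `fromPort == 22` logic misses.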
Long-Term Compliance Analytics
(high freq) Deliver Config snapshots and history to S3. Use Athena with AWS Glue Data Catalog to query historical configuration data with SQL. Enables trend analysis, compliance reporting over time, and cost-effective long-term retention beyond Config's 7-year built-in retention. Useful for regulatory requirements mandating multi-year audit trails.
AWS Config is DETECTIVE, not PREVENTIVE. It tells you a resource is non-compliant AFTER the fact. To PREVENT non-compliant configurations, use SCPs (Service Control Policies) in AWS Organizations, IAM policies, or CloudFormation hooks. Exam questions that ask 'how to PREVENT' should NOT answer with Config rules.
Config vs. CloudTrail distinction is the #1 tested concept: CloudTrail = WHO did WHAT API call (audit log of actions). Config = WHAT does the resource configuration look like NOW and HISTORICALLY (state recorder). If the question asks about API activity, answer CloudTrail. If it asks about resource configuration state or compliance, answer Config.
Config must be enabled PER REGION. It is not a global service. If you need compliance coverage across all regions, you must enable Config in each region. Use AWS Organizations and CloudFormation StackSets to automate this across all accounts and regions simultaneously.
Security Hub REQUIRES AWS Config to be enabled. This is a hard prerequisite. If an exam question asks why Security Hub isn't showing resource compliance findings, the answer is likely that Config is not enabled. Remember: Security Hub uses Config rules to generate compliance findings.
Config = WHAT the resource configuration IS/WAS (state). CloudTrail = WHO did WHAT API call (action). They are complementary — never interchangeable. Questions about API audit trails = CloudTrail. Questions about resource compliance state = Config.
Config is DETECTIVE, not PREVENTIVE. It detects and reports non-compliance AFTER the fact. To PREVENT non-compliant resources, use SCPs, IAM policies, or CloudFormation hooks — not Config rules.
Config must be enabled PER REGION and is a PREREQUISITE for AWS Security Hub. If Security Hub isn't showing compliance findings, Config is likely not enabled in that region.
For multi-account compliance visibility, use a Config Aggregator. An aggregator collects compliance data from multiple source accounts/regions. The aggregator account does NOT need to be the Organizations management account — a dedicated security or audit account is a best practice. Delegated administrator accounts can also manage org-level Config.
Conformance Packs are the RIGHT answer when questions ask about deploying a SET of related compliance rules as a unit, especially for regulatory frameworks (PCI-DSS, HIPAA, CIS). They package rules + remediation actions together and can be deployed org-wide. Don't confuse with individual Config rules.
IAM resources (users, roles, groups, policies) are GLOBAL resources in Config. Best practice is to record them in ONE region only (usually us-east-1) to avoid being charged multiple times for the same IAM configuration item. Enable 'Include global resources' in only one region's recorder.
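The two tips above (Config is per-region; global IAM resources should be recorded in exactly one region) translate into a coverage audit. The following is an added example, not code from the page: it walks the regions, flags any region with no recorder or a stopped recorder, and flags an estate where IAM is recorded in zero or more than one region. The DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus calls and response fields are real; FakeSession and the sample estate are constructed so the block runs offline.

```python
"""Audit Config recorder coverage across regions: every region should have a
recorder that is actually recording, and IAM (global) resources should be
recorded in exactly one region. Added example, not from the page; FakeSession
is a constructed stand-in for boto3.Session so the block runs offline."""


def _records_globals(recorder):
    """A recorder captures IAM either via includeGlobalResourceTypes or by
    listing AWS::IAM::* types explicitly in resourceTypes."""
    group = recorder.get("recordingGroup", {})
    if group.get("includeGlobalResourceTypes"):
        return True
    return any(t.startswith("AWS::IAM::") for t in group.get("resourceTypes", []))


def audit_recorders(session, regions):
    """Return a list of (scope, problem) findings; empty means coverage is clean."""
    findings, global_regions = [], []
    for region in regions:
        cfg = session.client("config", region_name=region)
        recorders = cfg.describe_configuration_recorders().get("ConfigurationRecorders", [])
        if not recorders:
            findings.append((region, "no configuration recorder"))
            continue
        if _records_globals(recorders[0]):  # Config allows one recorder per region
            global_regions.append(region)
        status = cfg.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
        if not any(s.get("recording") for s in status):
            findings.append((region, "recorder defined but not recording"))
    if len(global_regions) != 1:
        findings.append(("global", f"IAM recorded in {len(global_regions)} regions: {sorted(global_regions)}"))
    return findings


class _FakeConfig:
    def __init__(self, recorders, statuses):
        self._r, self._s = recorders, statuses

    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": self._r}

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": self._s}


class FakeSession:
    """Constructed stand-in for boto3.Session: region -> (recorders, statuses)."""
    def __init__(self, per_region):
        self._per_region = per_region

    def client(self, service, region_name):
        assert service == "config"
        return _FakeConfig(*self._per_region.get(region_name, ([], [])))


def _recorder(include_globals):
    """Constructed recorder description; the role ARN is a placeholder."""
    return {"name": "default", "roleARN": "arn:aws:iam::111122223333:role/ConfigRole",
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": include_globals}}


# Constructed sample estate: two regions include IAM (double billing for the
# same configuration items), one recorder is stopped, one region has none.
SAMPLE_ESTATE = FakeSession({
    "us-east-1": ([_recorder(True)], [{"name": "default", "recording": True}]),
    "us-west-2": ([_recorder(True)], [{"name": "default", "recording": True}]),
    "eu-west-1": ([_recorder(False)], [{"name": "default", "recording": False}]),
})
SAMPLE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]

if __name__ == "__main__":
    # Real run: session = boto3.Session(); regions = session.get_available_regions("config")
    for scope, problem in audit_recorders(SAMPLE_ESTATE, SAMPLE_REGIONS):
        print(f"{scope}: {problem}")
```

Run it from the aggregator or audit account with a role that can call the two describe APIs in every region; a stopped recorder is the quiet failure mode, since the recorder still exists and the console still shows old data while nothing new is captured.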
Config remediation uses SSM Automation documents (not Lambda directly). When a Config rule finds a non-compliant resource, the remediation action points to an SSM Automation runbook. You can set automatic remediation with a retry count. This SSM + Config pattern is heavily tested in DOP-C02.
Config Advanced Query lets you run SQL-like queries against the CURRENT state of all resources. The syntax has no FROM clause; the resource type is a WHERE predicate and string literals are single-quoted, for example: SELECT resourceId, configuration.instanceType WHERE resourceType = 'AWS::EC2::Instance' AND configuration.instanceType = 't2.micro'. This is different from Athena queries on historical S3 snapshots: Advanced Query is for current state only (optionally across accounts and regions through an aggregator).
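How the query above is run through the API, as an added example that is not code from the page: SelectResourceConfig (or SelectAggregateResourceConfig for an aggregator) returns each row as a JSON string and pages large result sets with NextToken, both of which scripts routinely get wrong. FakeConfigClient and the sample rows are constructed stand-ins so the block runs offline; in production pass boto3.client("config") and, for the org-wide view, your aggregator's name.

```python
"""Config advanced query with correct syntax, NextToken pagination and JSON row
parsing. Added example, not from the page. FakeConfigClient is a constructed
stand-in for boto3.client("config") so the block runs offline; swap it for the
real client (or pass aggregator=...) in production."""
import json

# Advanced query has no FROM clause; the resource type is a WHERE predicate
# and string literals are single-quoted.
QUERY_T2_MICRO = """
SELECT resourceId, awsRegion, accountId, configuration.instanceType
WHERE resourceType = 'AWS::EC2::Instance'
  AND configuration.instanceType = 't2.micro'
"""


def run_advanced_query(client, expression, aggregator=None, page_size=100):
    """Return all rows as dicts. Results come back as JSON strings, one per
    resource, and large result sets are paged with NextToken."""
    rows, token = [], None
    while True:
        kwargs = {"Expression": expression, "Limit": page_size}
        if token:
            kwargs["NextToken"] = token
        if aggregator:  # cross-account/region view through an aggregator
            resp = client.select_aggregate_resource_config(
                ConfigurationAggregatorName=aggregator, **kwargs)
        else:
            resp = client.select_resource_config(**kwargs)
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


def count_by(rows, field):
    """Small roll-up, e.g. instances per region, for a compliance report."""
    counts = {}
    for row in rows:
        counts[row.get(field)] = counts.get(row.get(field), 0) + 1
    return counts


class FakeConfigClient:
    """Constructed stand-in: serves `rows` in pages of Limit and counts calls."""
    def __init__(self, rows):
        self._rows = [json.dumps(r) for r in rows]
        self.calls = 0

    def select_resource_config(self, Expression, Limit, NextToken=None):
        self.calls += 1
        start = int(NextToken) if NextToken else 0
        page = self._rows[start:start + Limit]
        resp = {"Results": page, "QueryInfo": {"SelectFields": []}}
        if start + Limit < len(self._rows):
            resp["NextToken"] = str(start + Limit)
        return resp

    def select_aggregate_resource_config(self, ConfigurationAggregatorName, **kwargs):
        return self.select_resource_config(**kwargs)


# Constructed sample rows in the shape Config returns for the query above
# (placeholder instance ids and account).
SAMPLE_ROWS = [
    {"resourceId": f"i-0example0000000{n}", "awsRegion": region,
     "accountId": "111122223333", "configuration": {"instanceType": "t2.micro"}}
    for n, region in enumerate(["us-east-1", "us-east-1", "eu-west-1",
                                "eu-west-1", "ap-southeast-1"])
]

if __name__ == "__main__":
    client = FakeConfigClient(SAMPLE_ROWS)  # real use: boto3.client("config")
    rows = run_advanced_query(client, QUERY_T2_MICRO, page_size=2)
    print(len(rows), "rows in", client.calls, "pages:", count_by(rows, "awsRegion"))
```

The same helper answers the exam's "Config or Athena?" question in practice: if you need the answer for what exists right now, this query is enough; if you need what existed last quarter, the rows are not there and you query the S3 history with Athena instead.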
Custom Config rules can be written using either Lambda (full programming flexibility) or CloudFormation Guard (policy-as-code, no Lambda needed). Guard rules are evaluated natively by Config without Lambda invocation costs. For exam questions asking about 'lower operational overhead for custom rules', Guard is the answer.
Common Mistake
AWS Config can be used to audit WHO made API calls and WHEN — it's an API audit trail like CloudTrail
Correct
Config records WHAT the resource configuration IS and WAS over time — not who made the API call. CloudTrail is the service for API-level audit trails. Config shows you the configuration state (e.g., 'security group had port 22 open to 0.0.0.0/0 from Jan 1 to Jan 5'), while CloudTrail shows you the API event ('user john@company.com called AuthorizeSecurityGroupIngress at 2:34pm on Jan 1').
This is the #1 most tested misconception. Exam questions frequently present scenarios where you need BOTH services and ask you to identify the role of each. Memory trick: CloudTrail = Trail of actions (verbs). Config = Configuration state (nouns/adjectives). They are COMPLEMENTARY, not interchangeable.
Common Mistake
Enabling a Config rule will PREVENT non-compliant resources from being created or modified
Correct
Config rules are purely DETECTIVE controls. They evaluate existing and new resources and report compliance status — they do NOT block API calls. A Config rule flagging 'no public S3 buckets' will alert you AFTER a bucket is made public, not prevent it. To PREVENT actions, use SCPs, IAM permission boundaries, or AWS CloudFormation hooks.
This misconception causes candidates to choose Config when a question asks for a PREVENTIVE solution. The key word in the question is 'prevent' vs. 'detect' or 'audit'. Config = detect. SCP/IAM = prevent. Remediation actions can fix the issue after detection, but there's still a window of non-compliance.
Common Mistake
AWS Config is a global service — enabling it in one region covers all regions
Correct
Config is a REGIONAL service. You must enable it in each AWS region where you want to record resource configurations. IAM resources are the exception (they are global and can be optionally recorded in one region). Use AWS Organizations + CloudFormation StackSets or the AWS Config console's organization-level deployment to enable Config across all regions and accounts efficiently.
Candidates often assume services like Config are global because they deal with account-wide compliance. This leads to gaps in compliance coverage. Exam questions may describe a scenario where Config is enabled in us-east-1 but a non-compliant resource exists in eu-west-1 — the correct answer involves enabling Config in all relevant regions.
Common Mistake
AWS Config provides compliance DOCUMENTATION and certifications (like SOC reports or PCI attestations)
Correct
Config helps you MONITOR and PROVE your own compliance posture by tracking resource configurations. It does NOT provide AWS's own compliance documentation (SOC reports, PCI DSS attestations, ISO certifications). For AWS compliance documentation, use AWS Artifact. Config = your resource compliance. Artifact = AWS's own certifications.
Exam questions may ask 'how do you access AWS compliance reports?' — the answer is AWS Artifact, not Config. Config is for YOUR compliance, not AWS's. This misconception is reinforced by the fact that Config is used IN compliance programs, making candidates think it IS the compliance documentation service.
Common Mistake
AWS Config Aggregator requires the aggregator account to be the AWS Organizations management account
Correct
The Config Aggregator can be in ANY account — it does NOT need to be the management account. Best practice is to use a dedicated audit or security account as the aggregator. You can also designate a member account as the Config delegated administrator, allowing it to manage org-level Config rules and aggregators without being the management account.
This misconception leads to poor architecture designs where the management account is overloaded with operational tools. The management account should be used minimally per AWS best practices. Separate audit/security accounts should own compliance tooling like Config aggregators.
Common Mistake
Trusted Advisor and AWS Config serve the same purpose and are interchangeable for compliance monitoring
Correct
Trusted Advisor provides periodic, category-based best practice RECOMMENDATIONS (cost, security, fault tolerance, performance, service limits) — it's advisory and does not continuously track configuration history. Config provides CONTINUOUS, RULE-BASED compliance evaluation with a complete historical record of every configuration change. Config is far more granular, customizable, and audit-ready than Trusted Advisor.
Both services surface 'issues' with your AWS environment, making them appear similar. Key differentiators: Config has history/timeline, custom rules, remediation, and is audit-grade. Trusted Advisor is a high-level health check. For compliance auditing, Config is the correct answer. For general best-practice guidance, Trusted Advisor is appropriate.
CCCR Framework — Config's four pillars: Capture (record configurations), Compare (evaluate against rules), Correct (remediate via SSM), Chronicle (maintain history)
CloudTrail = 'Who dunnit?' (detective story). Config = 'What does it look like?' (crime scene photo). You need BOTH for the full picture.
Config is a CAMERA, not a LOCK. It takes photos of your resources over time and flags when something looks wrong — but it can't stop someone from rearranging the furniture. SCPs and IAM are the locks.
Remember 'DARN' for what Config gives you: D=Detective (what Config does), A=Automated remediation (SSM), R=Rules (managed + custom), N=Notifications (EventBridge/SNS)
Rules per region: the per-account quota on Config rules has been raised more than once, so treat '500 per region' as an order of magnitude rather than a fixed number, and check Service Quotas for the current value before designing around it. The point to remember is that it is a LOT of compliance coverage per region.
CertAI Tutor · DOP-C02, SAA-C03, SAP-C02, DEA-C01, SCS-C02, AIF-C01, CLF-C02 · 2026-02-21