
AWS Config for compliance - Commands & Configuration

Introduction
AWS Config records the configuration of your AWS resources and evaluates it against rules you define. It answers the question of whether your cloud setup is safe and follows company policy.
Typical situations where it helps:
When you want your servers and storage checked against security rules automatically.
When you need a history of changes made to your cloud resources for audits.
When you want an alert if someone changes a resource in a way that breaks your rules.
When you want to show that your cloud setup matches compliance standards such as PCI or HIPAA.
When you want to fix resource problems quickly by knowing exactly what changed and when.
Config File - config-rule.json
{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Description": "Checks that your S3 buckets do not allow public read access.",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::S3::Bucket"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

This JSON file defines a compliance rule for AWS Config.

ConfigRuleName: The name of the rule.

Description: What the rule checks.

Scope: Which resources the rule applies to (here, S3 buckets).

Source: Which evaluator to use. Owner AWS selects an AWS managed rule, and SourceIdentifier names it; S3_BUCKET_PUBLIC_READ_PROHIBITED flags S3 buckets that allow public read access.

Commands
This command creates or updates the AWS Config rule using the JSON file. It tells AWS Config what rule to check for compliance.
Terminal
aws configservice put-config-rule --config-rule file://config-rule.json
Expected Output
{"ConfigRuleArn":"arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdefg"}
--config-rule - Specifies the JSON file that defines the compliance rule.
This command checks the compliance status of the S3 bucket public read rule. It shows if your resources follow the rule or not.
Terminal
aws configservice describe-compliance-by-config-rule --config-rule-names s3-bucket-public-read-prohibited
Expected Output
{"ComplianceByConfigRules":[{"ConfigRuleName":"s3-bucket-public-read-prohibited","Compliance":{"ComplianceType":"COMPLIANT"}}]}
--config-rule-names - Specifies which rule's compliance status to show.
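The two commands above are usually wrapped in a script that checks the rule file before submitting it and then waits for AWS Config to finish evaluating (the timing issue described under Common Mistakes). This added example is not from the page's author: `fetch` is a stand-in for running the describe-compliance command (via the AWS CLI or boto3), and the response payloads are constructed to mirror the output shown on this page.

```python
# Added example (not from the page's author): check a rule definition before
# put-config-rule, then poll describe-compliance-by-config-rule output until the
# rule has a final state. `fetch` stands in for running the AWS CLI or boto3.
import json
import re
import time

VALID_OWNERS = {"AWS", "CUSTOM_LAMBDA", "CUSTOM_POLICY"}  # allowed Source.Owner values
RESOURCE_TYPE = re.compile(r"^AWS::\w+::\w+$")          # e.g. AWS::S3::Bucket
FINAL_STATES = {"COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"}

# Constructed responses: the first is what a check right after creation returns
# (no evaluation yet); the second is the expected output shown on this page.
RESPONSES = [
    '{"ComplianceByConfigRules":[{"ConfigRuleName":"s3-bucket-public-read-prohibited",'
    '"Compliance":{"ComplianceType":"INSUFFICIENT_DATA"}}]}',
    '{"ComplianceByConfigRules":[{"ConfigRuleName":"s3-bucket-public-read-prohibited",'
    '"Compliance":{"ComplianceType":"COMPLIANT"}}]}',
]

def validate_config_rule(rule):
    """Return problems found in a rule dict (as loaded from config-rule.json)."""
    problems = []
    if not rule.get("ConfigRuleName"):
        problems.append("ConfigRuleName is required")
    source = rule.get("Source", {})
    if source.get("Owner") not in VALID_OWNERS or not source.get("SourceIdentifier"):
        problems.append("Source needs a valid Owner and a SourceIdentifier")
    for rtype in rule.get("Scope", {}).get("ComplianceResourceTypes", []):
        if not RESOURCE_TYPE.match(rtype):
            problems.append("malformed resource type: %r" % rtype)
    return problems

def parse_compliance(payload):
    """Map rule name -> ComplianceType from describe-compliance-by-config-rule JSON."""
    data = json.loads(payload)
    return {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
            for r in data.get("ComplianceByConfigRules", [])}

def poll_compliance(fetch, rule_name, attempts=5, delay=0.0):
    """Call fetch() until the rule reports a final state; INSUFFICIENT_DATA or a
    missing entry means AWS Config has not evaluated yet, so retry."""
    status = "INSUFFICIENT_DATA"
    for _ in range(attempts):
        status = parse_compliance(fetch()).get(rule_name, "INSUFFICIENT_DATA")
        if status in FINAL_STATES:
            break
        time.sleep(delay)
    return status
```

In real use, `delay` should be tens of seconds and `fetch` should run the CLI command and return its stdout; a NON_COMPLIANT result is the signal to inspect the affected buckets.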
Key Concept

If you remember nothing else from this pattern, remember: AWS Config automatically checks your cloud resources against rules you set to keep your setup safe and compliant.

Common Mistakes
Using an incorrect JSON file path or format when creating the config rule.
The command fails because AWS Config cannot read or understand the rule definition.
Ensure the JSON file is valid, properly formatted, and the path is correct when running the command.
Not specifying the correct resource types in the rule scope.
The rule will not check the intended resources, so compliance results will be wrong or missing.
Include the exact AWS resource types you want the rule to evaluate in the Scope section.
Checking compliance immediately after creating the rule without waiting.
AWS Config needs time to evaluate resources; immediate checks may show no data or outdated status.
Wait a few minutes after creating the rule before checking compliance status.
Summary
Create an AWS Config rule using a JSON file to define compliance checks.
Use AWS CLI to apply the rule and start monitoring your resources.
Check compliance status with AWS CLI to see if your resources follow the rules.