Jayendra's Cloud Certification Blog

AWS Config

July 15, 2023 ~ Last updated on: June 15, 2026 ~ jayendrapatil

AWS Config

  • AWS Config is a fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security, compliance, and governance.
  • provides a detailed view of the configuration of AWS resources in the AWS account.
  • is a regional service.
  • is strictly a detective service and does not prevent changes but it integrates with other AWS services for remediation.
  • gives point-in-time and historical states thereby allowing users to see changes visually in a timeline.
  • records only the latest configuration of a resource when several configuration changes are made to it in quick succession (i.e., within a span of a few minutes); that single configuration item represents the cumulative impact of the entire set of changes.
  • supports over 380 AWS resource types across services including EC2, S3, RDS, Lambda, EKS, Bedrock, SageMaker, IoT, and many more, with continuous expansion.
  • provides customizable, predefined rules (managed rules) as well as the ability to define custom rules using Lambda functions or AWS CloudFormation Guard DSL.
  • can help with the following:
    • Evaluate the AWS resource configurations for desired settings.
    • Get a snapshot of the current configurations of the supported resources that are associated with your AWS account.
    • Retrieve configurations of one or more resources that exist in the account.
    • Retrieve historical configurations of one or more resources.
    • Receive a notification whenever a resource is created, modified, or deleted.
    • View relationships between resources, e.g. to find all resources that use a particular security group.
    • Query the current configuration state of resources using SQL-like advanced queries.

AWS Config Use Cases

  • Security Analysis & Resource Administration
    • enables continuous monitoring and governance over resource configurations and helps evaluate them for any misconfigurations leading to security gaps or weaknesses.
  • Auditing & Compliance
    • helps maintain a complete inventory of all resources and their configuration attributes as well as point-in-time history.
    • helps retrieve historical configurations, which is very useful for compliance audits against internal policies and best practices.
  • Change Management
    • helps understand relationships between resources so that the impact of the change can be proactively assessed.
    • can be configured to notify whenever resources are created, modified, or deleted, without having to monitor these changes by polling the calls made to each resource.
  • Troubleshooting
    • helps to quickly identify and troubleshoot issues by using the historical configurations to compare the last working configuration with the recent change causing the issue.
  • Discovery
    • helps discover resources that exist within an account leading to better inventory and asset management.
    • Get a snapshot of the current configurations of the supported resources that are associated with the AWS account.
  • Proactive Compliance
    • evaluates resource configurations before provisioning using proactive rules, preventing non-compliant resources from being created.
    • integrates with CloudFormation Hooks to block deployments that would violate compliance requirements.

AWS Config Concepts

  • AWS Resources
    • AWS resources are entities created and managed in an AWS account, e.g. EC2 instances or security groups.
  • Resource Relationship
    • AWS Config discovers AWS resources in the account and then creates a map of relationships between them, e.g. an EBS volume attached to an EC2 instance.
  • Configuration Items
    • A configuration item represents a point-in-time view of the supported AWS resource
    • Components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
  • Configuration Snapshot
    • A configuration snapshot is a collection of the configuration items for the supported resources that exist in the account.
  • Configuration History
    • A configuration history is a collection of the configuration items for a given resource over any time period.
  • Configuration Stream
    • Configuration stream is an automatically updated list of all configuration items for the resources that AWS Config is recording.
  • Configuration Recorder
    • Configuration recorder stores the configurations of the supported resources in your account as configuration items.
    • A configuration recorder needs to be created and started before recording begins; by default, it records all supported resource types in the region.
    • Supports two recording frequencies:
      • Continuous recording – records configuration changes continuously whenever a change occurs (default).
      • Daily recording (Periodic) – captures the latest configuration changes once every 24 hours, reducing the number of configuration items recorded and costs.
    • Recording frequency can be configured at the resource type level, allowing a mix of continuous and daily recording.
  • AWS Config Rules
    • AWS Config Rules help define desired configuration settings for specific resources or for the entire account.
    • AWS Config continuously tracks resource configuration changes against the rules and, if a rule is violated, marks the resource as non-compliant.
    • supports Managed Rules, Custom Lambda Rules, and Custom Policy Rules (using Guard DSL).
    • supports Proactive (before resource provisioning) and Detective (after resource provisioning) evaluation modes.
    • can be triggered either periodically or on configuration changes.
    • supports organizational rules that can be deployed across all accounts in an AWS Organization.
  • Conformance Packs
    • A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity.
    • helps manage compliance using a common framework and packaging model across an organization.
    • can be deployed across an entire organization using AWS Organizations integration.
    • supports sample conformance packs for common compliance frameworks like PCI-DSS, HIPAA, NIST, and CIS Benchmarks.
  • Advanced Queries
    • provides a SQL-based querying interface to retrieve resource configuration metadata and compliance state.
    • supports single account/region or multi-account/multi-region queries via configuration aggregators.
    • useful for inventory management, operational intelligence, security, and compliance reporting.

AWS Config Flow


  • When AWS Config is turned on, it discovers the supported resources that exist in the account and generates a configuration item for each resource.
  • By default, AWS Config creates configuration items for every supported resource in the region, but recording can be customized to a limited set of resource types.
  • AWS Config
    • generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of the resources from the time the configuration recorder is started.
    • keeps track of all changes to the resources by invoking the Describe or the List API call for each resource as well as related resources in the account.
    • also tracks the configuration changes that were not initiated by the API. It examines the resource configurations periodically and generates configuration items for the configurations that have changed.
  • Configuration items are delivered in a configuration stream to an S3 bucket.
  • AWS Config rules, if configured,
    • continuously evaluate resource configurations against the desired settings.
    • evaluate resources either in response to configuration changes or periodically, depending on the rule.
    • when resources are evaluated, invoke the rule’s AWS Lambda function (for custom Lambda rules) or evaluate the Guard DSL policy (for custom policy rules), which contains the evaluation logic for the rule.
    • The function (or policy evaluation) returns the compliance status of the evaluated resources.
    • If a resource violates the conditions of a rule, the resource and the rule are flagged as non-compliant and a notification is sent to the SNS topic.

AWS Config Rules Types

  • AWS Managed Rules
    • Predefined, customizable rules provided by AWS to evaluate common compliance scenarios.
    • AWS has significantly expanded managed rules – adding 42 rules (Nov 2025), 13 rules (Jan 2026), and 75 rules (Feb 2026) for security, cost, durability, and operations use cases.
    • Cover categories including security, cost optimization, durability, performance, and operations.
  • Custom Lambda Rules
    • Rules with evaluation logic defined in an AWS Lambda function.
    • Provides flexibility for complex evaluation scenarios requiring custom code.
  • Custom Policy Rules (Guard DSL)
    • Rules defined using AWS CloudFormation Guard, an open-source, policy-as-code domain-specific language (DSL).
    • Does not require a Lambda function, reducing operational overhead and cost.
    • Supports both proactive and detective evaluation modes.
    • Rules written in the Guard DSL validate JSON/YAML-formatted configuration data.
  • Evaluation Modes
    • Detective evaluation – evaluates resources after they have been provisioned (traditional mode).
    • Proactive evaluation – evaluates resource configurations before provisioning, allowing you to check compliance before deployment.
    • Proactive rules integrate with CloudFormation Hooks to prevent non-compliant resources from being created.
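The change-triggered evaluation described under AWS Config Flow and the Custom Lambda Rules above, as an added example that is not part of the original post: a Python Lambda rule that checks whether a security group exposes TCP/22 to the world, returns NOT_APPLICABLE for deleted resources, and reports the result through PutEvaluations. The rule parameter name `restrictedPort`, the configuration item field names and the constructed sample event are assumptions made for this example.

```python
"""Custom AWS Config Lambda rule (added example, not from the original post).
Flags AWS::EC2::SecurityGroup items that allow inbound TCP/22 from anywhere.
Parameter name `restrictedPort`, field names and the sample event are assumptions."""
import json

WORLD = {"0.0.0.0/0", "::/0"}

def _world_open(perm, port):
    """True if one ipPermissions entry covers `port` from 0.0.0.0/0 or ::/0."""
    proto = perm.get("ipProtocol")
    covers = proto == "-1" or (proto == "tcp" and perm.get("fromPort", -1) <= port <= perm.get("toPort", -1))
    cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return covers and bool(cidrs & WORLD)

def evaluate_security_group(configuration, port):
    """Return (ComplianceType, Annotation) for one security group configuration."""
    if any(_world_open(p, port) for p in configuration.get("ipPermissions", [])):
        return "NON_COMPLIANT", f"TCP/{port} is open to the world"
    return "COMPLIANT", f"TCP/{port} is not open to the world"

def build_evaluation(event):
    """Turn a Config change-notification invocation into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    port = int(json.loads(event.get("ruleParameters") or "{}").get("restrictedPort", 22))
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource deleted"  # never grade deleted items
    elif item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point: evaluate the item and report the result back to AWS Config."""
    import boto3  # imported here so the evaluation logic runs without AWS credentials
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

def sample_event():
    """Constructed invocation: a group that allows SSH from 0.0.0.0/0."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2026-06-15T10:00:00.000Z",
            "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps({"restrictedPort": 22}), "resultToken": "constructed-token"}
```

Only the change-notification message type is handled here; a periodic (ScheduledNotification) trigger carries no configurationItem and would need the resources listed separately before evaluation.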

AWS Config Remediation

  • AWS Config is strictly a detective service and does not prevent changes but it integrates with other AWS services for remediation.
  • allows remediation of noncompliant resources that are evaluated by config rules.
  • Remediation is applied using Systems Manager Automation documents, which define the actions to be performed on noncompliant AWS resources.
  • provides a set of managed automation documents with remediation actions.
  • Custom automation documents can also be created and associated with rules.
  • supports two remediation modes:
    • Manual remediation – allows you to select noncompliant resources and trigger remediation manually.
    • Automatic remediation – automatically triggers remediation when a resource is found non-compliant, with configurable retry attempts and wait time.


Service-Linked Recorder

  • AWS Config introduced the service-linked recorder (Dec 2024), a new type of AWS Config recorder managed by an AWS service.
  • Service-linked recorders can record configuration data on service-specific resources on behalf of other AWS services.
  • Operate independently of any existing customer-managed AWS Config recorder.
  • Are immutable, which ensures consistency, prevents configuration drift, and simplifies the experience.
  • Allow you to independently manage your AWS Config recorder while authorized AWS services manage the service-linked recorder for feature-specific requirements.
  • Example: Amazon CloudWatch uses a service-linked recorder to provide centralized visibility into AWS service telemetry configurations (VPC Flow Logs, EC2 Detailed Metrics, Lambda Traces).
  • Available at no additional cost from AWS Config to customers.

Internal Service-Linked Rules

  • AWS Config now supports internal service-linked rules (Jun 2026), enabling AWS services to evaluate resource configurations using Config managed rules.
  • Extends the service-linked recorder capability by allowing AWS services like AWS Security Hub CSPM to deploy and manage rule evaluations.
  • Evaluation results are delivered directly to the AWS service that deployed the rule at no charge from AWS Config to customers.
  • Operate independently of existing customer-managed AWS Config recorders and rules.
  • Allows customers to continue using AWS Config for inventory, governance, compliance, and auditing while AWS services independently manage service-specific evaluations.

Multi-Account Multi-Region Data Aggregation

  • An aggregator helps collect AWS Config configuration and compliance data from the following:
    • Multiple accounts and multiple regions.
    • Single account and multiple regions.
    • An organization in AWS Organizations and all the accounts in that organization that have AWS Config enabled.
  • Aggregators support advanced queries across multiple accounts and regions for centralized compliance reporting.
  • A delegated administrator account can be designated to manage AWS Config rules and conformance packs across the organization.

AWS Config Pricing

  • Charged based on:
    • Configuration items recorded – $0.003 per item for continuous recording, $0.012 per item for periodic (daily) recording.
    • Config rule evaluations – charged per rule evaluation in the account.
    • Conformance pack evaluations – charged per rule evaluation within a conformance pack.
  • Additional costs for S3 storage (for configuration snapshots/history) and SNS notifications.
  • Service-linked recorders and internal service-linked rules are available at no additional AWS Config cost.
  • Periodic (daily) recording can significantly reduce costs for resources that change frequently but don’t require real-time visibility.

AWS Config vs CloudTrail

  • AWS Config reports on WHAT has changed, whereas CloudTrail reports on WHO made the change, WHEN, and from WHICH location.
  • AWS Config focuses on the configuration of the AWS resources and reports with detailed snapshots on HOW the resources have changed, whereas CloudTrail focuses on the events or API calls that drive those changes, i.e. the user, application, and activity performed on the system.
  • AWS Config is resource-centric (tracks configuration state), CloudTrail is event-centric (tracks API activity).
  • Both services complement each other – Config shows the desired vs. actual state; CloudTrail shows who made the change and when.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. One of the challenges in managing AWS resources is to keep track of changes in the resource configuration over time. Which one of the following statements provides the best solution?
    1. Use strict syntax tagging on the resources
    2. Create a custom application to automate the configuration management process
    3. Use AWS Config for supported services and use an automated process via APIs for unsupported services
    4. Use resource groups and tagging along with CloudTrail so that you can audit changes using the logs
  2. Fill the blanks: ____ helps us track AWS API calls and transitions, ____ helps to understand what resources we have now, and ____ allows auditing credentials and logins.
    1. AWS Config, CloudTrail, IAM Credential Reports
    2. CloudTrail, IAM Credential Reports, AWS Config
    3. CloudTrail, AWS Config, IAM Credential Reports
    4. AWS Config, IAM Credential Reports, CloudTrail
  3. A company needs to evaluate resource configurations BEFORE deploying them to production to prevent non-compliant resources from being created. Which AWS Config feature should they use?
    1. Detective evaluation with managed rules
    2. Proactive evaluation with proactive rules
    3. Conformance packs with auto-remediation
    4. Advanced queries with SQL syntax
  4. A company wants to reduce AWS Config costs for resources that change frequently but don’t require real-time monitoring. Which approach should they use?
    1. Disable the configuration recorder for those resources
    2. Use advanced queries instead of rules
    3. Configure daily (periodic) recording for those resource types
    4. Use conformance packs instead of individual rules
  5. An organization wants to define compliance rules without using Lambda functions to reduce operational overhead. Which AWS Config rule type should they use?
    1. AWS Managed Rules
    2. Custom Lambda Rules
    3. Custom Policy Rules using AWS CloudFormation Guard DSL
    4. Organizational Rules with Systems Manager
  6. A company needs to deploy a collection of compliance rules and remediation actions across all accounts in their AWS Organization as a single entity. Which AWS Config feature should they use?
    1. Multi-account aggregator
    2. Organizational managed rules
    3. Conformance packs deployed via AWS Organizations
    4. Service-linked rules
  7. An AWS service needs to independently evaluate resource configurations without impacting a customer’s existing AWS Config setup. Which feature enables this?
    1. Conformance packs
    2. Organizational rules
    3. Multi-account aggregator
    4. Internal service-linked rules with service-linked recorder
