Safeguard
Compliance

How to configure AWS Config for continuous compliance mon...

A step-by-step guide to configure AWS Config compliance monitoring: rules setup, conformance packs, alerting, remediation, and multi-account aggregation.

Marina Petrov
Compliance Analyst
8 min read

Misconfigured cloud resources are the root cause behind a huge share of breaches, and manual spot-checks can't keep pace with infrastructure that changes hundreds of times a day. If you're responsible for demonstrating compliance to auditors, customers, or your own security team, you need evidence that drifts get caught in minutes, not during next quarter's audit. This guide walks you through how to configure AWS Config compliance monitoring from a cold start: enabling the recorder, writing and deploying rules, layering in conformance packs for framework coverage, wiring up alerts, and automating remediation. By the end, you'll have a working pipeline that continuously evaluates your AWS resources against your compliance baseline and surfaces violations before they become findings. We'll use the AWS CLI throughout so every step is scriptable and repeatable across accounts, and we'll flag the common pitfalls that cause Config setups to silently stop reporting.

Step 1: Enable the AWS Config Recorder and Delivery Channel

AWS Config has two foundational components that must both be active before anything else works: the configuration recorder (which watches resource state) and the delivery channel (which ships snapshots and history to S3).

Start by creating an S3 bucket for Config's delivery channel, then create a service-linked IAM role:

aws s3 mb s3://your-org-aws-config-bucket --region us-east-1

aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-config-role \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

Then create and start the delivery channel:

aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=your-org-aws-config-bucket,configSnapshotDeliveryProperties={deliveryFrequency=Six_Hours}

aws configservice start-configuration-recorder \
  --configuration-recorder-name default

Set allSupported=true unless you have a specific reason to scope resource types manually — partial recording is the number one cause of "why didn't Config catch this" tickets later. Confirm the recorder is actually running:

aws configservice describe-configuration-recorder-status

You want to see "recording": true and a recent lastStatus: SUCCESS. If it says FAILURE, the IAM role almost always lacks s3:PutObject on the bucket prefix.

Step 2: Configure AWS Config Compliance Rules Setup for Your Baseline

With recording live, the next step in your AWS Config rules setup is deciding which controls actually matter to your organization. Rather than enabling every managed rule AWS offers, start from the frameworks you're actually accountable to (CIS, SOC 2, PCI-DSS, NIST 800-53) and add rules that map to real control requirements.

Deploy a handful of high-value managed rules first:

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "iam-user-mfa-enabled",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "IAM_USER_MFA_ENABLED"
  }
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "restricted-ssh",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "INCOMING_SSH_DISABLED"
  }
}'

For controls without a matching managed rule, write a custom rule backed by a Lambda function using the Custom_Lambda source type, or use Guard-based custom policy rules if you want to avoid maintaining Lambda code:

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "required-tags-check",
  "Source": {
    "Owner": "CUSTOM_POLICY",
    "SourceDetails": [{"EventSource":"aws.config","MessageType":"ConfigurationItemChangeNotification"}],
    "CustomPolicyDetails": {
      "PolicyRuntime": "guard-2.x.x",
      "PolicyText": "let allowed_tags = [\"Environment\", \"Owner\", \"CostCenter\"]\nrule tag_check when resourceType == \"AWS::EC2::Instance\" {\n  tags.*.key in %allowed_tags\n}"
    }
  }
}'

Tag every rule with a naming convention that maps back to your control catalog (e.g., cis-1-3-mfa-enabled) so mapping evidence to auditors later is a lookup, not a research project.

Step 3: Deploy Conformance Packs for Framework-Aligned Compliance

Writing and maintaining individual rules for an entire framework doesn't scale. This is where AWS Config conformance packs earn their keep — they bundle dozens of managed rules and remediation actions into a single deployable unit mapped to a specific standard, like Operational Best Practices for PCI DSS or CIS AWS Foundations Benchmark.

Deploy a prebuilt conformance pack directly from AWS's sample templates:

aws configservice put-conformance-pack \
  --conformance-pack-name pci-dss-baseline \
  --template-s3-uri s3://aws-configservice-sample-conformancepack-templates-us-east-1/Operational-Best-Practices-for-PCI-DSS.yaml

For organizations managing multiple accounts under AWS Organizations, deploy the pack at the org level so every member account inherits it automatically:

aws configservice put-organization-conformance-pack \
  --organization-conformance-pack-name org-cis-baseline \
  --template-s3-uri s3://aws-configservice-sample-conformancepack-templates-us-east-1/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml \
  --excluded-accounts 123456789099

Check compliance status for a deployed pack:

aws configservice get-conformance-pack-compliance-summary \
  --conformance-pack-names pci-dss-baseline

Conformance packs also let you parameterize rules (e.g., password rotation days, allowed instance types) without forking the template, which keeps you on AWS's maintained baseline while still fitting your internal policy.

Step 4: Wire Up Continuous Compliance Monitoring AWS Notifications

A rule that evaluates compliance but never tells anyone about a failure isn't monitoring — it's a log nobody reads. Route Config's compliance change events through EventBridge to SNS (or directly into your SIEM/ticketing system) so drift produces an actionable alert.

Create an EventBridge rule that matches Config compliance state changes:

aws events put-rule \
  --name config-noncompliance-alert \
  --event-pattern '{
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}
  }'

aws events put-targets \
  --rule config-noncompliance-alert \
  --targets '[{"Id":"1","Arn":"arn:aws:sns:us-east-1:123456789012:config-alerts"}]'

Subscribe your team's Slack channel or ticketing webhook to the config-alerts SNS topic. This is what turns AWS Config compliance monitoring from a dashboard you have to remember to check into a workflow that pushes findings to the people who need to act on them, with the timestamped audit trail auditors expect.

Step 5: Automate Remediation for Common Violations

Where the fix is well understood and low-risk, don't wait for a human to click a button. Config supports automatic remediation using SSM Automation documents, tied directly to a rule.

aws configservice put-remediation-configurations \
  --remediation-configurations '[{
    "ConfigRuleName": "s3-bucket-public-read-prohibited",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-DisableS3BucketPublicReadWrite",
    "TargetVersion": "1",
    "Automatic": true,
    "MaximumAutomaticAttempts": 3,
    "RetryAttemptSeconds": 60,
    "Parameters": {
      "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::123456789012:role/config-remediation-role"]}},
      "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}
    }
  }]'

Start with Automatic: false for anything touching production network or IAM configuration until you've validated the remediation document's behavior in a non-critical account — auto-remediation that fires against the wrong assumption can cause as much damage as the misconfiguration it was meant to fix.

Step 6: Aggregate Compliance Across Accounts and Regions

If you run more than one AWS account, set up a Config aggregator so you have a single pane of glass instead of logging into each account separately.

aws configservice put-configuration-aggregator \
  --configuration-aggregator-name org-aggregator \
  --organization-aggregation-source '{"RoleArn":"arn:aws:iam::123456789012:role/config-aggregator-role","AllAwsRegions":true}'

Query aggregated compliance across the whole org with one call:

aws configservice get-aggregate-compliance-details-by-config-rule \
  --configuration-aggregator-name org-aggregator \
  --config-rule-name iam-user-mfa-enabled \
  --account-id 123456789012 \
  --aws-region us-east-1

Troubleshooting and Verification

Before you trust the pipeline, verify each layer independently:

  • Recorder not capturing changes: Re-run describe-configuration-recorder-status. A lastStatus of FAILURE almost always traces to an IAM permissions gap on the S3 bucket or KMS key used for delivery.
  • Rules stuck in INSUFFICIENT_DATA: This means Config hasn't evaluated any matching resources yet, either because none exist in scope or the recorder was enabled after the rule. Trigger an on-demand evaluation: aws configservice start-config-rules-evaluation --config-rule-names your-rule-name.
  • Conformance pack stuck in CREATE_IN_PROGRESS: Check CloudFormation directly — conformance packs deploy as stacks under the hood, and a failed nested stack (usually a Lambda permissions issue for custom rules bundled in the pack) will block the whole pack.
  • Notifications not firing: Confirm the EventBridge rule's event pattern matches the actual event shape by checking CloudTrail or the EventBridge rule's monitoring tab for invocation counts — a common mistake is filtering on complianceType at the wrong nesting level.
  • Aggregator shows stale data: Aggregators pull on a schedule, not in real time. If numbers look wrong, check ConfigurationAggregatorSourcesStatus for individual account collection failures rather than assuming the underlying rule evaluation is broken.

Periodically audit the rule list itself — deprecated managed rules and orphaned custom Lambda rules accumulate over time and quietly stop providing value while still appearing "healthy" in the console.

How Safeguard Helps

AWS Config gives you the primitives for continuous compliance monitoring, but stitching recorders, rules, conformance packs, remediation, and cross-account aggregation into something auditors trust — and your team can actually operate — takes real engineering effort. Safeguard sits on top of this foundation and closes the gaps that raw Config output leaves behind: it correlates compliance findings with software supply chain risk (dependency, build, and artifact provenance data) so you can see whether a non-compliant resource is also running vulnerable or unverified components, not just whether a rule passed or failed in isolation.

Safeguard also maintains curated, continuously updated rule and conformance pack mappings against frameworks like SOC 2, PCI-DSS, and NIST, so your control catalog doesn't quietly drift out of date as AWS deprecates or updates managed rules. Instead of building custom EventBridge routing and ticketing integrations from scratch, teams get compliance evidence, remediation workflows, and audit-ready reporting out of the box — turning the AWS Config setup in this guide into a monitoring program your security and compliance teams can actually run day to day, not just a one-time configuration exercise.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.