Lab: Evaluating Resource Compliance with AWS Config
Evaluate the compliance of AWS resources
This hands-on lab guides you through the process of implementing a detective control strategy using AWS Config. You will learn how to monitor resource configurations, define compliance rules, and evaluate the status of your infrastructure against security best practices.
[!WARNING] AWS Config and S3 may incur small costs. Remember to run the teardown commands at the end of this lab to avoid ongoing charges.
Prerequisites
- An AWS Account with Administrative privileges.
- AWS CLI installed and configured on your local machine.
- Basic understanding of Amazon S3 and IAM Roles.
- Terminal access (Bash or PowerShell).
Learning Objectives
By the end of this lab, you will be able to:
- Initialize the AWS Config Configuration Recorder and Delivery Channel.
- Deploy an AWS Managed Rule to detect non-compliant S3 buckets.
- Navigate the Resource Timeline to audit configuration changes.
- Perform manual and change-triggered compliance evaluations.
Architecture Overview
Step-by-Step Instructions
Step 1: Create a Configuration Delivery Bucket
AWS Config requires an S3 bucket to store configuration history files and snapshots. When Config runs under its service-linked role (Step 2), that role has no permission of its own to write to S3, so the bucket also needs a bucket policy that allows the config.amazonaws.com service principal to call s3:GetBucketAcl, s3:ListBucket and s3:PutObject under the AWSLogs/<YOUR_ACCOUNT_ID>/Config/ prefix. The Console wizard attaches that policy for you; the CLI command below does not.

```bash
# Replace <unique-name> with a globally unique string
aws s3 mb s3://config-bucket-<unique-name> --region <YOUR_REGION>
```

Console alternative:
1. Navigate to the Amazon S3 console and choose Create bucket.
2. Enter a unique name: config-bucket-manual-xxx.
3. Keep all defaults and click Create bucket.
Step 2: Set Up the Configuration Recorder
You must tell AWS Config which resources to track. In this lab, we record all supported regional resource types (global types such as IAM are left out). The recorder and the delivery channel are created as two separate objects, both named "default", and recording is then started explicitly. The legacy `aws configservice subscribe` helper wraps these same three calls, but it also requires an SNS topic, so the underlying commands are used here.

```bash
# Create the recorder under the Config service-linked role, tracking all regional resource types
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::<YOUR_ACCOUNT_ID>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=false

# Point the delivery channel at the bucket from Step 1
aws configservice put-delivery-channel \
  --delivery-channel name=default,s3BucketName=config-bucket-<unique-name>

# Start recording
aws configservice start-configuration-recorder --configuration-recorder-name default
```

[!NOTE] If the service-linked role does not exist, the Console setup wizard usually creates it automatically. From the CLI, create it first with the IAM create-service-linked-role operation for the service name config.amazonaws.com; put-configuration-recorder fails if the role ARN does not resolve.
Step 3: Create a Non-Compliant Resource
We will create an S3 bucket without versioning enabled to trigger a non-compliance finding in the next step.

```bash
aws s3 mb s3://lab-compliance-target-<unique-name>
```

Step 4: Deploy a Managed Config Rule
We will use the managed rule S3_BUCKET_VERSIONING_ENABLED, which flags every AWS::S3::Bucket in the region whose versioning is not enabled. Versioning retains prior object versions, so it protects data against accidental deletion and overwrite.

```bash
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-bucket-versioning-enabled",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED"
  },
  "Scope": {
    "ComplianceResourceTypes": ["AWS::S3::Bucket"]
  }
}'
```

Console alternative:
1. Open the AWS Config console and go to Rules.
2. Click Add rule.
3. Search for "s3-bucket-versioning-enabled" and select it.
4. Leave parameters as default and save the rule.
Step 5: Trigger Evaluation and View Compliance
S3_BUCKET_VERSIONING_ENABLED is a change-triggered rule: Config evaluates a bucket each time the recorder delivers a new configuration item for it, which happens shortly after the bucket is created or modified. You can also force an evaluation of every in-scope resource; the service accepts this request at most once per minute for a given rule, and rejects it while the rule is still being created.

```bash
aws configservice start-config-rules-evaluation --config-rule-names s3-bucket-versioning-enabled
```

Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| Recorder Status | aws configservice describe-configuration-recorder-status | "recording": true and "lastStatus": "SUCCESS" for the default recorder |
| Rule Compliance | View the Config dashboard, or run aws configservice describe-compliance-by-config-rule --config-rule-names s3-bucket-versioning-enabled | s3-bucket-versioning-enabled shows Non-compliant (NON_COMPLIANT). Both lab-compliance-target-<unique-name> and the delivery bucket from Step 1 are listed, since neither has versioning enabled |
| Resource Inventory | Search for the S3 bucket under Resources | Resource ID appears in the Config inventory list, and its Resource Timeline shows the creation event |
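The script below is an added, end-to-end driver for Steps 1 to 5 and the teardown; it is not code from the lab itself or from AWS. It attaches the bucket policy the service-linked role needs, creates the recorder and delivery channel, waits for the rule to become ACTIVE and for the target bucket to be evaluated, enables versioning on the lab bucket only, and re-checks that that bucket's verdict flips to COMPLIANT. It assumes AWS CLI v2 with administrative credentials and an existing AWSServiceRoleForConfig; the AWS_REGION and LAB_SUFFIX variables and the helper names (bucket_policy_json, rule_results, non_compliant_ids, verdict_of, wait_for_bucket) are this script's own conventions, not AWS names.

```shell
#!/usr/bin/env bash
# Added driver for Steps 1-5 and the teardown of this lab; not part of the original page.
# Assumptions: AWS CLI v2 with administrative credentials, and the service-linked role
# AWSServiceRoleForConfig already exists. AWS_REGION, LAB_SUFFIX and every function name
# below are this script's own conventions, not AWS names.
# Usage: ./config-lab.sh run | teardown
set -eu

REGION="${AWS_REGION:-us-east-1}"
SUFFIX="${LAB_SUFFIX:-$(date +%s)}"          # a timestamp keeps the bucket names globally unique
CONFIG_BUCKET="config-bucket-${SUFFIX}"
TARGET_BUCKET="lab-compliance-target-${SUFFIX}"
RULE="s3-bucket-versioning-enabled"
ROLE_PATH="role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

# The service-linked role cannot write to S3 on its own: the delivery bucket must trust
# the config.amazonaws.com principal, limited to our account and Config's AWSLogs/ prefix.
bucket_policy_json() {
  bucket="$1"; account="$2"
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Sid":"AWSConfigBucketPermissionsCheck","Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},
  "Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::${bucket}",
  "Condition":{"StringEquals":{"AWS:SourceAccount":"${account}"}}},
 {"Sid":"AWSConfigBucketExistenceCheck","Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},
  "Action":"s3:ListBucket","Resource":"arn:aws:s3:::${bucket}",
  "Condition":{"StringEquals":{"AWS:SourceAccount":"${account}"}}},
 {"Sid":"AWSConfigBucketDelivery","Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},
  "Action":"s3:PutObject","Resource":"arn:aws:s3:::${bucket}/AWSLogs/${account}/Config/*",
  "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control","AWS:SourceAccount":"${account}"}}}
]}
EOF
}

# Evaluation results for the rule as "<resourceId><TAB><complianceType>" lines.
rule_results() {
  aws configservice get-compliance-details-by-config-rule --config-rule-name "$RULE" --output text \
    --query 'EvaluationResults[].[EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId,ComplianceType]'
}

# Pure filters over those lines (read from stdin), kept apart from the AWS calls so they
# can be exercised with constructed input and no AWS access.
non_compliant_ids() { awk -F'\t' '$2 == "NON_COMPLIANT" { print $1 }'; }
verdict_of() {   # verdict for one resource id; NOT_EVALUATED if Config has no result for it yet
  awk -F'\t' -v id="$1" '$1 == id { print $2; found = 1 } END { if (!found) print "NOT_EVALUATED" }'
}

# Poll until one bucket reaches the expected verdict. A change-triggered rule has nothing to
# evaluate until the recorder has delivered the bucket's first configuration item, so allow
# several minutes instead of failing on the first empty answer.
wait_for_bucket() {
  bucket="$1"; expected="$2"; i=0
  while [ "$i" -lt 30 ]; do
    [ "$(rule_results | verdict_of "$bucket")" = "$expected" ] && { echo "$bucket: $expected"; return 0; }
    i=$((i + 1)); sleep 10
  done
  echo "timed out waiting for $bucket to be $expected" >&2; return 1
}

run() {
  account=$(aws sts get-caller-identity --query Account --output text)
  # Step 1: delivery bucket plus the policy the service-linked role needs
  aws s3 mb "s3://${CONFIG_BUCKET}" --region "$REGION"
  aws s3api put-bucket-policy --bucket "$CONFIG_BUCKET" \
    --policy "$(bucket_policy_json "$CONFIG_BUCKET" "$account")"
  # Step 2: recorder (all regional resource types), delivery channel, start recording
  aws configservice put-configuration-recorder \
    --configuration-recorder "name=default,roleARN=arn:aws:iam::${account}:${ROLE_PATH}" \
    --recording-group allSupported=true,includeGlobalResourceTypes=false
  aws configservice put-delivery-channel --delivery-channel "name=default,s3BucketName=${CONFIG_BUCKET}"
  aws configservice start-configuration-recorder --configuration-recorder-name default
  # Steps 3 and 4: an unversioned target bucket and the managed rule; wait until the rule is
  # ACTIVE, because StartConfigRulesEvaluation rejects a rule that is still being created
  aws s3 mb "s3://${TARGET_BUCKET}" --region "$REGION"
  aws configservice put-config-rule --config-rule "{\"ConfigRuleName\":\"${RULE}\",
    \"Source\":{\"Owner\":\"AWS\",\"SourceIdentifier\":\"S3_BUCKET_VERSIONING_ENABLED\"},
    \"Scope\":{\"ComplianceResourceTypes\":[\"AWS::S3::Bucket\"]}}"
  until [ "$(aws configservice describe-config-rules --config-rule-names "$RULE" \
      --query 'ConfigRules[0].ConfigRuleState' --output text)" = ACTIVE ]; do sleep 5; done
  # Step 5: evaluate, list every offending bucket (the delivery bucket will be among them),
  # remediate only the lab target, then re-evaluate and confirm it flipped to COMPLIANT
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE"
  wait_for_bucket "$TARGET_BUCKET" NON_COMPLIANT
  rule_results | non_compliant_ids | sed 's/^/NON_COMPLIANT: /'
  aws s3api put-bucket-versioning --bucket "$TARGET_BUCKET" --versioning-configuration Status=Enabled
  sleep 60   # StartConfigRulesEvaluation is limited to one call per rule per minute
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE"
  wait_for_bucket "$TARGET_BUCKET" COMPLIANT
}

teardown() {   # same order as the Clean-Up section; the channel can only go once the recorder is stopped
  aws configservice delete-config-rule --config-rule-name "$RULE"
  aws configservice stop-configuration-recorder --configuration-recorder-name default
  aws configservice delete-delivery-channel --delivery-channel-name default
  aws configservice delete-configuration-recorder --configuration-recorder-name default
  aws s3 rb "s3://${TARGET_BUCKET}" --force
  aws s3 rb "s3://${CONFIG_BUCKET}" --force
}

case "${1:-}" in
  run) run ;;
  teardown) teardown ;;
esac
```

Run it as `./config-lab.sh run` and, when you are done, `./config-lab.sh teardown`. Remediation is restricted to the lab target on purpose: the same rule flags every unversioned bucket in the region, including the delivery bucket from Step 1, and enabling versioning on buckets you did not create is not a decision a lab script should make.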
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| "AccessDenied" or InsufficientDeliveryPolicyException | The role or the delivery bucket's policy lacks permissions | Ensure AWSServiceRoleForConfig exists with the AWS managed policy AWSConfigServiceRolePolicy attached, and that the delivery bucket's policy grants config.amazonaws.com s3:GetBucketAcl, s3:ListBucket and s3:PutObject on AWSLogs/<YOUR_ACCOUNT_ID>/Config/*. |
| Rule stuck in "Evaluating" | Initial delay | A change-triggered rule has nothing to evaluate until the recorder delivers the bucket's first configuration item; AWS Config can take 2–5 minutes to process the first evaluation after a bucket is created. |
| S3 Bucket creation fails | Name collision | S3 bucket names must be globally unique across all AWS accounts. Add more random digits. |
Clean-Up / Teardown
To avoid unexpected costs, perform these steps in order:

1. Delete the Config Rule:

```bash
aws configservice delete-config-rule --config-rule-name s3-bucket-versioning-enabled
```

2. Stop the Configuration Recorder:

```bash
aws configservice stop-configuration-recorder --configuration-recorder-name default
```

3. Delete Lab Resources:

```bash
aws s3 rb s3://lab-compliance-target-<unique-name> --force
aws s3 rb s3://config-bucket-<unique-name> --force
```

[!IMPORTANT] Stopping the recorder does not remove the delivery channel or the recorder object. Whether you set Config up from the Console wizard or the CLI, delete the delivery channel (delete-delivery-channel) and then the recorder (delete-configuration-recorder) to fully disable the service; the delivery channel can only be deleted after the recorder has been stopped.