SCS-C03 Cram Sheet: Evaluating AWS Resource Compliance

Evaluate the compliance of AWS resources

This cram sheet focuses on Domain 6: Management and Security Governance, specifically Task 6.3: Evaluate the compliance of AWS resources. It covers the tools and strategies required to monitor, audit, and remediate resource configurations in an AWS environment.

Topic Weighting

| Domain | Percentage of Exam | Task Focus |
| --- | --- | --- |
| Domain 6: Management and Security Governance | 14% | Task 6.3: Evaluating Compliance |

[!IMPORTANT] Expect approximately 5-8 questions directly related to AWS Config rules, Conformance Packs, and multi-account compliance aggregation.

Key Concepts Summary

  • AWS Config: A service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a Configuration History and a Configuration Timeline.
  • AWS Config Rules: Logic used to evaluate whether resources are compliant.
    • Managed Rules: Predefined by AWS (e.g., s3-bucket-public-read-prohibited).
    • Custom Rules: Written by you, either as an AWS Lambda function or in the CloudFormation Guard policy language.
  • Evaluation Modes:
    • Detective: Evaluates existing resources after they are deployed.
    • Proactive: Evaluates resource properties before they are created (e.g., via CloudFormation hooks).
  • Conformance Packs: A collection of AWS Config rules and remediation actions that can be deployed as a single entity across an entire organization.
  • Multi-Account/Multi-Region Aggregation: Uses an Aggregator to collect compliance data from multiple accounts and regions into a single central "Security" account.
  • AWS Audit Manager: Automates evidence collection for auditing against frameworks like SOC2, HIPAA, or PCI DSS.
  • AWS Artifact: A self-service portal to download AWS's own compliance reports (e.g., ISO, SOC).

Common Pitfalls

  • DON'T confuse AWS Config with AWS CloudTrail. CloudTrail records "Who did what" (API calls); Config records "What the resource looks like" (Configuration state).
  • DON'T assume AWS Config is global. It is a Regional service. You must enable the configuration recorder in every region you wish to monitor.
  • DON'T forget that Custom Config Rules backed by Lambda require a resource-based permission on the function that allows the AWS Config service to invoke it.
  • DON'T confuse Security Hub with AWS Config. Security Hub provides a central dashboard for security findings from multiple services, while Config focuses on specific resource compliance against rules.

Mnemonics / Memory Triggers

  • C.A.R.E. for Compliance:
    • Config (The Base)
    • Aggregator (Multi-account view)
    • Rules (The Test)
    • Evidence (Audit Manager)
  • P.A.T. (Triggers): Config rules trigger on Periodic schedule, API change (Configuration change), or Triggered on-demand.

Formula / Equation Sheet

Evaluation Trigger Logic

| Trigger Type | Best Use Case | Frequency / Mechanism |
| --- | --- | --- |
| Configuration Change | Immediate notification | Triggered when a Configuration Item (CI) is recorded. |
| Periodic | Drift detection | Scheduled intervals (1, 3, 6, 12, or 24 hours). |
| Hybrid | Maximum coverage | Both change-triggered and periodic checks. |

Remediation Flow

Config rule evaluates the resource -> resource marked NON_COMPLIANT -> associated remediation action runs (SSM Automation document) -> resource re-evaluated on the next Configuration Item.

Practice Set

  1. A security engineer needs to ensure that all S3 buckets in an organization have versioning enabled. If a bucket is created without versioning, it should be fixed automatically. What is the most efficient solution?
    • Answer: Create an AWS Config rule (s3-bucket-versioning-enabled) and associate an AWS Systems Manager (SSM) Automation document as a remediation action.
  2. How can you view the compliance status of 50 member accounts in a central security account?
    • Answer: Set up an AWS Config Aggregator in the central account and authorize the member accounts (or integrate with AWS Organizations).
  3. Which service should be used to provide a third-party auditor with the AWS SOC 2 Type 2 report?
    • Answer: AWS Artifact.
  4. A developer wants to check if a CloudFormation template complies with company security policies before deployment. Which AWS Config mode is used?
    • Answer: Proactive mode.
  5. Which service automates the collection of AWS CloudTrail logs and VPC Flow Logs as evidence for a HIPAA audit?
    • Answer: AWS Audit Manager.

Worked Examples

Example 1: Remediating Unencrypted EBS Volumes

Goal: Detect and automatically encrypt any EBS volume created without encryption.

  1. Rule: Enable the AWS Managed Rule ec2-ebs-encryption-by-default.
  2. Trigger: Set to "Configuration Change".
  3. Remediation: Choose the SSM Document AWS-EnableEbsEncryptionByDefault.
  4. Result: If an EC2 volume is created unencrypted, Config detects the state change, marks it non-compliant, and triggers the SSM document to enable the setting globally in the region for future volumes.
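Example 1 uses a managed rule that checks the account-level encryption setting. The custom-rule route listed under Key Concepts lets you evaluate each volume individually; the following Lambda handler is an added example (not from this page or from AWS) that classifies each AWS::EC2::Volume Configuration Item by its encrypted flag and handles both trigger types from the table above. The config_client and list_volumes parameters are assumptions so the code runs offline, and the sample event is constructed.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(ci):
    # Classify one AWS::EC2::Volume configuration item (CI)
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE  # deleted resources drop out of the rule's results
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE
    # The CI "configuration" block mirrors DescribeVolumes output, including "encrypted"
    return COMPLIANT if ci.get("configuration", {}).get("encrypted") else NON_COMPLIANT


def lambda_handler(event, context=None, config_client=None, list_volumes=None):
    # config_client: a boto3 "config" client (omitted here so the code runs offline)
    # list_volumes: assumed callable returning CI-like dicts for the periodic path
    invoking_event = json.loads(event["invokingEvent"])
    message_type = invoking_event["messageType"]
    if message_type == "ConfigurationItemChangeNotification":
        # Change-triggered: Config delivers the CI of the resource that just changed
        items = [invoking_event["configurationItem"]]
        ordering_time = items[0]["configurationItemCaptureTime"]
    elif message_type == "ScheduledNotification":
        # Periodic: no CI in the event, so the rule must enumerate resources itself
        items = list_volumes() if list_volumes else []
        ordering_time = invoking_event["notificationCreationTime"]
    else:
        raise ValueError("unsupported messageType: " + message_type)
    evaluations = [{"ComplianceResourceType": ci["resourceType"],
                    "ComplianceResourceId": ci["resourceId"],
                    "ComplianceType": evaluate_volume(ci),
                    "OrderingTimestamp": ordering_time} for ci in items]
    if config_client is not None:  # report results back using the event's resultToken
        config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


# Constructed sample event: a change notification for an unencrypted volume
SAMPLE_CHANGE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
    }),
}
```

In a deployed rule the evaluations are sent with PutEvaluations; Config then marks the volume NON_COMPLIANT, which is the state a remediation action keys off.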

Example 2: Multi-Account Compliance Architecture

% Requires \usetikzlibrary{positioning} for the "right=... of ..." placement syntax
\begin{tikzpicture}[node distance=2cm, box/.style={rectangle, draw, rounded corners, minimum width=3cm, minimum height=1cm, align=center}]

% Nodes
\node[box] (member1) {Member Account A \\ (Config Recorder)};
\node[box] (member2) [below of=member1] {Member Account B \\ (Config Recorder)};
\node[box] (sec_account) [right=3cm of member1, yshift=-1cm, fill=blue!10] {Central Security Account \\ \textbf{Config Aggregator}};
\node[box] (sns) [right=2cm of sec_account] {SNS Topic \\ (Alerting)};

% Arrows
\draw[->, thick] (member1) -- (sec_account) node[midway, above] {Data Push};
\draw[->, thick] (member2) -- (sec_account) node[midway, below] {Data Push};
\draw[->, thick] (sec_account) -- (sns);

\end{tikzpicture}

Recall Blanks

  1. AWS Config uses __________ __________ (CIs) to represent the state of a resource at a specific point in time.
  2. To evaluate a resource before it is provisioned, you use __________ mode.
  3. An __________ __________ is a collection of AWS Config rules and remediation actions typically used for regulatory frameworks.
  4. The __________ is the component of AWS Config that records and stores configuration changes in an S3 bucket.
  5. __________ __________ allows you to map your AWS usage to control requirements for automated evidence gathering.

Recall Answers

  1. Configuration Items
  2. Proactive
  3. Conformance Pack
  4. Configuration Recorder
  5. Audit Manager
