DEV Community

harsh patel
Getting Started with AWS Config: Monitor, Detect, and Remediate Non-Compliant Resources

Getting Started with AWS Config

AWS Config is a powerful management service that continuously monitors and records the configuration of your AWS resources. It helps ensure compliance by evaluating these resources and their relationships within a specific AWS Region. Whenever a resource deviates from the defined configuration rules, AWS Config flags it as non-compliant, allowing you to identify and remediate issues proactively.

In this Cloud Lab, you’ll learn how to use AWS Config to enforce compliance on EC2 security groups. You’ll begin by creating an IAM role that grants AWS Config the necessary permissions to perform its operations. Next, you’ll configure AWS Config to monitor security groups in the us-east-1 (N. Virginia) Region. After that, you’ll define and apply Config Rules to evaluate compliance across your resources.

Once AWS Config is set up, you’ll intentionally create non-compliant resources to observe how it detects and reports them. You’ll then configure remediation actions that automatically bring these resources back into compliance.

By the end of this lab, you’ll be able to confidently use AWS Config to:

  • Monitor AWS resources in real time
  • Detect configuration drift or non-compliance
  • Automatically enforce your organization’s security and governance policies

Architecture diagram

1. Create an IAM Role

An IAM role is an AWS identity with a set of defined permissions. Unlike a user, a role can be assumed by trusted entities, including AWS services, to gain temporary access for specific actions.

Every role consists of:

  • A trust policy — defines who can assume the role.
  • A permissions policy — defines what those entities can do.

In this step, you’ll create an IAM role for AWS Config, granting it permissions to monitor and manage AWS resources.


Steps to Create the IAM Role

  1. Open the IAM Console

    Search for “IAM” in the AWS Console and select it to open the dashboard.

  2. Create a New Role

    Go to Roles → Create role.

  3. Select the Trusted Entity

    Under Use case, search and select Config.

    Click Next.

  4. Attach Permissions

    The policy AWSConfigServiceRolePolicy will be automatically selected.

    Click Next.

  5. Review and Create

    The default name AWSServiceRoleForConfig will appear automatically.

    Click Create role.

⚠️ Note: If the error “A role with this name already exists” appears, use the existing service role instead of creating a new one.


2. Start the Configuration Recorder

The Configuration Recorder is the core of AWS Config. It continuously tracks configuration changes for selected AWS resources.

In this step, you’ll enable it to monitor EC2 security groups within your Region.


Steps to Start the Configuration Recorder

  1. Open AWS Config

    Search for “Config” and select the service.

    You’ll land on the AWS Config Home page.

  2. Set Up AWS Config

    Click Set up AWS Config in the sidebar.

  3. Select Specific Resources

    Under Recording method, choose Specific resource types.

    Add:

    • AWS EC2 SecurityGroup → Frequency: Continuous

  4. Assign the IAM Role

    Under Data governance, choose Select a role from your account and pick the previously created role.

  5. Configure Delivery Method

    Under Delivery method, select Create a bucket.

    This S3 bucket will store all configuration logs.

    Click Next.

  6. Skip Rule Selection

    On the Rules page, click Next without selecting any rules (we’ll add them later).

  7. Review and Confirm

    Review your setup and click Confirm.

    AWS Config will now record configuration changes for all security groups in your region.

💡 If Config Is Already Enabled:

Go to Settings → Edit, select Specific resource types, and configure only AWS EC2 SecurityGroup for Continuous recording.


3. Add AWS Config Rules

AWS Config Rules allow AWS Config to evaluate resources against compliance standards. AWS provides managed rules, and you can also create custom rules.

In this lab, you’ll add one managed rule to enforce your organization’s policy:

  • restricted-ssh → Ensures no public SSH access (port 22)

Steps to Add AWS Config Rules

Add the “restricted-ssh” Rule

  1. From the AWS Config dashboard, select Rules → Add rule.
  2. Choose Add AWS managed rule.
  3. Search for and select restricted-ssh.
  4. Click Next, leave defaults, and click Next again.
  5. Review and click Save.

This rule marks any EC2 security group that allows public SSH access as non-compliant.

AWS Config will now begin evaluating your security groups against this rule.


4. Provision EC2 Resources

Now, you’ll create EC2 resources that AWS Config can evaluate.

We’ll intentionally make one of them non-compliant to observe AWS Config’s detection capabilities.

Create a Security Group

  1. Open the EC2 Dashboard → Search “EC2” in the console.
  2. Go to Network & Security → Security Groups.
  3. Click Create security group.
  4. Set:
    • Name: MySecurityGroup
    • Description: Security group allowing SSH access
  5. Under Inbound rules, click Add rule:
    • Type: SSH
    • Source: Anywhere-IPv4 (0.0.0.0/0)
  6. Click Create security group.

This configuration allows public SSH access — intentionally non-compliant per your rule.


Create an EC2 Instance

  1. Go to Instances → Launch instances.
  2. Set the following:
    • Name: client
    • AMI: Amazon Linux 2023 AMI
    • Instance type: t2.micro
    • Key pair: Proceed without key pair
    • Network settings: Select existing security group → MySecurityGroup
    • Storage: Default gp3
  3. Click Launch instance.
  4. Wait for the instance status to show Running.

AWS Config will now start evaluating these resources.


5. Check the Resources’ Compliance

Now let’s verify whether your security group complies with the defined rule.

Steps to Verify Compliance

  1. Open AWS Config → Rules.
  2. Under restricted-ssh, look for 1 Noncompliant resource(s). If none appear, wait about a minute and refresh.
  3. Click the restricted-ssh rule → view Resources in scope.
  4. Click the Resource ID to confirm it’s your MySecurityGroup.
  5. To view its details, click View Configuration Item (JSON). You’ll find:

```json
"ipPermissions": [
    {
        "fromPort": 22,
        "ipProtocol": "tcp",
        "toPort": 22,
        "ipv4Ranges": [
            {
                "cidrIp": "0.0.0.0/0"
            }
        ]
    }
]
```

This shows that port 22 (SSH) is open to the public (0.0.0.0/0) — making the security group non-compliant.


6. Add and Use a Remediation Action

Once AWS Config identifies non-compliance, you can fix it using remediation actions.

AWS Config integrates with AWS Systems Manager Automation to perform predefined remediation workflows (runbooks).

Here, you’ll create and execute a remediation action to automatically remove public SSH access from your EC2 security group.


Add the Remediation Action

  1. Open AWS Config → Rules → restricted-ssh.
  2. Click Actions → Manage remediation.
  3. Under Select remediation method, choose Manual remediation.
  4. In Remediation action details, select AWS-DisablePublicAccessForSecurityGroup.
  5. For Resource ID parameter, choose GroupId.
  6. In Parameters, set:
    • IpAddressToBlock: 0.0.0.0/0
  7. Click Save changes.

Use the Remediation Action

  1. Open the restricted-ssh rule again.
  2. In Resources in scope, select the non-compliant security group.
  3. Click Remediate.
  4. Once the process completes, you’ll see “Action executed successfully.”
  5. Refresh the page — the resource should disappear from the non-compliant list.
  6. Finally, verify from the EC2 Dashboard → Security Groups that the inbound SSH rule allowing public access has been removed.

You’ve successfully remediated your non-compliant resource.
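To make the two halves of this lab concrete offline, here is an added example (my own code, not AWS’s or the lab author’s) that models what the restricted-ssh rule checks in the configuration item from step 5 and what the step 6 remediation leaves behind for IpAddressToBlock=0.0.0.0/0. It goes slightly beyond the lab: it also treats ::/0, all-traffic (-1) rules and port ranges spanning 22 as public SSH, which the managed rule does; the configuration item is constructed from the lab’s JSON with a placeholder group id, and the real SSM document additionally revokes RDP/3389, which is not modelled here.

```python
# Added example, not AWS code: restricted-ssh check and remediation effect, offline.
import json
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # what restricted-ssh treats as public
SSH_PORT = 22

# Constructed from the lab's JSON; the group id is a placeholder.
CONFIG_ITEM = json.loads("""
{"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-PLACEHOLDER",
 "configuration": {"groupName": "MySecurityGroup", "ipPermissions": [
   {"fromPort": 22, "ipProtocol": "tcp", "toPort": 22,
    "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
   {"fromPort": 443, "ipProtocol": "tcp", "toPort": 443,
    "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}}
""")

def _cidrs(perm):
    """All IPv4 and IPv6 source CIDRs of one ipPermissions entry."""
    return ([r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
            + [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])])

def _covers_ssh(perm):
    """TCP/22 is admitted by a tcp range spanning 22 or by protocol -1
    (all traffic), which carries no port fields at all."""
    if perm["ipProtocol"] == "-1":
        return True
    if perm["ipProtocol"] != "tcp":
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)

def public_ssh_sources(config_item):
    """Public sources that make restricted-ssh report NON_COMPLIANT."""
    return [c for perm in config_item["configuration"]["ipPermissions"]
            if _covers_ssh(perm) for c in _cidrs(perm) if c in PUBLIC_CIDRS]

def evaluate(config_item):
    return "NON_COMPLIANT" if public_ssh_sources(config_item) else "COMPLIANT"

def block_cidr(config_item, ip_to_block):
    """Copy with ip_to_block revoked from SSH-covering rules (IpAddressToBlock effect)."""
    item = json.loads(json.dumps(config_item))  # never mutate the input
    kept = []
    for perm in item["configuration"]["ipPermissions"]:
        if _covers_ssh(perm):
            perm["ipv4Ranges"] = [r for r in perm.get("ipv4Ranges", []) if r["cidrIp"] != ip_to_block]
            perm["ipv6Ranges"] = [r for r in perm.get("ipv6Ranges", []) if r["cidrIpv6"] != ip_to_block]
        if _cidrs(perm) or perm.get("userIdGroupPairs"):  # drop rules left without a source
            kept.append(perm)
    item["configuration"]["ipPermissions"] = kept
    return item
```

Running evaluate on CONFIG_ITEM reports NON_COMPLIANT; after block_cidr(CONFIG_ITEM, "0.0.0.0/0") only the 443 rule remains and the item evaluates COMPLIANT, which is exactly the change you verify in the EC2 console at the end of step 6.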


Conclusion

In this Cloud Lab, you learned how to:

  • Configure AWS Config to monitor and record resource changes
  • Define compliance rules for security groups
  • Detect and review non-compliant resources
  • Apply remediation actions to automatically fix violations

With AWS Config, you can continuously track, audit, and enforce configuration compliance — ensuring your AWS environment remains secure and aligned with organizational policies.
