AWS Config
Learn how AWS Config tracks resource configuration history and compliance with managed or custom rules and remediation actions.
AWS Config records how AWS resource configurations change over time and evaluates them against rules that define acceptable state. For DevOps teams, it matters because it helps teams answer whether infrastructure matches policy and what changed when compliance drift appears. Instead of relying on one fragile manual configuration, you can design a repeatable service boundary that stays stable while the workload behind it changes.
Core ideas
The main ideas to understand are Config can record supported resource types and maintain a timeline of configuration changes for each item; managed rules cover common controls quickly, while custom rules let teams encode organisation-specific policy logic; remediation actions can automate corrective steps after a noncompliant finding; and the configuration timeline for a resource such as an EC2 instance is especially useful during change review and incident analysis. These details shape architecture decisions, but they also shape day-to-day operations. When a team chooses defaults without understanding how the service behaves under failure, scale, or security review, the platform often becomes harder to debug than the application itself.
| Config capability | Benefit | Example |
|---|---|---|
| Configuration timeline | Shows change history | Track security group edits |
| Managed rule | Fast baseline policy | S3 buckets must be encrypted |
| Remediation | Automated fix | Attach missing baseline tags |
From an operations perspective, the goal is to treat compliance as a continuous signal instead of a point-in-time spreadsheet exercise performed only before audits. The comparison below highlights the choices that usually matter first. It is often better to start with a simpler design and add sophistication only after metrics, incidents, or delivery requirements prove the change is necessary.
Practical commands
aws configservice describe-configuration-recorders
aws configservice describe-config-rules
aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id i-0123456789abcdef0
Practical CLI checks make the service easier to support in real environments. Use the commands below to inspect the current state and confirm that automation matches intent. Before you promote a change, verify which resources are recorded, how findings are remediated, and whether the team is prepared for automated fixes. A safe default is start with a small set of high-value rules and expand once ownership and response paths are clear. That discipline makes later troubleshooting, scaling, and security reviews far less painful.
Config purpose
What is AWS Config used for?
Rule types
Which statement about AWS Config rules is correct?