AWS Config
A continuous configuration-recording and compliance-evaluation service. Where CloudTrail answers "who did what," Config answers "is this resource, right now (or as of any point in its history), configured the way it should be." Mostly detective by design — but its newer proactive mode can act as a genuine pre-deployment gate.
Detective — primary role
Governance / Compliance
Preventive — proactive mode only
- 200+ managed Config rules available
- 2 evaluation modes: detective and proactive
- $0.001 per rule evaluation (first 100,000 evaluations per region per month)
- 75 new managed rules added March 2026
How Config Actually Works
The Core Mechanism — Configuration Items, Not Just "Rules"
- The Configuration Recorder is the foundation: once enabled, Config continuously captures a point-in-time snapshot — a Configuration Item (CI) — of a resource's attributes and its relationships to other resources, every time that resource changes. This builds a full historical timeline you can browse, not just a current-state snapshot.
- Config rules evaluate CIs against logic, either AWS-managed rules (200+, covering security, durability and operational use cases, with new ones added regularly; 75 more were added in March 2026 alone, covering services like Amplify, SageMaker and Route 53) or custom rules backed by your own Lambda function (custom Lambda rules) or by AWS CloudFormation Guard policy-as-code (custom policy rules).
- Detective evaluation mode (the default, original behavior) — evaluates resources either periodically or in response to a detected configuration change, AFTER the resource already exists. This means a non-compliant resource CAN be created; Config will simply flag it as non-compliant after the fact.
- Proactive evaluation mode evaluates a proposed resource configuration BEFORE it is actually created or updated. The proposal is submitted through the StartResourceEvaluation API, typically from a CI/CD pipeline via a CloudFormation hook. If the proactive rule fails, CloudFormation can halt the deployment entirely; this is the one scenario where Config behaves as a genuinely preventive control rather than a detective one.
- Conformance packs bundle Config rules (plus their remediation actions) into a single deployable unit mapped to a framework — HIPAA, NIST 800-53, FedRAMP, CMMC, AWS Well-Architected — simplifying multi-account, multi-region governance at scale.
⚠️ The Recurring Exam Theme
Config questions almost always test one of three things: (1) do you know Config rules do not, by themselves, guarantee compliance or block non-compliant actions in detective mode — AWS explicitly states this, (2) can you distinguish detective evaluation (after the fact) from proactive evaluation (before deployment, via CI/CD), and (3) can you separate Config (configuration state, generic rule engine) from CloudTrail (activity record) and Security Hub CSPM (packaged compliance standards built using similar underlying logic).
Exam Domain Mapping
| Domain | Where Config Shows Up |
|---|---|
| Management & Security Governance | The centerpiece: conformance packs, organization-wide rule deployment, compliance frameworks |
| Infrastructure Security | Detecting misconfigured security groups, public resources, missing encryption |
| Security Logging & Monitoring | Configuration change history, SNS notifications on compliance changes, the Config rules underlying Security Hub CSPM controls |
| Threat Detection & Incident Response | Remediation actions (SSM Automation) restoring resources to a compliant state after a finding |
Decision Tree — Mental Model
Threat
Resources drifting out of compliance with security/operational standards; non-compliant resources being deployed in the first place; lack of a documented compliance posture against named frameworks
↓
Security Goal
Continuously know whether every resource's configuration meets policy, detect drift, and optionally prevent non-compliant resources from ever being created
↓
AWS Service
AWS Config
Configuration Recorder + Configuration Items
Detective rules (after the fact)
Proactive rules (before deployment, via CFN hooks)
Conformance packs (framework bundles)
↓
Implementation
Enable the recorder org-wide via Organizations. Deploy conformance packs aligned to your regulatory frameworks. Add proactive rules into CI/CD pipelines for pre-deployment gating.
↓
Monitoring
Aggregators provide multi-account/region compliance visibility; SNS notifies on every configuration/compliance change; Security Hub CSPM packages Config-like checks into standardized scores.
↓
Remediation
SSM Automation documents attached as remediation actions automatically (or with manual approval) bring a non-compliant resource back into compliance.
Final Summary
Must Memorize
- Config rules do NOT guarantee compliance or block non-compliant actions in detective mode — AWS states this explicitly
- Proactive mode is the one path where Config can prevent deployment, via CloudFormation hooks in CI/CD
- Conformance packs bundle rules + remediation actions, deployable account/org-wide
- A Configuration Item captures both resource attributes AND relationships to other resources
Must Understand
- Why detective mode alone can't prevent a misconfigured resource from existing, even briefly
- The remediation-action pattern (SSM Automation) for closing the loop after detection
- The distinction triangle: Config (configuration state, generic engine) vs CloudTrail (activity record) vs Security Hub CSPM (packaged compliance standards)
Can De-prioritize
- Exact dollar pricing tiers
- Full list of all 200+ managed rules
- Console UI navigation specifics
Exam appearance probability: HIGH
Rules & Evaluation Modes
The single biggest conceptual fork in Config: detective (after the fact) vs proactive (before deployment).
2.1 Configuration Recorder & Configuration Items (Foundational)
What: Continuously captures point-in-time snapshots (Configuration Items) of resource attributes and their relationships to other resources
Scope control: Can be configured to include or exclude specific resource types, so only the types that matter to governance are recorded
- This is the foundation everything else builds on: rules evaluate against Configuration Items, and the resource/compliance timeline view is built from this continuous history.
- Publishes a notification via SNS (through the delivery channel) on every configuration change, independent of whether any rule is attached.
2.2 Managed vs Custom Rules (High exam relevance)
Managed rules: AWS-provided, 200+ and growing; 75 new ones were added in March 2026 alone, covering services like Amplify, SageMaker and Route 53
Custom rules: Backed by your own Lambda function (custom Lambda rules) or by AWS CloudFormation Guard policy-as-code (custom policy rules), for organization-specific logic not covered by managed rules
- Both types can run in detective or proactive evaluation mode, subject to support: only rules that list proactive evaluation among their supported modes can be used as a pre-deployment gate, so check a rule's supported evaluation modes before relying on it to block anything.
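The following is an added example, not code from the original page or from AWS, of what a custom Lambda rule actually does: it parses the invocation event Config sends, evaluates the embedded Configuration Item, and reports a compliance verdict through PutEvaluations. The rule parameter name `requiredKmsKeyArn` and the sample event are constructed for illustration; the event shape, status values and the 256-character annotation limit are the real Config contract.

```python
"""Custom AWS Config rule (Lambda-backed): flag EBS volumes that are unencrypted
or encrypted with a key other than the mandated CMK.

Editor-added example; not code from AWS or the original page. The rule
parameter `requiredKmsKeyArn` and SAMPLE_EVENT below are constructed.
"""
import json
from typing import Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_volume(config_item: dict, required_key_arn: Optional[str] = None):
    """Return (compliance_type, annotation) for one AWS::EC2::Volume CI.

    Deleted or unrecorded resources are NOT_APPLICABLE rather than
    NON_COMPLIANT so the rule never reports stale state after a volume is gone.
    """
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule only evaluates EBS volumes"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted or not recorded"

    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "EBS volume is not encrypted"
    if required_key_arn and cfg.get("kmsKeyId") != required_key_arn:
        return NON_COMPLIANT, f"Encrypted with {cfg.get('kmsKeyId')}, expected {required_key_arn}"
    return COMPLIANT, "Encrypted with the mandated KMS key"


def build_evaluation(event: dict) -> Optional[dict]:
    """Translate the Lambda invocation event into one PutEvaluations entry.

    Scheduled (periodic) invocations carry no configuration item and are
    ignored by this change-triggered design. Oversized CIs would need a
    GetResourceConfigHistory lookup, which is out of scope here.
    """
    invoking = json.loads(event["invokingEvent"])  # invokingEvent is a JSON string
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate_volume(ci, params.get("requiredKmsKeyArn"))
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as a Config custom Lambda rule."""
    import boto3  # imported lazily so the pure logic above runs without AWS credentials
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"skipped": True}
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event shaped like a real change-triggered invocation:
# the volume is encrypted, but with a key other than the mandated one.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "encrypted": True,
                "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa",
            },
        },
    }),
    "ruleParameters": json.dumps(
        {"requiredKmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/bbbb"}
    ),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Keeping the verdict logic in `evaluate_volume`/`build_evaluation` and the `put_evaluations` call in the handler is deliberate: the rule can be unit-tested against captured Configuration Items without AWS credentials, and the handler stays a thin adapter. In a real deployment the Lambda's execution role needs `config:PutEvaluations`, and the rule must be created with the Lambda's ARN as its source.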
2.3 Detective Evaluation Mode (Default behavior)
Trigger: Periodically, or upon detecting a configuration change, AFTER the resource exists
- A resource CAN be created in a non-compliant state; Config only flags it as non-compliant once evaluated and does not prevent its creation.
- This is the original, foundational Config behavior and remains the default for most rule deployments.
2.4 Proactive Evaluation Mode (High; the "preventive" exception)
Trigger: BEFORE resource creation/update, typically wired into a CI/CD pipeline via a CloudFormation hook
Mechanism: A pre-create/pre-update hook submits the proposed resource configuration to Config (the StartResourceEvaluation API) and the proactive rules evaluate it right before CloudFormation provisions the resource
- Example: a hook checks that a Lambda function's CloudFormation template includes the mandated tracing configuration BEFORE deployment. If compliant, CloudFormation proceeds; if not, the stack deployment fails immediately and the pipeline halts, with details recorded and stakeholders notified.
- This is the ONE scenario where Config functions as a genuinely preventive control: "shift-left" governance baked directly into the deployment pipeline, not just after-the-fact detection.
- Standardizes controls in a centrally managed rule repository, applied consistently across accounts via the same CI/CD integration pattern.
- Caveat: proactive evaluation only covers resources that go through the pipeline. Anything created outside it (console, CLI, a different tool) is still only caught by detective rules, so proactive mode complements detective mode rather than replacing it.
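The gate described above, written as an added example that is not code from the original page or from AWS. It drives the real StartResourceEvaluation / GetResourceEvaluationSummary request and response shapes through an injectable client, so the decision logic can run offline against the constructed `FakeConfigClient`; in a pipeline you would pass `boto3.client("config")` instead. The Lambda function properties, the hypothetical bucket and role names, and the "tracing must be Active" verdict baked into the fake client are assumptions.

```python
"""Pipeline gate built on AWS Config proactive evaluation.

Editor-added example, not code from the original page or from AWS.
FakeConfigClient is a constructed stand-in for boto3.client("config");
the Lambda properties below are assumed values.
"""
import json
import time


class GateError(Exception):
    """The evaluation failed or timed out: the gate fails closed, never open."""


def proactive_gate(client, resource_type, properties, resource_id="pipeline-candidate",
                   timeout_s=60, poll_s=0.0):
    """Submit a proposed resource and block until Config returns a verdict.

    Returns the final evaluation summary. Anything other than a SUCCEEDED
    evaluation raises, so an API failure can never be mistaken for a pass.
    """
    resp = client.start_resource_evaluation(
        ResourceDetails={
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            # CloudFormation-shaped properties, the same form a template carries
            "ResourceConfiguration": json.dumps(properties),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        EvaluationMode="PROACTIVE",
        EvaluationTimeout=timeout_s,
    )
    eval_id = resp["ResourceEvaluationId"]
    deadline = time.monotonic() + timeout_s
    while True:
        summary = client.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
        status = summary["EvaluationStatus"]["Status"]
        if status == "SUCCEEDED":
            return summary
        if status == "FAILED":
            raise GateError(summary["EvaluationStatus"].get("FailureReason", "evaluation failed"))
        if time.monotonic() > deadline:
            raise GateError("timed out waiting for proactive evaluation")
        time.sleep(poll_s)


def should_deploy(summary: dict) -> bool:
    """Single decision point: only an explicit COMPLIANT verdict passes.
    NOT_APPLICABLE / INSUFFICIENT_DATA are treated as a block (fail closed)."""
    return summary.get("Compliance") == "COMPLIANT"


def gate_lambda_function(client, tracing_mode: str) -> bool:
    """Would a Lambda function proposed with this TracingConfig be allowed through?"""
    props = {  # assumed template properties for the example
        "FunctionName": "orders-api",
        "Runtime": "python3.12",
        "Handler": "app.handler",
        "Role": "arn:aws:iam::111122223333:role/orders-api-exec",
        "Code": {"S3Bucket": "artifacts-example", "S3Key": "orders-api.zip"},
        "TracingConfig": {"Mode": tracing_mode},
    }
    return should_deploy(proactive_gate(client, "AWS::Lambda::Function", props))


class FakeConfigClient:
    """Constructed stand-in for the Config API: one IN_PROGRESS poll, then a
    verdict that is COMPLIANT only when TracingConfig.Mode is Active."""

    def __init__(self, fail: bool = False):
        self.fail = fail
        self.polls = 0
        self.compliance = None

    def start_resource_evaluation(self, **kwargs):
        props = json.loads(kwargs["ResourceDetails"]["ResourceConfiguration"])
        mode = (props.get("TracingConfig") or {}).get("Mode")
        self.compliance = "COMPLIANT" if mode == "Active" else "NON_COMPLIANT"
        return {"ResourceEvaluationId": "eval-constructed-1"}

    def get_resource_evaluation_summary(self, **kwargs):
        self.polls += 1
        if self.fail:
            return {"EvaluationStatus": {"Status": "FAILED", "FailureReason": "constructed failure"}}
        if self.polls == 1:
            return {"EvaluationStatus": {"Status": "IN_PROGRESS"}}
        return {"EvaluationMode": "PROACTIVE",
                "EvaluationStatus": {"Status": "SUCCEEDED"},
                "Compliance": self.compliance}


if __name__ == "__main__":
    import sys
    allowed = gate_lambda_function(FakeConfigClient(), tracing_mode="PassThrough")
    print("deploy" if allowed else "BLOCKED: proposed resource is non-compliant")
    sys.exit(0 if allowed else 1)  # non-zero exit halts the pipeline stage
```

Failing closed on anything other than COMPLIANT is a design choice: a resource type with no proactive rules attached comes back without a COMPLIANT verdict, and silently letting it through would reintroduce the detective-only gap the gate exists to close. If that is too strict for a given pipeline, relax `should_deploy` deliberately rather than by accident.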
2.5 Conformance Packs
What: A YAML-templated bundle of Config rules plus remediation actions, deployable as one unit per account/region or org-wide
Frameworks: Sample templates exist for HIPAA, NIST 800-53, NIST 800-171, FedRAMP, FFIEC, CMMC Levels 1–2, AWS Well-Architected
- Can also be authored as custom templates, or stored and deployed via SSM documents.
- Org-level conformance pack and individual rule management lets a delegated administrator deploy consistent governance baselines across every member account.
2.6 Remediation Actions
What: SSM Automation documents attached to a rule, executed automatically (or with manual approval) when a resource is found non-compliant
- This is what actually closes the loop: Config rules alone only flag non-compliance; remediation actions are what bring the resource back into compliance.
2.7 Aggregators & Advanced Query
Aggregators: Consolidate configuration/compliance data across multiple accounts and regions into one view
Advanced Query: SQL-like querying across Configuration Items for ad-hoc investigation, e.g. "show me every unencrypted EBS volume across the org"
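The "every unencrypted EBS volume across the org" query above, as an added example that is not from the original page or from AWS. It shows the two details that trip people up when scripting Advanced Query against an aggregator: SelectAggregateResourceConfig returns each row as a JSON string that must be decoded, and results are paged with NextToken. The aggregator name and the canned rows in `FakeClient` are constructed; with a real client you would pass `boto3.client("config")`.

```python
"""Run an AWS Config Advanced Query across an aggregator and parse the rows.

Editor-added example; not code from the page or AWS. The aggregator name
and the rows served by FakeClient are constructed sample data.
"""
import json

# Advanced Query SQL: property paths inside `configuration` follow the CI schema.
UNENCRYPTED_VOLUMES = """
SELECT accountId, awsRegion, resourceId, configuration.size
WHERE resourceType = 'AWS::EC2::Volume'
  AND configuration.encrypted = false
"""


def query_aggregator(client, aggregator: str, expression: str, page_size: int = 100) -> list:
    """Return every row of an Advanced Query as decoded dicts, following NextToken."""
    rows, token = [], None
    while True:
        kwargs = {"ConfigurationAggregatorName": aggregator,
                  "Expression": expression,
                  "Limit": page_size}  # 100 is the API maximum per page
        if token:
            kwargs["NextToken"] = token
        resp = client.select_aggregate_resource_config(**kwargs)
        # Each element of Results is a JSON *string*, not a dict.
        rows.extend(json.loads(r) for r in resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


def summarize_by_account(rows: list) -> dict:
    """Count findings per account, noisiest first, for triage."""
    counts = {}
    for r in rows:
        counts[r["accountId"]] = counts.get(r["accountId"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


class FakeClient:
    """Constructed stand-in that serves two pages, mimicking the real response shape."""
    PAGES = [
        {"Results": [
            json.dumps({"accountId": "111122223333", "awsRegion": "us-east-1",
                        "resourceId": "vol-a", "configuration": {"size": 8}}),
            json.dumps({"accountId": "444455556666", "awsRegion": "eu-west-1",
                        "resourceId": "vol-b", "configuration": {"size": 100}}),
        ], "NextToken": "page2"},
        {"Results": [
            json.dumps({"accountId": "111122223333", "awsRegion": "us-west-2",
                        "resourceId": "vol-c", "configuration": {"size": 50}}),
        ]},
    ]

    def __init__(self):
        self._page = 0

    def select_aggregate_resource_config(self, **kwargs):
        if self._page > 0 and kwargs.get("NextToken") != "page2":
            raise ValueError("caller must pass NextToken back on subsequent pages")
        page = self.PAGES[self._page]
        self._page += 1
        return page


if __name__ == "__main__":
    findings = query_aggregator(FakeClient(), "org-aggregator", UNENCRYPTED_VOLUMES)
    for f in findings:
        print(f["accountId"], f["awsRegion"], f["resourceId"], f["configuration"]["size"], "GiB")
    print(summarize_by_account(findings))
```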
AWS Exam Thinking
Requirement → Keywords → Expected Answer → why every distractor fails.
Requirement: Determine whether a resource's configuration complies with a defined policy
Keywords: configuration compliance; is this resource configured correctly
Expected Answer: AWS Config (rules)
| Distractor | Why it's wrong |
|---|---|
| CloudTrail | Records WHO did WHAT, not whether the resulting configuration is compliant |
| Inspector | Finds known software vulnerabilities (CVEs) and network reachability issues, not generic configuration-rule compliance |
| GuardDuty | Detects threats from activity telemetry (CloudTrail events, VPC Flow Logs, DNS logs), not static configuration state |
Requirement: Prevent a non-compliant resource from ever being deployed via CI/CD
Keywords: before deployment; CI/CD gate; block the pipeline
Expected Answer: Config proactive rules (via CloudFormation hook)
| Distractor | Why it's wrong |
|---|---|
| Standard (detective) Config rules | Only evaluate AFTER the resource is created; cannot block the deployment itself |
| SCPs | Organization-level authorization guardrails on which API actions principals in an account may call; they can deny some calls via condition keys but do not evaluate a proposed resource's full configuration against rule logic before deployment |
Requirement: Bundle a set of controls mapped to HIPAA/NIST/FedRAMP and deploy org-wide
Keywords: framework; bundle controls; org-wide deployment
Expected Answer: Config conformance pack
| Distractor | Why it's wrong |
|---|---|
| Deploy each individual rule manually per account | Doesn't scale and loses the simplified, standardized reporting/deployment conformance packs provide |
Requirement: Automatically fix a resource once it's found non-compliant
Keywords: auto-remediate; restore compliance
Expected Answer: Config remediation action (SSM Automation document)
| Distractor | Why it's wrong |
|---|---|
| Assume the Config rule itself fixes the resource | Rules only evaluate and flag; remediation is a separate, explicitly attached action |
Requirement: Get a single, multi-account/region view of overall compliance posture
Keywords: multi-account; centralized compliance view
Expected Answer: Config aggregator
| Distractor | Why it's wrong |
|---|---|
| Manually log into each account's Config console | Doesn't scale and defeats the purpose of an aggregator's consolidated view |
Security Controls Mapping & Integrations
4 — Controls Mapping
Detective (default mode)
Standard Config rule evaluation — flags non-compliant resources after they already exist
Preventive (proactive mode only)
Pre-deployment evaluation via CloudFormation hooks — the only scenario where Config genuinely blocks a non-compliant resource from being created
Remediation
SSM Automation documents attached as remediation actions bring non-compliant resources back into compliance automatically or with approval
Governance / Compliance
Conformance packs map controls to named frameworks (HIPAA, NIST, FedRAMP, CMMC); org-wide rule/pack deployment enforces consistent baselines
⚠️ Config rules do not guarantee compliance, by AWS's own documentation
They evaluate configurations periodically or on change, but they do not prevent users from taking non-compliant actions in detective mode. Only proactive mode, wired into a deployment pipeline, can actually block a non-compliant resource from being created.
5 — Integrations
AWS Systems Manager
What: SSM Automation documents power remediation actions
AWS Security Hub CSPM
What: Most Security Hub CSPM controls are implemented as Config service-linked rules, packaged into standardized, scored compliance standards (CIS, PCI DSS, NIST, FSBP); this is why Security Hub requires the Config recorder to be enabled
Relationship: Config is the generic, customizable rule engine; Security Hub CSPM is the standards-packaged, consumer-facing layer on top of it
AWS CloudFormation
What: Pre-create/pre-update hooks invoke proactive Config rules during stack deployment
Why: The mechanism that makes proactive mode's CI/CD gating possible
AWS Organizations
What: Organization-level conformance packs and individual rule management, deployable across all member accounts from a delegated administrator
Amazon SNS
What: Notifications on every configuration change and compliance state change
AWS Audit Manager
What: Can map its audit frameworks to Config conformance packs and export Config compliance evidence for formal audit reporting
Note: Audit Manager itself is transitioning to maintenance mode, closing to new customers April 30, 2026, with Config's own evidence-export tooling offered as the continued guidance
Costs, Limits & Quotas
Pricing Model
Configuration items: Billed per configuration item recorded
Rule evaluations: First 100,000 evaluations per region per month at $0.001 each (tiered pricing beyond), with proactive-mode evaluations counted separately
Conformance pack evaluations: First 100,000 conformance pack evaluations at $0.001 each, counted per rule evaluation within the pack
Common Cost Mistakes
- Enabling the configuration recorder for every resource type account-wide when only a subset is actually relevant to governance
- Deploying many overlapping conformance packs covering the same controls redundantly across accounts
- Not accounting for proactive-mode evaluations being billed separately from detective-mode evaluations of the same rule
Cost Optimization
- Scope the configuration recorder to relevant resource types rather than recording everything by default
- Use conformance packs instead of deploying dozens of individual rules separately, for both cost predictability and simplified management
- Centralize via Organizations-level deployment rather than duplicating identical rules/packs per account
Limits & Quotas
Scope: Regional; the configuration recorder is enabled per region
Managed rules: 200+, growing regularly (e.g. 75 new rules added March 2026)
Conformance pack availability: Supported in a defined set of regions; organization-level deployment supported in a defined (and recently expanded) set of regions
⚠️ Exam trap
Don't assume every new managed rule or conformance pack template is instantly available in every region — region availability for org-level deployment specifically has been an active expansion area, and a question testing this nuance expects you to know availability isn't universal by default.