Skip to main content

Auditing Resource Compliance with AWS Config

Hands-On Lab


Photo of Mark Richman

Mark Richman

AWS Training Architect II in Content





In this hands-on lab, we'll implement AWS Config rules and use Config for compliance auditing and remediation. We will configure compliance rules for evaluating EC2 instance type, if S3 versioning is enabled, EC2 instances in a VPC, and if CloudTrail is enabled. These rules will give you firsthand knowledge about how the AWS Config service works. We will then explore the configuration management aspect of Config.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Auditing Resource Compliance with AWS Config

In this hands-on lab, we'll implement AWS Config rules and use Config for compliance auditing and remediation.

Log in to the Environment

Log in to the live AWS environment with the cloud_user credentials provided.

Make sure you are using the N. Virginia (or us-east-1) AWS region throughout the lab.

Auditing Resource Compliance with AWS Config

Enable Config in the Account

  1. Navigate to the Config service.
  2. Click Get started.
  3. On the Settings page, check Record all resources supported in this region.
  4. Choose Create a bucket, and leave the default name.
  5. Do not check to create an SNS topic at this time.
  6. Check Create AWS Config service-linked role, and leave the default name.
  7. Click Next.
  8. On the AWS Config rules page, click Skip.
  9. On the Review page, click Confirm.

Configure Rules for Resources

  1. In the left-hand menu, click Rules.
  2. Click Add rule.
  3. Search for "cloudtrail".
  4. Select the cloudtrail-enabled card.
  5. Leave the default parameters, and click Save.
  6. Click Add rule.
  7. Search for "desired".
  8. Select the desired-instance-type card.
  9. In the Rule parameters section, enter a value of "t2.micro".
  10. Click Save.
  11. Click Add rule.
  12. Search for "ec2-instances".
  13. Select the ec2-instances-in-vpc card.
  14. Open the VPC console in a new browser tab to copy the VPC ID.
  15. Back in the Config browser tab, enter the VPC ID as the value under Rule parameters.
  16. Click Save.
  17. Click Add rule.
  18. Search for "s3-bucket".
  19. Select the s3-bucket-versioning-enabled card.
  20. Click Save.

Configure the Non-Compliant Resources to Comply

  1. Open S3 in another browser tab.
  2. Select the bucket listed to open it.
  3. Go to the Properties tab.
  4. Select the Versioning card.
  5. Click to Enable versioning.
  6. Click Save.
  7. Navigate to CloudTrail.
  8. Click Create trail.
  9. Name the trail (e.g., "MyTrail").
  10. Under Storage location, choose Create a new S3 bucket, and give it a unique name (e.g., "cloudtrail-" with a series of random numbers at the end).
  11. Click Create.

Re-Evaluate the Non-Compliant Rules in Config

  1. Navigate back to the Config tab.
  2. On the Rules page, select the S3 bucket rule.
  3. Choose Re-evaluate.
  4. Back on the Rules page, wait for the S3 rule to become compliant. (It could take about 10 minutes.)
  5. Now, select the CloudTrail rule.
  6. Choose Re-evaluate.
  7. Back on the Rules page, wait for the CloudTrail rule to become compliant.


Congratulations on completing this hands-on lab!