implementing-aws-config-rules-for-compliance

Implementing AWS Config rules for continuous compliance monitoring of AWS resources, deploying managed and custom rules aligned to CIS and PCI DSS frameworks, configuring automatic remediation with SSM Automation, and aggregating compliance data across accounts.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

implementing-aws-config-rules-for-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using implementing-aws-config-rules-for-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-aws-config-rules-for-compliance/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/implementing-aws-config-rules-for-compliance/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/implementing-aws-config-rules-for-compliance/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How implementing-aws-config-rules-for-compliance Compares

Feature / Agent	implementing-aws-config-rules-for-compliance	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Implementing AWS Config Rules for Compliance

## When to Use

- When establishing continuous compliance monitoring for AWS resources against regulatory standards
- When implementing automated detection and remediation of configuration drift
- When building a compliance dashboard across multiple AWS accounts using AWS Organizations
- When audit teams require evidence of continuous compliance rather than point-in-time assessments
- When deploying guardrails that detect non-compliant resources within minutes of creation

**Do not use** for real-time threat detection (use GuardDuty), for application vulnerability scanning (use Inspector), or for one-time compliance assessments (use Prowler for faster ad-hoc audits).

## Prerequisites

- AWS Config recording enabled in all target accounts and regions
- IAM role with `config:*`, `ssm:*`, and `lambda:*` permissions for rule management
- AWS Organizations with delegated administrator for Config aggregation
- S3 bucket for Config delivery channel and SNS topic for notifications
- CloudFormation StackSets or Terraform for multi-account rule deployment

## Workflow

### Step 1: Enable AWS Config Recording

Set up the Config recorder and delivery channel in each target account.

```bash
# Create S3 bucket for Config data
aws s3api create-bucket \
  --bucket config-compliance-data-ACCOUNT_ID \
  --region us-east-1

# Create Config service role
aws iam create-service-linked-role --aws-service-name config.amazonaws.com

# Start the Config recorder
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::ACCOUNT:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
  --recording-group allSupported=true,includeGlobalResourceTypes=true

# Set up delivery channel
aws configservice put-delivery-channel \
  --delivery-channel '{
    "name": "default",
    "s3BucketName": "config-compliance-data-ACCOUNT_ID",
    "snsTopicARN": "arn:aws:sns:us-east-1:ACCOUNT:config-notifications",
    "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}
  }'

# Start recording
aws configservice start-configuration-recorder --configuration-recorder-name default
```

### Step 2: Deploy Managed Config Rules for CIS Compliance

Enable AWS-managed Config rules that map to CIS AWS Foundations Benchmark controls.

```bash
# S3 bucket security rules
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
  "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-bucket-ssl-requests-only",
  "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY"}
}'

# IAM security rules
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "iam-root-access-key-check",
  "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "mfa-enabled-for-iam-console-access",
  "Source": {"Owner": "AWS", "SourceIdentifier": "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "iam-password-policy",
  "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"},
  "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\"}"
}'

# Network security rules
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "restricted-ssh",
  "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "vpc-flow-logs-enabled",
  "Source": {"Owner": "AWS", "SourceIdentifier": "VPC_FLOW_LOGS_ENABLED"}
}'

# Encryption rules
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "rds-storage-encrypted",
  "Source": {"Owner": "AWS", "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"}
}'

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "encrypted-volumes",
  "Source": {"Owner": "AWS", "SourceIdentifier": "ENCRYPTED_VOLUMES"}
}'
```

### Step 3: Create Custom Config Rules with Lambda

Build custom rules for organization-specific compliance requirements.

```python
# custom_config_rule.py - Ensure EC2 instances have required tags
import json
import boto3

config = boto3.client('config')

REQUIRED_TAGS = ['Environment', 'Owner', 'CostCenter', 'Project']

def lambda_handler(event, context):
    invoking_event = json.loads(event['invokingEvent'])
    configuration_item = invoking_event.get('configurationItem', {})

    if configuration_item['resourceType'] != 'AWS::EC2::Instance':
        return

    tags = {t['key']: t['value'] for t in configuration_item.get('tags', [])}
    missing_tags = [tag for tag in REQUIRED_TAGS if tag not in tags]

    if missing_tags:
        compliance = 'NON_COMPLIANT'
        annotation = f"Missing required tags: {', '.join(missing_tags)}"
    else:
        compliance = 'COMPLIANT'
        annotation = 'All required tags present'

    config.put_evaluations(
        Evaluations=[{
            'ComplianceResourceType': configuration_item['resourceType'],
            'ComplianceResourceId': configuration_item['resourceId'],
            'ComplianceType': compliance,
            'Annotation': annotation,
            'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
        }],
        ResultToken=event['resultToken']
    )
```

```bash
# Deploy the custom rule
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "ec2-required-tags",
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:ACCOUNT:function:config-required-tags",
    "SourceDetails": [{
      "EventSource": "aws.config",
      "MessageType": "ConfigurationItemChangeNotification"
    }]
  },
  "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]}
}'
```

### Step 4: Configure Automatic Remediation

Set up SSM Automation documents for automatic remediation of non-compliant resources.

```bash
# Auto-remediate public S3 buckets
aws configservice put-remediation-configurations --remediation-configurations '[{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "TargetType": "SSM_DOCUMENT",
  "TargetId": "AWS-DisableS3BucketPublicReadWrite",
  "Parameters": {
    "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::ACCOUNT:role/ConfigRemediationRole"]}}
  },
  "Automatic": true,
  "MaximumAutomaticAttempts": 3,
  "RetryAttemptSeconds": 60
}]'

# Auto-remediate unencrypted EBS volumes
aws configservice put-remediation-configurations --remediation-configurations '[{
  "ConfigRuleName": "encrypted-volumes",
  "TargetType": "SSM_DOCUMENT",
  "TargetId": "AWS-EnableEBSEncryptionByDefault",
  "Parameters": {
    "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::ACCOUNT:role/ConfigRemediationRole"]}}
  },
  "Automatic": true,
  "MaximumAutomaticAttempts": 1,
  "RetryAttemptSeconds": 300
}]'

# Auto-remediate security groups allowing SSH from 0.0.0.0/0
aws configservice put-remediation-configurations --remediation-configurations '[{
  "ConfigRuleName": "restricted-ssh",
  "TargetType": "SSM_DOCUMENT",
  "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
  "Parameters": {
    "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::ACCOUNT:role/ConfigRemediationRole"]}}
  },
  "Automatic": true,
  "MaximumAutomaticAttempts": 3,
  "RetryAttemptSeconds": 60
}]'
```

### Step 5: Set Up Multi-Account Aggregation

Aggregate compliance data from all organization accounts into a central view.

```bash
# Create a Config aggregator for the organization
aws configservice put-configuration-aggregator \
  --configuration-aggregator-name org-compliance-aggregator \
  --organization-aggregation-source '{
    "RoleArn": "arn:aws:iam::ACCOUNT:role/ConfigAggregatorRole",
    "AllAwsRegions": true
  }'

# Query aggregate compliance across all accounts
aws configservice get-aggregate-compliance-details-by-config-rule \
  --configuration-aggregator-name org-compliance-aggregator \
  --config-rule-name s3-bucket-public-read-prohibited \
  --compliance-type NON_COMPLIANT \
  --query 'AggregateEvaluationResults[*].[AccountId,AwsRegion,EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId,ComplianceType]' \
  --output table

# Get compliance summary by account
aws configservice get-aggregate-compliance-summary-by-source \
  --configuration-aggregator-name org-compliance-aggregator \
  --query 'AggregateComplianceCounts[*].[GroupName,ComplianceSummary.CompliantResourceCount.CappedCount,ComplianceSummary.NonCompliantResourceCount.CappedCount]' \
  --output table
```

## Key Concepts

| Term | Definition |
|------|------------|
| AWS Config Rule | A compliance check that evaluates whether AWS resource configurations meet specified requirements, either continuously or on a schedule |
| Managed Rule | AWS-provided pre-built Config rule with standardized logic for common compliance checks like encryption and public access |
| Custom Rule | Organization-specific Config rule backed by a Lambda function that evaluates custom compliance logic |
| Remediation Action | SSM Automation document or Lambda function triggered to automatically fix non-compliant resources |
| Configuration Aggregator | AWS Config feature that collects compliance data from multiple accounts and regions into a centralized view |
| Conformance Pack | Collection of Config rules and remediation actions packaged as a deployable unit for specific compliance frameworks |

## Tools & Systems

- **AWS Config**: Continuous configuration recording and compliance evaluation service for AWS resources
- **SSM Automation**: AWS Systems Manager documents for executing automated remediation actions on non-compliant resources
- **Config Conformance Packs**: Pre-built rule collections for CIS, PCI DSS, NIST 800-53, and HIPAA compliance
- **CloudFormation StackSets**: Multi-account deployment mechanism for Config rules across AWS Organizations
- **Config Aggregator**: Cross-account and cross-region compliance data consolidation

## Common Scenarios

### Scenario: Deploying CIS Compliance Monitoring Across 30 AWS Accounts

**Context**: A financial services company needs to demonstrate continuous CIS AWS Foundations Benchmark compliance across all 30 production accounts for their annual SOC 2 audit.

**Approach**:
1. Enable AWS Config recording in all accounts via CloudFormation StackSets
2. Deploy the CIS conformance pack to all accounts using StackSets
3. Set up a Config aggregator in the security account for organization-wide visibility
4. Configure auto-remediation for safe-to-fix rules (public S3, unencrypted volumes)
5. Create EventBridge rules to alert on new NON_COMPLIANT evaluations
6. Build a weekly compliance report aggregating scores across all accounts
7. Store Config snapshots in S3 with lifecycle policies for audit retention

**Pitfalls**: Config recording incurs costs per configuration item recorded. In accounts with many resources, costs can be significant. Use targeted recording groups to focus on compliance-relevant resource types rather than recording all resources. Auto-remediation of network rules (security groups) can disrupt applications if the rule was intentionally permissive.

## Output Format

```
AWS Config Compliance Report
===============================
Organization: Acme Financial (30 accounts)
Framework: CIS AWS Foundations 1.4
Report Date: 2026-02-23
Config Rules Active: 48

COMPLIANCE SUMMARY:
  Overall Compliance: 87%
  Compliant Resources:     4,234
  Non-Compliant Resources:   612
  Not Applicable:            189

TOP NON-COMPLIANT RULES:
  encrypted-volumes:              89 resources (14 accounts)
  vpc-flow-logs-enabled:          67 resources (12 accounts)
  mfa-enabled-for-iam-console:    45 resources (8 accounts)
  s3-bucket-ssl-requests-only:    34 resources (6 accounts)
  restricted-ssh:                 28 resources (5 accounts)

AUTO-REMEDIATION (Last 30 Days):
  Public S3 buckets remediated:    12
  Security groups restricted:       8
  EBS default encryption enabled:   6
  Total auto-remediated:           26
  Failed remediation attempts:      3

ACCOUNT COMPLIANCE RANKING:
  1. prod-core (account-001):     96% compliant
  2. prod-data (account-002):     94% compliant
  ...
  30. dev-sandbox (account-030):  68% compliant
```

Related Skills

Writing Hookify Rules

from plurigrid/asi

This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.

tizen-security-compliance

from plurigrid/asi

Maps security requirements to implementation. Coordinates compliance against FIPS 140-3, OCF, CommonCriteria, and Tizen specification.

tizen-compliance-checker

from plurigrid/asi

Validates Tizen app compliance with TCT (Tizen Compliance Tests). Checks conformance to IoT, TV, or mobile profiles.

testing-cors-misconfiguration

from plurigrid/asi

Identifying and exploiting Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-domain data access and credential theft during security assessments.

spec-to-code-compliance

from plurigrid/asi

Verifies code implements exactly what documentation specifies for blockchain audits. Use when comparing code against whitepapers, finding gaps between specs and implementation, or performing compliance checks for protocol implementations.

remediating-s3-bucket-misconfiguration

from plurigrid/asi

This skill provides step-by-step procedures for identifying and remediating Amazon S3 bucket misconfigurations that expose sensitive data to unauthorized access. It covers enabling S3 Block Public Access at account and bucket levels, auditing bucket policies and ACLs, enforcing encryption, configuring access logging, and deploying automated remediation using AWS Config and Lambda.

performing-threat-hunting-with-yara-rules

from plurigrid/asi

Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.

performing-ssl-tls-inspection-configuration

from plurigrid/asi

Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for threat detection while managing certificates, exemptions, and privacy compliance.

implementing-zero-trust-with-hashicorp-boundary

from plurigrid/asi

Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.

implementing-zero-trust-with-beyondcorp

from plurigrid/asi

Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.

implementing-zero-trust-network-access

from plurigrid/asi

Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.

implementing-zero-trust-for-saas-applications

from plurigrid/asi

Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for cloud-hosted services.