AWS Config: What It Is and When to Use It
Definition
AWS Config is a fully managed service that provides a detailed inventory of your AWS resources, tracks their configurations, and records how they have changed over time. It solves the critical governance and compliance need to continuously monitor, assess, and audit resource configurations against desired policies, enabling automated compliance checking, security analysis, and operational troubleshooting.
How It Works
AWS Config operates by discovering resources in your account, recording their configurations, and evaluating them against a set of rules. This process provides a complete picture of your compliance posture and a historical record of all configuration changes.
- Resource Discovery and Recording: The process begins when you enable the Configuration Recorder. This component discovers supported AWS resources in your account and generates a Configuration Item (CI) for each one. A CI is a point-in-time JSON file containing the resource's identity, metadata, tags, relationships to other resources, and its complete configuration.
- Tracking Changes: Once the initial inventory is complete, the recorder continuously detects configuration changes. When a change occurs (e.g., a security group rule is modified), AWS Config records a new CI. This creates a detailed Configuration History for each resource, which is delivered to a specified Amazon Simple Storage Service (Amazon S3) bucket.
- Compliance Evaluation with AWS Config Rules: The core of AWS Config's evaluation capability lies in AWS Config Rules. These rules represent your desired configuration settings. When a resource's configuration changes, AWS Config evaluates it against the relevant rules. The result is a compliance status: COMPLIANT or NON_COMPLIANT. There are two types of rules:
  - Managed Rules: Pre-built, customizable rules provided by AWS for common security and operational best practices, such as checking for unrestricted SSH access or ensuring Amazon S3 buckets have encryption enabled.
  - Custom Rules: Rules you define using AWS Lambda functions or Guard, a policy-as-code language, for organization-specific requirements.
- Aggregation and Visibility: For organizations with multiple accounts, Aggregators can be configured to centralize configuration and compliance data into a single dashboard. This provides an enterprise-wide view of your compliance posture.
- Automated Remediation: While AWS Config is primarily a detective control, it can initiate automated remediation for non-compliant resources. This is achieved by configuring a remediation action that triggers an AWS Systems Manager (SSM) Automation document or a custom Lambda function to correct the misconfiguration.
- Conformance Packs: To simplify deployment at scale, you can bundle a collection of AWS Config rules and remediation actions into a single entity called a Conformance Pack. These packs, defined in a YAML template, can be deployed across an entire AWS Organization to enforce a common compliance baseline, often mapped to frameworks like PCI-DSS or the AWS Well-Architected Framework.
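The custom-rule path described above (a Lambda function that receives a Configuration Item and reports COMPLIANT or NON_COMPLIANT back to AWS Config) is easiest to see in code. The following is an added illustration written for this article, not code provided by AWS: it implements the "unrestricted SSH" check that the managed rules also offer, keeping the evaluation logic separate from the Lambda handler so it can be tested offline against a constructed Configuration Item. The field names follow the public shape of the AWS::EC2::SecurityGroup configuration block and the Lambda event AWS Config sends; the sample group ID and CIDRs are invented, and the optional `port` rule parameter is an assumption of this example.

```python
"""Custom AWS Config rule (Lambda) flagging security groups that expose SSH to the world.

Added illustration for this article; not AWS-provided code. The pure evaluation
functions run offline, while lambda_handler is the entry point AWS Config invokes.
"""
from __future__ import annotations

import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if one ipPermissions entry covers `port` over TCP or over all protocols ('-1')."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto.lower() != "tcp":
        return False
    from_port, to_port = perm.get("fromPort"), perm.get("toPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def _open_to_world(perm: dict) -> bool:
    """Check every CIDR shape the security group configuration block can carry."""
    ipv4 = set(perm.get("ipRanges", [])) | {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    ipv6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return ANY_IPV4 in ipv4 or ANY_IPV6 in ipv6


def evaluate_security_group(configuration: dict, port: int = SSH_PORT) -> tuple[str, str]:
    """Return (complianceType, annotation) for one security group's configuration block."""
    offending = [
        p for p in configuration.get("ipPermissions", [])
        if _rule_covers_port(p, port) and _open_to_world(p)
    ]
    if offending:
        return "NON_COMPLIANT", f"{len(offending)} inbound rule(s) expose TCP/{port} to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"No inbound rule exposes TCP/{port} to the internet"


def evaluate_configuration_item(ci: dict, rule_parameters: dict | None = None) -> dict:
    """Build the Evaluation entry for PutEvaluations from a Configuration Item (CI)."""
    rule_parameters = rule_parameters or {}
    port = int(rule_parameters.get("port", SSH_PORT))  # 'port' parameter is this example's assumption
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates security groups"
    elif ci.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Resource deleted"  # deleted resources must not be left NON_COMPLIANT
    else:
        compliance, note = evaluate_security_group(ci.get("configuration") or {}, port)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Annotation is limited to 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point AWS Config invokes: parse invokingEvent, evaluate, report via PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized and scheduled notifications carry no CI; they need a config-history lookup first.
        return None
    evaluation = evaluate_configuration_item(invoking_event["configurationItem"], rule_parameters)
    import boto3  # imported here so the evaluation logic above can be tested without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample CI: shape follows Config's security group schema, values are invented.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2026-01-15T10:00:00.000Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": ["10.0.0.0/8"], "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
             "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ]
    },
}

if __name__ == "__main__":
    print(json.dumps(evaluate_configuration_item(SAMPLE_CI), indent=2))
```

The second sample rule is the kind of finding that is easy to miss with a naive `fromPort == 22` check: it opens a port range (20 to 25) that merely contains SSH. The function also returns NOT_APPLICABLE for deleted resources, which matters because a rule that leaves a deleted resource marked NON_COMPLIANT produces stale findings in the compliance dashboard.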
Key Features and Limits
- Resource Inventory & History: Provides a complete inventory of AWS resources and a detailed history of their configurations.
- Continuous Compliance Auditing: Automatically evaluates resource configurations against managed or custom rules.
- Multi-Account, Multi-Region Aggregation: Centralizes configuration and compliance data from multiple accounts and regions into a single view.
- Conformance Packs: Simplifies the deployment and management of compliance rules and remediation actions at scale across an AWS Organization.
- Automated Remediation: Can automatically trigger actions to fix non-compliant resources.
- Change Tracking and Troubleshooting: Helps correlate configuration changes with operational issues.
- Broad Resource Coverage: As of early 2026, AWS Config supports hundreds of resource types across a wide range of AWS services, with new types added regularly.
- Service Quotas (Limits): As of 2026, key default quotas include a maximum of 400 AWS Config rules per account per region. These limits can often be increased upon request.
Common Use Cases
- Compliance Auditing and Reporting: AWS Config is the foundational service for auditing your environment against internal policies (e.g., all Amazon EBS volumes must be encrypted) or external regulations (e.g., HIPAA, PCI-DSS). It provides the necessary evidence and history for auditors.
- Security Analysis and Incident Response: When a security incident occurs, security teams can use AWS Config's history to investigate what changed, when, and how a resource was configured at the time of the event. For example, they can identify when a security group was improperly opened to the internet.
- Change Management: By tracking every configuration change, AWS Config provides a complete audit trail. This helps architects and developers understand the relationships between resources and assess the potential impact of a change before it is made.
- Operational Troubleshooting: When an application fails, operations teams can quickly review recent configuration changes to identify the root cause. For instance, a change to a Virtual Private Cloud (VPC) route table or a network access control list (NACL) could be the source of a connectivity issue.
- Cost Optimization: Advanced queries in AWS Config can be used to identify underutilized or unattached resources, such as Amazon EBS volumes that are not connected to any Amazon EC2 instance, helping to reduce waste.
Pricing Model
AWS Config uses a pay-as-you-go model with no upfront fees. Costs are primarily driven by three dimensions, and they can scale quickly in large, dynamic environments.
- Configuration Items (CIs) Recorded: You are charged for each CI recorded in your account. The price varies based on the recording method: continuous recording (real-time) is priced per CI, while periodic recording (daily snapshots) has a different per-CI price.
- AWS Config Rule Evaluations: You pay for each evaluation of a resource against a rule. The price is tiered, becoming cheaper per evaluation at higher volumes.
- Conformance Pack Evaluations: Each rule evaluation within a conformance pack is also charged, following the same tiered pricing model as individual rule evaluations.
Additional costs may be incurred for underlying services, such as Amazon S3 for storing configuration history, Amazon Simple Notification Service (SNS) for notifications, and AWS Lambda for custom rules and remediation actions.
Pros and Cons
Pros:
- Deep Visibility: Provides unparalleled insight into the configuration state and history of AWS resources.
- Automated Governance: Enables automated, continuous compliance checking, reducing manual audit effort.
- Strong Integration: Integrates deeply with AWS Organizations, AWS Security Hub, and AWS Systems Manager for enterprise-wide governance and remediation.
- Essential for Audits: Creates a comprehensive audit trail that is critical for security investigations and regulatory compliance.
Cons:
- Cost Management: Costs can become significant in large or highly dynamic environments due to the per-item and per-evaluation pricing model. Careful scoping of recorded resources and rules is necessary.
- Detective, Not Preventive: By default, AWS Config is a detective control; it reports on non-compliance after it occurs. While it can trigger remediation, it does not inherently prevent misconfigurations. Preventive controls are better handled by AWS IAM policies and Service Control Policies (SCPs).
- Complexity at Scale: Managing custom rules, remediation logic, and conformance packs across a large organization requires careful planning and expertise.
Comparison with Alternatives
AWS Config vs. AWS CloudTrail
This is the most common point of confusion. The two services are complementary and answer different questions:
- AWS Config: Answers "What does my resource look like?" and "Is it compliant?". It records the state of a resource and its configuration history.
- AWS CloudTrail: Answers "Who did what, when, and from where?". It is an audit log of all API activity across your account.
- Example: CloudTrail would log the RunInstances API call made by a specific IAM user. AWS Config would then record the resulting EC2 instance as a new Configuration Item and evaluate it against rules (e.g., checking if its EBS volumes are encrypted).
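The "complementary, not competing" relationship above, and the incident-response use case from the Common Use Cases section, come down to joining the two records on a resource ID and a timestamp: CloudTrail supplies the actor, source IP and API call, and Config's configuration history supplies the state before and after. The following is an added example written for this article, not code from AWS: it takes a constructed CloudTrail record for AuthorizeSecurityGroupIngress and a constructed two-item Config history for the same security group, locates the CIs on either side of the API call, and diffs their inbound rules. Both samples follow the public CloudTrail event and Configuration Item shapes, but every ID, user name, IP and time is invented.

```python
"""Correlate a CloudTrail record (who, when, from where) with AWS Config history (what state).

Added illustration for this article; not AWS code. Both inputs are constructed samples.
"""
from __future__ import annotations

import json
from datetime import datetime

# Constructed CloudTrail record: an IAM user added an inbound rule to a security group.
CLOUDTRAIL_RECORD = {
    "eventTime": "2026-01-15T09:58:41Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "example-dev"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
}

# Constructed Config history for that group: the CI before the change and the CI after it.
CONFIG_HISTORY = [
    {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2026-01-14T08:00:00.000Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]}},
    {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2026-01-15T10:00:00.000Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
]


def _parse_time(value: str) -> datetime:
    """CloudTrail writes '...Z' without fractions; Config adds milliseconds. Both parse here."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _rule_keys(configuration: dict) -> set[tuple]:
    """Flatten ipPermissions into hashable (proto, from, to, cidr) tuples so sets can be diffed."""
    keys = set()
    for perm in configuration.get("ipPermissions", []):
        for cidr in perm.get("ipRanges", []):
            keys.add((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return keys


def find_state_around_event(history: list[dict], event_time: datetime) -> tuple[dict | None, dict | None]:
    """Return the last CI captured at or before the API call and the first CI captured after it."""
    ordered = sorted(history, key=lambda ci: _parse_time(ci["configurationItemCaptureTime"]))
    before = [ci for ci in ordered if _parse_time(ci["configurationItemCaptureTime"]) <= event_time]
    after = [ci for ci in ordered if _parse_time(ci["configurationItemCaptureTime"]) > event_time]
    return (before[-1] if before else None), (after[0] if after else None)


def correlate(record: dict, history: list[dict]) -> dict:
    """Answer both questions at once: who changed the resource (CloudTrail) and how it changed (Config)."""
    event_time = _parse_time(record["eventTime"])
    resource_id = record["requestParameters"]["groupId"]
    resource_history = [ci for ci in history if ci["resourceId"] == resource_id]
    before, after = find_state_around_event(resource_history, event_time)
    old_rules = _rule_keys(before["configuration"]) if before else set()
    new_rules = _rule_keys(after["configuration"]) if after else set()
    added = new_rules - old_rules
    return {
        "resourceId": resource_id,
        "actor": record["userIdentity"].get("userName") or record["userIdentity"].get("arn"),
        "sourceIp": record["sourceIPAddress"],
        "apiCall": record["eventName"],
        "eventTime": record["eventTime"],
        "rulesAdded": sorted(added),
        "rulesRemoved": sorted(old_rules - new_rules),
        "exposedToInternet": any(k[3] in ("0.0.0.0/0", "::/0") for k in added),
    }


if __name__ == "__main__":
    print(json.dumps(correlate(CLOUDTRAIL_RECORD, CONFIG_HISTORY), indent=2))
```

Neither source alone answers the question an investigator actually asks. The CloudTrail record names the user and the call but does not show the group's resulting rule set, and the Config history shows the rule set but not who changed it; the join produces the "example-dev added a 0.0.0.0/0 rule on port 22 at 09:58" statement that goes into an incident timeline. In a real account the two inputs would come from the CloudTrail log files in S3 (or Lake) and from the Config `GetResourceConfigHistory` API rather than from the constructed lists here.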
AWS Config vs. AWS Security Hub
- AWS Config: Is a foundational data source that performs detailed configuration checks and generates compliance findings.
- AWS Security Hub: Is a centralized security posture management service. It aggregates findings from multiple AWS services—including AWS Config, Amazon GuardDuty, and Amazon Inspector—and third-party tools into a single pane of glass. Security Hub consumes findings from AWS Config to contribute to its overall security score and compliance checks.
Exam Relevance
AWS Config is a key topic on several AWS certification exams, particularly those focused on architecture, security, and operations.
- Certifications: AWS Certified Solutions Architect (Associate and Professional), AWS Certified SysOps Administrator - Associate, and especially the AWS Certified Security - Specialty.
- Key Topics: Examinees must understand the core purpose of AWS Config, be able to clearly differentiate it from AWS CloudTrail, and know its primary use cases for compliance, auditing, and troubleshooting. Key concepts include Configuration Items (CIs), managed vs. custom rules, conformance packs, and the role of automated remediation.
Frequently Asked Questions
Q: Does AWS Config prevent users from making non-compliant changes?
A: No, not by default. AWS Config is a detective control that reports on non-compliant configurations after they happen. However, you can configure automated remediation actions using AWS Systems Manager Automation documents to automatically correct a resource that is flagged as non-compliant. For preventive controls, you should use AWS IAM policies, Service Control Policies (SCPs) in AWS Organizations, or VPC endpoint policies.
Q: What is the difference between AWS Config and AWS CloudTrail?
A: They answer different fundamental questions. AWS CloudTrail is an audit log of API calls that answers, "Who made an API call to change this resource, when, and from where?". AWS Config records the state of the resource itself over time, answering, "What did the resource's configuration look like before and after the change, and is the new state compliant with my rules?". They are best used together for a complete picture of activity and state.
Q: Can I track the configuration of software inside my EC2 instances?
A: Yes. While AWS Config natively tracks the configuration of the EC2 instance resource itself (e.g., instance type, security groups), you can extend its visibility to the guest operating system. By using the AWS Systems Manager agent and integrating with AWS Config, you can record software configurations, network settings, and application versions inside your EC2 instances and on-premises servers.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.