AWS Security Blog

Category: AWS Config

Duplicate Detection

Discover duplicate AWS Config rules for streamlined compliance

Amazon Web Services (AWS) customers use various AWS services to migrate, build, and innovate in the AWS Cloud. To align with compliance requirements, customers need to monitor, evaluate, and detect changes made to AWS resources. AWS Config continuously audits, assesses, and evaluates the configurations of your AWS resources. AWS Config rules continuously evaluate your AWS […]

Resources deployed in the customer environment by the solution

Governing and securing AWS PrivateLink service access at scale in multi-account environments

Amazon Web Services (AWS) customers have been adopting the approach of using AWS PrivateLink to have secure communication to AWS services, their own internal services, and third-party services in the AWS Cloud. As these environments scale, the number of PrivateLink connections outbound to external services and inbound to internal services increase and are spread out […]

Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services

October 13, 2021: We’ve added a section on redacting and transforming personally identifiable information with Amazon S3 Object Lambda. In this post, we describe the AWS services that you can use to both detect and protect your data stored in Amazon Simple Storage Service (Amazon S3). When you analyze security in depth for your Amazon […]

How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager

With the AWS Config service, you can assess, audit, and evaluate the configuration of your Amazon Web Services (AWS) resources. AWS Config continuously monitors and records your AWS resource configurations changes, and enables you to automate the evaluation of those recordings against desired configurations. Not only can AWS Config monitor and detect deviations from desired […]

How to use AWS Config to determine compliance of AWS KMS key policies to your specifications

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. One of the top security methodologies is the principle of least privilege, which is the […]

How to perform automated incident response in a multi-account environment

How quickly you respond to security incidents is key to minimizing their impacts. Automating incident response helps you scale your capabilities, rapidly reduce the scope of compromised resources, and reduce repetitive work by security teams. But when you use automation, you also must manage exceptions to standard response procedures. In this post, I provide a […]

How to track changes to secrets stored in AWS Secrets Manager using AWS Config and AWS Config Rules

On April 20th, AWS Config announced support for AWS Secrets Manager, making it easier to track configuration changes to the secrets you manage in AWS Secrets Manager. You can now use AWS Config to track changes to secrets’ metadata — such as secret description and rotation configuration, relationship to other AWS sources such as the […]

Enable automatic logging of web ACLs by using AWS Config

In this blog post, I will show you how to use AWS Config, with its auto-remediation functionality, to ensure that all web ACLs have logging enabled. The AWS CloudFormation template included in this blog post will facilitate this solution, and will get you started being able to manage web ACL logging at scale. AWS Firewall […]

How to import AWS Config rules evaluations as findings in Security Hub

August 10, 2022: The content in this blog post is no longer up-to-date. AWS Security Hub now automatically receives AWS Config managed and custom rule evaluation results as security findings. Please see the feature announcement and the documentation for more details. You no longer need the custom solution described in this blog post to import […]

Continuously monitor unused IAM roles with AWS Config

February 19, 2024: You can now use IAM Access Analyzer to easily identify unused roles. Read this blog post to learn more. January 6, 2021: We updated this post to fix a bug related to allow listing noncompliant roles. January 6, 2020: We updated this post to reflect a valid STS session duration if configured […]