hands-on lab

Compliance Check Using AWS Config Rules (Managed & Custom)

Up to 2h
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


AWS Config is a powerful tool in your security and governance toolkit. AWS Config can record and track changes to the configuration of many types of resources in AWS. Config Rules can be used to monitor compliance with your security and governance policies. You can leverage AWS Config managed rules to quickly get started with compliance checking of common policies. You are also able to write custom rules to cover whatever policy you care to enforce. In this lab, you will get hands-on experience with managed and custom AWS Config rules.

Learning Objectives

Upon completion of this lab you will be able to:

  • Configure the configuration recorder to AWS resources
  • Track and audit security changes using AWS Config
  • Explore the integration between AWS Config and CloudTrail
  • Use managed and custom rules to check compliance
  • Analyze and correct non-compliant resources


You should be familiar with the following:

  • EC2 Security Groups basics
  • CloudTrail and AWS Lambda basics will be helpful but not required

The following courses can be used to fulfill the prerequisites:


June 4th, 2024 - Updated lab to use AWS CloudFormation Guard

February 6th, 2024 - Updated instructions, screenshots, and code to improve the experience

December 18th, 2023 - Updated the instructions and screenshots to reflect the latest UI

October 25th, 2023 - Resolved AWS Config issue

October 23rd, 2023 - Updated the instructions and screenshots to reflect the latest UI

June 23rd, 2023 - Resolved deprecation warning

January 11th, 2023 - Updated screenshots & instructions to reflect latest UI

November 7th, 2022 - Updated PB to create the S3 bucket during lab environment deployment to resolve AWS Config enablement issue

October 13th, 2022 - Resolved deployment issue

August 3rd, 2022 - Resolved deployment issue

June 24th, 2022 - Updated lab configuration to match upcoming change from AWS

February 1st, 2022 - Updated screenshot for the custom rule port parameter

January 10th, 2022 - Updated instructions and screenshots to reflect the latest UI

August 31st, 2021 - Update the instructions to reflect the latest AWS Config experience

March 29th, 2021 - Updated screenshots and instructions to reflect the latest AWS Config user-interface changes

March 11th, 2021 - Updated AWS Lambda instructions to reflect the latest user-interface changes

November 10th, 2020 - Added screenshots to more easily follow along with managing tags of the lab's security group

October 29th, 2020 - Updated the lab to reflect the latest AWS Console experience

July 2nd, 2019 - Refactored part of the provisioning script to improve Lab maintainability

March 13th, 2019 - Updated Lab IAM permissions to work with the new AWS Config integration with AWS Systems Manager Automation for automatic remediation. Updated instructions to explain how Systems Manager Automation can automatically remedy rule violations.

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

September 6th, 2018 - Updated Lab IAM permissions to work with the new AWS Config requirements. Updated instructions and screenshots.

July 30th, 2018 - Updated all instructions and images to match the new AWS Console experience

Environment before

Environment after

About the author

Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Learning paths

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Setting up the Configuration Recorder
Working with AWS Config Managed Rules
Analyzing and Remedying a Noncompliant Resource
Working with AWS Config Custom Rules