AWS Config
Continuous resource-configuration compliance.
❓ What is it?
A service that records the configuration of your resources over time and evaluates them against rules — flagging, for example, an unencrypted SageMaker notebook or a public S3 bucket the moment it appears.
💡 Why does it exist?
Policies on paper drift from reality in the console. Config makes compliance CONTINUOUS: every resource change is recorded, evaluated, and optionally auto-remediated.
⏱️ When should you use it?
Use it to enforce AI-governance baselines: notebooks must be encrypted and VPC-attached, buckets must block public access, endpoints must use approved instance types.
🗺️ Where does it fit?
Account governance layer: the recorder watches resource changes; rules evaluate them; findings aggregate to Security Hub and can trigger SSM remediation documents.
🔌 How do you integrate it?
Enable the recorder, deploy managed rules (dozens are SageMaker/S3-specific) or custom Lambda rules, group them into conformance packs, and attach auto-remediation where safe.
🧩 Commonly integrated with
🎯 Exam angle (AIF-C01)
- Config = WHAT the resource configuration is (and was); CloudTrail = WHO changed it. They answer different audit questions.
- "Continuously check that ML resources meet policy" → Config rules / conformance packs.