AWS Config

Continuous resource-configuration compliance.

📖 Official AWS documentation ↗📰 Official AWS blog ↗

What is it?

A service that records the configuration of your resources over time and evaluates them against rules — flagging, for example, an unencrypted SageMaker notebook or a public S3 bucket the moment it appears.

💡 Why does it exist?

Policies on paper drift from reality in the console. Config makes compliance CONTINUOUS: every resource change is recorded, evaluated, and optionally auto-remediated.

⏱️ When should you use it?

Use it to enforce AI-governance baselines: notebooks must be encrypted and VPC-attached, buckets must block public access, endpoints must use approved instance types.

🗺️ Where does it fit?

Account governance layer: the recorder watches resource changes; rules evaluate them; findings aggregate to Security Hub and can trigger SSM remediation documents.

🔌 How do you integrate it?

Enable the recorder, deploy managed rules (dozens are SageMaker/S3-specific) or custom Lambda rules, group them into conformance packs, and attach auto-remediation where safe.

🧩 Commonly integrated with

AWS Security HubAWS Systems ManagerAmazon SNSAWS CloudTrail

🎯 Exam angle (AIF-C01)

📚 Study it in a learning path

SCS-C03Security Engineering on AWSFlashcards, notes & quizzes covering this service →AIF-C01AWS AI PractitionerFlashcards, notes & quizzes covering this service →

More in Security & Governance

AWS IAMAWS KMSAmazon MacieAWS CloudTrail