Implementing Continuous Compliance with AWS Config and AWS Audit Manager: Part 1

Table of Contents

Introduction

As enterprises migrate workloads to the cloud, security and compliance become increasingly complex. Ensuring continuous adherence to internal policies and external regulatory standards like PCI-DSS, HIPAA, or ISO 27001 requires robust visibility, enforcement, and automation.

This blog post walks you through implementing continuous compliance in AWS using AWS Config, AWS Config Rules, Auto Remediation, AWS Audit Manager, and CloudWatch Dashboards. By the end, you’ll have an automated pipeline that detects non-compliant resources, remediates them, tracks trends over time, and simplifies audit readiness.

Use Case

Let’s say your organization has the following requirements:

  • All S3 buckets must block public access
  • EC2 instances must be of approved instance types only
  • Root account must have MFA enabled
  • RDS databases must not be publicly accessible
  • Periodic audit reports are needed for ISO 27001 compliance

We’ll demonstrate how to enforce and automate checks for these using AWS Config and Audit Manager.

Architecture Overview

The continuous compliance workflow is built around an automated pipeline leveraging core AWS services. Here’s how each component fits into the process:

  1. Resource Creation or Modification: Any change in AWS infrastructure (like creating an EC2 instance or modifying an S3 bucket) is automatically tracked.
  2. AWS Config Evaluation: AWS Config continuously records resource configurations and evaluates them against predefined rules. These rules enforce organizational policies such as blocking public S3 buckets or ensuring MFA is enabled for root users.
  3. Config Rules Trigger: When a resource configuration is detected, it is evaluated by AWS Config Rules (both managed and custom). If the configuration is compliant, it’s logged as such. If not, the system flags the resource as NON_COMPLIANT.
  4. Automated Remediation (via AWS Systems Manager or Lambda): For non-compliant resources, automated remediation actions are triggered. These use AWS Systems Manager (SSM) automation documents or Lambda functions to correct the issues without manual intervention.
  5. Compliance Insights in Amazon CloudWatch: All evaluation results and remediation statuses are logged and visualized through Amazon CloudWatch Dashboards. These dashboards provide real-time visibility into compliance posture across services and accounts.
  6. Audit Reporting via AWS Audit Manager: To meet regulatory and internal audit requirements, AWS Audit Manager continuously collects evidence from AWS Config and related services. It compiles audit-ready reports aligned with standards like ISO 27001, HIPAA, and PCI-DSS.

This flow ensures an end-to-end automated compliance and governance mechanism — from detection and remediation to monitoring and audit readiness — with minimal manual oversight.

Please find architecture diagram as below:

How AWS Audit Manager Integrates with AWS Config

Audit Manager Pulls Evidence from AWS Config

Audit Manager has prebuilt and custom frameworks that define which AWS services to collect evidence from.

  • When you enable a framework (e.g., AWS Default Framework or ISO 27001), Audit Manager creates control sets.
  • For controls that depend on AWS Config (such as “S3 buckets should block public access”), Audit Manager uses AWS Config as an evidence source.

Example: If s3-bucket-public-read-prohibited rule is enabled in Config, Audit Manager pulls its compliance evaluations as evidence for relevant controls.

Controls Use Config Rule Compliance Status

When a control in Audit Manager is mapped to a Config rule, it:

  • Automatically tracks whether resources are compliant or not.
  • Pulls the last compliance evaluation (via AWS Config’s API).
  • Generates reports/audit-ready evidence from these evaluations.

No Manual Wiring Needed

The integration is native. Once you:

  • Enable AWS Config
  • Enable Audit Manager
  • Choose a framework (like ISO, NIST, or custom),
    …Audit Manager automatically links to the Config rules it needs.

Process Overview: Enabling Continuous Compliance in AWS

Step 1: Enable AWS Config

  1. Go to the AWS Console → AWS Config
  2. Click “Set up” (first time setup)
  3. Choose to record all resources in all regions
  4. Set up a dedicated S3 bucket for Config logs
  5. Enable AWS Config Recorder and Delivery Channel

Tip: Enable in all regions to avoid compliance gaps across regional resources

Step 2: Add AWS Managed Config Rules

Navigate to AWS Config > Rules > Add Rule and add the following managed rules as well as custom rules:

Rule NameDescriptionType
s3-bucket-public-read-prohibitedEnsures S3 buckets block public readManaged
ec2-instance-type-checkEC2 only uses approved instance typesCustom (see below)
root-account-mfa-enabledRoot user must have MFA enabledManaged
rds-instance-public-access-checkRDS should not be publicly accessibleManaged

Step 3: Add Custom Config Rule

For custom rules (like approved EC2 types), we’ll use AWS Lambda and a custom rule trigger.

Example: EC2 Type Enforcement

Create the Lambda Function

  1. Go to the AWS Lambda console.
  2. Click Create function → choose Author from scratch.
  3. Set:
    • Function name: checkApprovedEC2InstanceTypes
    • Runtime: Python 3.9
    • Role: Choose or create a role with AWSConfigRulesExecutionRole permissions
  4. Click Create function.
  5. Use the following sample Python code:
import boto3, json
def lambda_handler(event, context):
    config = boto3.client('config')
    invoking_event = json.loads(event['invokingEvent'])
    configuration_item = invoking_event['configurationItem']
    instance_id = configuration_item['resourceId']
    instance_type = configuration_item['configuration']['instanceType']
    
    allowed_types = ['t3.micro', 't3.small']
    compliance_type = 'COMPLIANT' if instance_type in allowed_types else 'NON_COMPLIANT'

    config.put_evaluations(
        Evaluations=[
            {
                'ComplianceResourceType': configuration_item['resourceType'],
                'ComplianceResourceId': instance_id,
                'ComplianceType': compliance_type,
                'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
            },
        ],
        ResultToken=event['resultToken']
    )

Add Permissions

Ensure the Lambda function has the following IAM policy permissions:

  • config:PutEvaluations
  • logs:* (for debugging)
  • ec2:DescribeInstances (if needed)

Attach the AWSConfigRulesExecutionRole managed policy or equivalent.

Create Custom AWS Config Rule

  1. Go to AWS Config → Rules → Click Add rule.
  2. Choose Add custom rule.
  3. Enter:
    • Name: approved-ec2-instance-types
    • Trigger type: Configuration changes
    • Scope of changes: EC2:Instance
  4. Specify the Lambda function ARN created earlier.
  5. Set evaluation frequency if required (optional).
  6. Save.

Step 4: Setup Automatic Remediation with SSM or Lambda

  1. Go to AWS Config > Rules > Remediation
  2. Choose the rule (e.g., s3-bucket-public-read-prohibited)
  3. Select Remediation action:
    • Action: AWSConfigRemediation-ConfigureS3PublicAccessBlock (or create custom)

Below are the screenshots to assist you with the setup:

Step 5: Configure AWS Audit Manager

  1. Go to AWS Audit Manager
  2. Choose Frameworks > Create Assessment
  3. Select a standard (e.g., ISO 27001, HIPAA, or custom)
  4. Add control sets and AWS Config as a data source
  5. Select relevant accounts, services, and define the scope
  6. Launch assessment – Audit Manager now collects evidence automatically (like rule compliance logs, resource snapshots, etc.)

Audit Manager continuously gathers data, reducing manual evidence gathering during audits.

Step 6: Create a Compliance Dashboard (CloudWatch)

Why?

Dashboards make compliance visual, actionable, and easy to monitor. Once AWS Config is enabled, it automatically sends some standard metrics to CloudWatch under the namespace: AWS/Config. These include:

Metric NameDescriptionDimensions
ComplianceChangeCountNumber of compliance state changes (e.g., from COMPLIANT to NON_COMPLIANT)RuleName, ConfigRuleArn, ResourceType
EvaluationResultCountNumber of evaluation results reported by rulesComplianceType, ConfigRuleArn
NonCompliantResourceCountNumber of non-compliant resources per ruleRuleName, ResourceType, ConfigRuleArn
ConfigRuleEvaluationsNumber of times a rule evaluated a resourceConfigRuleArn

Here’s what you can confidently show based on AWS Config’s built-in metrics:

WidgetMetric SourceVisualization
Total compliant vs non-compliantEvaluationResultCountPie chart
Compliance trend over timeComplianceChangeCountLine graph (time series)
Top 5 non-compliant rulesNonCompliantResourceCountHorizontal bar chart
Rule evaluation frequencyConfigRuleEvaluationsBar chart

Below are the screenshot of CloudWatch dashboard for your reference(wait for some datapoints in metrics):

Conclusion

Implementing continuous compliance using AWS Config, Audit Manager, and related services offers a scalable, automated way to maintain security and meet regulatory requirements. With real-time checks, auto-remediation, audit-ready reporting, and visual dashboards, your cloud environment becomes easier to govern and more resilient to misconfigurations.

Next Steps

To extend this setup, consider integrating with other AWS security services such as AWS Security Hub, AWS GuardDuty, and AWS Detective for deeper threat visibility, correlation of findings, and a unified security posture across your AWS accounts.

About the Author

Deepali Sonune is a DevOps engineer with 12+ years of industry experience. She has been developing high-performance DevOps solutions with stringent security and governance requirements in AWS for 9+ years. She also works with developers and IT to oversee code releases, combining an understanding of both engineering and programming.

Leave a Reply

Your email address will not be published. Required fields are marked *