Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

12 AWS Config rules that every account should have

The out-of-the-box tools that come with AWS are a great start to securing your environment. See 12 AWS Config rules that are a bare minimum for any account.

Jun 08, 2023 • 3 Minute Read

Please set an alt value for this image...

Using the out-of-the-box tools that come with AWS is a great start when it comes to securing your environment and reducing your blast radius. In this post, we'll cover 12 AWS Config rules that should be considered a bare minimum requirement for any account.

Because most of security is doing the basic things. (Don't "hide" your laptop under a hoodie on the passenger seat, and it's a little less likely to wind up missing.) But, when it comes to securing your AWS environment, the basic things can be kind of hard.

Are you looking to begin your AWS career or take your skills to the next level? Our AWS learning paths offers customized paths to excel your cloud journey!

What is AWS Config?

One key step for securing your AWS environment is to create an asset inventory.

There are various ways you can build an asset inventory. You can use third-party tools or CLI scripts, but there’s a quick and easy way and that’s using AWS Config.

AWS Config lets you record and assess the configurations of your AWS resources. It has two basic functions. 

  1. It can record all of the configuration data that runs through the system.
  2. It can build rules to help us ensure compliance.

WFH Security

Securing Your AWS Environment

In this free, on-demand webinar, get a breakdown of taking complex AWS environments from zero to secure.

Enabling AWS Config

To get started, you'll need to enable AWS Config. You can get details on the full process here. During this process you'll do the following:

  • Create an S3 bucket to hold configuration data
  • Create a Config configuration recorder
  • Create a Delivery channel
  • Verify with the AWS CLI:
    • aws configservice describe-delivery-channels
    • aws configservice describe-configuration-recorders
    • aws configservice describe-configuration-recorder-status

Once we’re done, the system is going to start collecting assets and storing them. We can see them in AWS Config and see changes from that point forward.

With the inventory configured, you can now:

  • See counts on resources across the account
  • Search the inventory with SQL
  • View details on the assets
  • Enable or create AWS Config rules to ensure compliance

If doing this in many accounts, it’s important to note that Config can be centrally collected for all accounts under your control.

12 recommended AWS Config rules

AWS Config has managed rules for many resources. As a bare minimum, here are 12 recommended Config rules courtesy of cloud architect and security engineer Don Magee, Cloud Security Lead at Stedi.

AWS Config ruleAction
cloudformation-stack-drift-detection-checkAll stacks should have no drift
s3-bucket-level-public-acess-prohibitedS3 buckets should not be public
ec2-instance-no-public-ipEC2 instances should not have public IPs
ebs-snapshot-public-restorable-checkYour server snapshots should not be public
iam-root-access-key-checkThe root user should not have access keys
cloudtrail-enabledCloudTrail should always be enabled
ec2-ebs-encryption-by-defaultAll EBS volumes should be encrypted by default
s3-bucket-server-side-encryption-enabledS3 should be encrypted by default
vpc-default-security-group-closedThe default security group should not be in use
acm-certificate-expiration-checkEnsure your certificates are not about to expire
access-keys-rotatedEnsures IAM user access keys are rotated
iam-user-unused-credentials-checkFind inactive accounts to disable

How does cost work with AWS Config?

From a cost perspective, the recorder (storing in S3) and each rule does have a charge. But these shouldn't be too costly for most organizations.

Don said his organization eventually moved off of Config as it grew in search of a better dashboard than AWS could provide, but they were at 30 accounts and 26 Config rules and the cost was not prohibitive at that point.

Lock down your AWS security skills.

Want to learn more about security in the cloud? Check out our Mastering the AWS Well-Architected Framework course, or dig into our massive library of hands-on cloud learning.