You can enforce compliance with a security standard for AWS configurations using AWS Config together with its "Auto Remediate" feature, which runs an AWS Systems Manager Automation runbook that returns the resource's configuration to the desired state whenever a rule flags it as non-compliant.
In the following example, you can see a check (the AWS-managed Config rule `s3-bucket-server-side-encryption-enabled`) that reports any S3 bucket that does not have Server Side Encryption configured by default:
And in the following image, the auto-correction action that sets default encryption on the offending bucket (the AWS-managed runbook `AWS-EnableS3BucketEncryption`). Further down in that form you specify the encryption method (SSE-S3 with AES256, or SSE-KMS with a key) and the IAM role the runbook assumes, which must hold the permission to perform the change.
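The same rule and remediation, expressed as API calls rather than console clicks. This is an added example, not code from the original post: it builds the request bodies for `ConfigService.put_config_rule` and `ConfigService.put_remediation_configurations` using the managed rule and runbook named above, plus a least-privilege policy and trust policy for the role the runbook assumes. The role ARN, account id and KMS key ARN are placeholders, and `apply()` is the only function that talks to AWS (it needs boto3 and credentials); everything else runs offline.

```python
"""Added example: AWS Config rule + SSM auto-remediation for S3 default SSE.

Builds the request bodies that the console form in the post produces.
Role/key ARNs used here are placeholders (assumption), not real resources.
"""
import json

RULE_NAME = "s3-bucket-server-side-encryption-enabled"        # Config rule name
MANAGED_RULE_ID = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"  # managed-rule SourceIdentifier
SSM_DOCUMENT = "AWS-EnableS3BucketEncryption"                 # AWS-owned Automation runbook


def config_rule():
    """Detective control: evaluate every S3 bucket for default server-side encryption."""
    return {
        "ConfigRuleName": RULE_NAME,
        "Description": "Checks that S3 buckets have default server-side encryption enabled",
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_ID},
    }


def remediation(role_arn, sse_algorithm="AES256", kms_key_id=None):
    """Corrective control: runbook parameters, run automatically on NON_COMPLIANT."""
    if sse_algorithm not in ("AES256", "aws:kms"):
        raise ValueError("SSEAlgorithm must be AES256 (SSE-S3) or aws:kms (SSE-KMS)")
    params = {
        # RESOURCE_ID is substituted by AWS Config with the non-compliant bucket's name
        "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        "SSEAlgorithm": {"StaticValue": {"Values": [sse_algorithm]}},
        "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
    }
    if sse_algorithm == "aws:kms":
        if not kms_key_id:
            raise ValueError("aws:kms requires a KMS key id or ARN")
        params["KMSMasterKey"] = {"StaticValue": {"Values": [kms_key_id]}}
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,
        "TargetVersion": "1",
        "Parameters": params,
        "Automatic": True,            # False would require a manual "Remediate" click
        "MaximumAutomaticAttempts": 5,  # bounded retries avoid an endless remediation loop
        "RetryAttemptSeconds": 60,
    }


def remediation_role_policy(bucket_arns=("arn:aws:s3:::*",)):
    """Least-privilege permissions for the role: only the API the runbook actually calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutEncryptionConfiguration"],
            "Resource": list(bucket_arns),
        }],
    }


def remediation_role_trust():
    """Trust policy: Systems Manager Automation must be allowed to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def apply(role_arn, region="us-east-1"):
    """Push the rule and its remediation to AWS Config. Needs boto3 and credentials."""
    import boto3  # imported here so the rest of the module runs offline
    cfg = boto3.client("config", region_name=region)
    cfg.put_config_rule(ConfigRule=config_rule())
    resp = cfg.put_remediation_configurations(
        RemediationConfigurations=[remediation(role_arn)]
    )
    return resp.get("FailedBatches", [])  # empty list means the remediation was accepted


if __name__ == "__main__":
    # Placeholder role ARN (assumption): print what would be sent, without calling AWS.
    print(json.dumps(remediation("arn:aws:iam::123456789012:role/ConfigRemediation"), indent=2))
```

The detail worth noticing is `ResourceValue: RESOURCE_ID`: that is what lets one remediation configuration serve every bucket the rule flags, while `StaticValue` carries the settings you chose in the form. Keeping the role's policy to `s3:PutEncryptionConfiguration` matters because this role runs unattended and on every bucket in the account.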
One might wonder: "Why not prevent deviations from happening in the first place with IAM policies?" That is also valid, and the two approaches complement each other. Preventive controls stop new deviations but do nothing about pre-existing ones, whereas AWS Config evaluates every resource already in the account and fixes those that are out of compliance. It also covers the case where an administrator with the necessary permissions mistakenly changes a configuration to an undesired state: AWS Config detects the drift and remediates it. Bear in mind that this is a detective control, so there is a window between the change and the fix during which the resource is non-compliant, and the remediation role itself runs unattended across the whole account and should be granted only the permissions the runbook needs.