Automate deviation correction in configurations

Automation with AWS Config

You can enforce compliance with security standards for AWS configurations using AWS Config and its “Auto Remediate” feature, which runs an AWS Systems Manager Automation document that returns the configuration to the desired state.
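The detect-and-correct loop described above, expressed as a CloudFormation template (an added example, not from the page's author): an AWS managed rule flags S3 buckets that allow public read, and a remediation configuration automatically runs the AWS-owned Automation document against each non-compliant bucket. It assumes an AWS Config recorder is already enabled in the account and region, and `RemediationRoleArn` is a placeholder for an existing role the Automation assumes.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Detect S3 buckets that allow public read and correct them automatically
  via an SSM Automation document. Added example; assumes an AWS Config
  recorder is already enabled in this account and region.

Parameters:
  RemediationRoleArn:
    Type: String
    Description: >-
      Placeholder: ARN of an existing IAM role that SSM Automation assumes to
      apply the fix (it needs permission to set the bucket's public access block).

Resources:
  # Detection: AWS managed rule, evaluated whenever an S3 bucket's configuration changes
  PublicReadProhibitedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  # Correction: when the rule marks a bucket NON_COMPLIANT, run the AWS-owned
  # Automation document against that bucket without waiting for a human
  PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref PublicReadProhibitedRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true                 # false would require someone to click "Remediate"
      MaximumAutomaticAttempts: 3     # stop after three failed attempts ...
      RetryAttemptSeconds: 60         # ... spaced sixty seconds apart
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID        # AWS Config substitutes the non-compliant bucket name
```

Setting `Automatic: false` keeps the same detection and makes remediation a manual, reviewed step, which suits the "create a ticket" approach discussed later on this page.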

Prevent vs. Detect & Correct

One might wonder: why not prevent deviations from happening in the first place using IAM policies or service control policies (SCPs)? Preventing with policies has the advantage that the misconfiguration is never present, not even for a moment, whereas detection and correction may take a few minutes. On the other hand, builders often get frustrated by “Authorization denied” messages without a clear understanding of why, or of what is not allowed, and deployments may fail. Using services such as AWS Config to detect misconfigurations and trigger a response provides some benefits:

  • A better builder experience, since you can notify the person who introduced the change that it was not allowed and was therefore reverted to the recommended setting (you could use tags to identify the owner to notify)
  • IAM policies and SCPs would not correct deviations that existed before the policy was created
  • If an administrator with permissions to bypass the policy mistakenly changes the configuration to an undesired state, AWS Config will remediate it
  • You can take softer approaches, such as creating a ticket when a misconfiguration is detected and auto-closing it when the issue is resolved

Guidance for assessments

  • Are you creating tickets when a resource gets misconfigured?
  • Are you auto-correcting misconfigurations?

Pricing

https://aws.amazon.com/config/pricing/