AWS Config & governance
Config history, rules, auto-remediation.
AWS Config is the service that gives you continuous visibility into resource configuration and compliance over time — the backbone of governance, drift detection, and automated remediation in a DevOps practice.
Configuration history and rules
AWS Config records the configuration of your resources and how it changes over time, so you can answer "what did this security group look like last Tuesday, and who changed it?" — invaluable for troubleshooting and audit. On top of that history, Config rules continuously evaluate resources against desired configurations (managed rules for common checks, or custom rules), marking each resource compliant or non-compliant. This turns "is our infrastructure configured correctly?" into a continuously-answered question rather than a periodic manual review, and it detects drift from your intended state the moment it happens.
# Continuously evaluate: are all EBS volumes encrypted?aws configservice put-config-rule --config-rule '{"ConfigRuleName": "encrypted-volumes","Source": { "Owner": "AWS", "SourceIdentifier": "ENCRYPTED_VOLUMES" }}'# Attach automatic remediation for the clear-cut fixes:aws configservice put-remediation-configurations --remediation-configurations '[{"ConfigRuleName": "encrypted-volumes","TargetType": "SSM_DOCUMENT", "TargetId": "AWS-...", "Automatic": true }]'# Non-compliant → runbook fixes it. History records the whole timeline.
Compliance and remediation at scale
Config becomes a governance engine when you group rules into conformance packs (a compliance framework’s checks deployed together) and attach automatic remediation so non-compliant resources are fixed by an SSM runbook without manual intervention. Aggregate Config across accounts for an org-wide compliance view. The pattern that ties this section together: Config detects drift and non-compliance, EventBridge routes the finding, and an Automation runbook remediates — continuous, closed-loop governance. For a DevOps engineer this is how you keep a growing estate consistent and compliant automatically, catching the console change that weakened a control and fixing it before it becomes an incident, all while the configuration history provides the audit trail.