AWS Config Cheatsheet
Top commands.
Overview
The AWS Config CLI cheatsheet captures the patterns operators actually use during compliance investigation. Fluency at Config commands shortens audit response and exposes drift before it triggers a finding.
- Top commands. describe-compliance-by-config-rule, get-resource-config-history, select-resource-config; the three that cover most investigation paths.
- Compliance evaluation. Per-rule, per-resource state; the audit-ready snapshot of which resources are out of policy right now.
- Resource history. Time-travel through resource configuration; answers "when did this security group open to 0.0.0.0/0?"
- SQL-like queries. select-resource-config takes a SQL-style expression; the analytical layer over inventory; bulk drift detection.
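The resource-history question above ("when did this security group open to 0.0.0.0/0?") is usually answered by walking the configurationItems that get-resource-config-history returns. The script below is an added example, not code from the cheatsheet or from AWS: it consumes the JSON that `aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-...` prints (boto3 returns the same shape), and reports the earliest capture in which a port was reachable from 0.0.0.0/0 or ::/0 together with the related CloudTrail event ids. The sample history, the security group id and the event ids are constructed placeholders.

```python
"""Find when a security group first opened a port to the world.

Added example, not from the cheatsheet or from AWS. Input is the
`configurationItems` list printed by
`aws configservice get-resource-config-history`. The items below are
constructed; sg-0123456789abcdef0 and the event ids are placeholders.
"""
import json
from datetime import datetime

WORLD = {"0.0.0.0/0", "::/0"}


def _sg_item(capture_time, status, cidr, events):
    # Build one constructed configuration item. `configuration` is a JSON
    # string in the real CLI output too, so it is serialised here as well.
    return {
        "configurationItemCaptureTime": capture_time,
        "configurationItemStatus": status,
        "resourceId": "sg-0123456789abcdef0",
        "configuration": json.dumps({"ipPermissions": [
            {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
             "ipRanges": [{"cidrIp": cidr}], "ipv6Ranges": []},
        ]}),
        "relatedEvents": events,
    }


# Constructed sample: three captures, newest first, as the CLI returns them
# by default (chronological-order Reverse). Port 22 was first opened to the
# world in the 2024-03-01 capture; the 2024-03-02 capture only re-recorded it.
SAMPLE_HISTORY = {
    "configurationItems": [
        _sg_item("2024-03-02T09:15:00.000Z", "OK", "0.0.0.0/0",
                 ["e3f1-placeholder-event-id"]),
        _sg_item("2024-03-01T17:40:00.000Z", "OK", "0.0.0.0/0",
                 ["b7c2-placeholder-event-id"]),
        _sg_item("2024-02-20T08:00:00.000Z", "ResourceDiscovered",
                 "10.0.0.0/8", []),
    ]
}


def _parse_time(ts):
    # Config timestamps are ISO 8601 with a trailing Z; fromisoformat() on
    # Python versions before 3.11 rejects "Z", so normalise it first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _config_dict(item):
    cfg = item.get("configuration") or "{}"
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def rule_is_world_open(perm, port):
    """True if this ipPermissions entry reaches `port` from 0.0.0.0/0 or ::/0."""
    if perm.get("ipProtocol") != "-1":  # "-1" means all protocols and ports
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or not (lo <= port <= hi):
            return False
    cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def first_world_open_capture(history, port):
    """Return the earliest capture in which `port` was open to the world,
    as {"captureTime": ..., "relatedEvents": [...]}, or None if never."""
    items = sorted(history.get("configurationItems", []),
                   key=lambda i: _parse_time(i["configurationItemCaptureTime"]))
    for item in items:
        if item.get("configurationItemStatus") == "ResourceDeleted":
            continue  # deleted items carry no usable configuration
        perms = _config_dict(item).get("ipPermissions", [])
        if any(rule_is_world_open(p, port) for p in perms):
            return {
                "captureTime": item["configurationItemCaptureTime"],
                "relatedEvents": list(item.get("relatedEvents", [])),
            }
    return None


if __name__ == "__main__":
    print(first_world_open_capture(SAMPLE_HISTORY, 22))
```

The relatedEvents ids are the bridge to "by whom": they are CloudTrail event ids that can be looked up with `aws cloudtrail lookup-events`, which is where the calling principal lives. Sorting by capture time matters because the CLI hands back newest-first by default, and the first world-open capture is the one an investigation wants, not the latest.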
The approach
The practical approach: conformance packs by default, SQL queries for ad-hoc audits, history during forensics. The team's discipline produces real compliance, not just the appearance of it.
- describe-compliance-by-config-rule. Per-rule compliance summary; first call when an audit asks "are we compliant?"
- select-resource-config. SQL-style query across inventory; "show me every public S3 bucket with no encryption."
- get-resource-config-history. Time-travel through one resource; pinpoints when drift was introduced and by whom.
- put-conformance-pack. Deploy a bundled rule set (CIS, PCI, HIPAA); the framework-aligned baseline.
- Document queries. Commit each investigation's queries to the repo; institutional memory for the next audit.
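The first two steps of the list above, the per-rule compliance summary and the inventory query for public, unencrypted buckets, both produce JSON that an audit usually has to condense. The script below is an added example, not code from the cheatsheet or from AWS: it consumes the output of `aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT` and of `aws configservice select-resource-config --expression "..."`, and turns each into an audit-ready list. The sample payloads, rule names and bucket names are constructed, and the field paths in the query expression assume the AWS::S3::Bucket configuration item schema.

```python
"""Condense Config compliance and query output into audit summaries.

Added example, not from the cheatsheet or from AWS. The payloads below are
constructed stand-ins for what the two CLI calls print.
"""
import json

# Constructed sample of describe-compliance-by-config-rule output.
SAMPLE_COMPLIANCE = {
    "ComplianceByConfigRules": [
        {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 25, "CapExceeded": True}}},
        {"ConfigRuleName": "restricted-ssh",
         "Compliance": {"ComplianceType": "NON_COMPLIANT",
                        "ComplianceContributorCount": {"CappedCount": 3, "CapExceeded": False}}},
        {"ConfigRuleName": "root-account-mfa-enabled",
         "Compliance": {"ComplianceType": "COMPLIANT"}},
        {"ConfigRuleName": "rds-storage-encrypted",
         "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
    ]
}

# Expression for select-resource-config. Assumption: the supplementaryConfiguration
# paths follow the AWS::S3::Bucket configuration item schema.
PUBLIC_UNENCRYPTED_BUCKETS_QUERY = (
    "SELECT resourceId, supplementaryConfiguration.PublicAccessBlockConfiguration, "
    "supplementaryConfiguration.ServerSideEncryptionConfiguration "
    "WHERE resourceType = 'AWS::S3::Bucket'"
)

PAB_FLAGS = ("blockPublicAcls", "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets")

# Constructed sample of select-resource-config output. Each entry in Results is
# a JSON string, which is how the real API returns rows.
SAMPLE_QUERY_RESULTS = {
    "Results": [
        json.dumps({"resourceId": "corp-logs-constructed",
                    "supplementaryConfiguration": {
                        "PublicAccessBlockConfiguration": {k: True for k in PAB_FLAGS},
                        "ServerSideEncryptionConfiguration": {"rules": [
                            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}}),
        json.dumps({"resourceId": "www-assets-constructed",
                    "supplementaryConfiguration": {
                        "PublicAccessBlockConfiguration": {k: False for k in PAB_FLAGS}}}),
        json.dumps({"resourceId": "no-pab-constructed",
                    "supplementaryConfiguration": {}}),
    ],
    "QueryInfo": {"SelectFields": [{"Name": "resourceId"}]},
}


def noncompliant_rules(payload):
    """(rule, contributor count, cap_exceeded) for NON_COMPLIANT rules, worst first."""
    rows = []
    for entry in payload.get("ComplianceByConfigRules", []):
        comp = entry.get("Compliance", {})
        if comp.get("ComplianceType") != "NON_COMPLIANT":
            continue
        count = comp.get("ComplianceContributorCount", {})
        rows.append((entry["ConfigRuleName"], count.get("CappedCount", 0),
                     bool(count.get("CapExceeded"))))
    # CappedCount is a capped figure: when CapExceeded is true the real number
    # of offending resources is larger, so rank those rules first rather than
    # trusting the count.
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))


def parse_query_results(payload):
    """Decode the Results rows (JSON strings) into dicts."""
    return [json.loads(row) for row in payload.get("Results", [])]


def public_unencrypted_buckets(payload):
    """Bucket ids that are both not fully public-access-blocked and lack default encryption."""
    flagged = []
    for row in parse_query_results(payload):
        supp = row.get("supplementaryConfiguration") or {}
        pab = supp.get("PublicAccessBlockConfiguration") or {}
        # A missing bucket-level block is treated as not blocked. Caveat: an
        # account-level public access block is not visible in this row.
        all_blocked = all(pab.get(k) is True for k in PAB_FLAGS)
        encrypted = bool((supp.get("ServerSideEncryptionConfiguration") or {}).get("rules"))
        if not all_blocked and not encrypted:
            flagged.append(row["resourceId"])
    return flagged


if __name__ == "__main__":
    print(noncompliant_rules(SAMPLE_COMPLIANCE))
    print(public_unencrypted_buckets(SAMPLE_QUERY_RESULTS))
```

Both functions are written to be run on the real CLI output piped through `json.load`; the expression is kept to a plain resourceType filter and the public/encryption test is done client-side, because that keeps the query portable across accounts whose schemas differ in which supplementary keys are present.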
Why this compounds
AWS Config fluency compounds across audits. Each query teaches a compliance pattern; audit expertise accrues; certifications get cheaper to maintain over time.
- Better compliance evidence. Fluent Config produces fast audit response; SOC 2 evidence collection drops from weeks to hours.
- Better forensics. Resource history reconstructs the change timeline; supports security investigation without guesswork.
- Better operational fit. Conformance packs match named frameworks; the team ships compliant by default.
- Institutional knowledge. Each query teaches AWS Config internals; the team's audit muscle grows with use.
AWS Config fluency is a compliance discipline that pays off across years. Nova AI Ops integrates with Config telemetry, surfaces patterns, and supports the team's compliance discipline.