By Samson Tanimawo, PhD
Published Apr 9, 2026
Config Drift Prevention With AWS Config
AWS Config rules detect drift. These are the rules that catch the most common configuration regressions.
High-leverage rules
S3 buckets must have encryption enabled.
EBS volumes must be encrypted.
RDS must have automated backups.
Security groups must not allow 0.0.0.0/0 on SSH or RDP.
Auto-remediation
Some rules support auto-remediation. Others fire alerts only.
Auto-remediate the easy ones; alert for the rest.
Alerting
Non-compliant resources go to a dashboard.
Drift older than 7 days: page the owner.
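The routing described under Auto-remediation and Alerting, as an added example that is not code from the original article. It assumes evaluation results in the shape AWS Config returns from GetComplianceDetailsByConfigRule; the choice of auto-remediated rules, the owner map, the fallback owner, and measuring drift age from ResultRecordedTime are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

PAGE_AFTER = timedelta(days=7)  # from the text: drift older than 7 days pages the owner
# Assumption: which rules count as "easy" to auto-remediate is a local policy choice.
AUTO_REMEDIATE = {"s3-bucket-server-side-encryption-enabled", "restricted-ssh"}
DEFAULT_OWNER = "platform-oncall"  # hypothetical fallback so unowned resources still page


def route(result, now, owners):
    """Return the actions for one evaluation result; empty list if compliant."""
    if result["ComplianceType"] != "NON_COMPLIANT":
        return []
    q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
    rule, rid = q["ConfigRuleName"], q["ResourceId"]
    actions = [("dashboard", rid, rule)]  # every non-compliant resource is listed
    if rule in AUTO_REMEDIATE:
        actions.append(("remediate", rid, rule))
    # Assumption: drift age is measured from ResultRecordedTime.
    if now - result["ResultRecordedTime"] > PAGE_AFTER:
        # Also pages for auto-remediated rules: 7 days of drift means the fix is failing.
        actions.append(("page", rid, owners.get(rid, DEFAULT_OWNER)))
    return actions


def triage(results, now, owners):
    return [a for r in results for a in route(r, now, owners)]


def sample(rule, rid, compliance, days_old, now):
    """Build a constructed record in the EvaluationResults shape."""
    return {
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": rule, "ResourceId": rid}},
        "ComplianceType": compliance,
        "ResultRecordedTime": now - timedelta(days=days_old),
    }


NOW = datetime(2026, 4, 9, tzinfo=timezone.utc)  # constructed clock
OWNERS = {"vol-0aaa": "team-data"}               # constructed owner map
RESULTS = [                                      # constructed sample data
    sample("s3-bucket-server-side-encryption-enabled", "logs-bucket", "NON_COMPLIANT", 1, NOW),
    sample("encrypted-volumes", "vol-0aaa", "NON_COMPLIANT", 9, NOW),
    sample("restricted-ssh", "sg-0bbb", "NON_COMPLIANT", 8, NOW),
    sample("db-instance-backup-enabled", "db-1", "COMPLIANT", 30, NOW),
]

if __name__ == "__main__":
    for action in triage(RESULTS, NOW, OWNERS):
        print(action)
```

The security group in the sample is covered by auto-remediation yet still pages after 8 days, which surfaces a remediation that keeps failing or being reverted.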