What is a AWS Config Conformance Pack and why should I use it?

Benedikt Wieloch
4. January 2021
Reading time: 2 min
What is a AWS Config Conformance Pack and why should I use it?

AWS now offers an incredible variety of over 175 products and services. Nearly all aspects of the AWS infrastructure can be adapted programmatically or via the AWS console. More and more companies and their employees/developers get involved with the platform. Not only to offer the customer the best possible experience, but also to stay one step ahead of the competition. This involves experimenting with AWS services and resources. Every so often the spun up services and resources during the “experiment” are forgotten or neglected due to feature pressure or other more important projects. AWS Cloud Trail and AWS Config help to keep track of this massive amount of settings and adjustments.

“Misconfiguration leads to malfunction, malfunction to safety problems, safety problems to suffering.”


In order to better classify the Conformance Packs, the parent-service AWS Config must be explained briefly at this point.

AWS Config is a service that provides AWS resource inventory, configuration history and configuration change notifications to ensure security and governance. Once activated AWS Config first determines the total inventory of AWS resources that are present in your account and if a resource changes, AWS Config records this.

Example: A user creates an Ingress Rule within a VPC Security Group (e.g. TCP Port 22). This change is called via AWS Config and then passed on to the instances within the security group. The updated configuration of the Security Group and the updated configuration of the instances are recorded and delivered in a configuration stream to an Amazon Simple Storage Service (Amazon S3) bucket.

AWS Config continuously monitors, evaluates and checks your configuration. If an unexpected configuration is found, AWS Config informs you and if necessary intervenes automatically and corrects it.




And what do I need AWS Config Conformance Pack for?

AWS Config Conformance Pack allows you to bundle multiple configuration rules to monitor your AWS assets from a compliance perspective. This can simplify the deployment and reporting of governance policies and reduce the time an asset remains in a non-compliant state.

You can either write your own Conformance Packs in YAML format, or you can, for example, use one of the ready-made sample templates:

  • Operational Best Practices for AWS Well-Architected Framework Security Pillar
  • Operational Best Practices for AI and ML
  • Operational Best Practices for Storage Services
  • Control Tower Detective Guardrails
  • and many more

AWS Conformance pack in conjunction with AWS Control Tower

Many companies use AWS Control Tower as an easy way to set up and control an AWS multi-account environment. This is mainly done via Guardrails. New accounts, which are created via AWS Control Tower, already comply with these Guardrails. But what about accounts that already exist? What happens if they are integrated into AWS Control Tower? This is where the Control Tower Detective Guardrail – Conformance Pack can help. The Conformance Pack evaluates the effects of using AWS Control Tower Guardrails on the resources of the new account.

A brief instruction can be found here. The process requires the creation of an S3 Bucket to save the results. The relevant conformance pack can be downloaded and adjusted if required.






Once applied, AWS Control Tower runs through the account and checks each relevant resource (this can take several minutes). As soon as the Conformance Pack has completed the deployment, the compliance result can be displayed and analyzed by clicking on one of the resources. Now it must be decided how to proceed. You can either correct all non-compliant resources in advance, or directly integrate the account without corrective measures. Please note that non-compliant resources will be displayed in the Control Tower Dashboard.