Think - with -Tech: September 2025

Tuesday, September 30, 2025

AWS Config Rules Notifications 🔔 | Overview.

AWS Config Rules Notifications 🔔 - Overview

Scope:

Intro,
Primary Notification Methods,
Types of Notifications,
Common Use Cases,
Links to official documentation,
The Concept of Config Notifications (deep dive),
Types of Notifications (deep dive),
Notification Delivery Mechanisms,
Architecture,
Notification Lifecycle (flow),
Sample Notification Use Cases,
Best Practices.

Intro:

AWS Config provides several ways to receive notifications when resources change or when they are evaluated against your compliance rules.
These notifications are primarily delivered through Amazon Simple Notification Service (SNS) or Amazon EventBridge.

Primary Notification Methods

Amazon SNS (Native Delivery): twtech can configure a "Delivery Channel" in AWS Config to send all configuration changes and compliance notifications directly to an Amazon SNS topic.
Amazon EventBridge: This is the recommended method for targeted alerting.
twtech can create EventBridge rules to filter for specific events, such as when a resource becomes "NON_COMPLIANT".
AWS User Notifications: A centralized service to view and manage notifications across AWS accounts.
AWS User Notifications allows twtech to set up pattern matching to fine-tune alerts sent to email, Slack, or mobile apps.

Types of Notifications

Compliance Change Notification: Sent whenever a rule evaluation result changes (e.g., from COMPLIANT to NON_COMPLIANT).
Configuration Item (CI) Change: Triggered when the configuration of a tracked resource is created, updated, or deleted.
Evaluation Started Notification: Indicates that a rule evaluation has begun.
Oversized Notification: Sent when a configuration change exceeds the Amazon SNS message size limit.

Common Use Cases

Immediate Security Alerts: Use Amazon EventBridge to trigger an SNS email immediately when a security group rule is added that allows public access.
Automated Remediation: Trigger an AWS Lambda function via EventBridge to automatically fix a non-compliant resource as soon as the notification is received.
Chat Integration: Use AWS Chatbot to send Config rule compliance updates directly to Slack or Microsoft Teams channels.

Links to official documentation

https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

https://docs.aws.amazon.com/config/latest/developerguide/oversized-notification-example.html

https://docs.aws.amazon.com/chatbot/latest/adminguide/custom-notifs.html

1. The Concept of Config Notifications (deep dive)

AWS Config doesn’t only evaluate resources.
AWS Config also notifies stakeholders when:

A resource changes state,
A rule evaluation occurs,
A compliance state changes,
Remediation is triggered.

NB:

Notifications ensure visibility.
Notifications help connect Config with monitoring, alerting, and workflows.

2. Types of Notifications (deep dive)

a) Configuration Item Change Notifications

Generated when Config Recorder captures resource changes.
Example: An S3 bucket policy is updated.
Sent via SNS topics.

b) Compliance Change Notifications

Triggered when compliance state changes:

COMPLIANT → NON_COMPLIANT
NON_COMPLIANT → COMPLIANT

Example: Security group rule added that violates Config Rule.

c) Rule Evaluation Notifications

Sent after a Config Rule runs (periodic or event-based).
Includes compliance results.

d) Remediation Notifications

Sent when remediation execution starts or fails.
Typically integrated with EventBridge for automation.

3. Notification Delivery Mechanisms

Amazon SNS

Push notifications (email, SMS, Lambda, HTTP endpoints).
Classic approach for alerts to humans or ticketing systems.

Amazon EventBridge

Rich event patterns.
Enables automation workflows (e.g., invoke Step Functions, Lambda, SSM Automation).
Allows filtering: “Send only NON_COMPLIANT events for EC2.”

CloudWatch Alarms + Logs

Track repeated NON_COMPLIANT events.
Escalate persistent drift.

Security Hub

Aggregates Config compliance findings.
Standardized format (AWS Security Finding Format).

Architecture

4. Notification Lifecycle (flow):

1. Resource Change

Config Recorder captures config item.
Event logged + evaluated.

2. Rule Evaluation

Config Rule triggered.
Compliance results generated.

3. Notification Trigger

Event type identified (change, compliance, remediation).

4. Routing

Event delivered via SNS or EventBridge.

5. Consumption

Humans (email/SMS via SNS).
Systems (Lambda, Step Functions, ticketing via EventBridge).
Security Hub (centralized compliance).

6. Audit

Events stored in CloudTrail for traceability.

5. Sample Notification Use Cases

Real-time Alerts

Send email when a rule fails (SNS).

Automated Remediation Trigger

EventBridge rule invokes SSM Doc when EBS volume not encrypted.

Compliance Dashboarding

Stream compliance events into Security Hub or a SIEM.

Multi-Account Ops

Aggregate compliance + notifications across accounts via AWS Config Aggregator + Org-level EventBridge.

6. Best Practices

Use EventBridge over SNS for fine-grained routing and automation.
Apply filtering at EventBridge to reduce noise.
Separate human alerts (SNS) from automation (EventBridge).
Enrich notifications with tags, account IDs, and resource IDs.
Integrate into SIEM/SOAR platforms for enterprise visibility.
Test notification → remediation loops before production.

AWS Config Remediations | Overview.

AWS Config Remediations - Overview.

Scope:

Intro,
Types of Remediation,
Common Examples,
Key Components,
Configuration Limits,
The Concept of Remediation in AWS Config (deep dive),
Remediation Lifecycle (from detection → remediation),
Remediation Architecture flow,
Remediation Integrations,
Types of Remediation (deep dive),
Common AWS-Managed Remediation Actions (Samples of built-in remediations),
Best Practices.

Intro:

AWS Config remediation allows twtech to address noncompliant resources detected by its AWS Config rules automatically or manually.
This process uses AWS Systems Manager (SSM) Automation documents to define and execute the corrective actions.

Types of Remediation

Automatic Remediation: AWS Config triggers a specified SSM Automation document as soon as a resource is flagged as noncompliant.
Manual Remediation: twtech must navigate to the AWS Config console and manually initiate the remediation action for a specific noncompliant resource.

Common Examples

S3 Buckets: Automatically enable S3 Bucket Encryption or S3 Bucket Versioning for noncompliant buckets.
Security Groups: Revoke unrestricted ingress rules for sensitive ports like SSH (port 22).
EC2 Instances: Stop instances that are missing required public IP restrictions or tags.
RDS Databases: Encrypt unencrypted Amazon RDS instances or clusters automatically.

Key Components

SSM Automation Document: The runbook that performs the actual fix.
Remediation Action: The link between a Config rule and its corresponding SSM document.
AutomationAssumeRole: An IAM role that provides Systems Manager with the necessary permissions to execute actions on twtech behalf.
Resource ID Parameter: A setting that maps the noncompliant resource's ID (e.g., BucketName or InstanceId) into the SSM document.

Configuration Limits

Retries: twtech can configure the number of retry attempts and the time interval between them if a remediation fails.
Rate Limits: twtech can set concurrent execution rates to avoid hitting API throttling limits during bulk remediations.

1. The Concept of Remediation in AWS Config (deep dive)

AWS Config rules can detect non-compliant resources.
By default AWS Config rules only report non-complance.
Remediation is the automation layer that fixes drift when non-compliance occurs.
Remediation Actions: Defined, automated steps triggered by Config when a resource is non-compliant.
Execution Engine: Uses SSM Automation Documents (SSM Documents).
Scope: Can be scoped (configured) to specific resource types or all resources the rule applies to.

2. Remediation Lifecycle (from detection → remediation):

Rule Trigger

Config Rule runs (event-based or periodic).
Evaluates a resource’s compliance status.

Non-Compliance Detected

Rule returns NON_COMPLIANT for a resource.

Remediation Association

Config looks for an Auto-Remediation or Manual Remediation linked to the rule.

Execution

If auto-remediation enabled → runs immediately.
If manual → operator must trigger via console/CLI/API.
Config invokes SSM Automation Document (SSM Doc) with parameters.

Automation Execution

SSM Automation carries out steps (e.g., stop an EC2 instance, detach a policy, encrypt a volume).
Supports conditional logic, approvals, rollback.

Result Recording

Execution status sent back to Config.
Compliance re-evaluated after remediation.
Logs/audit trail stored in CloudTrail + Config Recorder + optionally in CloudWatch Logs/S3.

3. Remediation Architecture flow

4. Remediation Integrations

AWS Systems Manager (SSM)

SSM Docs (Automation runbooks) are the execution engine.
Can use AWS-provided or custom documents.

CloudTrail

Audits automation execution (who/what/when).

CloudWatch Events / EventBridge

Capture remediation start/stop/failure events.
Trigger alerts, Slack notifications, ticketing workflows.

SNS / ChatOps

Notify security/ops teams about remediation actions.

Service Catalog + Control Tower

Predefined remediation runbooks across accounts.

Security Hub

Config compliance findings feed into Security Hub → remediations can be orchestrated.

5. Types of Remediation (deep dive)

Auto-Remediation

Fully automated.
Example: Encrypt unencrypted S3 buckets automatically.

Manual Remediation

Requires operator trigger.
Example: Approve security group rule removal before execution.

6. Common AWS-Managed Remediation Actions (Samples of built-in remediations):

Attach IAM policy → AWS-AttachIAMPolicy
Stop non-compliant EC2 instance → AWS-StopEC2Instance
Enable encryption on EBS → AWS-EnableEBSVolumeEncryption
Enable CloudTrail → AWS-EnableCloudTrail