Ensuring that cloud workloads remain fully compliant with important industry standards such as CIS, PCI DSS, or HIPAA is one of the most significant and ongoing challenges that organizations encounter in today’s fast-paced digital landscape. AWS environments, in particular, tend to expand rapidly, often spanning numerous accounts while evolving and changing at a continuous and sometimes unpredictable pace. Conventional compliance methods — including periodic audits and reliance on manual checklists — simply cannot keep up with the speed and complexity of these dynamic cloud environments.
That’s exactly where AWS native tools such as AWS Config and AWS Security Hub become incredibly valuable. Working together seamlessly, these tools enable you to continuously and comprehensively monitor your entire AWS environment, helping you identify any resources that are noncompliant with your organization’s policies. Moreover, they offer the capability to automatically remediate detected issues, ensuring your environment remains secure and compliant without requiring constant manual intervention.
In this post, we’ll walk through how to set up compliance automation with Config and Security Hub, share real-world examples, and highlight best practices you can implement today.
Why Automate Compliance in AWS?
Compliance in the cloud environment is not simply a one-time task or event — it is an ongoing, continuous process that requires constant attention and management. Relying on manual processes to maintain compliance introduces various risks such as human error, delays, and inconsistencies that can compromise security and governance. These risks make it difficult to keep up with ever-changing regulations and internal policies.
By contrast, automating compliance offers significant advantages, including improved accuracy, faster detection and resolution of compliance issues, and the ability to consistently enforce policies across your entire AWS infrastructure. Automation helps ensure that your environment remains secure and compliant at all times, reducing the burden on your team and minimizing the chance of costly compliance failures.
Key AWS Services for Compliance
AWS Config records and evaluates the configuration of AWS resources. It provides:
- Managed rules (e.g., check if S3 buckets are encrypted)
- Custom rules (via AWS Lambda for org-specific requirements)
- Remediation actions (e.g., auto-enable encryption if disabled)
AWS Security Hub aggregates findings from AWS Config, GuardDuty, Inspector, and other security services. Key features:
- Compliance dashboards (CIS, PCI DSS, AWS Foundational Best Practices)
- Multi-account aggregation (with AWS Organizations)
- Centralized findings from both AWS and third-party tools
Together, Config checks configurations, and Security Hub visualizes compliance status across your AWS landscape.
Getting Started
Step 1: Enable AWS Config
- Open AWS Config in the Console
- Sign in to the AWS Management Console.
- Navigate to AWS Config.
- Set Up Resource Recording
- Choose Set up AWS Config.
- Select:
- Record all resources supported in this region (best practice).
- Or pick specific resource types if you want to limit scope.
- Choose an S3 Bucket for Config Logs
- Either create a new bucket or use an existing one.
- AWS Config stores configuration history and snapshots here.
- Set Up an IAM Role
- Let AWS Config create the service-linked role (recommended).
- Role name will look like
AWSServiceRoleForConfig.
- (Optional) Configure SNS Notifications
- Add an SNS topic if you want email/SMS notifications when non-compliance is detected.
- Enable AWS Config Rules
- Go to Rules → Add Rule.
- Example managed rules to start with:
CLOUD_TRAIL_ENABLEDS3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLEDEC2_INSTANCE_NO_PUBLIC_IP
- (Optional) Enable Multi-Account Aggregation
- If using multiple AWS accounts, create a Config Aggregator in your management account, or ideally a dedicated Security Admin accounts as per best practices.
- This collects compliance data across accounts and regions.
Step 2: Enable AWS Security Hub
- Open AWS Security Hub in the Console
- Navigate to AWS Security Hub.
- Click Enable Security Hub.
- Enable Compliance Standards
- Once Security Hub is enabled, go to Standards.
- Choose frameworks to apply, e.g.:
- CIS AWS Foundations Benchmark v1.4.0
- PCI DSS
- AWS Foundational Security Best Practices
- Enable them region by region (best practice: enable in all).
- Integrate with AWS Config
- Security Hub automatically ingests findings from AWS Config rules.
- Example: if an S3 bucket is not encrypted, Config flags it → Security Hub marks it non-compliant.
- Enable Multi-Account Setup (Recommended)
- If using AWS Organizations:
- Designate a Security Hub administrator account.
- Invite member accounts.
- Findings from all accounts roll up into the admin account.
- If using AWS Organizations:
- Explore the Dashboard
- Open Compliance standards dashboard.
- See your score and control-by-control breakdown.
- Drill into failed controls to see which resources are non-compliant.
Step 3: Integrate Config + Security Hub
- Findings from Config rules are automatically ingested into Security Hub.
- Example: If an S3 bucket is public, Config flags it → Security Hub surfaces it in your compliance dashboard.
Step 5: Automate Remediation
- Create Remediation Actions in AWS Systems Manager
- Open Systems Manager → Automation Documents (SSM Documents).
- Use AWS-provided ones (e.g.,
AWS-EnableS3BucketEncryption).
- Attach Remediation to Config Rules
- Go to Config → select a rule.
- Under Remediation, choose the appropriate SSM Document.
- Example: If an unencrypted S3 bucket is detected, remediation automatically enables encryption.
Real-World Compliance Use Cases
Real-world use cases include a variety of practical applications and scenarios where compliance requirements must be strictly followed to ensure legal and regulatory adherence across different industries. These examples demonstrate how organizations implement compliance measures in everyday operations to mitigate risks and maintain standards:
- PCI DSS – Protect Stored Cardholder Data
- Config ensures EBS volumes are encrypted.
- Security Hub shows compliance score for PCI DSS controls.
- CIS Benchmark – Ensure CloudTrail is Enabled
- Config detects if CloudTrail is disabled.
- Security Hub dashboard reflects the failure for immediate remediation.
- HIPAA – Ensure Logging & Access Controls
- Config checks IAM password policies.
- Security Hub centralizes results for audit teams.
Best Practices
- Enable organization-wide via AWS Organizations.
- Automate remediation whenever possible (S3 encryption, CloudTrail logging).
- Integrate SIEM/SOAR tools e.g. Splunk or Datadog for extended workflows.
- Review dashboards regularly with compliance teams.
- Document exceptions — not every control applies to every workload.
Closing Thoughts
Keeping compliance in the cloud can be challenging, but AWS offers easy-to-use tools to help. Using AWS Config to check resources constantly and AWS Security Hub for a clear overview, organizations can shift from fixing issues after they happen to preventing them with automation. The real benefit is fixing problems quickly and applying these methods across many accounts, so your AWS setup stays safe and ready for audits. Start small, improve step by step, and compliance will become a natural part of your cloud work.
About
With over 20 years in the technology sector, Keith has spent the last decade providing consultancy, support, and strategic direction to customers across multiple cloud platforms.
Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.