🔒 AWS Secure Configuration Guidance

FedRAMP Rev5 Recommended Secure Configuration (RSC) Requirements


FRR-RSC-05: Comparison Capability

Applies to: Low, Moderate, High
Last Updated: 2025-11-25
Version: 1.0.0

Overview

AWS provides multiple native tools and services to compare current security configurations
against recommended secure baselines. This capability enables continuous compliance monitoring,
drift detection, and gap analysis for FedRAMP requirements.

Comparison Tools

AWS Config Rules and Conformance Packs

Description:

Continuously evaluates AWS resource configurations against desired settings

How It Works:

AWS Config records configuration changes and evaluates them against rules.
Rules can be AWS-managed or custom. Conformance packs bundle multiple rules together.

Capabilities:

  • configuration_recording: Tracks all resource configuration changes over time
  • compliance_evaluation: Evaluates resources against rules continuously or on change
  • drift_detection: Identifies when resources deviate from baseline
  • remediation: Automated or manual remediation actions
  • aggregation: Multi-account and multi-region compliance view

CLI Commands:

# Deploy conformance pack
aws configservice put-conformance-pack \
  --conformance-pack-name fedramp-rsc \
  --template-body file://conformance-pack.yaml

# Check compliance status
aws configservice describe-conformance-pack-compliance \
  --conformance-pack-name fedramp-rsc

# Get detailed compliance
aws configservice get-conformance-pack-compliance-details \
  --conformance-pack-name fedramp-rsc

Boto3 Example:

import boto3
config = boto3.client('config')

# Get all non-compliant rules (boto3 method names use underscores, not hyphens).
# The response is paginated: follow 'NextToken' in production to avoid missing rules.
response = config.describe_compliance_by_config_rule(
    ComplianceTypes=['NON_COMPLIANT']
)

for rule in response['ComplianceByConfigRules']:
    print(f"Rule: {rule['ConfigRuleName']}")
    print(f"Status: {rule['Compliance']['ComplianceType']}")

AWS Security Hub

Description:

Centralized security and compliance dashboard with automated checks

How It Works:

Security Hub aggregates findings from AWS services (Config, GuardDuty, Inspector, Macie)
and evaluates against security standards (CIS, PCI-DSS, AWS Foundational Security Best Practices).

Capabilities:

  • standards_compliance: Evaluates against industry frameworks
  • finding_aggregation: Consolidates security findings from multiple sources
  • automated_checks: Runs 100+ automated security checks
  • custom_insights: Create custom compliance views
  • integration: Integrates with 50+ partner solutions

CLI Commands:

# Enable Security Hub
aws securityhub enable-security-hub

# Enable standards
aws securityhub batch-enable-standards \
  --standards-subscription-requests \
  StandardsArn=arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0

# Get compliance summary
aws securityhub get-findings \
  --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}'

Boto3 Example:

import boto3
securityhub = boto3.client('securityhub')

# Get failed findings
findings = securityhub.get_findings(
    Filters={
        'ComplianceStatus': [{'Value': 'FAILED', 'Comparison': 'EQUALS'}],
        'RecordState': [{'Value': 'ACTIVE', 'Comparison': 'EQUALS'}]
    }
)

for finding in findings['Findings']:
    print(f"Control: {finding['Title']}")
    print(f"Resource: {finding['Resources'][0]['Id']}")
    print(f"Severity: {finding['Severity']['Label']}")
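The Config and Security Hub examples above each read a single page of results; both APIs paginate with NextToken, so a baseline comparison that ignores it can silently under-report gaps. The following is an added example, not code from the guidance page, that merges non-compliant Config evaluations and failed Security Hub findings into one gap list while following pagination. The clients are injected, and `paged`, `DETAILS`, `CONFIG` and `SECURITYHUB` are constructed stand-ins for boto3 clients so it runs offline; swap in `boto3.client('config')` and `boto3.client('securityhub')` for real use.

```python
# Added example: one gap list from Config + Security Hub, following NextToken pagination.
# Offline stand-ins (paged/CONFIG/SECURITYHUB) replace boto3 clients; data is constructed.
from types import SimpleNamespace


def iter_pages(call, key, **kwargs):
    """Yield items under `key` from every page of a paginated API call."""
    page = call(**kwargs)
    while True:
        yield from page.get(key, [])
        if "NextToken" not in page:
            return
        page = call(**kwargs, NextToken=page["NextToken"])


def collect_gaps(config, securityhub):
    """Return sorted (source, check, resource) tuples for every failing check."""
    gaps = set()
    for rule in iter_pages(config.describe_compliance_by_config_rule,
                           "ComplianceByConfigRules", ComplianceTypes=["NON_COMPLIANT"]):
        for ev in iter_pages(config.get_compliance_details_by_config_rule, "EvaluationResults",
                             ConfigRuleName=rule["ConfigRuleName"], ComplianceTypes=["NON_COMPLIANT"]):
            rid = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
            gaps.add(("config", rule["ConfigRuleName"], rid))
    filters = {"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
               "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}
    for finding in iter_pages(securityhub.get_findings, "Findings", Filters=filters):
        for res in finding["Resources"]:
            gaps.add(("securityhub", finding["Title"], res["Id"]))
    return sorted(gaps)


def paged(key, items):
    """Fake API call (constructed stand-in for boto3) serving items one per page."""
    def call(NextToken=None, **kw):
        data = items(**kw) if callable(items) else items
        i = int(NextToken or 0)
        page = {key: data[i:i + 1]}
        if i + 1 < len(data):
            page["NextToken"] = str(i + 1)
        return page
    return call


# Constructed sample data: rule names and resource ids are hypothetical.
DETAILS = {"s3-bucket-public-read-prohibited": ["bucket-a", "bucket-b"],
           "cloudtrail-enabled": ["123456789012"]}
CONFIG = SimpleNamespace(
    describe_compliance_by_config_rule=paged("ComplianceByConfigRules",
                                             [{"ConfigRuleName": n} for n in DETAILS]),
    get_compliance_details_by_config_rule=paged("EvaluationResults", lambda ConfigRuleName, **_: [
        {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {"ResourceId": r}}}
        for r in DETAILS[ConfigRuleName]]))
SECURITYHUB = SimpleNamespace(get_findings=paged("Findings", [
    {"Title": "S3 buckets should prohibit public read access",
     "Resources": [{"Id": "arn:aws:s3:::bucket-a"}]}]))
```

Because the fake clients return one item per page, the four gaps returned by `collect_gaps(CONFIG, SECURITYHUB)` are only found when every NextToken is followed.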

IAM Access Analyzer

Description:

Identifies resources shared with external entities and validates IAM policies

How It Works:

Uses automated reasoning to analyze resource-based policies and identify
unintended access. Validates policies against AWS best practices.

Capabilities:

  • external_access: Finds resources accessible outside your account/organization
  • policy_validation: Checks policies for errors and security warnings
  • unused_access: Identifies unused permissions (preview)
  • custom_checks: Create custom policy checks

CLI Commands:

# Create analyzer
aws accessanalyzer create-analyzer \
  --analyzer-name org-analyzer \
  --type ORGANIZATION

# List findings
aws accessanalyzer list-findings \
  --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/org-analyzer

# Validate policy
aws accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY

Boto3 Example:

import boto3
analyzer = boto3.client('accessanalyzer')

# Get external access findings
findings = analyzer.list_findings(
    analyzerArn='arn:aws:access-analyzer:us-east-1:123456789012:analyzer/org-analyzer',
    filter={'status': {'eq': ['ACTIVE']}}
)

for finding in findings['findings']:
    print(f"Resource: {finding['resource']}")
    print(f"External Principal: {finding['principal']}")

AWS Trusted Advisor

Description:

Automated best practice checks across cost, performance, security, and fault tolerance

How It Works:

Scans AWS environment and provides recommendations based on AWS best practices.
Business and Enterprise support plans get full check access.

Capabilities:

  • security_checks: Identifies security gaps and misconfigurations
  • cost_optimization: Finds opportunities to reduce costs
  • performance: Recommends performance improvements
  • fault_tolerance: Identifies single points of failure

CLI Commands:

# List all checks
aws support describe-trusted-advisor-checks \
  --language en

# Get check result
aws support describe-trusted-advisor-check-result \
  --check-id zXCkfM1nI3 \
  --language en

# Refresh check
aws support refresh-trusted-advisor-check \
  --check-id zXCkfM1nI3

Note:

Requires Business or Enterprise support plan for full access

CloudFormation Drift Detection

Description:

Identifies differences between deployed resources and CloudFormation template definitions

How It Works:

Compares actual resource configurations with the template that created them.
Detects manual changes made outside CloudFormation.

Capabilities:

  • stack_drift: Detect drift for entire stack
  • resource_drift: Identify specific resources that drifted
  • drift_details: Show exact configuration differences

CLI Commands:

# Detect drift
aws cloudformation detect-stack-drift \
  --stack-name my-security-stack

# Get drift status
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id xxxxx

# Get drift details
aws cloudformation describe-stack-resource-drifts \
  --stack-name my-security-stack

Boto3 Example:

import time
import boto3
cfn = boto3.client('cloudformation')

# Detect drift
response = cfn.detect_stack_drift(StackName='my-security-stack')
detection_id = response['StackDriftDetectionId']

# Poll until detection finishes: CloudFormation has no built-in waiter for drift detection.
# DetectionStatus is DETECTION_IN_PROGRESS, DETECTION_COMPLETE or DETECTION_FAILED.
while True:
    status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
    if status['DetectionStatus'] != 'DETECTION_IN_PROGRESS':
        break
    time.sleep(5)

# A resource changed or deleted outside CloudFormation counts as drift
drifts = cfn.describe_stack_resource_drifts(StackName='my-security-stack')
for drift in drifts['StackResourceDrifts']:
    if drift['StackResourceDriftStatus'] in ('MODIFIED', 'DELETED'):
        print(f"Resource {drift['LogicalResourceId']} has drifted")

AWS Systems Manager Compliance

Description:

Tracks patch compliance and custom compliance data

How It Works:

Collects compliance data from Systems Manager State Manager, Patch Manager,
and custom compliance sources. Provides unified compliance view.

Capabilities:

  • patch_compliance: Track OS and application patching status
  • association_compliance: Monitor State Manager association execution
  • custom_compliance: Upload custom compliance data

CLI Commands:

# Get compliance summary
aws ssm list-compliance-summaries

# Get resource compliance
aws ssm list-resource-compliance-summaries \
  --filters Key=ComplianceType,Values=Patch

# Put custom compliance
aws ssm put-compliance-items \
  --resource-id i-xxxxx \
  --resource-type ManagedInstance \
  --compliance-type Custom:SecurityBaseline \
  --execution-summary ExecutionTime=2025-11-25T12:00:00Z \
  --items Id=check1,Status=COMPLIANT

Third Party Tools

Comparison Workflow

  1. Define Baseline: Document desired secure configuration state
  2. Deploy Monitoring: Enable comparison tools
  3. Collect Findings: Gather compliance data from all sources
  4. Analyze Gaps: Identify deviations from baseline
  5. Remediate: Fix non-compliant configurations
  6. Report: Document compliance status

Best Practices

References