Config Rules & Remediation
- Managed rules: 300+ pre-built (s3-bucket-public-read-prohibited, etc.)
- Custom rules: Lambda function evaluates resource changes
- Remediation: SSM Automation document triggered on non-compliance
- Remediation mode: automatic (runs on every non-compliant evaluation, with configurable retry count and interval) or manual (an operator triggers it from the console or API)
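As an added example (not code from the page or from AWS), here is the shape of a change-triggered custom rule: a Lambda that receives a configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports it back with put_evaluations. It checks that all four S3 Public Access Block settings are on. The configuration-item field names (supplementaryConfiguration.PublicAccessBlockConfiguration with lowerCamel keys) follow Config's item format as I understand it; treat them as an assumption and check against a real item before deploying. The sample events are constructed, the bucket name and result token are placeholders, and boto3 is imported lazily so the evaluation logic runs offline.

```python
"""Custom AWS Config rule: flag S3 buckets whose Public Access Block is not fully enabled.
Illustrative example; field names of the configuration item are assumed, verify before use."""
import json

# The four settings every bucket must have set to true (assumed key names in the Config item)
PAB_KEYS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(ci):
    """Return (compliance_type, annotation) for one AWS::S3::Bucket configuration item."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    # A deleted resource must not be left with a stale NON_COMPLIANT evaluation
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Bucket deleted"
    pab = (ci.get("supplementaryConfiguration") or {}).get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]  # absent keys count as not enabled
    if missing:
        return "NON_COMPLIANT", "Public Access Block not fully enabled: " + ", ".join(missing)
    return "COMPLIANT", "All four Public Access Block settings enabled"


def build_evaluation(event):
    """Parse the Config invocation event into one put_evaluations entry, or None to skip."""
    invoking = json.loads(event["invokingEvent"])  # invokingEvent is a JSON string
    if invoking.get("messageType") == "ScheduledNotification":
        return None  # periodic trigger carries no configurationItem; this rule is change-triggered only
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate_bucket(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the result to Config using the event's resultToken."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"status": "skipped"}
    import boto3  # imported here so the evaluation logic above runs without AWS credentials
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"status": evaluation["ComplianceType"]}


def sample_event(pab, status="OK", message_type="ConfigurationItemChangeNotification"):
    """Constructed invocation event (not captured from a real account) for local testing."""
    ci = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",  # placeholder bucket name
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": pab},
    }
    return {
        "invokingEvent": json.dumps({"messageType": message_type, "configurationItem": ci}),
        "ruleParameters": "{}",
        "resultToken": "constructed-token",  # placeholder; Config supplies the real one
    }


if __name__ == "__main__":
    print(build_evaluation(sample_event({"blockPublicAcls": True, "ignorePublicAcls": False})))
```

The deleted-resource branch matters in practice: without it, a bucket that was NON_COMPLIANT when deleted keeps its last evaluation and the remediation action can keep firing against a resource that no longer exists.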
Security Hub Standards
- AWS Foundational Security Best Practices (FSBP)
- CIS AWS Foundations Benchmark (v1.2, v1.4)
- PCI DSS v3.2.1
- NIST SP 800-53 Rev. 5
- Security score: percentage of passed controls
SCPs (Preventive Controls)
- Attached to the root, OUs or accounts; set the maximum permissions available to principals in the affected accounts
- Do NOT grant permissions; effective access is the intersection of the SCP allow-list and the identity's IAM policies, so an SCP that only contains Deny statements still needs an Allow (typically the default FullAWSAccess) alongside it, or nothing is permitted
- Do not affect the management account or service-linked roles
- Common patterns: deny region, deny service, enforce encryption, deny root usage
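The interaction between an SCP and an identity policy is easy to get wrong, so here is an added example (my own illustration, not AWS code or a real policy evaluator) that models the intersection on a small policy subset: wildcard Action/NotAction matching and the StringEquals/StringNotEquals/StringLike/StringNotLike condition operators. It embeds the deny-region and deny-root patterns from the list above as SCPs, plus the default FullAWSAccess policy, and walks through four cases: a normal call, a call in a blocked region, a call the SCP allows but the identity policy does not, and an OU where FullAWSAccess has been detached. Resource matching, the management-account exemption and the remaining condition operators are deliberately not modelled; the account ID and role name are placeholders.

```python
"""Toy model of how SCPs and identity policies combine. Illustration only; not a full IAM evaluator."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(condition, ctx):
    """Evaluate the subset of condition operators used by common SCP patterns."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [str(v) for v in _as_list(expected)]
            if op == "StringEquals":
                ok = actual in wanted
            elif op == "StringNotEquals":
                ok = actual not in wanted  # absent key satisfies a negated operator, as in IAM
            elif op == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            elif op == "StringNotLike":
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"condition operator {op} is not modelled here")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, ctx):
    """A statement applies when its Action (or the complement of its NotAction) covers the call."""
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:
        hit = not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return hit and _conditions_hold(stmt.get("Condition", {}), ctx)


def decide(policies, action, ctx):
    """Combine the statements of one policy set: explicit Deny wins, then Allow, else implicit deny."""
    result = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                result = "allow"
    return result


def is_allowed(identity_policies, scp_levels, action, ctx):
    """Allowed only if the SCPs at every level of the OU path allow it AND the identity policy allows it."""
    if any(decide(level, action, ctx) != "allow" for level in scp_levels):
        return False
    return decide(identity_policies, action, ctx) == "allow"


# Policies (constructed). FullAWSAccess is the default SCP Organizations attaches everywhere.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_OUTSIDE_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideAllowedRegions", "Effect": "Deny",
    # Global services have no region and must be exempted, or the SCP breaks IAM, STS and Organizations calls
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
DENY_ROOT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}
DEPLOY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

ROLE = "arn:aws:iam::111122223333:role/Deploy"  # placeholder principal
ROOT = "arn:aws:iam::111122223333:root"


def walkthrough():
    """Four cases showing that SCPs only narrow what the identity policy already grants."""
    levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_OUTSIDE_REGIONS, DENY_ROOT]]  # root OU, then workload OU
    ctx = lambda region, principal: {"aws:RequestedRegion": region, "aws:PrincipalArn": principal}
    return {
        "role_ec2_allowed_region": is_allowed([DEPLOY_ROLE_POLICY], levels, "ec2:RunInstances", ctx("us-east-1", ROLE)),
        "role_ec2_blocked_region": is_allowed([DEPLOY_ROLE_POLICY], levels, "ec2:RunInstances", ctx("ap-southeast-2", ROLE)),
        # SCP allows iam:CreateUser (it is exempt from the region deny), but the role's policy never granted it
        "role_iam_not_granted": is_allowed([DEPLOY_ROLE_POLICY], levels, "iam:CreateUser", ctx("us-east-1", ROLE)),
        "root_denied": is_allowed([FULL_AWS_ACCESS], levels, "ec2:RunInstances", ctx("us-east-1", ROOT)),
        # Detaching FullAWSAccess from the workload OU leaves only Deny statements there: nothing is allowed
        "deny_only_ou": is_allowed([DEPLOY_ROLE_POLICY], [[FULL_AWS_ACCESS], [DENY_OUTSIDE_REGIONS, DENY_ROOT]],
                                   "ec2:RunInstances", ctx("us-east-1", ROLE)),
    }


if __name__ == "__main__":
    for case, allowed in walkthrough().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

The last case is the one that bites in real deployments: an OU with only a deny-list SCP attached and FullAWSAccess removed blocks every API call in every member account, which is why a new deny SCP should be tested on a sandbox OU before it is moved up the hierarchy.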
Multi-Account Governance
- Control Tower: landing zone plus guardrails (now called controls): preventive (implemented as SCPs), detective (implemented as Config rules) and proactive (CloudFormation hooks that block non-compliant resources before creation)
- Firewall Manager: centralized WAF, Shield, SG, Network Firewall policies
- Config aggregator: multi-account compliance dashboard
- Delegated administrator: security account manages security services