Introduction

As part of ensuring a secure and compliant cloud environment, this project demonstrates how to monitor, detect, and remediate configuration drift using AWS Config. Working in the role of a Security Engineer, the goal was to implement a continuous compliance system that enforces the organization’s security policy on EC2 instances and proactively addresses the common cloud misconfigurations that often become attack surface.

Project Objective

The aim of this project was to:

  1. Set up AWS Config to monitor and enforce the following organization-wide EC2 security policies:
  2. Identify and document top cloud misconfigurations that could weaken the security posture, and provide guidance on avoiding them.
  3. Detect and record policy violations using AWS Config, then remediate non-compliant resources.

Why This Matters for a Security Engineer

Cloud misconfigurations remain one of the top causes of security breaches in AWS. A Security Engineer must:

Process Overview

Step 1: Set Up AWS Config

  1. Navigate to the AWS Config service.
  2. Click Get started.
  3. Under Settings, accept the default options to record all resources.
  4. Click Next and complete the setup.

Screenshot: AWS Config setup page
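
The console steps above can be reproduced with the AWS SDK. The following Python script is an added example and is not part of the original project: it builds the same "record all resources" recorder configuration that the console default produces, applies it with boto3, and then audits the recorder so that a stopped or narrowed recorder (drift in the monitoring itself, which is easy to miss) is reported as a finding. The account ID, bucket name, region and the helper names (`setup_and_verify`, `audit_recorder`) are assumptions introduced here; the service-linked role path is the one AWS Config uses, and the pure helpers run without boto3 installed.

```python
"""Set up an AWS Config recorder that records all resource types, then verify it.

Added example, not part of the original project. Account ID and bucket name
below are placeholders; the Config service-linked role path is real.
"""
from __future__ import annotations

from typing import Any

RECORDER_NAME = "default"
CHANNEL_NAME = "default"


def recorder_config(role_arn: str, name: str = RECORDER_NAME) -> dict[str, Any]:
    """Request body for put_configuration_recorder matching the console default of
    'record all resources': every supported type plus global types such as IAM."""
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": {
            "allSupported": True,
            "includeGlobalResourceTypes": True,
        },
    }


def delivery_channel_config(bucket: str, name: str = CHANNEL_NAME) -> dict[str, Any]:
    """Request body for put_delivery_channel: configuration history and daily
    snapshots are written to the given S3 bucket."""
    return {
        "name": name,
        "s3BucketName": bucket,
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"},
    }


def audit_recorder(recorders: list[dict], statuses: list[dict]) -> list[str]:
    """Return findings (empty list means healthy) for the output of
    describe_configuration_recorders and describe_configuration_recorder_status.
    A recorder that is stopped, narrowed, or failing to deliver silently
    disables compliance monitoring, so each case becomes a finding."""
    findings: list[str] = []
    if not recorders:
        return ["no configuration recorder exists"]
    status_by_name = {s["name"]: s for s in statuses}
    for rec in recorders:
        group = rec.get("recordingGroup", {})
        if not group.get("allSupported"):
            findings.append(f"{rec['name']}: not recording all supported resource types")
        if not group.get("includeGlobalResourceTypes"):
            findings.append(f"{rec['name']}: global resource types (e.g. IAM) not recorded")
        st = status_by_name.get(rec["name"])
        if st is None or not st.get("recording"):
            findings.append(f"{rec['name']}: recorder is not running")
        elif st.get("lastStatus") == "Failure":
            findings.append(f"{rec['name']}: last delivery failed: {st.get('lastErrorMessage', '')}")
    return findings


def setup_and_verify(account_id: str, bucket: str, region: str = "us-east-1") -> list[str]:
    """Apply the configuration with boto3 and audit the result (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above work without the SDK

    cfg = boto3.client("config", region_name=region)
    # Service-linked role that AWS Config assumes to read resource configuration.
    role_arn = (
        f"arn:aws:iam::{account_id}:role/aws-service-role/"
        "config.amazonaws.com/AWSServiceRoleForConfig"
    )
    # Order matters: the delivery channel needs a recorder, and starting the
    # recorder needs a delivery channel.
    cfg.put_configuration_recorder(ConfigurationRecorder=recorder_config(role_arn))
    cfg.put_delivery_channel(DeliveryChannel=delivery_channel_config(bucket))
    cfg.start_configuration_recorder(ConfigurationRecorderName=RECORDER_NAME)
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    return audit_recorder(recorders, statuses)


if __name__ == "__main__":
    # Placeholders: use your own account ID and an existing bucket whose bucket
    # policy allows config.amazonaws.com to write to it.
    problems = setup_and_verify("123456789012", "my-config-bucket-PLACEHOLDER")
    print("healthy" if not problems else "\n".join(problems))
```

The credentials used need the `config:PutConfigurationRecorder`, `config:PutDeliveryChannel`, `config:StartConfigurationRecorder`, `config:DescribeConfigurationRecorders` and `config:DescribeConfigurationRecorderStatus` actions. Running `audit_recorder` on a schedule (or from a Lambda) is the check that keeps the rest of the compliance system honest: if the recorder itself is stopped or no longer records global types, every later rule evaluation is incomplete.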