AWS Config
Overview
The AWS Config integration (regscale aws sync_config_compliance) syncs configuration compliance assessments from AWS Config rules, together with their remediation actions, into RegScale. This gives you automated, continuous compliance monitoring of resource configurations, with non-compliant resources surfaced as issues against the Security Plan you specify.
Command Syntax
regscale aws sync_config_compliance [OPTIONS]
Basic Usage
# Sync all Config compliance assessments
regscale aws sync_config_compliance --regscale-id 123
# With tag filtering
regscale aws sync_config_compliance \
--regscale-id 123 \
--tags Environment=production
What Gets Created in RegScale
- Control Assessments: Pass/fail status based on Config rules
- Issues: Created for non-compliant resources
- Compliance Timeline: Historical compliance data
- Remediation History: Automatic and manual remediation tracking
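The mapping behind those outputs, shown as an added illustration rather than the RegScale CLI's own code: it takes evaluation records in the shape AWS Config returns from get_compliance_details_by_config_rule, keeps only the newest record per resource, turns each NON_COMPLIANT result into an issue, and treats INSUFFICIENT_DATA and NOT_APPLICABLE as unassessed rather than passing. The rule-to-control mapping, the resources and the timestamps are constructed for the example; the rule names are AWS managed-rule identifiers.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _ev(rule, rtype, rid, ctype, when, note=""):
    """Build one evaluation record in the shape Config returns (trimmed to the
    fields used here)."""
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}},
            "ComplianceType": ctype,
            "ResultRecordedTime": datetime(*when, tzinfo=timezone.utc),
            "Annotation": note}


# Constructed sample: resources, annotations and timestamps are made up.
SAMPLE_EVALUATIONS = [
    _ev("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "example-logs-bucket",
        "NON_COMPLIANT", (2024, 5, 1, 12, 0), "Bucket ACL grants public read"),
    # an older finding on a second bucket that a later record shows as fixed
    _ev("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "example-data-bucket",
        "NON_COMPLIANT", (2024, 4, 30, 9, 0), "Bucket policy allows public read"),
    _ev("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "example-data-bucket",
        "COMPLIANT", (2024, 5, 1, 12, 0)),
    _ev("required-tags", "AWS::EC2::Instance", "i-0example1234567890",
        "COMPLIANT", (2024, 5, 1, 12, 5)),
    # Config could not evaluate this one yet: neither pass nor fail
    _ev("mfa-enabled-for-iam-console-access", "AWS::IAM::User", "AIDAEXAMPLEUSER00001",
        "INSUFFICIENT_DATA", (2024, 5, 1, 12, 5)),
]

# Constructed rule-to-control mapping. How a deployment ties a rule to a control
# (rule tags, a conformance pack, a catalog mapping) is outside this example.
RULE_TO_CONTROLS = {
    "s3-bucket-public-read-prohibited": ("AC-3",),
    "required-tags": ("CM-2",),
    "mfa-enabled-for-iam-console-access": ("AC-2",),
}


def assess(evaluations, rule_to_controls):
    """Reduce evaluations to per-control Pass/Fail plus one issue per
    non-compliant resource.

    Only the newest record per (rule, resource) counts, so a resource that was
    remediated after an earlier finding is not still reported as an issue.
    NOT_APPLICABLE and INSUFFICIENT_DATA contribute nothing: a control backed
    only by such results is "Not Assessed" rather than silently passing.
    """
    latest = {}
    for ev in evaluations:
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        key = (q["ConfigRuleName"], q["ResourceType"], q["ResourceId"])
        if key not in latest or ev["ResultRecordedTime"] > latest[key]["ResultRecordedTime"]:
            latest[key] = ev

    seen = defaultdict(set)  # control id -> compliance types observed for it
    issues = []
    for (rule, rtype, rid), ev in sorted(latest.items()):
        ctype = ev["ComplianceType"]
        for control in rule_to_controls.get(rule, ()):
            seen[control].add(ctype)
        if ctype == "NON_COMPLIANT":
            issues.append({
                "title": f"{rule} non-compliant on {rtype} {rid}",
                "rule": rule,
                "resource_type": rtype,
                "resource_id": rid,
                "controls": list(rule_to_controls.get(rule, ())),
                "description": ev.get("Annotation") or "No annotation from Config",
                "recorded": ev["ResultRecordedTime"].isoformat(),
            })

    assessments = {}
    for control in {c for cs in rule_to_controls.values() for c in cs}:
        observed = seen.get(control, set())
        if "NON_COMPLIANT" in observed:
            assessments[control] = "Fail"
        elif "COMPLIANT" in observed:
            assessments[control] = "Pass"
        else:
            assessments[control] = "Not Assessed"
    return assessments, issues


if __name__ == "__main__":
    found, open_issues = assess(SAMPLE_EVALUATIONS, RULE_TO_CONTROLS)
    for control, status in sorted(found.items()):
        print(f"{control}: {status}")
    for issue in open_issues:
        print("ISSUE:", issue["title"], "-", issue["description"])
```

Run as a script, it reports AC-2 as Not Assessed, AC-3 as Fail and CM-2 as Pass, with a single issue for example-logs-bucket; the data bucket's older finding is superseded by the newer compliant record and produces no issue.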
Common Use Cases
Daily Compliance Monitoring
regscale aws sync_config_compliance \
--regscale-id 123 \
--tags Environment=production \
--create-issues
Multi-Account Compliance
regscale aws sync_config_compliance \
--regscale-id 123 \
--account-id 123456789012 \
--tags Compliance=Required
Evidence Collection
Collect evidence for AWS Config compliance assessments:
regscale aws sync_config_compliance --regscale-id 123 \
--collect-evidence \
--evidence-control-ids AC-2,AC-3,CM-2
Options:
- --collect-evidence - Enable evidence collection
- --evidence-as-attachments - Store evidence as SSP attachments (default: True)
- --evidence-as-records - Store evidence as individual Evidence records
- --evidence-control-ids - Comma-separated list of control IDs
- --evidence-frequency - Evidence update frequency in days (default: 30)
Filtering Options
Filter by Account ID
regscale aws sync_config_compliance --regscale-id 123 --account-id 123456789012
Filter by Tags
regscale aws sync_config_compliance --regscale-id 123 \
--tags Environment=production,Compliance=required
Sync Conformance Pack Compliance
Sync compliance for a specific conformance pack:
regscale aws sync_config_compliance --regscale-id 123 \
--conformance-pack-name MyConformancePack
Use Security Hub for Compliance Data
Use Security Hub as the source for compliance data:
regscale aws sync_config_compliance --regscale-id 123 --use-security-hub
Command Options
| Option | Description | Example |
|---|---|---|
| --regscale-id | Security Plan ID (required) | --regscale-id 123 |
| --tags | Filter by tags | --tags Env=prod |
| --account-id | Filter by account | --account-id 123456789012 |
| --create-issues | Create issues for non-compliance | --create-issues |
| --region | AWS region | --region us-east-1 |
| --conformance-pack-name | Name of Conformance Pack | --conformance-pack-name MyConformancePack |
Best Practices
- Enable AWS Config in all regions where resources exist
- Tag Config rules for compliance boundary identification
- Schedule daily syncs for continuous monitoring
- Use with Audit Manager for comprehensive compliance
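A wrapper for the daily, multi-account sync described under Common Use Cases and recommended above, written as an added example that is not part of the RegScale CLI: it validates the account id and tag filters, assembles the command line from the options documented on this page, and runs one sync per account, recording each exit code so a failure in one account does not stop the others. The account ids are constructed, and build_sync_args and run_daily_sync are names introduced here.

```python
import re
import subprocess

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")            # AWS account ids are 12 digits
TAG_RE = re.compile(r"^[^=,\s]+=[^=,\s]*$")         # Key=Value, as --tags expects
CONTROL_ID_RE = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")  # e.g. AC-2 or AC-2(1)


def build_sync_args(regscale_id, account_id=None, tags=(), create_issues=False,
                    region=None, conformance_pack=None, evidence_control_ids=()):
    """Assemble argv for one sync run, rejecting malformed filters up front so
    a typo in a tag or account id fails loudly instead of quietly syncing
    nothing (a mistyped tag filter simply matches no rules)."""
    if not isinstance(regscale_id, int) or regscale_id <= 0:
        raise ValueError(f"invalid Security Plan id: {regscale_id!r}")
    argv = ["regscale", "aws", "sync_config_compliance", "--regscale-id", str(regscale_id)]
    if account_id is not None:
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"account id must be 12 digits: {account_id!r}")
        argv += ["--account-id", account_id]
    bad_tags = [t for t in tags if not TAG_RE.match(t)]
    if bad_tags:
        raise ValueError(f"tags must be Key=Value: {bad_tags}")
    if tags:
        argv += ["--tags", ",".join(tags)]
    if create_issues:
        argv.append("--create-issues")
    if region:
        argv += ["--region", region]
    if conformance_pack:
        argv += ["--conformance-pack-name", conformance_pack]
    bad_ids = [c for c in evidence_control_ids if not CONTROL_ID_RE.match(c)]
    if bad_ids:
        raise ValueError(f"control ids look wrong: {bad_ids}")
    if evidence_control_ids:
        argv += ["--collect-evidence",
                 "--evidence-control-ids", ",".join(evidence_control_ids)]
    return argv


def run_daily_sync(regscale_id, accounts, tags=("Environment=production",),
                   evidence_control_ids=(), runner=subprocess.run):
    """Sync every account in turn and report each exit code.

    A failure in one account is recorded and the loop continues, so one broken
    account does not leave the others unsynced for the day. `runner` defaults
    to subprocess.run and can be swapped for a fake when testing."""
    outcomes = {}
    for account in accounts:
        argv = build_sync_args(regscale_id, account_id=account, tags=tags,
                               create_issues=True,
                               evidence_control_ids=evidence_control_ids)
        try:
            outcomes[account] = runner(argv).returncode
        except OSError as exc:  # e.g. regscale not on PATH
            outcomes[account] = f"error: {exc}"
    return outcomes


if __name__ == "__main__":
    # Constructed account ids; replace with your own list (or read it from a file).
    print(run_daily_sync(123, ["123456789012", "210987654321"],
                         evidence_control_ids=("AC-2", "AC-3", "CM-2")))
```

Schedule the script from cron or a CI job for the daily sync; a non-zero entry in the returned mapping is the signal to alert on, since the sync for that account produced no fresh assessments.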
