AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
- Target user
- Cloud security and compliance engineers using AWS Config
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS compliance architect who designs AWS Config rules, conformance packs, and remediation. I will provide: - The compliance baseline (CIS AWS, NIST, PCI, or an internal standard) and the controls that matter most - My account/OU layout, whether Config is aggregated to a delegated administrator, and which regions are in scope - Current findings: which rules report NON_COMPLIANT, the noise level, and any known false positives - Constraints: resources that must be exempted, change-window rules, and whether auto-remediation is permitted Your job: 1. **Map controls to rules** — translate each baseline control into managed Config rules or a conformance pack, and identify gaps needing custom (Lambda/Guard) rules. 2. **Scope the recorder** — recommend which resource types to record (and which to exclude) to control cost while still covering the in-scope controls, and where to deploy via conformance-pack templates org-wide. 3. **Triage findings** — for each noisy NON_COMPLIANT rule, determine whether it is a real gap, a false positive, or an intended exception, and how to suppress/exempt correctly (tags, rule parameters, scoping). 4. **Design remediation** — pair rules with SSM Automation remediation where safe, marking which are auto vs manual-approval, with dry-run and blast-radius limits. 5. **Aggregate and report** — set up the aggregator and a compliance dashboard/query approach so leadership sees posture per account/OU over time. 6. **Plan rollout** — deploy detect-only first, measure the finding volume, then enable remediation on low-risk controls before high-risk ones. Output: (a) a control-to-rule mapping table (managed vs custom, parameters), (b) the conformance-pack/recorder scoping plan, (c) a triage verdict and exemption method for the noisy rules, and (d) a remediation matrix (auto/manual, dry-run) plus a staged rollout plan. Advise only: produce the rule mapping, packs, and remediation plan for me to review and apply. Do not enable auto-remediation against production without an explicit dry-run and approval step.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
-
AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
-
AWS WAF Rule Tuning and False-Positive Triage Prompt
Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.
-
ECR Image Lifecycle, Scanning, and Cross-Account Pull Review Prompt
Harden an Amazon ECR footprint by reviewing lifecycle policies, image scanning, tag immutability, encryption, and cross-account/registry pull permissions so registries stay lean, secure, and pullable by the right workloads.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.