Majed Saeed

Cloud Misconfiguration Auto-Remediation

AWS Config continuously evaluates resources against rules. This project closes the gap between detecting a misconfiguration and fixing it by wiring Config findings to a Lambda function that enforces the desired state, with SNS notifying on every action. The result is a self-contained guardrail that keeps common misconfigurations from lingering.

Technologies

AWS Config · Lambda · EventBridge · SNS · IAM · S3 · CloudWatch · Python

Problem

In most accounts, misconfigurations are found long after they appear — a public S3 bucket, an over-permissive security group, logging switched off. Manual review does not scale, and the window between mistake and fix is exactly when risk is highest.

Architecture

AWS Config records configuration changes and evaluates them against managed and custom rules. A non-compliant finding emits an event that EventBridge routes to a Lambda function. Lambda inspects the resource, applies the remediation, and publishes a structured message to an SNS topic so the action is auditable. IAM roles are scoped to only the permissions each step needs.

Security considerations

The remediation role follows least privilege — it can act on the specific resource types it manages and nothing more. Every automated change is announced through SNS, so there is a record and a human can review or roll back.
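One way to make that least-privilege statement concrete, as an added example that is not the project's own code: derive the execution role's policy from the remediations the function actually performs, and lint it against the broad "s3:* on *" form such functions often start with. The IAM action names and the aws:ResourceAccount global condition key are real; the account id, region, topic name and function name are placeholders, and the single "s3_public_access_block" remediation is an assumed entry.

```python
"""Added example, not the project's own code: generate the remediation role's
least-privilege policy from the fixes the function actually performs, and lint it
against the broad form. The IAM action names and the aws:ResourceAccount condition
key are real; account id, region, topic and function names are placeholders."""

def fix_permissions(account):
    """Exact actions each remediation needs. S3 bucket ARNs carry no account id, so
    aws:ResourceAccount pins the statement to this account despite the '*' bucket."""
    return {
        "s3_public_access_block": {
            "Action": ["s3:GetBucketPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
            "Resource": "arn:aws:s3:::*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": account}},
        },
    }

def build_policy(account, region, topic_name, function_name, remediations):
    """Policy document for the Lambda execution role: one statement per enabled
    remediation, one for the SNS topic, one for the function's own log group.
    Sids are kept alphanumeric, which is all IAM identity policies accept."""
    perms = fix_permissions(account)
    statements = [{"Sid": "Fix" + "".join(p.capitalize() for p in name.split("_")),
                   "Effect": "Allow", **perms[name]} for name in remediations]
    statements.append({"Sid": "AnnounceEveryAction", "Effect": "Allow", "Action": "sns:Publish",
                       "Resource": f"arn:aws:sns:{region}:{account}:{topic_name}"})
    statements.append({"Sid": "OwnLogGroup", "Effect": "Allow",
                       "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                       "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}:*"})
    return {"Version": "2012-10-17", "Statement": statements}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy):
    """Findings for statements that let the role do more than it manages: wildcard or
    service-wide actions, and a bare '*' resource with no scoping condition."""
    findings = []
    for s in policy["Statement"]:
        for a in _as_list(s["Action"]):
            if "*" in a.split(":", 1)[-1]:  # catches '*', 's3:*' and 's3:Put*'
                findings.append(f"{s['Sid']}: broad action {a}")
        if "*" in _as_list(s["Resource"]) and "Condition" not in s:
            findings.append(f"{s['Sid']}: unscoped resource *")
    return findings

# The "get it working" policy such functions often start with, for contrast.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FixEverything", "Effect": "Allow",
     "Action": ["s3:*", "sns:Publish"], "Resource": "*"}]}

# Placeholder account, region and names; the one enabled remediation is assumed.
SCOPED_POLICY = build_policy("123456789012", "us-east-1", "config-remediation",
                             "config-remediation", ["s3_public_access_block"])
```

Running `lint_policy` over `BROAD_POLICY` reports the service-wide action and the unscoped resource; over `SCOPED_POLICY` it reports nothing. The useful property is that the policy grows only when a new entry is added to the remediation table, so the role can never act on a resource type the function has no fix for.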

Challenges

Getting the IAM boundaries right took the most iteration: broad enough for Lambda to remediate, narrow enough to be safe. Idempotency also mattered — the function has to behave correctly if it runs twice on the same finding.
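The Config -> EventBridge -> Lambda -> SNS path from the Architecture section, and the "runs twice on the same finding" requirement above, as one added example that is not the project's own code. It reads the documented fields of a "Config Rules Compliance Change" event, dispatches on resource type and rule name, makes the fix idempotent by reading current state before writing, and announces every outcome on SNS. The rule name, bucket name, topic ARN and the fake S3 and SNS clients are constructed for the demo; the real entry point wires in boto3 clients.

```python
"""Added example, not the project's own code: the Config -> EventBridge -> Lambda -> SNS
path from Architecture, written so the same finding can be delivered twice (the
idempotency point under Challenges). Event fields read below are the documented shape
of a "Config Rules Compliance Change" event; rule name, bucket, topic ARN and the
fake clients are constructed for the demo."""
import json
from datetime import datetime, timezone

# EventBridge rule pattern: only NON_COMPLIANT evaluations reach the function.
EVENT_PATTERN = {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
                 "detail": {"messageType": ["ComplianceChangeNotification"],
                            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}

ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def remediate_s3_public_access(s3, bucket):
    """Enforce all four Public Access Block settings on one bucket. Idempotent:
    read the current state first and write only when something is off."""
    try:
        current = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore raises ClientError; inspect its error code
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code != "NoSuchPublicAccessBlockConfiguration":
            raise
        current = {}  # bucket never had a block configured
    if all(current.get(k) for k in ALL_BLOCKED):
        return "already_compliant"
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=ALL_BLOCKED)
    return "remediated"

# (resourceType, configRuleName) -> (client name, fix). The rule name is an assumed one.
REMEDIATIONS = {("AWS::S3::Bucket", "s3-bucket-public-access-prohibited"):
                ("s3", remediate_s3_public_access)}

def handle_finding(event, clients, topic_arn):
    """Core logic with injected clients. Every outcome, including 'unhandled',
    is announced on the SNS topic so a human has a record to review."""
    d = event["detail"]
    if d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return {"outcome": "ignored"}
    key = (d["resourceType"], d["configRuleName"])
    if key in REMEDIATIONS:
        service, fix = REMEDIATIONS[key]
        outcome = fix(clients[service], d["resourceId"])
    else:
        outcome = "unhandled"  # unknown rule: report it, never guess a fix
    record = {"rule": d["configRuleName"], "resourceType": d["resourceType"],
              "resourceId": d["resourceId"], "account": d.get("awsAccountId"),
              "region": d.get("awsRegion"), "outcome": outcome,
              "time": datetime.now(timezone.utc).isoformat()}
    clients["sns"].publish(TopicArn=topic_arn, Message=json.dumps(record),
                           Subject=f"[config-remediation] {outcome}: {d['resourceId']}"[:100])
    return record

def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so everything else runs without it."""
    import os, boto3
    clients = {"s3": boto3.client("s3"), "sns": boto3.client("sns")}
    return handle_finding(event, clients, os.environ["TOPIC_ARN"])

# --- constructed fakes and a demo run; nothing below talks to AWS -----------------
class _Err(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class _FakeS3:
    def __init__(self, cfg=None):
        self.cfg, self.puts = cfg, 0
    def get_public_access_block(self, Bucket):
        if self.cfg is None:
            raise _Err("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self.cfg)}
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.cfg, self.puts = dict(PublicAccessBlockConfiguration), self.puts + 1

class _FakeSNS:
    def __init__(self):
        self.messages = []
    def publish(self, TopicArn, Subject, Message):
        self.messages.append(json.loads(Message))
        return {"MessageId": str(len(self.messages))}

def demo(rule="s3-bucket-public-access-prohibited"):
    """Deliver one constructed finding twice: first run fixes, second is a no-op,
    both runs are announced. Returns (first, second, S3 writes, SNS messages)."""
    s3, sns = _FakeS3(), _FakeSNS()
    clients, topic = {"s3": s3, "sns": sns}, "arn:aws:sns:us-east-1:123456789012:config-remediation"
    event = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
             "detail": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
                        "configRuleName": rule, "awsAccountId": "123456789012",
                        "awsRegion": "us-east-1", "messageType": "ComplianceChangeNotification",
                        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}
    first = handle_finding(event, clients, topic)["outcome"]
    second = handle_finding(event, clients, topic)["outcome"]
    return first, second, s3.puts, len(sns.messages)
```

`demo()` delivers the same finding twice: the first run writes the Public Access Block and reports "remediated", the second reads the now-correct state and reports "already_compliant" without writing, and both runs produce an SNS message. Idempotency comes from checking the resource, not from remembering event ids, so a retried invocation and a duplicate EventBridge delivery behave the same. A finding for a rule with no registered fix is announced as "unhandled" and the resource is left alone.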

Lessons learned

Automated remediation is as much about restraint as capability. Notifying on every action and keeping the rule set small turns an aggressive idea into a dependable guardrail you can actually leave running.


View the repository on GitHub →