Live Online training

Continuous Compliance on AWS

Learn how to define compliance as code and run in a deployment pipeline on AWS

Paul Duvall

What if there was a way to ensure all of your AWS users had multi-factor authentication enabled or that all of your resources were encrypted? What’s more, what if you could define all of this as code so that it runs the same way across all of your AWS accounts?

When many think of IT compliance, they think of spreadsheets, documents, audits, and, generally, how “compliance” slows down the velocity of delivering value to end users. With AWS, however, everything is accessible via an API, and as a result, compliance can be treated as a code asset just like any other part of the software system. You can version, test, codify, monitor, and run compliance continuously. By doing this, you can ensure that all of your AWS infrastructure is always compliant with the control directives that ensure adherence to compliance regimes and good engineering practices.

In this course, you will learn how to use AWS services that provide the ability to define compliance as code, including AWS Config Rules, AWS Lambda, Amazon CloudWatch Event Rules, and Stelligent’s cfn_nag. You will learn to use a combination of these tools to prevent, detect, and remediate non-compliant resources within your software systems.

Throughout the course, you’ll see working examples of how to automate the provisioning of these services and how they can be included as part of a deployment pipeline using AWS CloudFormation and AWS CodePipeline.

What you'll learn, and how you can apply it

  • Understand key compliance concepts on AWS
  • Learn the different AWS services and tools that can automate compliance, including AWS CloudFormation, AWS Config Rules, AWS CodePipeline, AWS CloudWatch Event Rules, AWS Lambda, and Stelligent cfn_nag
  • Review the typical Continuous Compliance workflows for prevention, detection, and remediation
  • Discover the different ways you can ensure continuous compliance across your AWS infrastructure and code

This training course is for you because...

  • You're a software developer or compliance professional who wants to integrate compliance into every facet of the software development and delivery process
  • You have a working knowledge of AWS and programming experience and want to make compliance ubiquitous across all your systems


  • Working knowledge of AWS (e.g. 1-2+ years working with AWS). Knowledge of AWS CloudFormation is helpful.
  • Practical experience with a high-level programming language such as Python, Java, Node.js, etc.

Course Set-up

While it's not necessary for the course, it might benefit you to have Administrator access to an existing AWS account: https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/. Otherwise, you can watch live walkthroughs of the examples during the online training and will have access to these examples afterwards for your own study.

Recommended Preparation

Recommended Follow-up

Live Online Training: Continuous Encryption on AWS by Paul Duvall (dates vary; search to find upcoming date)

About your instructor

  • Paul Duvall is a founder of Stelligent and Chief AWS Evangelist at Mphasis, which is an AWS Premier Consulting Partner with the DevOps, Security, and Financial Services Competencies that has been implementing Continuous Delivery solutions on AWS since 2009. He's been an AWS Community Hero since 2016.

    He is 6x AWS certified including AWS Certified DevOps Engineer Professional and AWS Certified Security - Specialty. He has architected, implemented, and managed software and systems solutions for over 20 years, and is principal author of Continuous Integration: Improving Software Quality and Reducing Risk (Addison-Wesley, 2007), a 2008 Jolt Award Winner.

    He is also the author of many other publications, including DevOps Essentials on AWS LiveLessons (Addison-Wesley, 2017) and over 30 articles on topics around automation, DevOps, and AWS.


The timeframes are only estimates and may vary according to how the class is progressing

Introduction (10 min)

Automating AWS Resources (20 min)

  • About AWS CloudFormation
  • Exercise: Launch a simple CloudFormation stack

Preventative Controls (20 min)

  • About cfn_nag
  • Exercise: Run cfn_nag from the command line

Break and Q&A (10 min)

Detective Controls with AWS Config Rules and CloudWatch Event Rules (90 min)

  • About AWS Config and Config Rules
  • Setting up AWS Config Rules via Console
  • Configuring Managed Rules to run on your AWS account
  • Exercise: Run Managed Config Rules from the console
  • Exercise: Automate Managed Config Rules execution using AWS CloudFormation
  • Exercise: Custom Config Rules using the Rules Development Kit (RDK)
  • About Amazon CloudWatch Event Rules

Break and Q&A (10 min)

Automated Remediation with AWS Lambda (40 min)

  • Slack & Knowledge Base
  • Built-in Remediations
  • Custom Auto Remediations via Lambda
  • Exercise: Run an AWS Config Rule auto remediation routine

Continuous Compliance (25 min)

  • About AWS CodePipeline (10 min)
  • Exercise: Deployment Pipeline for encryption detection and remediation workflow (15 min)

Summary and Q&A (15 min)