This lab is currently in Beta; content may be updated as we refine the material.
LAB · ADVANCED

Config-Driven S3 Compliance Remediation

Detecting non-compliant S3 buckets is one thing. Closing the loop with automatic remediation is what separates an AWS DevOps Engineer from an operator. In this lab you will wire AWS Config, SSM Automation, and IAM together into a self-healing compliance pipeline for S3 bucket versioning.

60 minutes
aws/devops

Lab Overview

This lab takes you end-to-end through the compliance-as-code pattern that the DOP-C02 exam expects you to know inside and out: detect drift with AWS Config, remediate drift with SSM Automation, and let IAM glue the two together.

You will:

  • Enable AWS Config with a custom delivery bucket and deploy the S3_BUCKET_VERSIONING_ENABLED managed rule
  • Create an intentionally non-compliant S3 bucket (no versioning), trigger a rule evaluation, and confirm the NON_COMPLIANT finding
  • Author an SSM Automation runbook that calls PutBucketVersioning via aws:executeAwsApi
  • Forge the IAM roles and trust policies that let Config hand off remediation to SSM
  • Test the full loop: create a second non-compliant bucket, watch Config detect it, and verify that SSM auto-remediates and flips the bucket to COMPLIANT

Every resource is tagged lab=true, Course=dop-c02 and operates in us-east-1 under the TeKanAid lab IAM guardrails.
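
The three artifacts the steps above wire together, sketched as an added example (not the lab's own material): the SSM Automation runbook, the trust policy on the role it assumes, and the Config remediation parameter mapping, plus a small lint that checks they agree. The rule name, runbook name, role ARN and account ID are constructed placeholders, and the `lint` helper is hypothetical.

```python
# All names and the account ID below are constructed placeholders.
RULE = "s3-bucket-versioning-enabled"
DOC = "Lab-EnableS3BucketVersioning"
ROLE_ARN = "arn:aws:iam::111122223333:role/LabS3RemediationRole"

# SSM Automation runbook (schema 0.3) with a single aws:executeAwsApi step.
RUNBOOK = {
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {"BucketName": {"type": "String"},
                   "AutomationAssumeRole": {"type": "String"}},
    "mainSteps": [{
        "name": "EnableVersioning",
        "action": "aws:executeAwsApi",
        "inputs": {"Service": "s3", "Api": "PutBucketVersioning",
                   "Bucket": "{{ BucketName }}",
                   "VersioningConfiguration": {"Status": "Enabled"}},
    }],
}

# Trust policy on the role the runbook assumes: only SSM may assume it.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ssm.amazonaws.com"}}]}

# Remediation action: RESOURCE_ID carries the non-compliant bucket's name.
REMEDIATION = {
    "ConfigRuleName": RULE, "TargetType": "SSM_DOCUMENT", "TargetId": DOC,
    "Automatic": True, "MaximumAutomaticAttempts": 3, "RetryAttemptSeconds": 60,
    "Parameters": {
        "AutomationAssumeRole": {"StaticValue": {"Values": [ROLE_ARN]}},
        "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}},
}

def lint(runbook, trust, remediation):
    """Return wiring problems; an empty list means the pieces line up."""
    problems = []
    mapped = remediation["Parameters"]
    for name in sorted(set(runbook["parameters"]) - set(mapped)):
        problems.append(f"runbook parameter {name} is not mapped")
    for name in sorted(set(mapped) - set(runbook["parameters"])):
        problems.append(f"mapping {name} has no runbook parameter")
    if not any(v.get("ResourceValue", {}).get("Value") == "RESOURCE_ID"
               for v in mapped.values()):
        problems.append("no parameter receives RESOURCE_ID")
    principals = [s.get("Principal", {}).get("Service") for s in trust["Statement"]]
    if "ssm.amazonaws.com" not in principals:
        problems.append("role trust policy does not allow ssm.amazonaws.com")
    return problems
```

Serialized with `json.dumps`, `RUNBOOK` is the document content for `aws ssm create-document` and `REMEDIATION`, wrapped in a list, is the payload for `aws configservice put-remediation-configurations`.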

What You'll Learn

Enable AWS Config with a custom delivery channel and deploy a managed rule from the AWS CLI

Trigger on-demand Config rule evaluations and interpret NON_COMPLIANT vs COMPLIANT findings

Construct an SSM Automation runbook that wraps a service API call using aws:executeAwsApi

Build the IAM trust and permission chain that allows Config to delegate remediation to SSM Automation

Configure a Config rule remediation action with resource-ID parameter mapping

Validate the full detect-and-remediate loop by creating a non-compliant resource and observing automatic compliance enforcement

Prerequisites

aws-devops-cli-operations-baseline

basic-iam-and-s3-familiarity

completed-aws-devops-cli-operations-baseline-lab

Technologies Covered

aws, config, ssm, compliance, s3, remediation, dop-c02, automation, versioning

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
