The Config rules are an essential component when looking to enforce specific compliance needs within your organization. These rules can be custom created or you can use a number of predefined rules that AWS has configured against some of the most common requirements:

The rules themselves are just a Lambda function that performs evaluation logic to determine the result and whether the resource in question is compliant or noncompliant. An important point to make is that any resource identified as non-compliant will still remain operational and in service, as they are simply highlighted as non-compliant, allowing you to determine the best course of action to rectify the issue. If the compliance status of a resource changes, a message is sent to the configuration stream.

The rules are evaluated every time there is a change against a resource, or they can be configured to run on a scheduled basis.