AWS Config lets you record and audit the compliance of your AWS resources and save their configurations so you can roll back if needed in the future. It is configured per region as well, and there is no free tier, so be aware of the cost. The configuration data can be stored in S3 for later analysis. You can have an SNS notification sent if the configuration of any of your AWS services is changed. For example, you could use AWS Config to determine if a bucket is publicly accessible, if your ALB config has changed, etc.
There are over 75 AWS managed config rules, but you are free to create your own by utilizing Lambda functions. For example, you could create a config rule to evaluate whether each EC2 instance is of type t2.micro. The frequency at which these rules are evaluated can be any time there is a config change, or they can be checked at regular intervals.
You can then take this data and use it to determine if a resource is compliant. If you have a config rule stating that all instances must be t2.micro and one of them is not, that instance will be marked noncompliant. You can then look at the history to see when the change occurred and link it with CloudTrail to determine what API call was made at the time of the change. AWS Config is used purely for logging and confirming compliance; config rules do not deny users from performing certain actions, that is where IAM is used.
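The custom rule described above, written out as an added example (this is not code from the original notes): a Lambda-backed AWS Config rule that marks an EC2 instance COMPLIANT only when its instance type matches the allowed type. The rule parameter name `allowedInstanceType`, the default of `t2.micro`, and the sample event are assumptions constructed for this example; the event shape (a JSON-encoded `invokingEvent` containing the `configurationItem`, a JSON-encoded `ruleParameters` string, and a `resultToken`) is what Config passes to a change-triggered rule. The evaluation logic is kept separate from the `put_evaluations` call so it can be unit-tested offline without boto3.

```python
"""Custom AWS Config rule (added example): is each EC2 instance of the allowed type?"""
import json

# Assumed rule parameter name and default; both are choices made for this example.
DEFAULT_ALLOWED_TYPE = "t2.micro"
PARAM_NAME = "allowedInstanceType"

# Statuses for which Config expects NOT_APPLICABLE rather than a verdict.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_instance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item."""
    allowed = rule_parameters.get(PARAM_NAME, DEFAULT_ALLOWED_TYPE)
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource no longer exists"
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates AWS::EC2::Instance"
    actual = configuration_item.get("configuration", {}).get("instanceType")
    if actual == allowed:
        return "COMPLIANT", f"Instance type {actual} is the allowed type"
    return "NON_COMPLIANT", f"Instance type {actual} is not {allowed}"


def build_evaluation(event):
    """Parse a change-triggered Config event into one Evaluation for put_evaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized items must be fetched via get_resource_config_history; not handled here.
        raise ValueError(f"unsupported messageType: {invoking_event.get('messageType')}")
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_instance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the result back to Config."""
    import boto3  # imported here so the pure logic above runs without the SDK installed

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event: a t3.large instance evaluated against the default t2.micro rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",  # constructed placeholder id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"instanceType": "t3.large"},
        },
    }),
    "ruleParameters": json.dumps({}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Deploying this as a custom rule with the trigger set to configuration changes gives the behaviour the notes describe: the instance above is reported NON_COMPLIANT with an annotation explaining why, and the rule's compliance timeline can then be lined up with CloudTrail to find the `RunInstances` or `ModifyInstanceAttribute` call that caused it.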
You can also attach SSM Automation Documents that are triggered when a resource becomes non-compliant and automatically return it to compliance, either by reverting the config change or by performing some other action to remediate the misconfiguration. For example, if a security group is modified, AWS Config detects the change and invokes an Automation Document that restores the security group config to its original state. You can set a fixed number of retries to perform if compliance is still not met. You can use AWS-managed Automation Documents, or create your own that might call a Lambda function to perform any action you need.
For events and notifications in response to these config alerts, you can use EventBridge and SNS. EventBridge can trigger an event based on any number of config changes, or you can simply use SNS to send a notification when a resource becomes non-compliant with the configured rules.