AWS Config rules evaluate the configuration settings of your AWS resources. This page discusses the components of a rule.
How AWS Config Rules WorkWhile AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes do not comply with the conditions in your rules. If a resource does not comply with rule, AWS Config flags the resource and the rule as noncompliant.
There are four possible evaluation results for an AWS Config rule.
Evaluation result DescriptionCOMPLIANT The rule passes the conditions of the compliance check. NON_COMPLIANT The rule fails the conditions of the compliance check. ERROR The one of the required/optional parameters is not valid, not of the correct type, or is formatted incorrectly. NOT_APPLICABLE Used to filter out resources that the logic of the rule cannot be applied to. For example, the alb-desync-mode-check rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers.
For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.
Trigger TypesAfter you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.
Trigger type Description Configuration changes AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification.You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:
One or more resource types
A combination of a resource type and a resource ID
A combination of a tag key and value
When any recorded resource is created, updated, or deleted
AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.
Periodic AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. Hybrid Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify. Evaluation ModesThere are two evaluation modes for AWS Config rules.
Evaluation mode Description ProactiveUse proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.
Detective Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. NoteProactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
For more information, see Turning on Proactive Evaluation for AWS Config Rules.
List of managed rules with proactive evaluationFor a list of managed rules that support proactive evaluation, see List of AWS Config Managed Rules by Evaluation Mode.
List of supported resource types for proactive evaluationThe following is a list of resource types that are supported for proactive evaluation:
AWS::ApiGateway::Stage
AWS::AutoScaling::AutoScalingGroup
AWS::EC2::EIP
AWS::EC2::Instance
AWS::EC2::Subnet
AWS::Elasticsearch::Domain
AWS::Lambda::Function
AWS::RDS::DBInstance
AWS::Redshift::Cluster
AWS::S3::Bucket
AWS::SNS::Topic
AWS Config rules can contain the following mutable metadata:
The defaultName is the name that instances of a rule will get by default.
The rule description provides context for what the rule evaluates. The AWS Config Console has a limit of 256 characters. As a best practice, the rule description should begin with âChecks ifâ and include a description of the NON_COMPLIANT scenario. Service Names should be written in full beginning with AWS or Amazon when first mentioned in the rule description. For example, AWS CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch for first use. Services names can be abbreviated after subsequent reference.
The scope determines which resource types the rule targets. For a list of supported resource types, see Supported Resource Types.
The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the access-keys-rotated managed rule includes maxAccessKeyAge as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".
The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the elasticsearch-logs-to-cloudwatch managed rule includes logTypes as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".
The supportedEvaluationModes determines when resources will be evaluated, either before a resource has been deployed or after a resource has been deployed.
DETECTIVE is used to evaluate resources which have already been deployed. This allows you to evaluate the configuration settings of your existing resources. PROACTIVE is used to evaluate resources before they have been deployed.
This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.
You can specify the supportedEvaluationModes to DETECTIVE, PROACTIVE, or both DETECTIVE and PROACTIVE. You must specify an evaluation mode and this field cannot remain empty.
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4