AWS Config Custom Rules
AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions (AWS Lambda Developer Guide) and with Guard (Guard GitHub Repository). AWS Config custom rules created with Lambda are called AWS Config Custom Lambda Rules, and AWS Config custom rules created with Guard are called AWS Config Custom Policy Rules.
AWS Config Custom Policy Rules
Rules written using Guard can be created from the AWS Config console or by using the AWS Config rule APIs. AWS Config Custom Policy rules allow you to create AWS Config Custom rules without needing to use Java or Python to develop Lambda functions to manage your custom rules. AWS Config Custom Policy rules are initiated by configuration changes. For more information about Guard, see the Guard GitHub Repository.
AWS Config Custom Lambda Rules
Custom Lambda rules provide you with the option to use Java or Python to create a Lambda function for an AWS Config Custom rule. A Lambda function is custom code that you upload to AWS Lambda, and it is invoked by events that are published to it by an event source. If the Lambda function is associated with an AWS Config rule, AWS Config invokes it when the rule is initiated. The Lambda function then evaluates the configuration information that is sent by AWS Config, and it returns the evaluation results. For more information about Lambda functions, see Function and Event Sources in the AWS Lambda Developer Guide.
Important
Avoid Unnecessary AWS Config Custom Lambda Rule Evaluations
When creating AWS Config custom Lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources. When evaluation results are marked as NOT_APPLICABLE, they will be marked for deletion and cleaned up. If they are NOT marked as NOT_APPLICABLE, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of configuration items (CIs) for ResourceCompliance upon rule deletion. For information on how to set AWS Config custom Lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with AWS Config custom Lambda rules.
Note: AWS Config custom policy rules handle this behavior by default.
Note
High Number of Lambda Function Invocations
AWS Config Custom Lambda Rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, provide resources in scope for your Custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.
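The following is an added example, not code from AWS or from this guide: it builds PutConfigRule request bodies for both kinds of custom rule described above, a Custom Policy (Guard) rule and a Custom Lambda rule, and refuses to build either without an explicit resource-type scope, which is the mitigation for the invocation spike the note warns about. The rule names, the Lambda ARN, and the Guard policy text (which checks S3 bucket versioning and assumes the path under which AWS Config records that setting) are assumed placeholders.

```python
import json


def _source_details(periodic=None):
    """SourceDetails for a rule triggered by configuration changes, plus an optional
    periodic trigger (a hybrid rule). The frequency is the AWS Config enum value,
    for example "TwentyFour_Hours"."""
    details = [
        {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"},
        {"EventSource": "aws.config", "MessageType": "OversizedConfigurationItemChangeNotification"},
    ]
    if periodic:
        details.append({"EventSource": "aws.config",
                        "MessageType": "ScheduledNotification",
                        "MaximumExecutionFrequency": periodic})
    return details


def build_custom_lambda_rule(name, lambda_arn, resource_types, periodic=None):
    """PutConfigRule body for a Custom Lambda rule. Refuses an empty scope: without
    ComplianceResourceTypes the function is invoked for every recorded resource."""
    if not resource_types:
        raise ValueError("custom Lambda rule must be scoped to at least one resource type")
    return {
        "ConfigRuleName": name,
        "Scope": {"ComplianceResourceTypes": sorted(set(resource_types))},
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": lambda_arn,
            "SourceDetails": _source_details(periodic),
        },
    }


# Assumed example Guard policy: a bucket is compliant when versioning is enabled.
# The supplementaryConfiguration path is an assumption about the recorded CI layout.
EXAMPLE_GUARD_POLICY = """\
rule versioning_enabled when resourceType == "AWS::S3::Bucket" {
    supplementaryConfiguration.BucketVersioningConfiguration.status == "Enabled"
}
"""


def build_custom_policy_rule(name, policy_text, resource_types, debug_logs=False):
    """PutConfigRule body for a Custom Policy (Guard) rule. These rules are only
    initiated by configuration changes, so no ScheduledNotification is added."""
    if not resource_types:
        raise ValueError("custom policy rule must be scoped to at least one resource type")
    return {
        "ConfigRuleName": name,
        "Scope": {"ComplianceResourceTypes": sorted(set(resource_types))},
        "Source": {
            "Owner": "CUSTOM_POLICY",
            "SourceDetails": [
                {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"}
            ],
            "CustomPolicyDetails": {
                "PolicyRuntime": "guard-2.x.x",
                "PolicyText": policy_text,
                "EnableDebugLogDelivery": debug_logs,
            },
        },
    }


def deploy(rule):
    """Create or update the rule through the AWS Config API (needs credentials)."""
    import boto3  # imported lazily so the builders above work without AWS access
    boto3.client("config").put_config_rule(ConfigRule=rule)


if __name__ == "__main__":
    lambda_rule = build_custom_lambda_rule(
        "s3-versioning-lambda",                                    # assumed rule name
        "arn:aws:lambda:us-east-1:123456789012:function:example",  # placeholder ARN
        ["AWS::S3::Bucket"],
        periodic="TwentyFour_Hours",                               # hybrid trigger
    )
    policy_rule = build_custom_policy_rule("s3-versioning-guard", EXAMPLE_GUARD_POLICY,
                                           ["AWS::S3::Bucket"])
    print(json.dumps(lambda_rule, indent=2))
    print(json.dumps(policy_rule, indent=2))
```

Passing the returned dictionary to `deploy` is the only step that touches AWS; everything else runs locally, so the scope check can be unit-tested before a rule is created.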
Trigger types
After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types:
- Configuration changes
  AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in the configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification.
  You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:
  - One or more resource types
  - A combination of a resource type and a resource ID
  - A combination of a tag key and value
  - When any recorded resource is created, updated, or deleted
  AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.
- Periodic
  AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.
- Hybrid
  Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.
Evaluation modes
There are two evaluation modes for AWS Config rules:
- Proactive
  Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.
  For more information, see Evaluation modes. For a list of managed rules that support proactive evaluation, see List of AWS Config Managed Rules by Evaluation Mode.
  Note
  Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
- Detective
  Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.
Managing deleted resources with AWS Config custom Lambda rules
Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE in order to avoid unnecessary rule evaluations. When you delete a resource, AWS Config creates a configurationItem with ResourceDeleted for the configurationItemStatus. You can use this metadata to check if a rule reports on a deleted resource. For more information on configuration items, see Concepts | Configuration Items.
Include the following code snippets to check for deleted resources and set the evaluation result of an AWS Config custom Lambda rule to NOT_APPLICABLE if it reports on a deleted resource:
Note
AWS Config managed rules and AWS Config custom policy rules handle this behavior by default.
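As an added example (not the snippet this guide goes on to show, and not AWS's code), the following is a complete custom Lambda rule handler that applies the rule above: it reads the configurationItemStatus from the invoking event, returns NOT_APPLICABLE for deleted resources and for resources that left the rule's scope, and otherwise evaluates the resource and reports through PutEvaluations. It also distinguishes the configuration-change and periodic (ScheduledNotification) message types from the Trigger types section. The compliance check itself (S3 bucket versioning, read from an assumed supplementaryConfiguration path), the sample configuration item, and the result token are constructed assumptions; `put_evaluations` is injectable so the logic runs without AWS access.

```python
import json


# configurationItemStatus values that mean the resource no longer exists.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def is_applicable(configuration_item, event):
    """A deleted resource, or one that left the rule's scope, must not be evaluated:
    returning NOT_APPLICABLE lets AWS Config mark the old result for cleanup."""
    if event.get("eventLeftScope"):
        return False
    return configuration_item.get("configurationItemStatus") not in DELETED_STATUSES


def evaluate_compliance(configuration_item, rule_parameters):
    """Assumed example check: an S3 bucket is COMPLIANT when versioning is enabled
    (the supplementaryConfiguration path is an assumption about the recorded CI)."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    versioning = supplementary.get("BucketVersioningConfiguration") or {}
    return "COMPLIANT" if versioning.get("status") == "Enabled" else "NON_COMPLIANT"


def build_evaluation(configuration_item, compliance_type):
    """One entry for PutEvaluations, ordered by the CI's capture time."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, put_evaluations=None):
    """Lambda entry point. put_evaluations is injectable so the logic can run offline;
    in Lambda it defaults to boto3's config.put_evaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    message_type = invoking_event.get("messageType")

    if message_type == "ConfigurationItemChangeNotification":
        ci = invoking_event["configurationItem"]
        compliance = (evaluate_compliance(ci, rule_parameters)
                      if is_applicable(ci, event) else "NOT_APPLICABLE")
        evaluations = [build_evaluation(ci, compliance)]
    elif message_type == "ScheduledNotification":
        # Periodic trigger: no CI is attached. A real rule would enumerate resources
        # through the AWS Config API here; this example reports nothing.
        evaluations = []
    else:
        # OversizedConfigurationItemChangeNotification needs GetResourceConfigHistory; not shown.
        raise ValueError(f"unsupported messageType: {message_type}")

    if evaluations:
        if put_evaluations is None:
            import boto3  # lazy import keeps the module importable without AWS access
            put_evaluations = boto3.client("config").put_evaluations
        put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


def make_change_event(configuration_item, left_scope=False):
    """Constructed event in the shape AWS Config sends for a configuration change."""
    return {
        "invokingEvent": json.dumps({"configurationItem": configuration_item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "example-result-token",  # placeholder
        "eventLeftScope": left_scope,
    }


# Constructed sample CI for a bucket that has just been deleted.
DELETED_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-bucket",
    "configurationItemStatus": "ResourceDeleted",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": None,
}


if __name__ == "__main__":
    sent = []
    lambda_handler(make_change_event(DELETED_BUCKET_CI), None,
                   put_evaluations=lambda **kw: sent.append(kw))
    print(json.dumps(sent, indent=2))
```

The deleted-resource check runs before any compliance logic, so a deleted bucket never reaches `evaluate_compliance` and its stale result is cleaned up instead of lingering until the rule is deleted.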
If you create an AWS Config custom Lambda rule with Python using the AWS Config Development Kit (RDK) and AWS Config Development Kit Library (RDKlib), the imported Evaluator