AWS Config
Developer Guide

Manually Evaluate your Resources

You can use AWS Config to manually evaluate your resources against your AWS Config rules or to delete evaluation results.

Evaluating your Resources

When you create custom rules or use managed rules, AWS Config evaluates your resources against those rules on the rules' own triggers. You can also run an on-demand evaluation of your resources against a rule. This is useful, for example, when you have created a custom rule and want to verify that AWS Config evaluates your resources correctly, or to determine whether there is a problem in the evaluation logic of your AWS Lambda function.

Example

  1. You create a custom rule that evaluates whether your IAM users have active access keys.

  2. AWS Config evaluates the resources against your custom rule.

  3. An IAM user in your account doesn't have an active access key, but your rule doesn't flag that resource as noncompliant.

  4. You fix the rule and start the evaluation again.

  5. Because the rule is fixed, it now evaluates your resources correctly and flags the IAM user resource as noncompliant.

To manually evaluate your resources (console)

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Rules. The Rules page shows your rules and the compliance status for each.

  4. Choose a rule from the list.

  5. In the Re-evaluate rule section, choose Re-evaluate.

  6. AWS Config starts evaluating the resources against your rule.

Note

You can re-evaluate a rule at most once per minute, and you must wait for AWS Config to finish evaluating the rule before you start another evaluation. You can't start an evaluation while the rule is being updated or deleted.

To manually evaluate your resources (AWS CLI)

  • Use the start-config-rules-evaluation command.

    $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName

    AWS Config starts evaluating the recorded resource configurations against your rule.

    You can also specify multiple rules in your request.

    $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName1 ConfigRuleName2 ConfigRuleName3

To manually evaluate your resources (AWS Config API)

  • Use the StartConfigRulesEvaluation action.

Deleting Evaluation Results

After AWS Config evaluates your rule, you can see the evaluation results on the Rules page or the Rules details page for the rule. If the evaluation results are incorrect or if you want to evaluate again, you can delete the current evaluation results for the rule. For example, if your rule was incorrectly evaluating your resources or you recently deleted resources from your account, you can delete the evaluation results and then run a new evaluation.

To manually delete evaluation results (console)

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Rules. The Rules page shows your rules and the compliance status.

  4. Choose a rule from the list.

  5. In the Delete evaluation results section, choose Delete results.

  6. When prompted, choose Delete. AWS Config deletes the evaluation results for this rule. Deleted evaluation results can't be retrieved.

  7. After the evaluation results are deleted, you can manually start a new evaluation.

To manually delete evaluation results (AWS CLI)

  • Use the delete-evaluation-results command:

    $ aws configservice delete-evaluation-results --config-rule-name ConfigRuleName

    AWS Config deletes the evaluation results for the rule.

To manually delete evaluation results (AWS Config API)

  • Use the DeleteEvaluationResults action.
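The following script is an added example, not code from this guide or from AWS; it strings the two procedures above together through the AWS Config API with boto3: optionally delete a rule's evaluation results, start a new evaluation, wait for it to finish (retrying after a minute when AWS Config reports that an evaluation is still running or the rule is being changed, as described in the note), and then list the resources the rule flagged as NON_COMPLIANT. It additionally uses the DescribeConfigRuleEvaluationStatus and GetComplianceDetailsByConfigRule actions, which this page does not discuss, to detect completion and read results. boto3 and configured credentials are assumed only for a real run; the function and variable names are the example's own.

```python
"""Re-evaluate an AWS Config rule and report what it flags.

Added example, not code from the AWS Config Developer Guide. The client is
passed in (boto3 is imported only in main) so the logic can run offline
against a stub.
"""
import time

ONCE_PER_MINUTE = 60  # StartConfigRulesEvaluation is accepted at most once per minute
# Codes that mean "try again later": an evaluation is still running or the call
# came too soon (LimitExceeded), or the rule is being updated/deleted (ResourceInUse).
RETRYABLE = ("LimitExceededException", "ResourceInUseException")


def error_code(exc):
    """Error code carried by a botocore ClientError ('' for other exceptions)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def start_evaluation(client, rule_names, retries=3, sleep=time.sleep):
    """Call StartConfigRulesEvaluation, sleeping a minute and retrying on the
    retryable codes. Returns the attempt number that succeeded; anything else
    (e.g. NoSuchConfigRuleException) is re-raised at once."""
    last = None
    for attempt in range(1, retries + 1):
        try:
            client.start_config_rules_evaluation(ConfigRuleNames=list(rule_names))
            return attempt
        except Exception as exc:  # botocore.exceptions.ClientError in a real run
            if error_code(exc) not in RETRYABLE:
                raise
            last = exc
            sleep(ONCE_PER_MINUTE)
    raise last


def evaluation_status(client, rule_name):
    """The rule's record from DescribeConfigRuleEvaluationStatus."""
    resp = client.describe_config_rule_evaluation_status(ConfigRuleNames=[rule_name])
    return resp["ConfigRulesEvaluationStatus"][0]


def wait_for_evaluation(client, rule_name, before, timeout=600, poll=15,
                        sleep=time.sleep, now=time.monotonic):
    """Poll until LastSuccessfulEvaluationTime differs from the snapshot taken
    before the start call (comparing snapshots avoids trusting the local clock).
    A new failed invocation/evaluation time (for a custom rule, usually a Lambda
    error) raises with the code and message the API reports."""
    deadline = now() + timeout
    while True:
        status = evaluation_status(client, rule_name)
        for key in ("LastFailedInvocationTime", "LastFailedEvaluationTime"):
            if status.get(key) != before.get(key):
                raise RuntimeError(f"{rule_name}: {status.get('LastErrorCode')}: "
                                   f"{status.get('LastErrorMessage')}")
        if status.get("LastSuccessfulEvaluationTime") != before.get("LastSuccessfulEvaluationTime"):
            return status
        if now() >= deadline:
            raise TimeoutError(f"{rule_name}: no new evaluation within {timeout}s")
        sleep(poll)


def noncompliant_resources(client, rule_name):
    """All NON_COMPLIANT (resource type, resource id) pairs, following NextToken pages."""
    found, token = [], None
    while True:
        kwargs = {"ConfigRuleName": rule_name, "ComplianceTypes": ["NON_COMPLIANT"]}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_compliance_details_by_config_rule(**kwargs)
        for result in resp.get("EvaluationResults", []):
            q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            found.append((q["ResourceType"], q["ResourceId"]))
        token = resp.get("NextToken")
        if not token:
            return found


def reevaluate(client, rule_name, delete_results=False, sleep=time.sleep, now=time.monotonic):
    """Optionally delete the rule's current results (irreversible), start a fresh
    evaluation, wait for it to complete, and return what it flagged."""
    if delete_results:
        client.delete_evaluation_results(ConfigRuleName=rule_name)
    before = evaluation_status(client, rule_name)
    start_evaluation(client, [rule_name], sleep=sleep)
    wait_for_evaluation(client, rule_name, before, sleep=sleep, now=now)
    return noncompliant_resources(client, rule_name)


def main(argv=None):
    import argparse
    import boto3  # real run only; default credential chain and region apply
    parser = argparse.ArgumentParser(description="Re-evaluate an AWS Config rule")
    parser.add_argument("rule_name")
    parser.add_argument("--delete-results", action="store_true",
                        help="delete the current evaluation results first")
    args = parser.parse_args(argv)
    for rtype, rid in reevaluate(boto3.client("config"), args.rule_name, args.delete_results):
        print(f"NON_COMPLIANT {rtype} {rid}")


if __name__ == "__main__":
    main()
```

Run it as `python reevaluate.py ConfigRuleName --delete-results` with the same region selected that the console procedure requires. Completion is detected by a change in LastSuccessfulEvaluationTime rather than by a timestamp comparison, so a skewed local clock cannot make the script miss or misattribute the evaluation it just requested.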