AWS::Config::ConfigRule Source - AWS CloudFormation

AWS::Config::ConfigRule Source

Provides the CustomPolicyDetails, the rule owner ( AWS for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your AWS resources.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "CustomPolicyDetails" : CustomPolicyDetails, "Owner" : String, "SourceDetails" : [ SourceDetail, ... ], "SourceIdentifier" : String }

Properties

CustomPolicyDetails

Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY.

Required: No

Type: CustomPolicyDetails

Update requires: No interruption

Owner

Indicates whether AWS or the customer owns and manages the AWS Config rule.

AWS Config Managed Rules are predefined rules owned by AWS. For more information, see AWS Config Managed Rules in the AWS Config developer guide.

AWS Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or AWS Lambda (CUSTOM_LAMBDA). For more information, see AWS Config Custom Rules in the AWS Config developer guide.

Required: Yes

Type: String

Allowed values: AWS | CUSTOM_LAMBDA | CUSTOM_POLICY

Update requires: No interruption

SourceDetails

Provides the source and the message types that cause AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.

If the owner is set to CUSTOM_POLICY, the only acceptable values for the AWS Config rule trigger message type are ConfigurationItemChangeNotification and OversizedConfigurationItemChangeNotification.

Required: No

Type: List of SourceDetail

Maximum: 25

Update requires: No interruption

SourceIdentifier

For AWS Config Managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see List of AWS Config Managed Rules.

For AWS Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function, such as arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name.

For AWS Config Custom Policy rules, this field will be ignored.

Required: No

Type: String

Minimum: 1

Maximum: 256

Update requires: No interruption