AWS::Config::ConfigRule
Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.
You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.
If you are adding a new custom AWS Config rule, you must first
create the AWS Lambda function that the rule invokes to evaluate
your resources. When you use the PutConfigRule action
to add the rule to AWS Config, you must specify the Amazon Resource
Name (ARN) that AWS Lambda assigns to the function. Specify the ARN
for the SourceIdentifier key. This key is part of the
Source object, which is part of the
ConfigRule object.
If you are adding an AWS managed Config rule, specify the
rule's identifier for the SourceIdentifier key. To
reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.
For any new rule that you add, specify the
ConfigRuleName in the ConfigRule
object. Do not specify the ConfigRuleArn or the
ConfigRuleId. These values are generated by AWS
Config for new rules.
If you are updating a rule that you added previously, you can
specify the rule by ConfigRuleName,
ConfigRuleId, or ConfigRuleArn in the
ConfigRule data type that you use in this
request.
The maximum number of rules that AWS Config supports is 150.
For information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Config::ConfigRule", "Properties" : { "ConfigRuleName" :String, "Description" :String, "InputParameters" :Json, "MaximumExecutionFrequency" :String, "Scope" :Scope, "Source" :Source} }
YAML
Type: AWS::Config::ConfigRule Properties: ConfigRuleName:StringDescription:StringInputParameters:JsonMaximumExecutionFrequency:StringScope:ScopeSource:Source
Properties
ConfigRuleName-
A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
Required: No
Type: String
Minimum:
1Maximum:
128Pattern:
.*\S.*Update requires: Replacement
Description-
The description that you provide for the AWS Config rule.
Required: No
Type: String
Minimum:
0Maximum:
256Update requires: No interruption
InputParameters-
A string, in JSON format, that is passed to the AWS Config rule Lambda function.
Required: No
Type: Json
Minimum:
1Maximum:
1024Update requires: No interruption
MaximumExecutionFrequency-
The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequencywhen:-
You are using an AWS managed rule that is triggered at a periodic frequency.
-
Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
Note By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequencyparameter.Required: No
Type: String
Allowed values:
One_Hour | Six_Hours | Three_Hours | Twelve_Hours | TwentyFour_HoursUpdate requires: No interruption
-
Scope-
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
Note The scope can be empty.
Required: No
Type: Scope
Update requires: No interruption
Source-
Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
Required: Yes
Type: Source
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the rule name, such as mystack-MyConfigRule-12ABCFPXHV4OV.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi. Compliance.Type-
The compliance status of an AWS Config rule, such as
COMPLIANTorNON_COMPLIANT. ConfigRuleId-
The ID of the AWS Config rule, such as
config-rule-a1bzhi.
Examples
Config Rule
The following example uses an AWS managed rule that checks whether EC2 volumes resource types have a CostCenter tag.
JSON
"ConfigRuleForVolumeTags": { "Type": "AWS::Config::ConfigRule", "Properties": { "InputParameters": {"tag1Key": "CostCenter"}, "Scope": { "ComplianceResourceTypes": ["AWS::EC2::Volume"] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" } } }
YAML
ConfigRuleForVolumeTags: Type: AWS::Config::ConfigRule Properties: InputParameters: tag1Key: CostCenter Scope: ComplianceResourceTypes: - "AWS::EC2::Volume" Source: Owner: AWS SourceIdentifier: "REQUIRED_TAGS"
Rule Using Lambda Function
The following example creates a custom configuration rule that uses a Lambda function. The function checks whether an EC2 volume has the AutoEnableIO property set to true. Note that the configuration rule has a dependency on the Lambda policy so that the rule calls the function only after it's permitted to do so.
JSON
"ConfigPermissionToCallLambda": { "Type": "AWS::Lambda::Permission", "Properties": { "FunctionName": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]}, "Action": "lambda:InvokeFunction", "Principal": "config.amazonaws.com" } }, "VolumeAutoEnableIOComplianceCheck": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": {"Fn::Join": ["\n", [ "var aws = require('aws-sdk');", "var config = new aws.ConfigService();", "var ec2 = new aws.EC2();", "exports.handler = function(event, context) {", " compliance = evaluateCompliance(event, function(compliance, event) {", " var configurationItem = JSON.parse(event.invokingEvent).configurationItem;", " var putEvaluationsRequest = {", " Evaluations: [{", " ComplianceResourceType: configurationItem.resourceType,", " ComplianceResourceId: configurationItem.resourceId,", " ComplianceType: compliance,", " OrderingTimestamp: configurationItem.configurationItemCaptureTime", " }],", " ResultToken: event.resultToken", " };", " config.putEvaluations(putEvaluationsRequest, function(err, data) {", " if (err) context.fail(err);", " else context.succeed(data);", " });", " });", "};", "function evaluateCompliance(event, doReturn) {", " var configurationItem = JSON.parse(event.invokingEvent).configurationItem;", " var status = configurationItem.configurationItemStatus;", " if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))", " doReturn('NOT_APPLICABLE', event);", " else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) {", " if (err) context.fail(err);", " else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);", " else doReturn('NON_COMPLIANT', event);", " });", "}" ]]} }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": "30", "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]} } }, "ConfigRuleForVolumeAutoEnableIO": { "Type": "AWS::Config::ConfigRule", "Properties": { "ConfigRuleName": "ConfigRuleForVolumeAutoEnableIO", "Scope": { "ComplianceResourceId": {"Ref": "Ec2Volume"}, "ComplianceResourceTypes": ["AWS::EC2::Volume"] }, "Source": { "Owner": "CUSTOM_LAMBDA", "SourceDetails": [{ "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" }], "SourceIdentifier": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]} } }, "DependsOn": "ConfigPermissionToCallLambda" }
YAML
ConfigPermissionToCallLambda: Type: AWS::Lambda::Permission Properties: FunctionName: Fn::GetAtt: - VolumeAutoEnableIOComplianceCheck - Arn Action: "lambda:InvokeFunction" Principal: "config.amazonaws.com" VolumeAutoEnableIOComplianceCheck: Type: AWS::Lambda::Function Properties: Code: ZipFile: !Sub | var aws = require('aws-sdk'); var config = new aws.ConfigService(); var ec2 = new aws.EC2(); exports.handler = function(event, context) { compliance = evaluateCompliance(event, function(compliance, event) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; var putEvaluationsRequest = { Evaluations: [{ ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: compliance, OrderingTimestamp: configurationItem.configurationItemCaptureTime }], ResultToken: event.resultToken }; config.putEvaluations(putEvaluationsRequest, function(err, data) { if (err) context.fail(err); else context.succeed(data); }); }); }; function evaluateCompliance(event, doReturn) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; var status = configurationItem.configurationItemStatus; if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered')) doReturn('NOT_APPLICABLE', event); else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) { if (err) context.fail(err); else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event); else doReturn('NON_COMPLIANT', event); }); } Handler: "index.handler" Runtime: nodejs12.x Timeout: 30 Role: Fn::GetAtt: - LambdaExecutionRole - Arn ConfigRuleForVolumeAutoEnableIO: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: ConfigRuleForVolumeAutoEnableIO Scope: ComplianceResourceId: Ref: Ec2Volume ComplianceResourceTypes: - "AWS::EC2::Volume" Source: Owner: "CUSTOM_LAMBDA" SourceDetails: - EventSource: "aws.config" MessageType: "ConfigurationItemChangeNotification" SourceIdentifier: Fn::GetAtt: - VolumeAutoEnableIOComplianceCheck - Arn DependsOn: ConfigPermissionToCallLambda
