AWS::Config::ConfigRule
The AWS::Config::ConfigRule resource uses an AWS Lambda (Lambda) function that
evaluates configuration items to assess whether your AWS resources comply with your
specified
configurations. This function can run when AWS Config detects a configuration change
or delivers a
configuration snapshot. The resources this function evaluates must be in the recording
group.
For more information, see Evaluating AWS Resource
Configurations with AWS Config in the AWS Config Developer Guide.
Topics
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Config::ConfigRule", "Properties" : { "ConfigRuleName" :String, "Description" :String, "InputParameters" : {ParameterName:Value}, "MaximumExecutionFrequency" :String, "Scope" :Scope, "Source" :Source} }
YAML
Type: AWS::Config::ConfigRule Properties:ConfigRuleName:StringDescription:StringInputParameters:ParameterName:ValueMaximumExecutionFrequency:StringScope:ScopeSource:Source
Properties
ConfigRuleName-
A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
Required: No
Type: String
Update requires: Replacement
Description-
A description about this AWS Config rule.
Required: No
Type: String
Update requires: No interruption
InputParameters-
Input parameter values that are passed to the AWS Config rule (Lambda function).
Required: No
Type: JSON object
Update requires: No interruption
MaximumExecutionFrequency-
The maximum frequency at which the AWS Config rule runs evaluations. For valid values, see the ConfigRule data type in the AWS Config API Reference.
If the rule runs an evaluation when AWS Config delivers a configuration snapshot, the rule cannot run more frequently than the snapshot delivery frequency. Set an execution frequency value that is equal to or greater than the value of the snapshot delivery frequency, which is a property the AWS::Config::DeliveryChannel resource.
Required: No
Type: String
Update requires: No interruption
Scope-
Defines which AWS resources will trigger an evaluation when their configurations change. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain the resources that are evaluated. If you don't specify a scope, the rule evaluates all resources in the recording group.
Required: No
Type: AWS Config ConfigRule Scope
Update requires: No interruption
Source-
Specifies the rule owner, the rule identifier, and the events that cause the function to evaluate your AWS resources.
Required: Yes
Type: AWS Config ConfigRule Source
Update requires: No interruption
Return Values
Ref
When you pass the logical ID of an AWS::Config::ConfigRule resource to the
intrinsic Ref function, the function returns the rule name, such as
mystack-MyConfigRule-12ABCFPXHV4OV.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type.
The following are the available attributes and sample return values.
Arn-
The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi. ConfigRuleId-
The ID of the AWS Config rule, such as
config-rule-a1bzhi. Compliance.Type-
The compliance status of an AWS Config rule, such as
COMPLIANTorNON_COMPLIANT.
For more information about using Fn::GetAtt, see Fn::GetAtt.
Examples
The following example uses an AWS managed rule that checks whether EC2 volumes resource
types have a CostCenter tag.
JSON
"ConfigRuleForVolumeTags": { "Type": "AWS::Config::ConfigRule", "Properties": { "InputParameters": {"tag1Key": "CostCenter"}, "Scope": { "ComplianceResourceTypes": ["AWS::EC2::Volume"] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" } } }
YAML
ConfigRuleForVolumeTags: Type: AWS::Config::ConfigRule Properties: InputParameters: tag1Key: CostCenter Scope: ComplianceResourceTypes: - "AWS::EC2::Volume" Source: Owner: AWS SourceIdentifier: "REQUIRED_TAGS"
Rule Using Lambda Function
The following example creates a custom configuration rule that uses a Lambda function.
The
function checks whether an EC2 volume has the AutoEnableIO property set to true.
Note that the configuration rule has a dependency on the Lambda policy so that the
rule calls
the function only after it's permitted to do so.
JSON
"ConfigPermissionToCallLambda": { "Type": "AWS::Lambda::Permission", "Properties": { "FunctionName": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]}, "Action": "lambda:InvokeFunction", "Principal": "config.amazonaws.com" } }, "VolumeAutoEnableIOComplianceCheck": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": {"Fn::Join": ["\n", [ "var aws = require('aws-sdk');", "var config = new aws.ConfigService();", "var ec2 = new aws.EC2();", "exports.handler = function(event, context) {", " compliance = evaluateCompliance(event, function(compliance, event) {", " var configurationItem = JSON.parse(event.invokingEvent).configurationItem;", " var putEvaluationsRequest = {", " Evaluations: [{", " ComplianceResourceType: configurationItem.resourceType,", " ComplianceResourceId: configurationItem.resourceId,", " ComplianceType: compliance,", " OrderingTimestamp: configurationItem.configurationItemCaptureTime", " }],", " ResultToken: event.resultToken", " };", " config.putEvaluations(putEvaluationsRequest, function(err, data) {", " if (err) context.fail(err);", " else context.succeed(data);", " });", " });", "};", "function evaluateCompliance(event, doReturn) {", " var configurationItem = JSON.parse(event.invokingEvent).configurationItem;", " var status = configurationItem.configurationItemStatus;", " if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))", " doReturn('NOT_APPLICABLE', event);", " else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) {", " if (err) context.fail(err);", " else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);", " else doReturn('NON_COMPLIANT', event);", " });", "}" ]]} }, "Handler": "index.handler", "Runtime": "nodejs4.3", "Timeout": "30", "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]} } }, "ConfigRuleForVolumeAutoEnableIO": { "Type": "AWS::Config::ConfigRule", "Properties": { "ConfigRuleName": "ConfigRuleForVolumeAutoEnableIO", "Scope": { "ComplianceResourceId": {"Ref": "Ec2Volume"}, "ComplianceResourceTypes": ["AWS::EC2::Volume"] }, "Source": { "Owner": "CUSTOM_LAMBDA", "SourceDetails": [{ "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" }], "SourceIdentifier": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]} } }, "DependsOn": "ConfigPermissionToCallLambda" }
YAML
ConfigPermissionToCallLambda: Type: AWS::Lambda::Permission Properties: FunctionName: Fn::GetAtt: - VolumeAutoEnableIOComplianceCheck - Arn Action: "lambda:InvokeFunction" Principal: "config.amazonaws.com" VolumeAutoEnableIOComplianceCheck: Type: AWS::Lambda::Function Properties: Code: ZipFile: !Sub | var aws = require('aws-sdk'); var config = new aws.ConfigService(); var ec2 = new aws.EC2(); exports.handler = function(event, context) { compliance = evaluateCompliance(event, function(compliance, event) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; var putEvaluationsRequest = { Evaluations: [{ ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: compliance, OrderingTimestamp: configurationItem.configurationItemCaptureTime }], ResultToken: event.resultToken }; config.putEvaluations(putEvaluationsRequest, function(err, data) { if (err) context.fail(err); else context.succeed(data); }); }); }; function evaluateCompliance(event, doReturn) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; var status = configurationItem.configurationItemStatus; if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered')) doReturn('NOT_APPLICABLE', event); else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) { if (err) context.fail(err); else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event); else doReturn('NON_COMPLIANT', event); }); } Handler: "index.handler" Runtime: nodejs4.3 Timeout: 30 Role: Fn::GetAtt: - LambdaExecutionRole - Arn ConfigRuleForVolumeAutoEnableIO: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: ConfigRuleForVolumeAutoEnableIO Scope: ComplianceResourceId: Ref: Ec2Volume ComplianceResourceTypes: - "AWS::EC2::Volume" Source: Owner: "CUSTOM_LAMBDA" SourceDetails: - EventSource: "aws.config" MessageType: "ConfigurationItemChangeNotification" SourceIdentifier: Fn::GetAtt: - VolumeAutoEnableIOComplianceCheck - Arn DependsOn: ConfigPermissionToCallLambda
