Namespace Amazon.CDK.AWS.Config
AWS Config Construct Library
---
AWS CDK v1 has reached End-of-Support on 2023-06-01.
This package is no longer being updated, and users should migrate to AWS CDK v2.
For more information on how to migrate, see the Migrating to AWS CDK v2 guide.
Features | Stability |
---|---|
CFN Resources | Stable |
Higher level constructs for Config Rules | Stable |
Higher level constructs for initial set-up (delivery channel & configuration recorder) | Not Implemented |
CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.
Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
This module is part of the AWS Cloud Development Kit project.
Initial Setup
Before using the constructs provided in this module, you need to set up AWS Config in the region in which it will be used. This setup includes the one-time creation of the following resources per region:
The following guides provide the steps for getting started with AWS Config:
Rules
AWS Config can evaluate the configuration settings of your AWS resources by creating AWS Config rules, which represent your ideal configuration settings.
See Evaluating Resources with AWS Config Rules to learn more about AWS Config rules.
AWS Managed Rules
AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.
For example, you could create a managed rule that checks whether active access keys are rotated within the number of days specified.
// https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
// 'this' is the enclosing Stack (or other Construct) used as scope
new ManagedRule(this, "AccessKeysRotated", new ManagedRuleProps {
    Identifier = ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
    InputParameters = new Dictionary<string, object> {
        { "maxAccessKeyAge", 60 }
    },
    // default is 24 hours
    MaximumExecutionFrequency = MaximumExecutionFrequency.TWELVE_HOURS
});
Identifiers for AWS managed rules are available through static constants in the ManagedRuleIdentifiers class.
You can find supported input parameters in the List of AWS Config Managed Rules.
The following higher level constructs for AWS managed rules are available.
Access Key rotation
Checks whether your active access keys are rotated within the number of days specified.
// compliant if access keys have been rotated within the last 90 days
new AccessKeysRotated(this, "AccessKeyRotated");
CloudFormation Stack drift detection
Checks whether your CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration.
// compliant if the stack's drift status is 'IN_SYNC'
// non-compliant if the stack's drift status is 'DRIFTED'
new CloudFormationStackDriftDetectionCheck(this, "Drift", new CloudFormationStackDriftDetectionCheckProps {
    OwnStackOnly = true
});
CloudFormation Stack notifications
Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.
// topics to which CloudFormation stacks may send event notifications
var topic1 = new Topic(this, "AllowedTopic1");
var topic2 = new Topic(this, "AllowedTopic2");
// non-compliant if a CloudFormation stack does not send notifications to 'topic1' or 'topic2'
new CloudFormationStackNotificationCheck(this, "NotificationCheck", new CloudFormationStackNotificationCheckProps {
    Topics = new [] { topic1, topic2 }
});
Custom rules
You can develop custom rules and add them to AWS Config. You associate each custom rule with an AWS Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule.
Triggers
AWS Lambda executes functions in response to events that are published by AWS Services. The function for a custom Config rule receives an event that is published by AWS Config, and is responsible for evaluating the compliance of the rule.
Evaluations can be triggered by configuration changes, periodically, or both.
To create a custom rule, define a CustomRule and specify the Lambda Function to run and the trigger types.
// 'evalComplianceFn' is assumed to be defined elsewhere in the stack
Function evalComplianceFn;
new CustomRule(this, "CustomRule", new CustomRuleProps {
    LambdaFunction = evalComplianceFn,
    ConfigurationChanges = true,
    Periodic = true,
    // default is 24 hours
    MaximumExecutionFrequency = MaximumExecutionFrequency.SIX_HOURS
});
When the trigger for a rule occurs, the Lambda function is invoked by publishing an event. See the example events for AWS Config Rules.
The AWS documentation has examples of Lambda functions for evaluations that are triggered by configuration changes and triggered periodically.
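A compliance evaluator for the custom rule described above, written in C# as an added example (not code from this module or from the AWS documentation). It assumes the Amazon.Lambda.ConfigEvents, Amazon.Lambda.Serialization.SystemTextJson and AWSSDK.ConfigService packages, a hypothetical policy that every in-scope resource must carry a "Cost Center" tag, and an execution role allowed to call config:PutEvaluations. It also handles the two cases the text leaves implicit: a periodic invocation without a configurationItem, and a resource that has left the rule's scope.

```csharp
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon.ConfigService;
using Amazon.ConfigService.Model;
using Amazon.Lambda.ConfigEvents;
using Amazon.Lambda.Core;

[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]
namespace ConfigEvaluator
{
    public class Function
    {
        // Hypothetical policy for this example: every in-scope resource must carry a "Cost Center" tag.
        private const string RequiredTag = "Cost Center";
        private readonly IAmazonConfigService _config = new AmazonConfigServiceClient();
        public async Task FunctionHandler(ConfigEvent evnt, ILambdaContext context)
        {
            // invokingEvent is a JSON string; only change-triggered invocations carry a configurationItem,
            // periodic (ScheduledNotification) ones do not, so this rule has nothing to evaluate then.
            using var invoking = JsonDocument.Parse(evnt.InvokingEvent);
            if (!invoking.RootElement.TryGetProperty("configurationItem", out var item)) return;
            var evaluation = new Evaluation
            {
                ComplianceResourceType = item.GetProperty("resourceType").GetString(),
                ComplianceResourceId = item.GetProperty("resourceId").GetString(),
                OrderingTimestamp = item.GetProperty("configurationItemCaptureTime").GetDateTime()
            };
            if (evnt.EventLeftScope)
            {
                // Resource was deleted or fell out of the rule's scope: clear any stale finding.
                evaluation.ComplianceType = ComplianceType.NOT_APPLICABLE;
            }
            else
            {
                bool tagged = item.TryGetProperty("tags", out var tags) && tags.ValueKind == JsonValueKind.Object
                    && tags.TryGetProperty(RequiredTag, out var value) && !string.IsNullOrWhiteSpace(value.GetString());
                evaluation.ComplianceType = tagged ? ComplianceType.COMPLIANT : ComplianceType.NON_COMPLIANT;
                evaluation.Annotation = tagged ? null : $"Missing required tag '{RequiredTag}'";
            }
            // Report the verdict back to AWS Config, echoing the result token of this invocation.
            await _config.PutEvaluationsAsync(new PutEvaluationsRequest
            {
                ResultToken = evnt.ResultToken,
                Evaluations = new List<Evaluation> { evaluation }
            });
        }
    }
}
```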
Scope
By default rules are triggered by changes to all resources.
Use the RuleScope APIs (fromResource(), fromResources() or fromTag()) to restrict the scope of both managed and custom rules:
// 'evalComplianceFn' is assumed to be defined elsewhere in the stack
Function evalComplianceFn;
var sshRule = new ManagedRule(this, "SSH", new ManagedRuleProps {
    Identifier = ManagedRuleIdentifiers.EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED,
    RuleScope = RuleScope.FromResource(ResourceType.EC2_SECURITY_GROUP, "sg-1234567890abcdefgh")
});
var customRule = new CustomRule(this, "Lambda", new CustomRuleProps {
    LambdaFunction = evalComplianceFn,
    ConfigurationChanges = true,
    RuleScope = RuleScope.FromResources(new [] { ResourceType.CLOUDFORMATION_STACK, ResourceType.S3_BUCKET })
});
var tagRule = new CustomRule(this, "CostCenterTagRule", new CustomRuleProps {
    LambdaFunction = evalComplianceFn,
    ConfigurationChanges = true,
    RuleScope = RuleScope.FromTag("Cost Center", "MyApp")
});
Events
You can define Amazon EventBridge event rules which trigger when a compliance check fails or when a rule is re-evaluated.
Use the onComplianceChange() APIs to trigger an EventBridge event when a compliance check of your AWS Config Rule fails:
// Topic to which compliance notification events will be published
var complianceTopic = new Topic(this, "ComplianceTopic");
var rule = new CloudFormationStackDriftDetectionCheck(this, "Drift");
rule.OnComplianceChange("TopicEvent", new OnEventOptions {
    Target = new SnsTopic(complianceTopic)
});
Use the onReEvaluationStatus() method to trigger an EventBridge event when an AWS Config rule is re-evaluated.
// Topic to which re-evaluation notification events will be published
var reEvaluationTopic = new Topic(this, "ReEvaluationTopic");
var rule = new CloudFormationStackDriftDetectionCheck(this, "Drift");
rule.OnReEvaluationStatus("ReEvaluationEvent", new OnEventOptions {
    Target = new SnsTopic(reEvaluationTopic)
});
Example
The following example creates a custom rule that evaluates whether EC2 instances are compliant. Compliance events are published to an SNS topic.
// Lambda function containing logic that evaluates compliance with the rule.
// (The inline body below only logs the event; a real evaluator reports its
// verdict back to AWS Config by calling PutEvaluations with the event's resultToken.)
var evalComplianceFn = new Function(this, "CustomFunction", new FunctionProps {
    Code = AssetCode.FromInline("exports.handler = (event) => console.log(event);"),
    Handler = "index.handler",
    Runtime = Runtime.NODEJS_14_X
});
// A custom rule that runs on configuration changes of EC2 instances
var customRule = new CustomRule(this, "Custom", new CustomRuleProps {
    ConfigurationChanges = true,
    LambdaFunction = evalComplianceFn,
    RuleScope = RuleScope.FromResource(ResourceType.EC2_INSTANCE)
});
// A rule to detect stack drifts
var driftRule = new CloudFormationStackDriftDetectionCheck(this, "Drift");
// Topic to which compliance notification events will be published
var complianceTopic = new Topic(this, "ComplianceTopic");
// Send notification on compliance change events
driftRule.OnComplianceChange("ComplianceChange", new OnEventOptions {
    Target = new SnsTopic(complianceTopic)
});
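A complete stack tying the Scope, Events and Example sections together, as an added example that is not part of this module's README. It assumes AWS Config is already set up in the region (see Initial Setup), a hypothetical "Environment=prod" tag on production resources, and a published .NET evaluator under ./evaluator whose handler is named as shown; the NON_COMPLIANT event filter is an addition, since onComplianceChange by itself fires on every compliance transition, including the return to COMPLIANT.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.Config;
using Amazon.CDK.AWS.Events;
using Amazon.CDK.AWS.Events.Targets;
using Amazon.CDK.AWS.Lambda;
using Amazon.CDK.AWS.SNS;

namespace ConfigGuardrails
{
    public class ConfigGuardrailsStack : Stack
    {
        public ConfigGuardrailsStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
        {
            // Managed rule: security groups must not allow unrestricted inbound SSH; scoped by an assumed tag.
            var sshRule = new ManagedRule(this, "SshFromAnywhere", new ManagedRuleProps {
                Identifier = ManagedRuleIdentifiers.EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED,
                RuleScope = RuleScope.FromTag("Environment", "prod")
            });
            // Custom rule backed by an assumed, separately published .NET evaluator in ./evaluator.
            var evaluator = new Function(this, "Evaluator", new FunctionProps {
                Runtime = Runtime.DOTNET_CORE_3_1,
                Handler = "ConfigEvaluator::ConfigEvaluator.Function::FunctionHandler",
                Code = Code.FromAsset("evaluator")
            });
            var tagRule = new CustomRule(this, "RequiredTags", new CustomRuleProps {
                LambdaFunction = evaluator,
                ConfigurationChanges = true,
                Periodic = true,
                MaximumExecutionFrequency = MaximumExecutionFrequency.TWELVE_HOURS,
                RuleScope = RuleScope.FromResources(new [] { ResourceType.EC2_INSTANCE, ResourceType.S3_BUCKET })
            });
            // onComplianceChange fires on every compliance transition; the extra event pattern is merged
            // into the generated EventBridge rule so only NON_COMPLIANT results reach the alert topic.
            var alerts = new Topic(this, "ComplianceAlerts");
            var onlyFailures = new OnEventOptions {
                Target = new SnsTopic(alerts),
                EventPattern = new EventPattern {
                    Detail = new Dictionary<string, object> {
                        { "newEvaluationResult", new Dictionary<string, object> {
                            { "complianceType", new [] { "NON_COMPLIANT" } } } }
                    }
                }
            };
            sshRule.OnComplianceChange("SshNonCompliant", onlyFailures);
            tagRule.OnComplianceChange("TagNonCompliant", onlyFailures);
        }
    }
}
```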
Classes
AccessKeysRotated | Checks whether the active access keys are rotated within the number of days specified in |
AccessKeysRotatedProps | Construction properties for a AccessKeysRotated. |
CfnAggregationAuthorization | A CloudFormation |
CfnAggregationAuthorizationProps | Properties for defining a |
CfnConfigRule | A CloudFormation |
CfnConfigRule.CustomPolicyDetailsProperty | Provides the runtime system, policy definition, and whether debug logging enabled. |
CfnConfigRule.ScopeProperty | Defines which resources trigger an evaluation for an AWS Config rule. |
CfnConfigRule.SourceDetailProperty | Provides the source and the message types that trigger AWS Config to evaluate your AWS resources against a rule. |
CfnConfigRule.SourceProperty | Provides the CustomPolicyDetails, the rule owner ( |
CfnConfigRuleProps | Properties for defining a |
CfnConfigurationAggregator | A CloudFormation |
CfnConfigurationAggregator.AccountAggregationSourceProperty | A collection of accounts and regions. |
CfnConfigurationAggregator.OrganizationAggregationSourceProperty | This object contains regions to set up the aggregator and an IAM role to retrieve organization details. |
CfnConfigurationAggregatorProps | Properties for defining a |
CfnConfigurationRecorder | A CloudFormation |
CfnConfigurationRecorder.RecordingGroupProperty | Specifies which resource types AWS Config records for configuration changes. |
CfnConfigurationRecorderProps | Properties for defining a |
CfnConformancePack | A CloudFormation |
CfnConformancePack.ConformancePackInputParameterProperty | Input parameters in the form of key-value pairs for the conformance pack, both of which you define. |
CfnConformancePack.TemplateSSMDocumentDetailsProperty | This API allows you to create a conformance pack template with an AWS Systems Manager document (SSM document). |
CfnConformancePackProps | Properties for defining a |
CfnDeliveryChannel | A CloudFormation |
CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty | Provides options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel. |
CfnDeliveryChannelProps | Properties for defining a |
CfnOrganizationConfigRule | A CloudFormation |
CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty | |
CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty | Organization custom rule metadata such as resource type, resource ID of AWS resource, Lambda function ARN, and organization trigger types that trigger AWS Config to evaluate your AWS resources against a rule. |
CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty | Organization managed rule metadata such as resource type and ID of AWS resource along with the rule identifier. |
CfnOrganizationConfigRuleProps | Properties for defining a |
CfnOrganizationConformancePack | A CloudFormation |
CfnOrganizationConformancePack.ConformancePackInputParameterProperty | Input parameters in the form of key-value pairs for the conformance pack, both of which you define. |
CfnOrganizationConformancePackProps | Properties for defining a |
CfnRemediationConfiguration | A CloudFormation |
CfnRemediationConfiguration.ExecutionControlsProperty | An ExecutionControls object. |
CfnRemediationConfiguration.RemediationParameterValueProperty | The value is either a dynamic (resource) value or a static value. |
CfnRemediationConfiguration.ResourceValueProperty | The dynamic value of the resource. |
CfnRemediationConfiguration.SsmControlsProperty | AWS Systems Manager (SSM) specific remediation controls. |
CfnRemediationConfiguration.StaticValueProperty | The static value of the resource. |
CfnRemediationConfigurationProps | Properties for defining a |
CfnStoredQuery | A CloudFormation |
CfnStoredQueryProps | Properties for defining a |
CloudFormationStackDriftDetectionCheck | Checks whether your CloudFormation stacks' actual configuration differs, or has drifted, from its expected configuration. |
CloudFormationStackDriftDetectionCheckProps | Construction properties for a CloudFormationStackDriftDetectionCheck. |
CloudFormationStackNotificationCheck | Checks whether your CloudFormation stacks are sending event notifications to a SNS topic. |
CloudFormationStackNotificationCheckProps | Construction properties for a CloudFormationStackNotificationCheck. |
CustomRule | A new custom rule. |
CustomRuleProps | Construction properties for a CustomRule. |
ManagedRule | A new managed rule. |
ManagedRuleIdentifiers | Managed rules that are supported by AWS Config. |
ManagedRuleProps | Construction properties for a ManagedRule. |
MaximumExecutionFrequency | The maximum frequency at which the AWS Config rule runs evaluations. |
ResourceType | Resources types that are supported by AWS Config. |
RuleProps | Construction properties for a new rule. |
RuleScope | Determines which resources trigger an evaluation of an AWS Config rule. |
Interfaces
CfnConfigRule.ICustomPolicyDetailsProperty | Provides the runtime system, policy definition, and whether debug logging enabled. |
CfnConfigRule.IScopeProperty | Defines which resources trigger an evaluation for an AWS Config rule. |
CfnConfigRule.ISourceDetailProperty | Provides the source and the message types that trigger AWS Config to evaluate your AWS resources against a rule. |
CfnConfigRule.ISourceProperty | Provides the CustomPolicyDetails, the rule owner ( |
CfnConfigurationAggregator.IAccountAggregationSourceProperty | A collection of accounts and regions. |
CfnConfigurationAggregator.IOrganizationAggregationSourceProperty | This object contains regions to set up the aggregator and an IAM role to retrieve organization details. |
CfnConfigurationRecorder.IRecordingGroupProperty | Specifies which resource types AWS Config records for configuration changes. |
CfnConformancePack.IConformancePackInputParameterProperty | Input parameters in the form of key-value pairs for the conformance pack, both of which you define. |
CfnConformancePack.ITemplateSSMDocumentDetailsProperty | This API allows you to create a conformance pack template with an AWS Systems Manager document (SSM document). |
CfnDeliveryChannel.IConfigSnapshotDeliveryPropertiesProperty | Provides options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel. |
CfnOrganizationConfigRule.IOrganizationCustomPolicyRuleMetadataProperty | |
CfnOrganizationConfigRule.IOrganizationCustomRuleMetadataProperty | Organization custom rule metadata such as resource type, resource ID of AWS resource, Lambda function ARN, and organization trigger types that trigger AWS Config to evaluate your AWS resources against a rule. |
CfnOrganizationConfigRule.IOrganizationManagedRuleMetadataProperty | Organization managed rule metadata such as resource type and ID of AWS resource along with the rule identifier. |
CfnOrganizationConformancePack.IConformancePackInputParameterProperty | Input parameters in the form of key-value pairs for the conformance pack, both of which you define. |
CfnRemediationConfiguration.IExecutionControlsProperty | An ExecutionControls object. |
CfnRemediationConfiguration.IRemediationParameterValueProperty | The value is either a dynamic (resource) value or a static value. |
CfnRemediationConfiguration.IResourceValueProperty | The dynamic value of the resource. |
CfnRemediationConfiguration.ISsmControlsProperty | AWS Systems Manager (SSM) specific remediation controls. |
CfnRemediationConfiguration.IStaticValueProperty | The static value of the resource. |
IAccessKeysRotatedProps | Construction properties for a AccessKeysRotated. |
ICfnAggregationAuthorizationProps | Properties for defining a |
ICfnConfigRuleProps | Properties for defining a |
ICfnConfigurationAggregatorProps | Properties for defining a |
ICfnConfigurationRecorderProps | Properties for defining a |
ICfnConformancePackProps | Properties for defining a |
ICfnDeliveryChannelProps | Properties for defining a |
ICfnOrganizationConfigRuleProps | Properties for defining a |
ICfnOrganizationConformancePackProps | Properties for defining a |
ICfnRemediationConfigurationProps | Properties for defining a |
ICfnStoredQueryProps | Properties for defining a |
ICloudFormationStackDriftDetectionCheckProps | Construction properties for a CloudFormationStackDriftDetectionCheck. |
ICloudFormationStackNotificationCheckProps | Construction properties for a CloudFormationStackNotificationCheck. |
ICustomRuleProps | Construction properties for a CustomRule. |
IManagedRuleProps | Construction properties for a ManagedRule. |
IRule | Interface representing an AWS Config rule. |
IRuleProps | Construction properties for a new rule. |