Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . configservice ]

put-config-rule

Description

Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.

You can use this action for custom Config rules and AWS managed Config rules. A custom Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.

If you are adding a new custom Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the put-config-rule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the config-rule object.

If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules .

For any new rule that you add, specify the ConfigRuleName in the config-rule object. Do not specify the ConfigRuleArn or the ConfigRuleId . These values are generated by AWS Config for new rules.

If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName , ConfigRuleId , or ConfigRuleArn in the config-rule data type that you use in this request.

The maximum number of rules that AWS Config supports is 50.

For more information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide .

For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide .

See also: AWS API Documentation

Synopsis

  put-config-rule
--config-rule <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--config-rule (structure)

The rule that you want to add to your account.

JSON Syntax:

{
  "ConfigRuleName": "string",
  "ConfigRuleArn": "string",
  "ConfigRuleId": "string",
  "Description": "string",
  "Scope": {
    "ComplianceResourceTypes": ["string", ...],
    "TagKey": "string",
    "TagValue": "string",
    "ComplianceResourceId": "string"
  },
  "Source": {
    "Owner": "CUSTOM_LAMBDA"|"AWS",
    "SourceIdentifier": "string",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"|"ConfigurationSnapshotDeliveryCompleted"|"ScheduledNotification"|"OversizedConfigurationItemChangeNotification",
        "MaximumExecutionFrequency": "One_Hour"|"Three_Hours"|"Six_Hours"|"Twelve_Hours"|"TwentyFour_Hours"
      }
      ...
    ]
  },
  "InputParameters": "string",
  "MaximumExecutionFrequency": "One_Hour"|"Three_Hours"|"Six_Hours"|"Twelve_Hours"|"TwentyFour_Hours",
  "ConfigRuleState": "ACTIVE"|"DELETING"|"DELETING_RESULTS"|"EVALUATING"
}

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Examples

To add an AWS managed Config rule

The following command provides JSON code to add an AWS managed Config rule:

aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json

RequiredTagsForEC2Instances.json is a JSON file that contains the rule configuration:

{
  "ConfigRuleName": "RequiredTagsForEC2Instances",
  "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}"
}

For the ComplianceResourceTypes attribute, this JSON code limits the scope to resources of the AWS::EC2::Instance type, so AWS Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the Owner attribute is set to AWS, and the SourceIdentifier attribute is set to the rule identifier, REQUIRED_TAGS. For the InputParameters attribute, the tag keys that the rule requires, CostCenter and Owner, are specified.

If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.

To add a customer managed Config rule

The following command provides JSON code to add a customer managed Config rule:

aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json

InstanceTypesAreT2micro.json is a JSON file that contains the rule configuration:

{
  "ConfigRuleName": "InstanceTypesAreT2micro",
  "Description": "Evaluates whether EC2 instances are the t2.micro type.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      }
    ]
  },
  "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}

For the ComplianceResourceTypes attribute, this JSON code limits the scope to resources of the AWS::EC2::Instance type, so AWS Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the Owner attribute is set to CUSTOM_LAMBDA, and the SourceIdentifier attribute is set to the ARN of the AWS Lambda function. The SourceDetails object is required. The parameters that are specified for the InputParameters attribute are passed to the AWS Lambda function when AWS Config invokes it to evaluate resources against the rule.

If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.

Output

None