Conformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names. You can deploy the template by using the AWS Config console or the AWS CLI.
To quickly get started and to evaluate your AWS environment, use one of the sample conformance pack templates. You can also create a conformance pack YAML file from scratch based on Custom Conformance Pack.
Topics
- Prerequisites
- Region Support
- AWS Config Process Checks Within a Conformance Pack
- Conformance Pack Sample Templates
- Custom Conformance Packs
- Viewing Compliance Data in the Conformance Packs Dashboard
- Viewing the Compliance History Timeline for Conformance Packs
- Deploying a Conformance Pack Using the AWS Config Console
- Deploying a Conformance Pack Using the AWS Command Line Interface
- Managing Conformance Packs (API)
- Managing Conformance Packs Across all Accounts in Your Organization
- Troubleshooting
Region Support
Conformance packs are supported in the following Regions.
| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-East) | us-gov-east-1 | config.us-gov-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-West) | us-gov-west-1 | config.us-gov-west-1.amazonaws.com | HTTPS |
Deploying conformance packs across member accounts in an AWS Organization is supported in the following Regions.
| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
| Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-East) | us-gov-east-1 | config.us-gov-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-West) | us-gov-west-1 | config.us-gov-west-1.amazonaws.com | HTTPS |
Troubleshooting
Failed status for a conformance pack
If you get an error indicating that the conformance pack failed while creating, updating, or deleting it, you can check the status of your conformance pack.
aws configservice describe-conformance-pack-status --conformance-pack-name MyConformancePack1
You should see output similar to the following.
"ConformancePackStatusDetails": [ { "ConformancePackName": "ConformancePackName", "ConformancePackId": "ConformancePackId", "ConformancePackArn": "ConformancePackArn", "ConformancePackState": "CREATE_FAILED", "StackArn": "CloudFormation stackArn", "ConformancePackStatusReason": "Failure Reason", "LastUpdateRequestedTime": 1573865201.619, "LastUpdateCompletedTime": 1573864244.653 } ]
Check the ConformancePackStatusReason for information about the failure.
When the stackArn is present in the response
If the error message is not clear or if the failure is due to an internal error, go to the AWS CloudFormation console and do the following:
-
Search for the stackArn from the output.
-
Choose the Events tab of the CloudFormation stack and check for failed events.
The status reason indicates why the conformance pack failed.
When the stackArn is not present in the response
If you receive a failure while you create a conformance pack but the stackArn is not present in the status response, the possible reason is that the stack creation failed and CloudFormation rolled back and deleted the stack. Go to the CloudFormation console and search for stacks that are in a Deleted state. The failed stack might be available there. The CloudFormation stack contains the conformance pack name. If you find the failed stack, choose the Events tab of the CloudFormation stack and check for failed events.
If none of these steps worked and if the failure reason is an internal service error, then
try operation again or contact the AWS Support Center
Dangling rules in a conformance pack
Deploying a conformance pack involves the creation of an underlying AWS CloudFormation stack in the background to deploy the rules in the conformance pack template. These rules are service-linked rules and cannot be updated or deleted outside the conformance pack.
If you make changes to the underlying CloudFormation stack, this results in a situation where the conformance pack and its rules become unmanageable. These unmanageable rules are dangling rules.
Drift between the CloudFormation stack and the conformance pack
You can update the rule names in a conformance pack template directly from the CloudFormation console. If you update the template directly from the CloudFormation console, this does not update the deployed conformance pack.
This drift creates a dangling rule. If you try to delete the rule from the conformance pack, you receive an error similiar to the following:
"An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule. (Service: AmazonConfig; Status Code: 400; Error Code: AccessDeniedException; Request ID:my-request-ID; Proxy: null)".
If you try to delete the conformance pack, the dangling rule cannot be deleted and you receive an error similiar to the following:
"User: arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForConfigConforms/AwsConfigConformsWorkflow is not authorized to perform: config:DeleteConfigRule on resource:my-dangling-rule
To fix this issue, do the following steps:
Delete the stack. For more information, see Deleting a stack on the AWS CloudFormation console in the CloudFormation User Guide.
Delete the conformance pack using the AWS Config console or using the DeleteConformancePack API. If it is an organizational conformance pack and you are using the management or delegated administrator account, use the DeleteOrganizationConformancePack API.
Reach out to the AWS Support Center
with the Amazon Resource Name (ARN) of the dangling rules in the conformance pack to help clean up your account.
To avoid this issue, remember these best practices:
Never make any direct updates to the CloudFormation stack of a conformance pack.
Never try and make changes which create drift between the conformance pack and its underlying CloudFormation stack.
The service-linked role (SLR) for conformance packs cannot be modified. Make sure the resources you are updating are part of the permissions policy for the SLR.
Deleted CloudFormation stack for a conformance pack
Unless there is drift between the CloudFormation stack and the conformance pack, it is never recommended to delete rules in a conformance pack or its CloudFormation stack directly from the CloudFormation console.
To fix this issue, reach out to the AWS Support Center
To avoid this issue, remember these best practices:
Never delete the underlying CloudFormation stack for a conformance pack.
Delete conformance packs using the DeleteConformancePack API. If it is an organizational conformance pack and you are using the management or delegated administrator account, use the DeleteOrganizationConformancePack API.
