Conformance Packs
A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.
Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can deploy the template by using the AWS Config console or the AWS CLI. To quickly get started and to evaluate your AWS environment, use one of the sample conformance pack templates.
Conformance packs are only available in the redesigned AWS Config console.
Topics
- Prerequisites
- Region Support
- AWS Config Process Checks Within a Conformance Pack
- Conformance Pack Sample Templates
- Viewing Compliance Data in the Conformance Packs Dashboard
- Deploying a Conformance Pack Using the AWS Config Console
- Deploying a Conformance Pack Using the AWS Command Line Interface
- Managing Conformance Packs (API)
- Managing Conformance Packs Across all Accounts in Your Organization
- Viewing the Compliance History Timeline for Conformance Packs
- Troubleshooting
Region Support
Conformance packs are supported in the following Regions.
| Region name | Region | Endpoint | Protocol |
|---|---|---|---|
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
Deploying conformance packs across member accounts in an AWS Organization is supported in the following Regions.
| Region name | Region | Endpoint | Protocol |
|---|---|---|---|
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
Troubleshooting
If you get an error indicating that the conformance pack failed while creating, updating, or deleting it, you can check the status of your conformance pack.
aws configservice describe-conformance-pack-status --conformance-pack-name MyConformancePack1
You should see output similar to the following.
"ConformancePackStatusDetails": [ { "ConformancePackName": "ConformancePackName", "ConformancePackId": "ConformancePackId", "ConformancePackArn": "ConformancePackArn", "ConformancePackState": "CREATE_FAILED", "StackArn": "CloudFormation stackArn", "ConformancePackStatusReason": "Failure Reason", "LastUpdateRequestedTime": 1573865201.619, "LastUpdateCompletedTime": 1573864244.653 } ]
Check the ConformancePackStatusReason for information about the failure.
When the stackArn is present in the response
If the error message is not clear or if the failure is due to an internal error, go to the AWS CloudFormation console and do the following:
Search for the stackArn from the output.
Choose the Events tab of the AWS CloudFormation stack and check for failed events.
The status reason indicates why the conformance pack failed.
When the stackArn is not present in the response
If you receive a failure while you create a conformance pack but the stackArn is not present in the status response, the possible reason is that the stack creation failed and AWS CloudFormation rolled back and deleted the stack. Go to the AWS CloudFormation console and search for stacks that are in a Deleted state. The failed stack might be available there. The AWS CloudFormation stack contains the conformance pack name. If you find the failed stack, choose the Events tab of the AWS CloudFormation stack and check for failed events.
If none of these steps worked and if the failure reason is an internal service error, then try operation again or contact AWS Config support.
