Creating AWS Config Custom Policy Rules
You can create AWS Config Custom Policy rules from the AWS Management Console, AWS CLI, or AWS Config API. For more information on how to write rules with Guard, see Writing Guard rules in the AWS CloudFormation Guard User Guide.
Creating AWS Config Custom Policy Rules (Console)
- Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
- In the AWS Management Console menu, verify that the Region selector is set to an AWS Region that supports AWS Config rules. For the list of supported Regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.
- In the left navigation, choose Rules.
- On the Rules page, choose Add rule.
- On the Specify rule type page, choose Create custom rule using Guard.
- On the Configure rule page, create your rule by completing the following steps:
  - For Rule name, type a unique name for the rule.
  - For Description, type a description for the rule.
  - For Guard runtime version, choose the runtime system for your AWS Config Custom Policy rule.
  - For Rule Content, you can populate it with the Guard Custom policy for your rule. For more information about the structure and features for Guard Custom policies, see the AWS CloudFormation Guard 2.0's Modes of Operation in the Guard GitHub Repository. The following example shows the policy definition for an AWS Config Custom Policy rule version of the AWS Config Managed rule dynamodb-pitr-enabled:

        # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
        let status = ['ACTIVE']

        rule tableisactive when
            resourceType == "AWS::DynamoDB::Table" {
            configuration.tableStatus == %status
        }

        rule checkcompliance when
            resourceType == "AWS::DynamoDB::Table"
            tableisactive {
                let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
                %pitr == "ENABLED"
        }

  - For Evaluation mode, choose when in the resource creation and management process you want AWS Config to evaluate your resources. Depending on the rule, AWS Config can evaluate your resource configurations before a resource has been provisioned, after a resource has been provisioned, or both.
    - Choose Turn on proactive evaluation to run evaluations on the configuration settings of your resources before they are deployed.
      After you have turned on proactive evaluation, you can use the StartResourceEvaluation API and GetResourceEvaluationSummary API to check whether the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.
      For more information on using these commands, see Evaluating Your Resources with AWS Config Rules. For a list of managed rules that support proactive evaluation, see List of AWS Config Managed Rules by Evaluation Mode.
    - Choose Turn on detective evaluation to evaluate the configuration settings of your existing resources.
      For detective evaluation, AWS Config Custom Policy rules are initiated by configuration changes. This option is pre-selected. You can scope the trigger to one of the following:
      - Resources – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.
      - Tags – When a resource with the specified tag is created, changed, or deleted.
      - All changes – When a resource recorded by AWS Config is created, changed, or deleted.
      AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to constrain which resources initiate evaluations. Otherwise, evaluations are initiated when there is a change to any post-provisioned resource.
  - For Parameters, you can customize the values for the provided keys if your rule includes parameters. A parameter is an attribute that your resources must adhere to before they are considered compliant with the rule.
- On the Review and create page, review all your selections before adding the rule to your AWS account.
- When you finish reviewing your rules, choose Add rule.
Creating AWS Config Custom Policy Rules (AWS CLI)
Use the put-config-rule command. The Owner field should be CUSTOM_POLICY. The following additional fields are required for AWS Config Custom Policy rules:
- Runtime: The runtime system for your AWS Config Custom Policy rules.
- PolicyText: The policy definition containing the logic for your AWS Config Custom Policy rules.
- EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is false.
Creating AWS Config Custom Policy Rules (API)
Use the PutConfigRule action. The Owner field should be CUSTOM_POLICY. The following additional fields are required for AWS Config Custom Policy rules:
- Runtime: The runtime system for your AWS Config Custom Policy rules.
- PolicyText: The policy that defines the logic for your AWS Config Custom Policy rules.
- EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is false.
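The put-config-rule and PutConfigRule sections above list the required fields but not the document they belong in. The following is an added example, not from the AWS documentation, that builds that document in Python for the page's dynamodb-pitr-enabled policy and checks the stated requirements (Owner CUSTOM_POLICY, a runtime, policy text, Boolean debug flag defaulting to false) before it is written to a file for aws configservice put-config-rule --config-rule file://rule.json. It assumes the AWS Config API names for these fields (Source.CustomPolicyDetails with PolicyRuntime, PolicyText and EnableDebugLogDelivery, which the page refers to as Runtime, PolicyText and EnableDebugLogDelivery), the guard-2.x.x runtime value, EvaluationModes DETECTIVE/PROACTIVE for the console's Evaluation mode choice, and a constructed rule name.

```python
import json

# Guard policy text as shown on the page for dynamodb-pitr-enabled.
PITR_POLICY = """\
# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']
rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}
rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
        let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
        %pitr == "ENABLED"
}
"""

def build_custom_policy_rule(name, policy_text, runtime="guard-2.x.x",
                             resource_types=("AWS::DynamoDB::Table",), debug_logs=False, proactive=False):
    """Return the ConfigRule document for put-config-rule / PutConfigRule with Owner CUSTOM_POLICY."""
    modes = [{"Mode": "DETECTIVE"}] + ([{"Mode": "PROACTIVE"}] if proactive else [])
    return {
        "ConfigRuleName": name,  # constructed name; choose your own
        "Scope": {"ComplianceResourceTypes": list(resource_types)},  # which changes trigger detective evaluation
        "Source": {
            "Owner": "CUSTOM_POLICY",
            "SourceDetails": [{"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"}],
            # API names (assumed) for the page's Runtime / PolicyText / EnableDebugLogDelivery fields
            "CustomPolicyDetails": {"PolicyRuntime": runtime,
                                    "PolicyText": policy_text,
                                    "EnableDebugLogDelivery": debug_logs},
        },
        "EvaluationModes": modes,
    }

def missing_fields(rule):
    """Return the page's stated requirements that `rule` violates (empty list means it is ready to submit)."""
    src = rule.get("Source", {})
    cpd = src.get("CustomPolicyDetails", {})
    problems = [] if src.get("Owner") == "CUSTOM_POLICY" else ["Source.Owner must be CUSTOM_POLICY"]
    problems += [f"CustomPolicyDetails.{k} is required"
                 for k in ("PolicyRuntime", "PolicyText") if not cpd.get(k)]
    if not isinstance(cpd.get("EnableDebugLogDelivery", False), bool):
        problems.append("EnableDebugLogDelivery must be true or false")
    return problems

def to_cli_json(rule):
    """Serialize for: aws configservice put-config-rule --config-rule file://rule.json"""
    return json.dumps(rule, indent=2)
```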