Custom Lambda Rules (Amazon EC2 Example) - AWS Config

Custom Lambda Rules (Amazon EC2 Example)

This procedure guides you through the process of creating a Custom Lambda rule that evaluates whether each of your EC2 instances is the t2.micro type. AWS Config will run event-based evaluations for this rule, meaning it will check your instance configurations each time AWS Config detects a configuration change in an instance. AWS Config will flag t2.micro instances as compliant and all other instances as noncompliant. The compliance status will appear in the AWS Config console.

To have the best outcome with this procedure, you should have one or more EC2 instances in your AWS account. Your instances should include a combination of at least one t2.micro instance and other types.

To create this rule, first, you will create an AWS Lambda function by customizing a blueprint in the AWS Lambda console. Then, you will create a Custom Lambda rule in AWS Config, and you will associate the rule with the function.

Creating an AWS Lambda Function for a Custom Config Rule

  1. Sign in to the AWS Management Console and open the AWS Lambda console at

  2. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the AWS Lambda console, choose Create a Lambda function.

  4. Choose Use a blueprint. In the search bar, type config-rule-change-triggered. Select the blueprint in the filter results and choose Configure.

  5. On the Configure triggers page, choose Next.

  6. On the Basic information page, complete the following steps:

    1. For Function name, type InstanceTypeCheck.

    2. For Execution role, choose Create new role from AWS Policy templates.

    3. For Runtime, keep Node.js.

    4. For Role name, type name.

    5. For Policy templates, choose AWS Config Rules permission.

    6. For Lambda function code function, keep the preconfigured code. The Node.js code for your function is provided in the code editor. For this procedure, you do not need to change the code.

    7. Verify the details and choose Create function. The AWS Lambda console displays your function.

  7. To verify that your function is set up correctly, test it with the following steps:

    1. Choose Test from the menu below Function overview and then choose Configure test event.

    2. For Template, choose AWS Config Configuration Item Change Notification.

    3. For Name, type a name.

    4. Choose Test. AWS Lambda tests your function with the example event. If your function is working as expected, an error message similar to the following appears under Execution result:

      { "errorType": "InvalidResultTokenException," "errorMessage": "Result Token provided is invalid", . . .

      The InvalidResultTokenException is expected because your function runs successfully only when it receives a result token from AWS Config. The result token identifies the AWS Config rule and the event that caused the evaluation, and the result token associates an evaluation with a rule. This exception indicates that your function has the permission it needs to send results to AWS Config. Otherwise, the following error message appears: not authorized to perform: config:PutEvaluations. If this error occurs, update the role that you assigned to your function to allow the config:PutEvaluations action, and test your function again.

Creating a Custom Lambda Rule to Evaluate Amazon EC2 Instances

  1. Open the AWS Config console at

  2. In the AWS Management Console menu, verify that the region selector is set to the same region in which you created the AWS Lambda function for your Custom Lambda rule.

  3. On the Rules page, choose Add rule.

  4. On the Specify rule type page, choose Create custom rule.

  5. On the Configure rule page, complete the following steps:

    1. For Name, type InstanceTypesAreT2micro.

    2. For Description, type Evaluates whether EC2 instances are the t2.micro type.

    3. For AWS Lambda function ARN, specify the ARN that AWS Lambda assigned to your function.


      The ARN that you specify in this step must not include the $LATEST qualifier. You can specify an ARN without a version qualifier or with any qualifier besides $LATEST. AWS Lambda supports function versioning, and each version is assigned an ARN with a qualifier. AWS Lambda uses the $LATEST qualifier for the latest version.

    4. For Trigger type, choose When configuration changes.

    5. For Scope of changes, choose Resources.

    6. For Resources, choose AWS EC2 Instance from the Resource Type dropdown list.

    7. In the Parameters section, you must specify the rule parameter that your AWS Lambda function evaluates and the desired value. The function for this procedure evaluates the desiredInstanceType parameter.

      For Key, type desiredInstanceType. For Value, type t2.micro.

  6. Choose Next. On the Review and create page, verify the details about your rule, and choose Add rule function. Your new rule displays on the Rules page.

    Compliance will display Evaluating... until AWS Config receives evaluation results from your AWS Lambda function. If the rule and the function are working as expected, a summary of the results appears after several minutes. For example, a result of 2 noncompliant resource(s) indicates that 2 of your instances are not t2.micro instances, and a result of Compliant indicates that all instances are t2.micro. You can update the results with the refresh button.

    If the rule or function is not working as expected, you might see one of the following for Compliance:

    • No results reported - AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted. To get evaluation results, update the rule, change its scope, or choose Re-evaluate.

      Verify that the scope includes AWS EC2 Instance for Resources, and try again.

    • No resources in scope - AWS Config cannot evaluate your recorded AWS resources against this rule because none of your resources are within the rule’s scope. To get evaluation results, edit the rule and change its scope, or add resources for AWS Config to record by using the Settings page.

      Verify that AWS Config is recording EC2 instances.

    • Evaluations failed - For information that can help you determine the problem, choose the rule name to open its details page and see the error message.

If your rule works correctly and AWS Config provides evaluation results, you can learn which conditions affect the compliance status of your rule. You can learn which resources, if any, are noncompliant, and why. For more information, see Viewing Compliance Information and Evaluation Results for your AWS Resources.