Managing your AWS Config Rules - AWS Config

Managing your AWS Config Rules

You can use the AWS Config console, AWS CLI, and AWS Config API to view, add, and delete your rules.

Add, View, Update and Delete Rules (Console)

On the Rules page, you can view the rules for the region in your account. You can also see the evaluation status for each rule.

To view your rules

  1. Sign in to the AWS Management Console and open the AWS Config console at

  2. In the AWS Management Console, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. Choose Rules. The Rules page shows all the rules that are currently in your AWS account. It lists the name, associated remediation action, and compliance status of each rule.

    • Choose Add rule to get started with creating a rule.

    • Choose a rule to see its settings, or choose a rule and View details.

    • See the compliance status of the rule when it evaluates your resources.

    • Choose a rule and Edit rule to change the configuration settings of the rule and set a remediation action for a noncompliant rule.

To update a rule

  1. Choose a rule and Edit rule for the rule that you want to update.

  2. Modify the settings on the Edit rule page to change your rule as needed.

  3. Choose Save.

To delete a rule

  1. Choose a rule from the table that you want to delete.

  2. From the Actions dropdown list, choose Delete rule.

  3. When prompted, type "Delete" (case-sensitive) and then choose Delete.

To add a rule

If you choose Add rule, you can see the available AWS managed rules on the Add rule page. You can also create your own custom rule.

  1. If you want to create your own rule, choose Add custom rule and follow the procedure in Custom Lambda Rules (General Example).

  2. To add a managed rule, choose a rule on the page and follow the procedure in Working with AWS Config Managed Rules.

On the Add rule page, you can do the following:

  • Choose Add custom rule to create your own rule.

  • Type in the search field to filter results by rule name, description, or label. For example, type EC2 to return rules that evaluate EC2 resource types or type periodic to return rules with periodic triggers. Type "new" to search for newly added rules. For more information about trigger types, see Specifying Triggers for AWS Config Rules.

  • Reorder the results alphabetically by choosing the arrow by the Name label.

  • Choose the arrow icon to see the next page of rules.

  • See recently added rules that are marked as New.

  • See labels to identify the resource type that the rule evaluates and if the rule has a periodic trigger.

View, Update, and Delete Rules (AWS CLI)

To view your rules

  • Use the describe-config-rules command:

    $ aws configservice describe-config-rules

    AWS Config returns the details for all of your rules.

To update a rule

  1. Use the put-config-rule command with the --generate-cli-skeleton parameter to create a local JSON file that has the parameters for your rule:

    $ aws configservice put-config-rule --generate-cli-skeleton > putConfigRule.json
  2. Open the JSON file in a text editor and remove any parameters that don't need updating, with the following exceptions:

    • Include at least one of the following parameters to identify the rule:

      ConfigRuleName, ConfigRuleArn, or ConfigRuleId.

    • If you are updating a custom rule, you must include the Source object and its parameters.

  3. Fill in the values for the parameters that remain. To reference the details of your rule, use the describe-config-rules command.

    For example, the following JSON code updates the resource types that are in the scope of a custom rule:

    {
      "ConfigRule": {
        "ConfigRuleName": "ConfigRuleName",
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::EC2::Instance",
            "AWS::EC2::Volume",
            "AWS::EC2::VPC"
          ]
        },
        "Source": {
          "Owner": "CUSTOM_LAMBDA",
          "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
          "SourceDetails": [
            {
              "EventSource": "aws.config",
              "MessageType": "ConfigurationItemChangeNotification"
            }
          ]
        }
      }
    }

  4. Use the put-config-rule command with the --cli-input-json parameter to pass your JSON configuration to AWS Config:

    $ aws configservice put-config-rule --cli-input-json file://putConfigRule.json
  5. To verify that you successfully updated your rule, use the describe-config-rules command to view the rule's configuration:

    $ aws configservice describe-config-rules --config-rule-names ConfigRuleName
    {
      "ConfigRules": [
        {
          "ConfigRuleState": "ACTIVE",
          "ConfigRuleName": "ConfigRuleName",
          "ConfigRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-nnnnnn",
          "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
            "SourceDetails": [
              {
                "EventSource": "aws.config",
                "MessageType": "ConfigurationItemChangeNotification"
              }
            ]
          },
          "Scope": {
            "ComplianceResourceTypes": [
              "AWS::EC2::Instance",
              "AWS::EC2::Volume",
              "AWS::EC2::VPC"
            ]
          },
          "ConfigRuleId": "config-rule-nnnnnn"
        }
      ]
    }
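
    Before step 4 sends the edited skeleton to AWS Config, the file is worth checking offline. The script below is an added example, not code from the AWS documentation or from AWS itself. It prunes the empty parameters left in the skeleton (step 2), applies the two requirements stated above (at least one identifier; the Source object when the rule is custom) and diffs the edit against the current rule as describe-config-rules returned it (step 3), so that a narrowed ComplianceResourceTypes list or a repointed Lambda function is reported before the update lands rather than discovered when the rule quietly stops evaluating resources it used to cover. The current-rule JSON is copied from the output above; the proposed update, including the function name OtherFunction, is constructed for this example, and the set of accepted MessageType values comes from the AWS Config API reference rather than from this page.

```python
"""Pre-flight checks for an edited put-config-rule payload (added example, not AWS code)."""
import json
from typing import Any

# Constructed: the current rule, as describe-config-rules returns it on this page.
CURRENT_RULE_JSON = """{"ConfigRules": [{
  "ConfigRuleState": "ACTIVE", "ConfigRuleName": "ConfigRuleName",
  "ConfigRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-nnnnnn",
  "ConfigRuleId": "config-rule-nnnnnn",
  "Source": {"Owner": "CUSTOM_LAMBDA",
             "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
             "SourceDetails": [{"EventSource": "aws.config",
                                "MessageType": "ConfigurationItemChangeNotification"}]},
  "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance", "AWS::EC2::Volume", "AWS::EC2::VPC"]}
}]}"""

# Constructed: an edited --generate-cli-skeleton file. Unfilled fields were left
# empty, two resource types were dropped from the scope and the rule was pointed
# at a different Lambda function (OtherFunction is a hypothetical name).
PROPOSED_UPDATE_JSON = """{"ConfigRule": {
  "ConfigRuleName": "ConfigRuleName", "ConfigRuleArn": "", "ConfigRuleId": "",
  "Description": "", "InputParameters": "", "MaximumExecutionFrequency": "",
  "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"],
            "TagKey": "", "TagValue": "", "ComplianceResourceId": ""},
  "Source": {"Owner": "CUSTOM_LAMBDA",
             "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:OtherFunction",
             "SourceDetails": [{"EventSource": "aws.config",
                                "MessageType": "ConfigurationItemChangeNotification",
                                "MaximumExecutionFrequency": ""}]}
}}"""

IDENTIFIERS = ("ConfigRuleName", "ConfigRuleArn", "ConfigRuleId")
# MessageType values the AWS Config API accepts in SourceDetails (API reference, not this page).
MESSAGE_TYPES = {"ConfigurationItemChangeNotification", "OversizedConfigurationItemChangeNotification",
                 "ScheduledNotification", "ConfigurationSnapshotDeliveryCompleted"}


def prune(value: Any) -> Any:
    """Step 2: drop the empty strings, lists and objects the skeleton ships with,
    so only the parameters you actually set are sent."""
    if isinstance(value, dict):
        cleaned = {k: prune(v) for k, v in value.items()}
        return {k: v for k, v in cleaned.items() if v not in ("", [], {}, None)}
    if isinstance(value, list):
        return [v for v in map(prune, value) if v not in ("", [], {}, None)]
    return value


def validate_update(proposed: dict, current: dict) -> list[str]:
    """Errors that would make put-config-rule fail or update the wrong rule."""
    rule = proposed.get("ConfigRule", {})
    errors = []
    if not any(rule.get(k) for k in IDENTIFIERS):
        errors.append("no rule identifier; set one of " + ", ".join(IDENTIFIERS))
    for key in IDENTIFIERS:  # every identifier given must name the rule being edited
        if rule.get(key) and rule[key] != current.get(key):
            errors.append(f"{key} {rule[key]!r} does not match the rule being updated")
    if current.get("Source", {}).get("Owner") == "CUSTOM_LAMBDA":
        source = rule.get("Source")
        if not source:
            errors.append("custom rule update must include the Source object")
        else:
            for field in ("Owner", "SourceIdentifier"):
                if not source.get(field):
                    errors.append(f"Source.{field} is required for a custom rule")
            for detail in source.get("SourceDetails", []):
                if detail.get("EventSource") != "aws.config":
                    errors.append(f"unexpected EventSource {detail.get('EventSource')!r}")
                if detail.get("MessageType") not in MESSAGE_TYPES:
                    errors.append(f"unknown MessageType {detail.get('MessageType')!r}")
    return errors


def review_changes(proposed: dict, current: dict) -> list[str]:
    """Warnings for edits that weaken the rule as a detective control."""
    rule = proposed.get("ConfigRule", {})
    warnings = []
    if "Scope" in rule:  # only diffed when the update sets a Scope
        before = set(current.get("Scope", {}).get("ComplianceResourceTypes", []))
        after = set(rule["Scope"].get("ComplianceResourceTypes", []))
        if before - after:
            warnings.append("scope drops resource types: " + ", ".join(sorted(before - after)))
    old_fn = current.get("Source", {}).get("SourceIdentifier")
    new_fn = rule.get("Source", {}).get("SourceIdentifier")
    if old_fn and new_fn and old_fn != new_fn:
        warnings.append(f"SourceIdentifier changes from {old_fn} to {new_fn}")
    return warnings


CURRENT_RULE = json.loads(CURRENT_RULE_JSON)["ConfigRules"][0]
PROPOSED_UPDATE = prune(json.loads(PROPOSED_UPDATE_JSON))

if __name__ == "__main__":
    for msg in validate_update(PROPOSED_UPDATE, CURRENT_RULE):
        print("ERROR:", msg)
    for msg in review_changes(PROPOSED_UPDATE, CURRENT_RULE):
        print("WARNING:", msg)
    print(json.dumps(PROPOSED_UPDATE, indent=2))  # what to write to putConfigRule.json once clean
```

    With the constructed input the validation passes but both warnings fire: the scope loses AWS::EC2::Volume and AWS::EC2::VPC, and the rule would start invoking a different function. Run it against the real files, and only write the pruned payload to putConfigRule.json for the --cli-input-json step once the output is what the change request actually asked for.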

To delete a rule

  • Use the delete-config-rule command as shown in the following example:

    $ aws configservice delete-config-rule --config-rule-name ConfigRuleName

View, Update, and Delete Rules (API)

To view your rules

Use the DescribeConfigRules action.

To update or add a rule

Use the PutConfigRule action.

To delete a rule

Use the DeleteConfigRule action.


If a rule is creating invalid evaluation results, you might want to delete these results before you fix the rule and run a new evaluation. For more information, see Deleting Evaluation Results.