AWS Config
Developer Guide

List of AWS Config Managed Rules

AWS Config currently supports the following managed rules in the compute; management and governance; network and content delivery; security, identity, and compliance; and storage categories. This page also lists the rules that AWS Config does not currently support in the China (Beijing) and China (Ningxia) regions.



Cryptography and PKI


Machine Learning

Management and Governance

Migration and Transfer

Network and Content Delivery

Security, Identity & Compliance


*This rule uses automated reasoning tools (ART) to evaluate IAM permissions and resource policies for correctness.

Rules not Supported in China (Beijing) Region

AWS Config does not currently support the following rules in the Beijing region:

  • acm-certificate-expiration-check

  • cmk-backing-key-rotation-enabled

  • cloud-trail-encryption-enabled

  • cloud-trail-log-file-validation-enabled

  • cloudformation-stack-drift-detection-check

  • codebuild-project-envvar-awscred-check

  • codebuild-project-source-repo-url-check

  • codepipeline-deployment-count-check

  • codepipeline-region-fanout-check

  • elb-acm-certificate-required

  • encrypted-volumes

  • fms-webacl-resource-policy-check

  • fms-webacl-rulegroup-association-check

  • guardduty-enabled-centralized

  • lambda-function-public-access-prohibited

  • rds-storage-encrypted

  • root-account-hardware-mfa-enabled

  • root-account-mfa-enabled

  • s3-bucket-blacklisted-actions-prohibited

  • s3-bucket-policy-grantee-check

  • s3-bucket-policy-not-more-permissive

  • s3-bucket-public-read-prohibited

  • s3-bucket-public-write-prohibited

  • s3-bucket-server-side-encryption-enabled

  • s3-bucket-ssl-requests-only

Rules not Supported in China (Ningxia) Region

All rules that are not available in the Beijing region are also not available in the Ningxia region. In addition to the rules listed above, AWS Config does not currently support the following rules in the Ningxia region:

  • lambda-function-settings-check

  • cloudformation-stack-notification-check

  • dynamodb-table-encryption-enabled