Using AWS Config Rules with the Console - AWS Config

Using AWS Config Rules with the Console

The Rules page provides initial AWS managed rules that you can add to your account. After setup, AWS Config evaluates your AWS resources against the rules that you choose. You can update the rules and create additional managed rules after setup.

To see the complete list of AWS managed rules, see List of AWS Config Managed Rules.

For example, you can choose the cloudtrail-enabled rule, which evaluates whether your account has a CloudTrail trail. If your account doesn't have a trail, AWS Config flags the resource type and the rule as noncompliant.

On the Rules page, you can do the following:

  • Type in the search field to filter results by rule name, description, or label. For example, type EC2 to return rules that evaluate EC2 resource types or type periodic to return rules that have a periodic trigger. Type "new" to search for newly added rules. For more information about trigger types, see Specifying Triggers for AWS Config Rules.

  • Choose a rule to view its specific details. You can also reorder the results alphabetically by choosing the arrow by the Rule name label.

  • Choose the arrow icon to see the next page of rules.

  • See recently added rules that are marked as New.

  • See labels to identify the resource type that a rule evaluates and if the rule has a periodic trigger.

To set up AWS Config rules

  1. On the Rules page, choose the rules that you want. You can customize these rules and add other rules to your account after setup.

  2. Choose Next.

  3. On the Review page, verify your setup details, and then choose Confirm.

    The Rules page shows your rules and their current compliance results in the table. The result for each rule is Evaluating... until AWS Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When AWS Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see Viewing Configuration Compliance.

Note

AWS Config evaluates only the resource types that it is recording. For example, if you add the cloudtrail-enabled rule but don't record the CloudTrail trail resource type, AWS Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see Selecting Which Resources AWS Config Records.
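The recorder caveat above is easy to miss in the console, because a rule whose resource type is not recorded simply never leaves the Evaluating... state. The following script is an added example, not code from the AWS documentation or the AWS Config service: it resolves a recorder's recordingGroup into the concrete set of recorded types and reports every rule whose scoped resource types are not recorded. Field names follow the shapes returned by `aws configservice describe-configuration-recorders` and `describe-config-rules`; the rule definitions, the recorder, the list of supported resource types and the list of global resource types are constructed subsets for the example (the managed rule source identifiers are real, the scoped types attached to each rule are assumptions for illustration).

```python
"""Added example: check whether the AWS Config rules you add can actually be
evaluated, given which resource types the configuration recorder records."""

# Constructed subset of recordable resource types (the real list is much longer).
SAMPLE_SUPPORTED = [
    "AWS::EC2::Instance",
    "AWS::EC2::SecurityGroup",
    "AWS::CloudTrail::Trail",
    "AWS::IAM::User",
    "AWS::IAM::Role",
]

# Constructed subset of global resource types; with allSupported these are only
# recorded in a region when includeGlobalResourceTypes is set on the recorder.
GLOBAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::Group"}


def managed_rule(name, source_identifier, resource_types, frequency=None):
    """Build the dict you would pass to put-config-rule for an AWS managed rule."""
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
        "Scope": {"ComplianceResourceTypes": list(resource_types)},
    }
    if frequency:
        rule["MaximumExecutionFrequency"] = frequency  # marks a periodic trigger
    return rule


def recorded_types(recording_group, supported=SAMPLE_SUPPORTED):
    """Resolve a recordingGroup into the concrete set of recorded resource types."""
    supported = set(supported)
    if recording_group.get("allSupported"):
        if not recording_group.get("includeGlobalResourceTypes"):
            supported -= GLOBAL_TYPES
        return supported
    excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes")
    if excluded is not None:  # exclusion strategy: everything except the listed types
        return supported - set(excluded)
    return set(recording_group.get("resourceTypes", []))  # explicit inclusion list


def uncovered_rules(rules, recording_group, supported=SAMPLE_SUPPORTED):
    """Map rule name -> resource types the rule targets but the recorder ignores.

    A rule with an empty scope is not tied to a recorded resource type, so it
    never shows up in the report."""
    recorded = recorded_types(recording_group, supported)
    report = {}
    for rule in rules:
        scope = rule.get("Scope", {}).get("ComplianceResourceTypes", [])
        missing = sorted(t for t in scope if t not in recorded)
        if missing:
            report[rule["ConfigRuleName"]] = missing
    return report


# Constructed rules in put-config-rule shape. The source identifiers are the
# managed rules' identifiers; the scoped types are assumed for the example.
SAMPLE_RULES = [
    managed_rule("cloudtrail-enabled", "CLOUD_TRAIL_ENABLED",
                 ["AWS::CloudTrail::Trail"], frequency="TwentyFour_Hours"),
    managed_rule("restricted-ssh", "INCOMING_SSH_DISABLED", ["AWS::EC2::SecurityGroup"]),
    managed_rule("iam-user-mfa-enabled", "IAM_USER_MFA_ENABLED",
                 ["AWS::IAM::User"], frequency="TwentyFour_Hours"),
]

# Constructed recorder that records only two resource types.
SAMPLE_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::IAM::User"],
    },
}

if __name__ == "__main__":
    report = uncovered_rules(SAMPLE_RULES, SAMPLE_RECORDER["recordingGroup"])
    for name, missing in report.items():
        print(f"{name}: will not evaluate; recorder does not record {', '.join(missing)}")
```

With the constructed recorder, cloudtrail-enabled and restricted-ssh are reported because AWS::CloudTrail::Trail and AWS::EC2::SecurityGroup are not recorded, while iam-user-mfa-enabled is fine. In a real account, feed the script the recordingGroup from `describe-configuration-recorders` and the rule list from `describe-config-rules`, and run it once per region: a recorder with allSupported but without includeGlobalResourceTypes leaves IAM-scoped rules unevaluated in that region, which the report also surfaces.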

You can view, edit, and delete your existing rules. You can also create additional AWS managed rules or create your own. For more information, see Managing your AWS Config Rules.

Sending Rule Evaluations to Security Hub

After adding an AWS Config rule, you can also send rule evaluations to AWS Security Hub. The integration between AWS Config and Security Hub allows you to triage and remediate rule evaluations alongside other misconfigurations and security issues.

Send Rule Evaluations to Security Hub

To send rule evaluations to Security Hub, you must first set up AWS Security Hub and AWS Config, and then add at least one AWS Config managed or custom rule. After this, AWS Config immediately starts sending rule evaluations to Security Hub. Security Hub enriches the rule evaluations and transforms them into Security Hub findings.

For more information about this integration, see Available AWS Service Integrations in the AWS Security Hub User Guide.