AWS::Config::OrganizationConfigRule - AWS CloudFormation


An organization config rule describes a config rule that AWS Config creates in each member account of your organization. Only the organization's management account (formerly called the master account) or a delegated administrator can create or update an organization config rule.

The OrganizationConfigRule resource enables organization service access for AWS Config through the EnableAWSServiceAccess action and creates a service-linked role in the management (master) account of your organization. The service-linked role is created only when it does not already exist in that account; AWS Config checks for it with the GetRole action.

When you create a custom organization config rule backed by a centralized Lambda function, you must grant AWS Config in each member (sub-)account permission to invoke that function, and you must create an IAM role to pass to the Lambda function so that it can report evaluations into those accounts. For more information, see How to Centrally Manage AWS Config Rules across Multiple AWS Accounts.
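The handler half of that setup, as an added example that is not code from this AWS page or from the linked post: a central Python Lambda function that evaluates one configuration item (here an assumed required-tag check), assumes the member account's AWS Config role passed in the event's executionRoleArn, and reports the result with PutEvaluations into that member account rather than into the management account. The tag key, the session name and the sample event are constructed for illustration; the member role's trust policy must already allow the function's execution role to assume it, which this code does not create. boto3 is imported inside the handler so the evaluation logic runs offline.

```python
"""Centralized Lambda handler for an organization custom AWS Config rule.

Added example, not code from the AWS documentation page. The rule logic
(required-tag check), the tag key and the sample event are assumptions.
"""
import json

REQUIRED_TAG = "Owner"  # assumed default rule parameter, not from the page


def evaluate_configuration_item(item, required_tag=REQUIRED_TAG):
    """Return an AWS Config compliance type for one configuration item.

    Deleted resources are NOT_APPLICABLE so the rule does not keep flagging
    them in every member account after they are gone.
    """
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    tags = item.get("tags") or {}
    if tags.get(required_tag):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(event, required_tag=REQUIRED_TAG):
    """Parse the AWS Config invocation event and build one Evaluation entry.

    A configuration-change trigger carries the item inside the JSON-encoded
    invokingEvent; a ScheduledNotification carries no item, so the rule would
    have to enumerate resources itself (not shown here).
    """
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event.get("configurationItem")
    if item is None:
        raise ValueError("no configurationItem in invokingEvent (scheduled trigger?)")
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance = evaluate_configuration_item(item, params.get("requiredTag", required_tag))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point: evaluate, then report into the *member* account.

    AWS Config in the member account invokes this function and passes that
    account's AWS Config role in executionRoleArn. Assuming it lets the
    central function call PutEvaluations in the right account; using the
    function's own credentials would report into the management account.
    """
    import boto3  # imported here so the module loads without the SDK installed

    evaluation = build_evaluation(event)
    creds = boto3.client("sts").assume_role(
        RoleArn=event["executionRoleArn"],
        RoleSessionName="OrgConfigRuleEvaluation",  # assumed session name
    )["Credentials"]
    member_config = boto3.client(
        "config",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    member_config.put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation["ComplianceType"]


# Constructed sample event, shaped like a ConfigurationItemChangeNotification.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Environment": "prod"},  # no Owner tag -> NON_COMPLIANT
        },
    }),
    "ruleParameters": json.dumps({"requiredTag": "Owner"}),
    "resultToken": "constructed-token",
    "executionRoleArn": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "accountId": "111122223333",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Keeping the evaluation logic separate from the AWS calls is what makes the rule testable without credentials; the only account-specific step is the AssumeRole on executionRoleArn, which is also the step that fails first when a member account's trust policy has not been updated for the central function.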


To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Config::OrganizationConfigRule",
  "Properties" : {
      "ExcludedAccounts" : [ String, ... ],
      "OrganizationConfigRuleName" : String,
      "OrganizationCustomCodeRuleMetadata" : OrganizationCustomCodeRuleMetadata,
      "OrganizationCustomRuleMetadata" : OrganizationCustomRuleMetadata,
      "OrganizationManagedRuleMetadata" : OrganizationManagedRuleMetadata
    }
}

YAML

Type: AWS::Config::OrganizationConfigRule
Properties:
  ExcludedAccounts:
    - String
  OrganizationConfigRuleName: String
  OrganizationCustomCodeRuleMetadata:
    OrganizationCustomCodeRuleMetadata
  OrganizationCustomRuleMetadata:
    OrganizationCustomRuleMetadata
  OrganizationManagedRuleMetadata:
    OrganizationManagedRuleMetadata

Properties

ExcludedAccounts

A list of AWS account IDs that are excluded from the organization AWS Config rule. The rule is not deployed to these accounts.

Required: No

Type: List of String

Maximum: 1000

Update requires: No interruption


OrganizationConfigRuleName

The name that you assign to the organization AWS Config rule.

Required: Yes

Type: String

Minimum: 1

Maximum: 64

Pattern: .*\S.*

Update requires: Replacement


OrganizationCustomCodeRuleMetadata

Not currently supported by AWS CloudFormation.

Required: No

Type: OrganizationCustomCodeRuleMetadata

Update requires: No interruption


OrganizationCustomRuleMetadata

An OrganizationCustomRuleMetadata object that describes a custom rule evaluated by a Lambda function. Specify either this property or OrganizationManagedRuleMetadata, not both.

Required: No

Type: OrganizationCustomRuleMetadata

Update requires: No interruption


OrganizationManagedRuleMetadata

An OrganizationManagedRuleMetadata object that describes an AWS Config managed rule, identified by its RuleIdentifier. Specify either this property or OrganizationCustomRuleMetadata, not both.

Required: No

Type: OrganizationManagedRuleMetadata

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the OrganizationConfigRuleName.

For more information about using the Ref function, see Ref.


Examples

Managed Rule

The following example creates a managed organization config rule.


JSON

{
    "BasicOrganizationConfigRule": {
        "Type": "AWS::Config::OrganizationConfigRule",
        "Properties": {
            "OrganizationConfigRuleName": "OrganizationConfigRuleName",
            "OrganizationManagedRuleMetadata": {
                "RuleIdentifier": "CLOUD_TRAIL_ENABLED",
                "Description": "Cloudtrail enabled rule"
            },
            "ExcludedAccounts": [
                "accountId"
            ]
        }
    }
}


YAML

BasicOrganizationConfigRule:
  Type: "AWS::Config::OrganizationConfigRule"
  Properties:
    OrganizationConfigRuleName: "OrganizationConfigRuleName"
    OrganizationManagedRuleMetadata:
      RuleIdentifier: "CLOUD_TRAIL_ENABLED"
      Description: "Cloudtrail enabled rule"
    ExcludedAccounts:
      - "accountId"

Custom Rule

The following example creates a custom organization config rule that is evaluated on a schedule. Replace the LambdaFunctionArn placeholder with the full ARN of the Lambda function; a bare function name is not accepted there.


JSON

{
    "BasicOrganizationConfigRule": {
        "Type": "AWS::Config::OrganizationConfigRule",
        "Properties": {
            "OrganizationConfigRuleName": "OrganizationConfigRuleName",
            "OrganizationCustomRuleMetadata": {
                "LambdaFunctionArn": "CustomRuleLambdaArn",
                "OrganizationConfigRuleTriggerTypes": [
                    "ScheduledNotification"
                ]
            },
            "ExcludedAccounts": [
                "accountId"
            ]
        }
    }
}


YAML

BasicOrganizationConfigRule:
  Type: "AWS::Config::OrganizationConfigRule"
  Properties:
    OrganizationConfigRuleName: "OrganizationConfigRuleName"
    OrganizationCustomRuleMetadata:
      LambdaFunctionArn: "CustomRuleLambdaArn"
      OrganizationConfigRuleTriggerTypes:
        - "ScheduledNotification"
    ExcludedAccounts:
      - "accountId"
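The custom-rule example above leaves out the piece the introduction says a centralized Lambda function needs: permission for AWS Config in each member account to invoke it. The following added example, which is not code from this AWS page, generates a complete template in Python that places one AWS::Lambda::Permission per member account next to the AWS::Config::OrganizationConfigRule resource, makes the rule depend on those permissions, and checks the property limits stated on this page (name length and pattern, ExcludedAccounts count) before the template is emitted. The logical IDs, function ARN, account IDs and rule parameters are constructed; ResourceTypesScope and InputParameters are properties of OrganizationCustomRuleMetadata documented on its own page.

```python
"""Emit a CloudFormation template for a centralized custom organization
Config rule together with the cross-account Lambda permissions it needs.

Added example, not code from the AWS documentation page. Logical IDs, the
function ARN, the account IDs and the rule parameters are constructed.
"""
import json
import re

# Limits this page states for AWS::Config::OrganizationConfigRule.
NAME_PATTERN = re.compile(r".*\S.*")
NAME_MAX_LEN = 64
EXCLUDED_MAX = 1000
ACCOUNT_ID = re.compile(r"\d{12}")


def property_errors(rule_name, excluded_accounts):
    """Return the property limits the inputs violate (empty list means OK)."""
    errors = []
    if not 1 <= len(rule_name) <= NAME_MAX_LEN:
        errors.append("OrganizationConfigRuleName must be 1-64 characters")
    elif not NAME_PATTERN.fullmatch(rule_name):
        errors.append("OrganizationConfigRuleName needs a non-whitespace character")
    if len(excluded_accounts) > EXCLUDED_MAX:
        errors.append("ExcludedAccounts allows at most 1000 entries")
    bad = [a for a in excluded_accounts if not ACCOUNT_ID.fullmatch(a)]
    if bad:  # catches placeholders such as "accountId" left in a template
        errors.append(f"ExcludedAccounts entries are not 12-digit IDs: {bad}")
    return errors


def lambda_permission(function_arn, account_id):
    """AWS::Lambda::Permission letting AWS Config in one member account invoke
    the central function. SourceAccount pins the statement to that account so
    a Config service call originating in another account cannot use it."""
    return {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": function_arn,
            "Principal": "config.amazonaws.com",
            "SourceAccount": account_id,
        },
    }


def build_template(rule_name, function_arn, member_accounts, excluded_accounts=()):
    """Return the template as a dict; json.dumps() it to deploy."""
    excluded = list(excluded_accounts)
    errors = property_errors(rule_name, excluded)
    if errors:
        raise ValueError("; ".join(errors))
    resources = {}
    for account in member_accounts:
        if account in excluded:
            continue  # excluded accounts never invoke the function
        resources[f"ConfigInvoke{account}"] = lambda_permission(function_arn, account)
    permission_ids = sorted(resources)
    rule = {
        "Type": "AWS::Config::OrganizationConfigRule",
        "Properties": {
            "OrganizationConfigRuleName": rule_name,
            "OrganizationCustomRuleMetadata": {
                "LambdaFunctionArn": function_arn,
                "OrganizationConfigRuleTriggerTypes": [
                    "ConfigurationItemChangeNotification"
                ],
                "ResourceTypesScope": ["AWS::EC2::SecurityGroup"],
                "InputParameters": json.dumps({"requiredTag": "Owner"}),
            },
        },
    }
    if excluded:
        rule["Properties"]["ExcludedAccounts"] = excluded
    if permission_ids:
        # Create the invoke permissions before AWS Config deploys the rule
        # into member accounts, otherwise the first evaluations fail.
        rule["DependsOn"] = permission_ids
    resources["RequiredTagOrgRule"] = rule
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


# Constructed inputs: three member accounts, one of them excluded from the rule.
MEMBER_ACCOUNTS = ["111122223333", "444455556666", "777788889999"]
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:org-required-tag-rule"

if __name__ == "__main__":
    template = build_template("RequiredTagOrgRule", FUNCTION_ARN,
                              MEMBER_ACCOUNTS, excluded_accounts=["777788889999"])
    print(json.dumps(template, indent=2))
```

The per-account SourceAccount condition is deliberate: a single statement with Principal config.amazonaws.com and no SourceAccount would let AWS Config in any account, including one outside the organization, invoke the central function with an attacker-chosen event.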