AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Adds or updates an Config rule to evaluate if your Amazon Web Services resources comply with your desired configurations. For information on how many Config rules you can have per account, see Service Limits in the Config Developer Guide.
There are two types of rules: Config Managed Rules and Config Custom Rules.
You can use PutConfigRule
to create both Config Managed Rules and Config Custom
Rules.
Config Managed Rules are predefined, customizable rules created by Config. For a list
of managed rules, see List
of Config Managed Rules. If you are adding an Config managed rule, you must specify
the rule's identifier for the SourceIdentifier
key.
Config Custom Rules are rules that you create from scratch. There are two ways to create Config custom rules: with Lambda functions ( Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language. Config custom rules created with Lambda are called Config Custom Lambda Rules and Config custom rules created with Guard are called Config Custom Policy Rules.
If you are adding a new Config Custom Lambda rule, you first need to create an Lambda
function that the rule invokes to evaluate your resources. When you use PutConfigRule
to add a Custom Lambda rule to Config, you must specify the Amazon Resource Name (ARN)
that Lambda assigns to the function. You specify the ARN in the SourceIdentifier
key. This key is part of the Source
object, which is part of the ConfigRule
object.
For any new Config rule that you add, specify the ConfigRuleName
in the ConfigRule
object. Do not specify the ConfigRuleArn
or the ConfigRuleId
. These
values are generated by Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by
ConfigRuleName
, ConfigRuleId
, or ConfigRuleArn
in the ConfigRule
data type that you use in this request.
For more information about developing and using Config rules, see Evaluating Resources with Config Rules in the Config Developer Guide.
PutConfigRule
is an idempotent API. Subsequent requests won’t create a duplicate
resource if one was already created. If a following request has different tags
values, Config will ignore these differences and treat it as an idempotent request
of the previous. In this case, tags
will not be updated, even if they are different.
For .NET Core this operation is only available in asynchronous form. Please refer to PutConfigRuleAsync.
Namespace: Amazon.ConfigService
Assembly: AWSSDK.ConfigService.dll
Version: 3.x.y.z
public abstract PutConfigRuleResponse PutConfigRule( PutConfigRuleRequest request )
Container for the necessary parameters to execute the PutConfigRule service method.
Exception | Condition |
---|---|
InsufficientPermissionsException | Indicates one of the following errors: For PutConfigRule, the rule cannot be created because the IAM role assigned to Config lacks permissions to perform the config:Put* action. For PutConfigRule, the Lambda function cannot be invoked. Check the function ARN, and check the function's permissions. For PutOrganizationConfigRule, organization Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role. For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions: You do not have permission to call IAM GetRole action or create a service-linked role. You do not have permission to read Amazon S3 bucket or call SSM:GetDocument. |
InvalidParameterValueException | One or more of the specified parameters are not valid. Verify that your parameters are valid and try again. |
MaxNumberOfConfigRulesExceededException | Failed to add the Config rule because the account already contains the maximum number of 1000 rules. Consider deleting any deactivated rules before you add new rules. |
NoAvailableConfigurationRecorderException | There are no configuration recorders available to provide the role needed to describe your resources. Create a configuration recorder. |
ResourceInUseException | You see this exception in the following cases: For DeleteConfigRule, Config is deleting this rule. Try your request again later. For DeleteConfigRule, the rule is deleting your evaluation results. Try your request again later. For DeleteConfigRule, a remediation action is associated with the rule and Config cannot delete this rule. Delete the remediation action associated with the rule before deleting the rule and try your request again later. For PutConfigOrganizationRule, organization Config rule deletion is in progress. Try your request again later. For DeleteOrganizationConfigRule, organization Config rule creation is in progress. Try your request again later. For PutConformancePack and PutOrganizationConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later. For DeleteConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later. |
.NET Framework:
Supported in: 4.5, 4.0, 3.5