AWS::Config::ConfigRule Source - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::Config::ConfigRule Source

Provides the CustomPolicyDetails, the rule owner ( Amazon for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your Amazon resources.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{ "CustomPolicyDetails" : CustomPolicyDetails, "Owner" : String, "SourceDetails" : [ SourceDetail, ... ], "SourceIdentifier" : String }



Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY.

Required: No

Type: CustomPolicyDetails

Update requires: No interruption


Indicates whether Amazon or the customer owns and manages the Amazon Config rule.

Amazon Config Managed Rules are predefined rules owned by Amazon. For more information, see Amazon Config Managed Rules in the Amazon Config developer guide.

Amazon Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Amazon Lambda (CUSTOM_LAMBDA). For more information, see Amazon Config Custom Rules in the Amazon Config developer guide.

Required: Yes

Type: String


Update requires: No interruption


Provides the source and the message types that cause Amazon Config to evaluate your Amazon resources against a rule. It also provides the frequency with which you want Amazon Config to run evaluations for the rule if the trigger type is periodic.

If the owner is set to CUSTOM_POLICY, the only acceptable values for the Amazon Config rule trigger message type are ConfigurationItemChangeNotification and OversizedConfigurationItemChangeNotification.

Required: No

Type: Array of SourceDetail

Minimum: 0

Maximum: 25

Update requires: No interruption


For Amazon Config Managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see List of Amazon Config Managed Rules.

For Amazon Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's Amazon Lambda function, such as arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name.

For Amazon Config Custom Policy rules, this field will be ignored.

Required: No

Type: String

Minimum: 1

Maximum: 256

Update requires: No interruption