Creating Amazon Config Managed Rules With Amazon CloudFormation Templates - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

You must create and start the Amazon Config configuration recorder before you create Amazon Config managed rules with Amazon CloudFormation; without a recorder there is nothing for the rule to evaluate, and the stack cannot create the rule. For more information, see Managing the Configuration Recorder.

For supported Amazon Config managed rules, you can use the Amazon CloudFormation templates to create the rule for your account or update an existing Amazon CloudFormation stack. A stack is a collection of related resources that you provision and update as a single unit. When you launch a stack with a template, the Amazon Config managed rule is created for you. The templates create only the rule, and don't create additional Amazon resources.


When Amazon Config managed rules are updated, the templates are updated to match. If you need to pin a specific version of a rule's template, download the template and upload it to your own S3 bucket, then launch stacks from that copy.

For more information about working with Amazon CloudFormation templates, see Getting Started with Amazon CloudFormation in the Amazon CloudFormation User Guide.

To launch an Amazon CloudFormation stack for an Amazon Config managed rule
  1. Go to the CloudFormation console and create a new stack.

  2. For Specify template:

    • If you downloaded the template, choose Upload a template file, and then Choose file to upload the template.

    • You can also choose Amazon S3 URL, and enter the URL of the template for the rule.

    The template for a managed rule is identified by the rule identifier, written in ALL_CAPS_WITH_UNDERSCORES. For example, use CLOUDWATCH_LOG_GROUP_ENCRYPTED, not cloudwatch-log-group-encrypted.

    For some rules, the rule identifier differs from the rule name, so check the rule's documentation and use the rule identifier. For example, the rule identifier for restricted-ssh is INCOMING_SSH_DISABLED.

  3. Choose Next.

  4. For Specify stack details, type a stack name and enter the parameter values for the Amazon Config rule; these become the rule's input parameters. For example, if you are using the DESIRED_INSTANCE_TYPE managed rule template, you specify the permitted instance type, such as "m4.large".

  5. Choose Next.

  6. For Options, you can create tags or configure other advanced options. These are not required.

  7. Choose Next.

  8. For Review, verify that the template, parameters, and other options are correct.

  9. Choose Create. The stack is created in a few minutes. You can view the created rule in the Amazon Config console.
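The same procedure from the command line, as an added example that is not part of the Amazon Config documentation: it checks that a rule identifier is in the ALL_CAPS_WITH_UNDERSCORES form, writes a CloudFormation template containing only an AWS::Config::ConfigRule resource for the DESIRED_INSTANCE_TYPE rule (with the rule's instanceType input exposed as a stack parameter, matching step 4), and, in deploy, refuses to create the stack unless the configuration recorder is recording. The name-to-identifier mapping table is an assumption to be extended from the managed-rule list for your Region; the stack name and the m5.large value are example choices.

```shell
#!/bin/sh
# Added example, not AWS documentation code: template generation and
# deployment for the DESIRED_INSTANCE_TYPE managed rule.
set -eu

# Map a rule name to its rule identifier. The restricted-ssh exception is the
# one the documentation gives; the default name->identifier conversion is an
# assumption, so extend the table for every rule whose identifier differs.
rule_identifier() {
  case "$1" in
    restricted-ssh) echo INCOMING_SSH_DISABLED ;;
    *) printf '%s\n' "$1" | tr 'a-z-' 'A-Z_' ;;
  esac
}

# SourceIdentifier must be ALL_CAPS_WITH_UNDERSCORES. Catch a lower-case rule
# name here instead of finding out when stack creation fails.
valid_rule_identifier() {
  case "$1" in
    '' | *[!A-Z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write a template for DESIRED_INSTANCE_TYPE to the file named by $1.
# Like the AWS-provided templates it creates only the rule, no other resources.
render_template() {
  name=desired-instance-type
  id=$(rule_identifier "$name")
  valid_rule_identifier "$id" || { echo "bad rule identifier: $id" >&2; return 1; }
  cat >"$1" <<EOF
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS Config managed rule ${id}",
  "Parameters": {
    "InstanceType": {
      "Type": "String",
      "Default": "m4.large",
      "Description": "Comma-separated EC2 instance types that count as compliant"
    }
  },
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "${name}",
        "Source": { "Owner": "AWS", "SourceIdentifier": "${id}" },
        "InputParameters": { "instanceType": { "Ref": "InstanceType" } },
        "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }
      }
    }
  }
}
EOF
}

# Create or update the stack. Not run automatically; call it with credentials
# and a Region configured. It stops if the configuration recorder is not
# started, because the rule would be created but never evaluate anything.
deploy() {
  stack=${1:-config-desired-instance-type}   # example stack name (assumption)
  template=$(mktemp)
  render_template "$template"
  aws configservice describe-configuration-recorder-status \
    --query 'ConfigurationRecordersStatus[0].recording' --output text \
    | grep -qx True || { echo "configuration recorder is not started" >&2; return 1; }
  aws cloudformation deploy --stack-name "$stack" --template-file "$template" \
    --parameter-overrides InstanceType=m5.large
  # Confirm the rule exists and is active, the CLI equivalent of step 9.
  aws configservice describe-config-rules --config-rule-names desired-instance-type \
    --query 'ConfigRules[0].ConfigRuleState' --output text
  rm -f "$template"
}
```

Deleting the stack (aws cloudformation delete-stack) removes the rule again, exactly as described for console-created stacks; keep the rendered template under version control if you want to pin a rule version rather than follow the AWS-maintained template.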

You can use the templates to create a single stack for an Amazon Config managed rule or to update an existing stack in your account. If you delete a stack, the managed rules created from that stack are deleted with it. For more information, see Working with Stacks in the Amazon CloudFormation User Guide.