Evaluation Mode and Trigger Types for Amazon Config Rules - Amazon Config
Trigger typesEvaluation modesRule evaluations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Evaluation Mode and Trigger Types for Amazon Config Rules

When you add a rule to your account, you can specify when in the resource creation and management process that you want Amazon Config to evaluate your resources. The resource creation and management process is known as resource provisioning. You choose the evaluation mode to specify when in this process you want Amazon Config to evaluate your resources.

Depending on the rule, Amazon Config can evaluate your resource configurations before a resource has been deployed, after a resource has been deployed, or both. Evaluating a resource before it has been deployed is proactive evaluation. Evaluating a resource after it has been deployed is detective evaluation.

You can also choose the trigger type to specify how often your Amazon Config rules evaluate your resources. Resources can be evaluated when there are configuration changes, on a periodic schedule, or both.

Trigger types

After you add a rule to your account, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types:

Configuration changes

Amazon Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after Amazon Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

Amazon Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.

Periodic

Amazon Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.

Hybrid

Some rules have both configuration change and periodic triggers. For these rules, Amazon Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

Evaluation modes

There are two evaluation modes:

Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The Resource type schema states the properties of a resource. You can find the resource type schema in "Amazon public extensions" within the Amazon CloudFormation registry or with the following CLI commmand:

aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE

For more information, see Managing extensions through the Amazon CloudFormation registry and Amazon resource and property types reference in the Amazon CloudFormation User Guide.

Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

List of managed rules with proactive evaluation

For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.

List of supported resource types for proactive evaluation

The following is a list of resource types that are supported for proactive evaluation:

  • AWS::ApiGateway::Stage

  • AWS::AutoScaling::AutoScalingGroup

  • AWS::EC2::EIP

  • AWS::EC2::Instance

  • AWS::EC2::Subnet

  • AWS::Elasticsearch::Domain

  • AWS::Lambda::Function

  • AWS::RDS::DBInstance

  • AWS::Redshift::Cluster

  • AWS::S3::Bucket

  • AWS::SNS::Topic

Example rule with proactive evaluation

Example proactive rule

  1. You add the Amazon Config managed rule, S3_BUCKET_LOGGING_ENABLED, to your account to check if your S3 buckets have logging enabled.

  2. For the evaluation mode, choose Turn on proactive evaluation in the Amazon Management Console, or enable PROACTIVE for EvaluationModes in the PutConfigRule API.

Once you have turned on proactive evaluation, you can use the StartResourceEvaluation API and GetResourceEvaluationSummary API to check if a bucket in your account, which has not been deployed to production, does not have logging enabled. This allows you to test resource configurations before you deploy and re-evaluate if you want to deploy the resource to production.

For example, start with the StartResourceEvaluation API:

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE
                --resource-details '{"ResourceId":"MY_RESOURCE_ID",
                                     "ResourceType":"AWS::S3::Bucket",
                                     "ResourceConfiguration": "{\"BucketName\": \"my-bucket\", \"LoggingConfiguration\": {\"DestinationBucketName\": \"my-log-bucket\",\"LogFilePrefix\":\"my-log\"}}",
                                     "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'

You should receive the ResourceEvaluationId in the output:

{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"
}

Then, use the ResourceEvaluationId with the GetResourceEvaluationSummary API to check the evaluation result:

aws configservice get-resource-evaluation-summary
    --resource-evaluation-id MY_RESOURCE_EVALUATION_ID

You should receive output similiar to the following:

{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "{\"BucketName\": \"my-bucket\", \"LoggingConfiguration\": {\"DestinationBucketName\": \"my-log-bucket\",\"LogFilePrefix\":\"my-log\"}}",

    }
}

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the GetComplianceDetailsByResource API.

Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.

Example rules with detective evaluation

Example change-triggered rule

  1. You add the managed rule, S3_BUCKET_LOGGING_ENABLED, to your account to check if your S3 buckets have logging enabled.

  2. The trigger type for the rule is configuration changes. Amazon Config runs the evaluations for the rule when an S3 bucket is created, changed, or deleted.

  3. When a bucket is updated, the configuration change initiates the rule and Amazon Config evaluates whether the bucket is compliant against the rule.

Example periodic rule

  1. You add the managed rule, IAM_PASSWORD_POLICY, to your account. The rule checks if the password policy for your IAM users comply with your account policy, such as requiring a minimum length or requiring specific characters.

  2. The trigger type for the rule is periodic. Amazon Config runs evaluation for the rule at a frequency that you specify, such as every 24 hours.

  3. Every 24 hours, the rule is initiated and Amazon Config evaluates whether the passwords for your IAM users are compliant against the rule.

Example hybrid rule with both configuration change and periodic triggers

  1. Create a custom rule that evaluates whether Amazon CloudTrail trails in your account are turned on and logging for all Regions.

  2. You want Amazon Config to run evaluations for the rule every time a trail is created, updated, or deleted. You also want Amazon Config to run the rule every 12 hours.

  3. For the trigger type, you write logic for both configuration change and periodic triggers. For more information, see Components of an Amazon Config Rule: Writing Rules.

Rule evaluations when the configuration recorder is turned off

If you turn off the configuration recorder, Amazon Config stops recording changes to your resource configurations. This affects your rule evaluations in the following ways:

  • Periodic rules continue to run evaluations at the specified frequency.

  • Change-triggered rules do not run evaluations.

  • Hybrid rules run evaluations only at the specified frequency. The rules do not run evaluations for configuration changes.

  • If you run an on-demand evaluation for a rule with a configuration change trigger, the rule evaluates the last known state of the resource, which is the last recorded configuration item.

Important

Avoid Unnecessary Amazon Config Evaluations

Periodic rules and hybrid rules will continue to run unless deleted, even if you have turned off the configuration recorder. These rules will only evaluate configuration items that were recorded before the configuration recorder was turned off, meaning these rules will reproduce the same evaluation results with no new information. Delete periodic rules and hybrid rules when you turn off the configuration recorder in order to avoid unnecessary activity and rule evaluations.