Evaluating Resources with Amazon Config Rules

For details about the costs associated with resource recording, see Amazon Config pricing.

Recommendation: Consider excluding the AWS::Config::ResourceCompliance resource type from recording before deleting rules

Deleting rules creates configuration items (CIs) for AWS::Config::ResourceCompliance that can affect your costs for the configuration recorder. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

To avoid the associated costs, you can opt to disable recording for the AWS::Config::ResourceCompliance resource type before deleting rules, and re-enable recording after the rules have been deleted.

However, since deleting rules is an asynchronous process, it might take an hour or more to complete. During the time when recording is disabled for AWS::Config::ResourceCompliance, rule evaluations will not be recorded in the associated resource’s history.

Amazon Config recommends that you weigh these factors on a case-by-case basis before deciding how to proceed with deleting rules.

Recommendation: Add logic to handle the evaluation of deleted resources for custom lambda rules

When creating Amazon Config custom lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as NOT_APPLICABLE, they will be marked for deletion and cleaned up. If they're NOT marked as NOT_APPLICABLE, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of CIs for AWS::Config::ResourceCompliance upon rule deletion.

For information on how to set Amazon Config custom lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with Amazon Config custom lambda rules.

Recommendation: Provide the resources in scope for custom lambda rules

Amazon Config Custom Lambda Rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, it is highly recommended to provide resources in scope for your Custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.

Defaut Values for Managed Rules

The default values specified for managed rules are pre-populated only when using the Amazon console. Default values are not supplied for the API, CLI, or SDK.

Configuration Item Recording Delays

Amazon Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, this is on a best effort basis and can take longer at times. For example, a resource type with known delays is AWS::SecretsManager::Secret. This resource type is an example, and this list is non-exhaustive.

Policies and compliance results

IAM policies and other policies managed in Amazon Organizations can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.

Tagging support for resource types

If a resource type does not support tagging or does not include tag information in its describe API response, Amazon Config won't capture tag data in the configuration items (CIs) for that resource type. Amazon Config will still record these resources. However, any functionality that relies on tag data won't work. This affects tag-based filtering, grouping, or compliance evaluation that relies on tag data.

Directory Buckets Are Not Supported

Managed rules only support general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. For more information on general purpose buckets and directory buckets, see Buckets overview and Directory buckets in the Amazon S3 User Guide.

Managed Rules and Global IAM Resource Types

The global IAM resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can only be recorded by Amazon Config in Amazon Regions where Amazon Config was available before February 2022. These resource types cannot be recorded in Regions supported by Amazon Config after February 2022. For a list of those Regions, see Recording Amazon Resources | Global Resources.

If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.

To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see List of Amazon Config Managed Rules by Region Availability.