Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Evaluating Resources with Amazon Config Rules

Use Amazon Config to evaluate the configuration settings of your Amazon resources. You do this by creating Amazon Config rules, which represent your ideal configuration settings. Amazon Config provides customizable, predefined rules called managed rules to help you get started. As Amazon Config continuously tracks the configuration changes that occur among your resources, it checks whether each change complies with the conditions in your rules. If a resource does not comply with a rule, Amazon Config flags both the resource and the rule as noncompliant. The following are the possible evaluation results for an Amazon Config rule:

  • COMPLIANT - the rule passes the conditions of the compliance check.

  • NON_COMPLIANT - the rule fails the conditions of the compliance check.

  • ERROR - one of the required/optional parameters is not valid, or not of the correct type, or is formatted incorrectly.

  • NOT_APPLICABLE - used to filter out resources that the logic of the rule cannot be applied to. For example, the alb-desync-mode-check rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers.

For example, when an EC2 volume is created, Amazon Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, Amazon Config flags the volume and the rule as noncompliant. Amazon Config can also check all of your resources for account-wide requirements. For example, Amazon Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses Amazon CloudTrail for logging.

Service-linked rules are a unique type of managed rule that allows other Amazon services to create Amazon Config rules in your account. These rules are predefined to include all the permissions required to call other Amazon services on your behalf. They are similar to standards that an Amazon service recommends for your Amazon account for compliance verification. For more information, see Service-Linked Amazon Config Rules.

The Amazon Config console shows the compliance status of your rules and resources. You can see how your Amazon resources comply overall with your desired configurations, and learn which specific resources are noncompliant. You can also use the Amazon CLI, the Amazon Config API, and Amazon SDKs to make requests to the Amazon Config service for compliance information.

By using Amazon Config to evaluate your resource configurations, you can assess how well your resource configurations comply with internal practices, industry guidelines, and regulations.

For the maximum number of Amazon Config rules per Region per account and other service limits, see Amazon Config Service Limits.

You can also create custom rules to evaluate additional resources that Amazon Config doesn't yet record. For more information, see Amazon Config Custom Rules and Evaluating Additional Resource Types.

Important

Avoid Unnecessary Amazon Config Custom Lambda Rule Evaluations

When creating Amazon Config custom lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as NOT_APPLICABLE, they will be marked for deletion and cleaned up. If they're NOT marked as NOT_APPLICABLE, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of configuration items (CIs) for ResourceCompliance upon rule deletion.

For information on how to set Amazon Config custom lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with Amazon Config custom lambda rules. Amazon Config managed rules and Amazon Config custom policy rules handle this behavior by default.
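The following is an added example, not code from the Amazon Config documentation or from any AWS sample: a custom Lambda rule that implements the volume-encryption check described earlier on this page and returns NOT_APPLICABLE both for resources the rule does not cover and for deleted resources, so that stale evaluation results are cleaned up rather than persisting until the rule is deleted. The event field names (invokingEvent, configurationItem, configurationItemStatus, resultToken) follow the shape Amazon Config sends to a custom Lambda rule; the sample events, the RecordingConfigClient stand-in for the boto3 Config client, and the helper names are constructed here so the example runs offline.

```python
"""Custom Config Lambda rule: EC2 volumes must be encrypted.

Added example (not AWS code). Deleted resources and non-volume resources are
reported as NOT_APPLICABLE, as the Config documentation recommends.
"""
import json

# Status values Config sets on a configuration item for a resource that no
# longer exists. Either one means the old evaluation result should be retired.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}
TARGET_RESOURCE_TYPE = "AWS::EC2::Volume"


def evaluate_volume(config_item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if config_item.get("configurationItemStatus") in DELETED_STATUSES:
        # NOT_APPLICABLE marks the result for deletion and cleanup; anything
        # else would leave a stale result behind until the rule is removed.
        return "NOT_APPLICABLE", "Resource was deleted"
    if config_item.get("resourceType") != TARGET_RESOURCE_TYPE:
        return "NOT_APPLICABLE", "Rule applies only to " + TARGET_RESOURCE_TYPE
    configuration = config_item.get("configuration") or {}
    if configuration.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted"
    return "NON_COMPLIANT", "Volume is not encrypted"


def build_evaluation(event):
    """Turn a Config invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized notifications carry only a summary; the full item would have
        # to be fetched from Config, which this offline example does not do.
        raise ValueError("unsupported messageType: %r" % invoking_event.get("messageType"))
    ci = invoking_event["configurationItem"]
    compliance_type, annotation = evaluate_volume(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


class RecordingConfigClient:
    """Constructed stand-in for boto3's Config client; records calls offline."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. Inside Lambda, config_client is left as None and a
    real boto3 client is created; tests inject RecordingConfigClient."""
    if config_client is None:
        import boto3  # available in the Lambda runtime; not needed offline
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


def make_event(resource_id, status, encrypted, resource_type=TARGET_RESOURCE_TYPE):
    """Build a constructed sample event in the shape Config sends to the rule."""
    config_item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        # Config sends no configuration for a deleted resource.
        "configuration": None if status in DELETED_STATUSES
        else {"encrypted": encrypted},
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": config_item,
        }),
        "ruleParameters": "{}",
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    client = RecordingConfigClient()
    for rid, status, enc in [("vol-a", "OK", True), ("vol-b", "OK", False),
                             ("vol-c", "ResourceDeleted", None)]:
        print(rid, lambda_handler(make_event(rid, status, enc), None, client)["ComplianceType"])
```

The deleted-resource branch is checked before the resource-type branch on purpose: a deleted item may arrive with no configuration at all, and the rule must still retire its old result rather than report NON_COMPLIANT on missing data.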

Evaluation Results for Deleted Resources Can Persist if the Configuration Recorder is Turned Off

If the configuration recorder is turned off, it disables the ability of Amazon Config to track changes to the configuration of your resources, including their deletions. This means you might see evaluation results for resources that have been previously deleted if you turn off the configuration recorder.

Region Support

Currently, the Amazon Config Rules feature is supported in the following Amazon Regions. For a list of which individual Amazon Config rules are supported in which Regions, see List of Amazon Config Managed Rules by Region Availability.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (Ohio) us-east-2 config-fips.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config-fips.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config-fips.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
US West (Oregon) us-west-2 config-fips.us-west-2.amazonaws.com HTTPS

Africa (Cape Town) af-south-1 config.af-south-1.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 config.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Hyderabad) ap-south-2 config.ap-south-2.amazonaws.com HTTPS
Asia Pacific (Jakarta) ap-southeast-3 config.ap-southeast-3.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 config.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Osaka) ap-northeast-3 config.ap-northeast-3.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Canada West (Calgary) ca-west-1 config.ca-west-1.amazonaws.com HTTPS
China (Beijing) cn-north-1 config.cn-north-1.amazonaws.com.cn HTTPS
China (Ningxia) cn-northwest-1 config.cn-northwest-1.amazonaws.com.cn HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Milan) eu-south-1 config.eu-south-1.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Europe (Spain) eu-south-2 config.eu-south-2.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
Europe (Zurich) eu-central-2 config.eu-central-2.amazonaws.com HTTPS
Israel (Tel Aviv) il-central-1 config.il-central-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 config.me-south-1.amazonaws.com HTTPS
Middle East (UAE) me-central-1 config.me-central-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS

Deploying Amazon Config Rules across member accounts in an Amazon Organization is supported in the following Regions.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 config.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS