Evaluating Resources with Amazon Config Rules

Use Amazon Config to evaluate the configuration settings of your Amazon resources. You do this by creating Amazon Config rules, which represent your ideal configuration settings. Amazon Config provides customizable, predefined rules called managed rules to help you get started. While Amazon Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, Amazon Config flags the resource and the rule as noncompliant.

For example, when an EC2 volume is created, Amazon Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, Amazon Config flags the volume and the rule as noncompliant. Amazon Config can also check all of your resources for account-wide requirements. For example, Amazon Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses Amazon CloudTrail for logging.
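The volume check described above, written as the evaluation logic of a custom rule backed by a Lambda function. This is an added example, not code from the Amazon Config documentation; the function names, the sample event and its volume ID are constructed, and the rule treats a missing `encrypted` field as noncompliant.

```python
import json

VOLUME_TYPE = "AWS::EC2::Volume"
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")

def evaluate_volume(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != VOLUME_TYPE:
        return "NOT_APPLICABLE", "Rule only applies to EC2 volumes."
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "Volume was deleted."
    config = item.get("configuration") or {}
    # Fail closed: only an explicit true counts as encrypted.
    if config.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted."
    return "NON_COMPLIANT", "Volume is not encrypted."

def build_evaluation(event):
    """Turn a custom-rule invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_volume(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: report the result back to the Config service."""
    import boto3  # imported here so the logic above runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(event)],
        ResultToken=event["resultToken"],
    )

def sample_event(configuration, status="OK"):
    """Constructed invocation event for a volume (all values are made up)."""
    item = {
        "resourceType": VOLUME_TYPE,
        "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": configuration,
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "constructed-token"}

if __name__ == "__main__":
    for cfg in ({"encrypted": True}, {"encrypted": False}, {}):
        print(cfg, build_evaluation(sample_event(cfg))["ComplianceType"])
```
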

Service-linked rules are a unique type of managed rule that allows other Amazon services to create Amazon Config rules in your account. These rules are predefined to include all the permissions required to call other Amazon services on your behalf. These rules are similar to standards that an Amazon service recommends in your Amazon account for compliance verification. For more information, see Service-Linked Amazon Config Rules.

The Amazon Config console shows the compliance status of your rules and resources. You can see how your Amazon resources comply overall with your desired configurations, and learn which specific resources are noncompliant. You can also use the Amazon CLI, the Amazon Config API, and Amazon SDKs to make requests to the Amazon Config service for compliance information.

By using Amazon Config to evaluate your resource configurations, you can assess how well your resource configurations comply with internal practices, industry guidelines, and regulations.

For regions that support Amazon Config rules, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

You can create up to 400 Amazon Config rules per region in your account. For more information, see Amazon Config Limits.

You can also create custom rules to evaluate additional resources that Amazon Config doesn't yet record. For more information, see Amazon Config Custom Rules and Evaluating Additional Resource Types.

Region Support

Currently, Amazon Config Rules is supported in the following regions:

| Region name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| Africa (Cape Town) | af-south-1 | config.af-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Osaka) | ap-northeast-3 | config.ap-northeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Amazon GovCloud (US-East) | us-gov-east-1 | config.us-gov-east-1.amazonaws.com | HTTPS |
| Amazon GovCloud (US-West) | us-gov-west-1 | config.us-gov-west-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com | HTTPS |
| China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Milan) | eu-south-1 | config.eu-south-1.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |

Deploying Amazon Config Rules across member accounts in an Amazon Organization is supported in the following Regions.

| Region name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |