# Evaluating Resources with Amazon Config Rules
<a name="evaluate-config"></a>

Use Amazon Config to evaluate the configuration settings of your Amazon resources. You do this by creating Amazon Config rules, which represent your ideal configuration settings. Amazon Config provides customizable, predefined rules called managed rules to help you get started.

**Topics**
+ [Considerations](#evaluate-config-considerations)
+ [Region Support](#region-support-config-rules)
+ [Components of a Rule](evaluate-config_components.md)
+ [Managed Rules](evaluate-config_use-managed-rules.md)
+ [Custom Rules](evaluate-config_develop-rules.md)
+ [Service-Linked Rules](service-linked-awsconfig-rules.md)
+ [Adding Rules](evaluate-config_add-rules.md)
+ [Updating Rules](evaluate-config_update-rules.md)
+ [Deleting Rules](evaluate-config_delete-rules.md)
+ [Viewing Rules](evaluate-config_view-rules.md)
+ [Turning on Proactive Evaluation](evaluate-config_turn-on-proactive-rules.md)
+ [Sending Evaluations to Security Hub CSPM](setting-up-aws-config-rules-with-console-integration.md)
+ [Evaluating Resources with Rules](evaluating-your-resources.md)
+ [Deleting Evaluation Results](deleting-evaluations-results.md)
+ [Troubleshooting](troubleshooting-rules.md)

## Considerations
<a name="evaluate-config-considerations"></a>

------
#### [ Cost Considerations ]

For details about the costs associated with resource recording, see [Amazon Config pricing](https://www.amazonaws.cn/config/pricing/).

**Recommendation: Consider excluding the `AWS::Config::ResourceCompliance` resource type from recording before deleting rules**

Deleting rules creates configuration items (CIs) for `AWS::Config::ResourceCompliance` that can affect your costs for the configuration recorder. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

To avoid the associated costs, you can opt to disable recording for the `AWS::Config::ResourceCompliance` resource type before deleting rules, and re-enable recording after the rules have been deleted.

However, since deleting rules is an asynchronous process, it might take an hour or more to complete. During the time when recording is disabled for `AWS::Config::ResourceCompliance`, rule evaluations will not be recorded in the associated resource’s history.

Amazon Config recommends that you weigh these factors on a case-by-case basis before deciding how to proceed with deleting rules.
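The recorder change described above can be scripted so that the exclusion is applied before `DeleteConfigRule` and reverted once deletion has finished. The following is an added example, not code from the Amazon Config documentation; it assumes the `recordingGroup` structure used by `PutConfigurationRecorder` (`allSupported`, `resourceTypes`, `exclusionByResourceTypes`, `recordingStrategy`) and that only `name`, `roleARN`, `recordingMode` and `recordingGroup` need to be sent back when updating a recorder. It handles all three recording strategies, not just the all-supported case.

```python
"""Added example: temporarily stop recording AWS::Config::ResourceCompliance.

Pure helpers (exclude_resource_compliance, records_resource_compliance) are
testable offline; apply_to_recorder expects a boto3 "config" client.
"""
import copy

RESOURCE_COMPLIANCE = "AWS::Config::ResourceCompliance"
EXCLUSION = "EXCLUSION_BY_RESOURCE_TYPES"


def exclude_resource_compliance(recording_group):
    """Return a copy of the recording group that no longer records
    AWS::Config::ResourceCompliance, whatever strategy the recorder uses.

    Assumed recordingGroup shapes (see PutConfigurationRecorder):
    - exclusion strategy: add the type to exclusionByResourceTypes
    - all supported types: switch to the exclusion strategy with one entry
    - explicit inclusion list (resourceTypes): drop the type from the list
    """
    group = copy.deepcopy(recording_group)
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == EXCLUSION:
        excluded = group.setdefault("exclusionByResourceTypes", {}) \
                        .setdefault("resourceTypes", [])
        if RESOURCE_COMPLIANCE not in excluded:
            excluded.append(RESOURCE_COMPLIANCE)
    elif group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # allSupported must be false before the exclusion strategy is used
        # (assumption: includeGlobalResourceTypes must then be false as well).
        group["allSupported"] = False
        group["includeGlobalResourceTypes"] = False
        group.pop("resourceTypes", None)
        group["exclusionByResourceTypes"] = {"resourceTypes": [RESOURCE_COMPLIANCE]}
        group["recordingStrategy"] = {"useOnly": EXCLUSION}
    else:
        group["resourceTypes"] = [t for t in group.get("resourceTypes", [])
                                  if t != RESOURCE_COMPLIANCE]
    return group


def records_resource_compliance(recording_group):
    """True if this recording group would record the ResourceCompliance CIs."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy == EXCLUSION:
        excluded = recording_group.get("exclusionByResourceTypes", {}) \
                                  .get("resourceTypes", [])
        return RESOURCE_COMPLIANCE not in excluded
    if recording_group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return True
    return RESOURCE_COMPLIANCE in recording_group.get("resourceTypes", [])


def _recorder_payload(recorder, recording_group):
    # Assumption: these are the writable fields of a ConfigurationRecorder.
    payload = {k: recorder[k] for k in ("name", "roleARN", "recordingMode")
               if k in recorder}
    payload["recordingGroup"] = recording_group
    return payload


def apply_to_recorder(config_client, recorder_name="default"):
    """Apply the exclusion and return the original recording group.

    Keep the returned group: rule deletion is asynchronous and may take an
    hour or more, so re-apply it with restore_recorder only after the rules
    are gone (DescribeConfigRules no longer lists them).
    """
    recorder = config_client.describe_configuration_recorders(
        ConfigurationRecorderNames=[recorder_name])["ConfigurationRecorders"][0]
    original = recorder["recordingGroup"]
    config_client.put_configuration_recorder(
        ConfigurationRecorder=_recorder_payload(
            recorder, exclude_resource_compliance(original)))
    return original


def restore_recorder(config_client, original_group, recorder_name="default"):
    """Re-enable recording of AWS::Config::ResourceCompliance."""
    recorder = config_client.describe_configuration_recorders(
        ConfigurationRecorderNames=[recorder_name])["ConfigurationRecorders"][0]
    config_client.put_configuration_recorder(
        ConfigurationRecorder=_recorder_payload(recorder, original_group))
```

Note that while the exclusion is in place, evaluations of any rule are not written to the resource's compliance history, so the window between `apply_to_recorder` and `restore_recorder` should be kept as short as the asynchronous deletion allows.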

**Recommendation: Add logic to handle the evaluation of deleted resources for custom lambda rules**

When creating Amazon Config custom lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as `NOT_APPLICABLE`, they will be marked for deletion and cleaned up. If they're NOT marked as `NOT_APPLICABLE`, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of CIs for `AWS::Config::ResourceCompliance` upon rule deletion.

For information on how to set Amazon Config custom lambda rules to return `NOT_APPLICABLE` for deleted resources, see [Managing deleted resources with Amazon Config custom lambda rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_develop-rules.html#evaluate-config_develop-rules-delete).
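The following handler shows the deleted-resource logic in place. It is an added example, not Amazon's sample code: it assumes the custom rule invocation format (`invokingEvent` as a JSON string carrying a `configurationItem` or, for oversized notifications, a `configurationItemSummary`; `resultToken`; `eventLeftScope`) and uses a toy S3 bucket versioning check, reading `supplementaryConfiguration.BucketVersioningConfiguration.status`, purely to have something to evaluate. Deleted or out-of-scope resources are reported as `NOT_APPLICABLE` before any rule logic runs, so their evaluation results are cleaned up instead of lingering until the rule is deleted.

```python
"""Added example: custom Lambda rule handler that handles deleted resources."""
import json
from datetime import datetime, timezone

# configurationItemStatus values that mean the resource no longer exists.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def extract_configuration_item(invoking_event):
    """Return (item, is_summary). An oversized change notification carries
    only a summary, but the summary still has the status, type and id that
    the deletion check needs."""
    if "configurationItem" in invoking_event:
        return invoking_event["configurationItem"], False
    return invoking_event["configurationItemSummary"], True


def is_deleted_or_out_of_scope(item, event_left_scope):
    return bool(event_left_scope) or item.get("configurationItemStatus") in DELETED_STATUSES


def evaluate_bucket_versioning(item):
    """Toy rule (assumed CI layout): S3 buckets must have versioning enabled."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    versioning = item.get("supplementaryConfiguration", {}) \
                     .get("BucketVersioningConfiguration", {})
    status = versioning.get("status")
    if status == "Enabled":
        return "COMPLIANT", "Versioning is enabled"
    return "NON_COMPLIANT", "Versioning status is %s" % (status or "unset")


def build_evaluation(event):
    """Build the single evaluation record for this invocation."""
    invoking_event = json.loads(event["invokingEvent"])
    item, is_summary = extract_configuration_item(invoking_event)
    if is_deleted_or_out_of_scope(item, event.get("eventLeftScope", False)):
        # Deleted resources are marked NOT_APPLICABLE so Amazon Config
        # removes the stale evaluation result.
        compliance, note = "NOT_APPLICABLE", "Resource deleted or left rule scope"
    elif is_summary:
        # A live oversized CI must be fetched with GetResourceConfigHistory
        # before it can be evaluated; not done in this example.
        raise ValueError("Oversized configuration item: fetch full CI first")
    else:
        compliance, note = evaluate_bucket_versioning(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item.get("configurationItemCaptureTime")
                             or datetime.now(timezone.utc).isoformat(),
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. Pass boto3.client("config") as config_client to
    report the result; left as None here so the example runs offline."""
    evaluation = build_evaluation(event)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


def sample_event(status, versioning=None, left_scope=False):
    """Constructed invocation event for local testing (not a real capture)."""
    item = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "supplementaryConfiguration": {}}
    if versioning is not None:
        item["supplementaryConfiguration"]["BucketVersioningConfiguration"] = {
            "status": versioning}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token",
            "eventLeftScope": left_scope}
```

Running `lambda_handler(sample_event("ResourceDeleted"), None)` locally returns a `NOT_APPLICABLE` evaluation, while `sample_event("OK", "Enabled")` yields `COMPLIANT`.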

**Recommendation: Provide the resources in scope for custom lambda rules**

Amazon Config Custom Lambda Rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, it is highly recommended to provide resources in scope for your Custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.
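A preflight check on the rule definition catches an unscoped custom Lambda rule before it reaches `PutConfigRule`. This is an added example, not part of the Amazon Config documentation; it assumes the `ConfigRule` request shape (`Source.Owner`, `Source.SourceDetails[].MessageType`, `Scope.ComplianceResourceTypes`, `Scope.TagKey`/`TagValue`, `Scope.ComplianceResourceId`) and the documented constraints that a `ComplianceResourceId` needs exactly one resource type and a `TagValue` needs a `TagKey`.

```python
"""Added example: lint a ConfigRule definition for scoping problems."""

CHANGE_TRIGGERS = {"ConfigurationItemChangeNotification",
                   "OversizedConfigurationItemChangeNotification"}


def check_custom_lambda_scope(config_rule):
    """Return a list of findings (empty means no scoping concern)."""
    findings = []
    source = config_rule.get("Source", {})
    if source.get("Owner") != "CUSTOM_LAMBDA":
        return findings  # managed and policy rules are not the concern here

    triggers = {d.get("MessageType") for d in source.get("SourceDetails", [])}
    scope = config_rule.get("Scope") or {}
    types = scope.get("ComplianceResourceTypes") or []
    has_scope = bool(types or scope.get("TagKey") or scope.get("ComplianceResourceId"))

    if triggers & CHANGE_TRIGGERS and not has_scope:
        findings.append("unscoped change-triggered rule: the Lambda function "
                        "will be invoked for every resource in the account")
    if scope.get("ComplianceResourceId") and len(types) != 1:
        findings.append("ComplianceResourceId requires exactly one entry in "
                        "ComplianceResourceTypes")
    if scope.get("TagValue") and not scope.get("TagKey"):
        findings.append("TagValue is set without a TagKey")
    if not triggers:
        findings.append("no SourceDetails: the rule has no trigger")
    return findings


def scoped_rule_template(name, function_arn, resource_types):
    """Assemble a change-triggered custom Lambda rule scoped to the given
    resource types (function_arn is a placeholder the caller supplies)."""
    return {
        "ConfigRuleName": name,
        "Scope": {"ComplianceResourceTypes": list(resource_types)},
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": function_arn,
            "SourceDetails": [{"EventSource": "aws.config",
                               "MessageType": "ConfigurationItemChangeNotification"}],
        },
    }


# Constructed definitions for illustration (ARN is a placeholder).
UNSCOPED_RULE = {
    "ConfigRuleName": "example-unscoped",
    "Source": {"Owner": "CUSTOM_LAMBDA",
               "SourceIdentifier": "arn:aws-cn:lambda:cn-north-1:111122223333:function:PLACEHOLDER",
               "SourceDetails": [{"EventSource": "aws.config",
                                  "MessageType": "ConfigurationItemChangeNotification"}]},
}
SCOPED_RULE = scoped_rule_template(
    "example-scoped",
    "arn:aws-cn:lambda:cn-north-1:111122223333:function:PLACEHOLDER",
    ["AWS::S3::Bucket"])
```

Run the check over every rule in a deployment bundle and refuse to call `PutConfigRule` for any definition that yields findings; the scoped template is the shape to fall back to.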

------
#### [ Other considerations ]

**Default Values for Managed Rules**

The default values specified for managed rules are pre-populated only when using the Amazon console. Default values are not supplied for the API, CLI, or SDK.

**Configuration Item Recording Delays**

Amazon Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, recording is best-effort and can take longer at times. For example, `AWS::SecretsManager::Secret` is a resource type with known delays. It is only one example; other resource types can also be affected.

**Policies and compliance results**

[IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) and [other policies managed in Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies.html) can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.

**Tagging support for resource types**

If a resource type does not support tagging or does not include tag information in its describe API response, Amazon Config won't capture tag data in the configuration items (CIs) for that resource type. Amazon Config will still record these resources. However, any functionality that relies on tag data won't work. This affects tag-based filtering, grouping, or compliance evaluation that relies on tag data.

**Directory Buckets Are Not Supported**

Managed rules only support general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. For more information on general purpose buckets and directory buckets, see [Buckets overview](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingBucket.html) and [Directory buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/directory-buckets-overview.html) in the Amazon S3 User Guide.

**Managed Rules and Global IAM Resource Types**

The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by Amazon Config in Amazon Regions where Amazon Config was available before February 2022. These resource types cannot be recorded in Regions supported by Amazon Config after February 2022. For a list of those Regions, see [Recording Amazon Resources \| Global Resources](https://docs.amazonaws.cn/config/latest/developerguide/select-resources.html#select-resources-all).

If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.

To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of Amazon Config Managed Rules by Region Availability](https://docs.amazonaws.cn/config/latest/developerguide/managing-rules-by-region-availability.html).

------

## Region Support
<a name="region-support-config-rules"></a>

Currently, the Amazon Config Rule feature is supported in the following Amazon regions. For a list of which individual Amazon Config rules are supported in which Regions, see [List of Amazon Config Managed Rules by Region Availability](https://docs.amazonaws.cn/config/latest/developerguide/managing-rules-by-region-availability.html).

| Region Name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS |
| China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS |

Deploying Amazon Config Rules across member accounts in an Amazon Organization is supported in the following Regions.

| Region Name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS |
| China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS |