Components of an Amazon Config Rule
Amazon Config rules evaluate the configuration settings of your Amazon resources. There are two types of rules: Amazon Config Managed Rules and Amazon Config Custom Rules.
Amazon Config Managed Rules are predefined, customizable rules created by Amazon Config. For a list of managed rules, see List of Amazon Config Managed Rules.
Amazon Config Custom Rules are rules that you create from scratch. There are two ways to create Amazon Config custom rules: with Lambda functions (see the Amazon Lambda Developer Guide) and with Guard (see the Guard GitHub Repository).
This page discusses the metadata of Amazon Config managed rules and best practices on how to write Amazon Config custom rules with Python using the Amazon Config Rules Development Kit (RDK) and Amazon Config Rules Development Kit Library (RDKlib).
For a walkthrough showing how to create Amazon Config Custom Policy Rules, see Creating Amazon Config Custom Policy Rules. For a walkthrough showing how to create Amazon Config Custom Lambda Rules, see Creating Amazon Config Custom Lambda Rules.
Amazon Config Managed Rule Metadata
Amazon Config managed rules can contain the following mutable metadata:
- defaultName
  The defaultName is the name that instances of a rule will get by default.

- description
  The rule description provides context for what the rule evaluates. The Amazon Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON_COMPLIANT scenario. Service names should be written in full, beginning with Amazon, when first mentioned in the rule description; for example, Amazon CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch for first use. Service names can be abbreviated on subsequent references.

- scope
  The scope determines which resource types the rule targets. For a list of supported resource types, see Supported Resource Types.

- compulsoryInputParameterDetails
  The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the access-keys-rotated managed rule includes maxAccessKeyAge as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

- optionalInputParameterDetails
  The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the elasticsearch-logs-to-cloudwatch managed rule includes logTypes as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

- supportedEvaluationModes
  The supportedEvaluationModes determines when resources will be evaluated: either before a resource has been deployed or after it has been deployed. DETECTIVE is used to evaluate resources which have already been deployed. This allows you to evaluate the configuration settings of your existing resources. PROACTIVE is used to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.
  You can set the supportedEvaluationModes to DETECTIVE, PROACTIVE, or both DETECTIVE and PROACTIVE. You must specify an evaluation mode; this field cannot remain empty. For more information, see Evaluation modes. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.
Note
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
Amazon Config Custom Rule Structure
This section contains information on using the Amazon Config Rules Development Kit (RDK) and Amazon Config Rules Development Kit Library (RDKlib). For more information on the RDK or RDKlib, see the aws-config-rdk repository.
Writing rules
1. Follow the steps in Installing the Amazon CLI.

2. Follow the steps in Setting Up Amazon Config with the Console or Setting Up Amazon Config with the Amazon CLI. For information about the Amazon Regions where Amazon Config is supported, select your Region from the Amazon Regional Services list.

3. Install the RDK, using the recommended method with pip:

   pip install rdk

   Note
   Before using pip, make sure it is installed on your machine.

4. Install the RDKlib, using the recommended method with pip:

   pip install rdklib

   Note
   Before using pip, make sure it is installed on your machine.

5. Create, write, and deploy the rule. The procedure depends on whether the rule is change-triggered or periodic; both are described below.
Change-triggered rules

1. To create a rule that is triggered by a change to a specified resource type, run the following command:

   rdk create YOUR_RULE_NAME --runtime python3.6-lib --resource-types AWS::Resource::Type

   The following example creates a rule that is triggered by a change to the AWS::IAM::User resource type:

   rdk create MFA_ENABLED_RULE --runtime python3.6-lib --resource-types AWS::IAM::User

   The following are the flags you can use with the rdk create command for change-triggered rules:

   rdk create RULE_NAME
       --runtime pythonX.X-lib                    // Python runtime version
       --input-parameters REQUIRED_PARAMETERS     // Parameters that are required for a rule to do its evaluation
       --optional-parameters OPTIONAL_PARAMETERS  // Parameters that are optional for a rule to do its evaluation
       --resource-types AWS::Resource::Type       // Resource type(s) that the rule targets

   Note
   To use the RDKlib, the runtime of the rule must be set to python3.6-lib.

   After running rdk create, you should see a new directory with the rule name and 3 files in it:

   - RULE_NAME.py - Python file where the rule logic is stored
   - RULE_NAME_test.py - Python file where the rule's unit tests are stored
   - parameters.json - JSON file for RDK's deployment settings

2. The next step is writing the rule logic. You will only need to edit the RULE_NAME.py file. If you open the RULE_NAME.py file, you will see a template where you can add rule logic. The following is the template that was generated for MFA_ENABLED_RULE:

   from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType

   APPLICABLE_RESOURCES = ['AWS::IAM::User']


   class MFA_ENABLED_RULE(ConfigRule):

       def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
           ###############################
           # Add your custom logic here. #
           ###############################
           return [Evaluation(ComplianceType.NOT_APPLICABLE)]

       #def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
       #    pass

       def evaluate_parameters(self, rule_parameters):
           valid_rule_parameters = rule_parameters
           return valid_rule_parameters


   ################################
   # DO NOT MODIFY ANYTHING BELOW #
   ################################
   def lambda_handler(event, context):
       my_rule = MFA_ENABLED_RULE()
       evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
       return evaluator.handle(event, context)

   The following example is an edited version of the MFA_ENABLED_RULE template with the rule logic. The rule checks if IAM users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if an IAM user does not have MFA enabled. For more information on rule logic and the methods provided in the template, see Rule logic.

   from rdklib import ComplianceType, ConfigRule, Evaluation, Evaluator

   APPLICABLE_RESOURCES = ["AWS::IAM::User"]


   class MFA_ENABLED_RULE(ConfigRule):
       def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
           username = configuration_item.get("resourceName")
           iam_client = client_factory.build_client("iam")
           response = iam_client.list_mfa_devices(UserName=username)
           # Scenario 1: IAM user has MFA enabled.
           if response["MFADevices"]:
               return [Evaluation(ComplianceType.COMPLIANT)]
           # Scenario 2: IAM user does not have MFA enabled.
           annotation = "MFA needs to be enabled for user."
           return [Evaluation(ComplianceType.NON_COMPLIANT, annotation=annotation)]

       def evaluate_parameters(self, rule_parameters):
           valid_rule_parameters = rule_parameters
           return valid_rule_parameters


   ################################
   # DO NOT MODIFY ANYTHING BELOW #
   ################################
   def lambda_handler(event, context):
       my_rule = MFA_ENABLED_RULE()
       evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
       return evaluator.handle(event, context)
3. The next step is installing the RDKlib layer in Amazon with either the Amazon Console or the Amazon CLI. RDKlib is designed to work as an Amazon Lambda Layer. It allows you to use the library without needing to include it in your deployment package.

   To install the RDKlib layer with the Amazon Console, do the following steps:

   - Open the Amazon Serverless Application Repository console at https://console.amazonaws.cn/serverlessrepo.
   - On the left navigation menu, choose Available applications.
   - Search for rdklib, and choose rdklib.
   - Review the function details and then deploy it. You shouldn't have to make any changes.
   - In the Resources section on the Overview page, copy the Amazon Resource Name (ARN) of the Lambda layer. You will need the ARN of the Lambda layer when you deploy your rule.

   To install the RDKlib layer with the Amazon CLI, run the following commands:

   - Create the change set for the RDKlib-Layer.

     aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib --stack-name RDKlib-Layer

     It returns the following output:

     {
         "ApplicationId": "arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib",
         "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/a3d536322-585e-4ffd-9e2f-552c8b887d6f/ffe7ff5c-ab38-4ab9-b746-9c1617ca95c1",
         "SemanticVersion": "0.1.0",
         "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/serverlessrepo-RDKlib-Layer/365436a0-a58a-11ea-9b04-12ae8fb95b53"
     }

   - Execute the change set. You can copy/paste the full change set ARN (ChangeSetId from the output generated in the previous step) to customize the following command:

     aws cloudformation execute-change-set --change-set-name NAME_OF_THE_CHANGE_SET

   - Return all the associated resources that are part of the deployed stack.

     aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-Layer

     It returns the following output:

     {
         "StackResources": [
             {
                 "StackName": "serverlessrepo-RDKlib-Layer",
                 "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/serverlessrepo-RDKlib-Layer/365436a0-a58a-11ea-9b04-12ae8fb95b53",
                 "LogicalResourceId": "RdklibLayercf22317faf",
                 "PhysicalResourceId": "arn:aws:lambda:us-east-1:123456789012:layer:rdklib-layer:1",
                 "ResourceType": "AWS::Lambda::LayerVersion",
                 "Timestamp": "2020-06-03T11:26:30.501Z",
                 "ResourceStatus": "CREATE_COMPLETE",
                 "DriftInformation": {
                     "StackResourceDriftStatus": "NOT_CHECKED"
                 }
             }
         ]
     }

   - Copy the ARN of the Lambda layer from the output generated in the previous step. The ARN of the Lambda layer is the PhysicalResourceId:

     "PhysicalResourceId": "arn:aws:lambda:us-east-1:123456789012:layer:rdklib-layer:1"

4. The next step is providing a role for the Lambda function to assume. By default, Lambda functions attempt to assume the AWSServiceRoleForConfig role, which is not allowed. You need to create a role with the AWS_ConfigRole managed policy. The role must have a trust relationship with Amazon Config and must allow all roles under the /rdk/ path to assume it. The following is an example trust policy:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "config.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::account-ID:root"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringLike": {
                       "aws:PrincipalArn": "arn:aws:iam::account-ID:role/rdk/*"
                   }
               }
           }
       ]
   }

   Using this trust policy, run the following command:

   aws iam create-role --role-name your-role-name --assume-role-policy-document file://trust-policy.json

   Now, run the following command to update the input parameter for ExecutionRoleName and provide the role name:

   rdk modify YOUR_RULE_NAME --input-parameters '{"ExecutionRoleName":"your-role-name"}'

   You can also use rdk modify to update the change-triggered rule details using the following flags:

   rdk modify RULE_NAME
       --input-parameters REQUIRED_PARAMETERS     // Parameters that are required for a rule to do its evaluation
       --optional-parameters OPTIONAL_PARAMETERS  // Parameters that are optional for a rule to do its evaluation
       --resource-types AWS::Resource::Type       // Resource type(s) that the rule targets

5. The final step is deploying your rule. To deploy your rule, run the following command with the ARN of the Lambda layer from step 3:

   rdk deploy YOUR_RULE_NAME --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN

   The rule is now deployed. You can use the Amazon Config Console to check if the rule is working as expected.
Periodic rules

1. To create a rule that is triggered periodically for a specified resource type, run the following command:

   rdk create YOUR_RULE_NAME --runtime python3.6-lib --resource-types AWS::Resource::Type --maximum-frequency EXECUTION_FREQUENCY

   The following example creates a rule that is triggered every 24 hours for the AWS::IAM::User resource type:

   rdk create MFA_ENABLED_RULE --runtime python3.6-lib --resource-types AWS::IAM::User --maximum-frequency TwentyFour_Hours

   The following are the flags you can use with the rdk create command for periodic rules:

   rdk create RULE_NAME
       --runtime pythonX.X-lib                    // Python runtime version
       --input-parameters REQUIRED_PARAMETERS     // Parameters that are required for a rule to do its evaluation
       --optional-parameters OPTIONAL_PARAMETERS  // Parameters that are optional for a rule to do its evaluation
       --resource-types AWS::Resource::Type       // Resource type(s) that the rule targets
       --maximum-frequency EXECUTION_FREQUENCY    // How often the rule should be run on a periodic trigger. One of ['One_Hour','Three_Hours','Six_Hours','Twelve_Hours','TwentyFour_Hours']

   Note
   To use the RDKlib, the runtime of the rule must be set to python3.6-lib.

   After running rdk create, you should see a new directory with the rule name and 3 files in it:

   - RULE_NAME.py - Python file where the rule logic is stored
   - RULE_NAME_test.py - Python file where the rule's unit tests are stored
   - parameters.json - JSON file for RDK's deployment settings

2. The next step is writing the rule logic. You will only need to edit the RULE_NAME.py file. If you open the RULE_NAME.py file, you will see a template where you can add rule logic. The following is the template that was generated for MFA_ENABLED_RULE:

   from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType

   APPLICABLE_RESOURCES = ['AWS::IAM::User']


   class MFA_ENABLED_RULE(ConfigRule):

       def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
           ###############################
           # Add your custom logic here. #
           ###############################
           return [Evaluation(ComplianceType.NOT_APPLICABLE)]

       #def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
       #    pass

       def evaluate_parameters(self, rule_parameters):
           valid_rule_parameters = rule_parameters
           return valid_rule_parameters


   ################################
   # DO NOT MODIFY ANYTHING BELOW #
   ################################
   def lambda_handler(event, context):
       my_rule = MFA_ENABLED_RULE()
       evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
       return evaluator.handle(event, context)

   The template defaults to change-triggered rules. Instead, add your logic to the evaluate_periodic method. The following example is an edited version of the MFA_ENABLED_RULE template with the rule logic. The rule checks if IAM users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if an IAM user does not have MFA enabled. For more information on rule logic and the methods provided in the template, see Rule logic.

   from rdklib import ComplianceType, ConfigRule, Evaluation, Evaluator

   APPLICABLE_RESOURCES = ["AWS::IAM::User"]


   class MFA_ENABLED_RULE(ConfigRule):
       def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
           evaluations = []
           iam_client = client_factory.build_client("iam")
           paginator = iam_client.get_paginator("list_users")
           response_iterator = paginator.paginate()
           for response in response_iterator:
               for user in response["Users"]:
                   username = user["UserName"]
                   mfa_response = iam_client.list_mfa_devices(UserName=username)
                   # Scenario 1: IAM user has MFA enabled.
                   if mfa_response["MFADevices"]:
                       evaluations.append(Evaluation(ComplianceType.COMPLIANT, username, "AWS::IAM::User"))
                   # Scenario 2: IAM user does not have MFA enabled.
                   if not mfa_response["MFADevices"]:
                       annotation = "MFA needs to be enabled for user."
                       evaluations.append(
                           Evaluation(ComplianceType.NON_COMPLIANT, username, "AWS::IAM::User", annotation=annotation)
                       )
           return evaluations

       def evaluate_parameters(self, rule_parameters):
           valid_rule_parameters = rule_parameters
           return valid_rule_parameters


   ################################
   # DO NOT MODIFY ANYTHING BELOW #
   ################################
   def lambda_handler(event, context):
       my_rule = MFA_ENABLED_RULE()
       evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
       return evaluator.handle(event, context)
3. The next step is installing the RDKlib layer in Amazon with either the Amazon Console or the Amazon CLI. RDKlib is designed to work as an Amazon Lambda Layer. It allows you to use the library without needing to include it in your deployment package.

   To install the RDKlib layer with the Amazon Console, do the following steps:

   - Open the Amazon Serverless Application Repository console at https://console.amazonaws.cn/serverlessrepo.
   - On the left navigation menu, choose Available applications.
   - Search for rdklib, and choose rdklib.
   - Review the function details and then deploy it. You shouldn't have to make any changes.
   - In the Resources section on the Overview page, copy the Amazon Resource Name (ARN) of the Lambda layer. You will need the ARN of the Lambda layer when you deploy your rule.

   To install the RDKlib layer with the Amazon CLI, run the following commands:

   - Create the change set for the RDKlib-Layer.

     aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib --stack-name RDKlib-Layer

     It returns the following output:

     {
         "ApplicationId": "arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib",
         "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/a3d536322-585e-4ffd-9e2f-552c8b887d6f/ffe7ff5c-ab38-4ab9-b746-9c1617ca95c1",
         "SemanticVersion": "0.1.0",
         "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/serverlessrepo-RDKlib-Layer/365436a0-a58a-11ea-9b04-12ae8fb95b53"
     }

   - Execute the change set. You can copy/paste the full change set ARN (ChangeSetId from the output generated in the previous step) to customize the following command:

     aws cloudformation execute-change-set --change-set-name NAME_OF_THE_CHANGE_SET

   - Return all the associated resources that are part of the deployed stack.

     aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-Layer

     It returns the following output:

     {
         "StackResources": [
             {
                 "StackName": "serverlessrepo-RDKlib-Layer",
                 "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/serverlessrepo-RDKlib-Layer/365436a0-a58a-11ea-9b04-12ae8fb95b53",
                 "LogicalResourceId": "RdklibLayercf22317faf",
                 "PhysicalResourceId": "arn:aws:lambda:us-east-1:123456789012:layer:rdklib-layer:1",
                 "ResourceType": "AWS::Lambda::LayerVersion",
                 "Timestamp": "2020-06-03T11:26:30.501Z",
                 "ResourceStatus": "CREATE_COMPLETE",
                 "DriftInformation": {
                     "StackResourceDriftStatus": "NOT_CHECKED"
                 }
             }
         ]
     }

   - Copy the ARN of the Lambda layer from the output generated in the previous step. The ARN of the Lambda layer is the PhysicalResourceId:

     "PhysicalResourceId": "arn:aws:lambda:us-east-1:123456789012:layer:rdklib-layer:1"

4. The next step is providing a role for the Lambda function to assume. By default, Lambda functions attempt to assume the AWSServiceRoleForConfig role, which is not allowed. You need to create a role with the AWS_ConfigRole managed policy. The role must have a trust relationship with Amazon Config and must allow all roles under the /rdk/ path to assume it. The following is an example trust policy:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "config.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::account-ID:root"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringLike": {
                       "aws:PrincipalArn": "arn:aws:iam::account-ID:role/rdk/*"
                   }
               }
           }
       ]
   }

   Using this trust policy, run the following command:

   aws iam create-role --role-name your-role-name --assume-role-policy-document file://trust-policy.json

   Now, run the following command to update the input parameter for ExecutionRoleName and provide the role name:

   rdk modify YOUR_RULE_NAME --input-parameters '{"ExecutionRoleName":"your-role-name"}'

   You can also use rdk modify to update the periodic rule details using the following flags:

   rdk modify RULE_NAME
       --input-parameters REQUIRED_PARAMETERS     // Parameters that are required for a rule to do its evaluation
       --optional-parameters OPTIONAL_PARAMETERS  // Parameters that are optional for a rule to do its evaluation
       --resource-types AWS::Resource::Type       // Resource type(s) that the rule targets
       --maximum-frequency EXECUTION_FREQUENCY    // How often the rule should be run on a periodic trigger. One of ['One_Hour','Three_Hours','Six_Hours','Twelve_Hours','TwentyFour_Hours']

5. The final step is deploying your rule. To deploy your rule, run the following command with the ARN of the Lambda layer from step 3:

   rdk deploy YOUR_RULE_NAME --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN

   The rule is now deployed. You can use the Amazon Config Console to check if the rule is working as expected.
Rule logic
The following Python code sample is a template for writing a rule using the RDK and RDKlib. You should only make changes inside the evaluate_parameters, evaluate_change, and evaluate_periodic methods, or write completely new functions to help with the logic if needed. For prerequisites to writing rules with the RDK and RDKlib, see Prerequisites.
from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType

APPLICABLE_RESOURCES = ["AWS::Resource::Type"]


# When you create a rule, the class name will be the name you give the rule when you create it instead of ConfigRule
class ConfigRule(ConfigRule):

    def evaluate_parameters(self, rule_parameters):
        return rule_parameters

    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        ###############################
        # Add your custom logic here. #
        ###############################
        return [Evaluation(ComplianceType.NOT_APPLICABLE)]  # placeholder until your logic returns evaluations

    def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
        ###############################
        # Add your custom logic here. #
        ###############################
        return []  # placeholder until your logic returns evaluations


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    my_rule = ConfigRule()
    evaluator = Evaluator(my_rule, APPLICABLE_RESOURCES)
    return evaluator.handle(event, context)
- APPLICABLE_RESOURCES
  APPLICABLE_RESOURCES are the resource type(s) that the rule targets. If used, this should be a global variable set to the resource type(s) that the rule targets. For a list of supported resource types, see Supported Resource Types.

- evaluate_parameters
  Description
  This method is used to check if the input parameters for the rule are valid. The following are best practices:
  - Check if the correct number of parameters is listed.
  - Check if the parameter name is correct.
  - Check if the parameter value is of the correct type.
  - If the parameter is an integer, check if the parameter is within reasonable bounds.
  - If the parameter has a limited number of possible options, check if the parameter is one of those options.
  - If the parameter is a String, check if it is a reasonable length and trim any space before or after the value.
  - Check if any case-sensitivity is handled appropriately.
  - Limit parameter input when possible. For example, if you're receiving a comma-separated list of ARNs, make sure that the only characters allowed are commas and the characters supported by ARNs.

  Parameters
  rule_parameters is a dictionary of input parameter(s) for the rule.

  Return syntax
  If one of the parameters is not valid, you can raise an InvalidParametersError error:

  from rdklib import InvalidParametersError
  raise InvalidParametersError("Error message to display")

  If the parameters are all valid, the method should return a dictionary:

  return valid_rule_parameters
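  As an added example (not the page's or the RDK project's code), the following evaluate_parameters applies the checklist above to two hypothetical parameters: maxAccessKeyAge, a required integer bounded at an assumed 1 to 365 days, and allowedRoleArns, an optional comma-separated list of IAM role ARNs restricted to ARN characters. It is written as a module-level function so it can be called directly; the same body goes inside the rule class's evaluate_parameters method. A stand-in InvalidParametersError is defined only when rdklib is not importable.

```python
# Added example, not page or RDK project code: an evaluate_parameters body that applies the
# page's checklist to two hypothetical parameters. Bounds and parameter names are assumptions.
import re
from typing import Any, Dict

try:
    from rdklib import InvalidParametersError
except ImportError:  # rdklib ships in the Lambda layer; stand-in so the check runs locally
    class InvalidParametersError(Exception):
        pass

REQUIRED_PARAMETERS = {"maxAccessKeyAge"}
OPTIONAL_PARAMETERS = {"allowedRoleArns"}
MAX_KEY_AGE_DAYS = 365      # assumed upper bound for a sensible rotation window
MAX_LIST_LENGTH = 2048      # assumed cap on the raw CSV string
# One IAM role ARN: partition, 12-digit account, role path/name built only from ARN-legal
# characters (comma excluded because it is the list separator).
ROLE_ARN = re.compile(r"^arn:[a-z\-]+:iam::\d{12}:role/[A-Za-z0-9/_+=.@\-]+$")


def evaluate_parameters(rule_parameters: Dict[str, Any]) -> Dict[str, Any]:
    """Validate and normalise the rule's input parameters; raise InvalidParametersError otherwise."""
    if not isinstance(rule_parameters, dict):
        raise InvalidParametersError("rule_parameters must be a dictionary")
    names = set(rule_parameters)
    unknown = names - REQUIRED_PARAMETERS - OPTIONAL_PARAMETERS
    if unknown:                                    # parameter names must be ones the rule knows
        raise InvalidParametersError(f"Unknown parameter(s): {sorted(unknown)}")
    missing = REQUIRED_PARAMETERS - names
    if missing:                                    # correct number: every required one present
        raise InvalidParametersError(f"Missing required parameter(s): {sorted(missing)}")

    valid: Dict[str, Any] = {}

    raw_age = str(rule_parameters["maxAccessKeyAge"]).strip()
    if not raw_age.isdigit():                      # type check: Config delivers values as strings
        raise InvalidParametersError("maxAccessKeyAge must be a whole number of days")
    age = int(raw_age)
    if not 1 <= age <= MAX_KEY_AGE_DAYS:           # integer within reasonable bounds
        raise InvalidParametersError(f"maxAccessKeyAge must be between 1 and {MAX_KEY_AGE_DAYS}")
    valid["maxAccessKeyAge"] = age

    if "allowedRoleArns" in rule_parameters:
        raw_list = str(rule_parameters["allowedRoleArns"]).strip()
        if len(raw_list) > MAX_LIST_LENGTH:        # reasonable length for a string parameter
            raise InvalidParametersError("allowedRoleArns is too long")
        arns = [item.strip() for item in raw_list.split(",") if item.strip()]
        for arn in arns:                           # restrict each item to ARN characters and shape
            if not ROLE_ARN.match(arn):
                raise InvalidParametersError(f"allowedRoleArns entry is not an IAM role ARN: {arn}")
        valid["allowedRoleArns"] = arns
    return valid


def parameters_are_valid(rule_parameters: Any) -> bool:
    """True if evaluate_parameters accepts the input, False if it raises InvalidParametersError."""
    try:
        evaluate_parameters(rule_parameters)
    except InvalidParametersError:
        return False
    return True
```

  The function returns the normalised dictionary (integer converted, list split and trimmed) rather than the raw input, so evaluate_change and evaluate_periodic receive values they can use without re-parsing. Rejecting unknown parameter names and any character outside the ARN alphabet keeps a mistyped or deliberately odd parameter value from reaching the boto3 calls made later in the rule.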
- evaluate_change
  Description
  This method is used for the logic to evaluate a change-triggered rule.

  Parameters
  event is the Amazon Lambda event provided by Amazon Config. It is a JSON-formatted document that contains data for a Lambda function to operate on. For examples, see Example Events for Amazon Config Rules.

  client_factory is the ClientFactory object to be used for the rule. The ClientFactory class creates or reuses a boto3 client, which provides a low-level interface to an Amazon service. The boto3 client methods map to an Amazon service API, which means that service operations map to client methods of the same name and provide access to the same operation parameters. For a list of available services, see Available services in the Boto3 Docs documentation. The request syntax of client_factory is as follows:

  response = client_factory.build_client(
      service='string'
  )

  For example:

  iam_client = client_factory.build_client("iam")

  Note
  The boto3 name of the Amazon service is required.

  configuration_item is a dictionary of the full configuration item, even if oversized. A configuration item represents a point-in-time view of the various attributes of a supported Amazon resource. For information on the contents of ConfigurationItem, see ConfigurationItem in the Amazon Config API Reference.

  valid_rule_parameters is the output of the evaluate_parameters() method.

  Return syntax
  The method should return a list of one or more evaluations, such as:

  [Evaluation(ComplianceType.COMPLIANT)]
  [Evaluation(ComplianceType.NON_COMPLIANT)]
  [Evaluation(ComplianceType.NOT_APPLICABLE)]

  Note
  Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE in order to avoid unnecessary rule evaluations.

  You should use annotations for all noncompliant evaluations. For example:

  return [Evaluation(ComplianceType.NON_COMPLIANT, annotation="Explanation for why the rule is NON_COMPLIANT")]
- evaluate_periodic
  Description
  This method is used to evaluate a periodic rule.

  Parameters
  event is the Amazon Lambda event provided by Amazon Config. It is a JSON-formatted document that contains data for a Lambda function to operate on. For examples, see Example Events for Amazon Config Rules.

  client_factory is the ClientFactory object to be used for the rule. The ClientFactory class creates or reuses a boto3 client, which provides a low-level interface to an Amazon service. The boto3 client methods map to an Amazon service API, which means that service operations map to client methods of the same name and provide access to the same operation parameters. For a list of available services, see Available services in the Boto3 Docs documentation. The request syntax of client_factory is as follows:

  response = client_factory.build_client(
      service='string'
  )

  For example:

  iam_client = client_factory.build_client("iam")

  Note
  The boto3 name of the Amazon service is required.

  valid_rule_parameters is the output of the evaluate_parameters() method.

  Return syntax
  The method should return a list of one or more evaluations, such as:

  [Evaluation(ComplianceType.COMPLIANT)]
  [Evaluation(ComplianceType.NON_COMPLIANT)]
  [Evaluation(ComplianceType.NOT_APPLICABLE)]

  Note
  Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE in order to avoid unnecessary rule evaluations.

  You should use annotations for all noncompliant evaluations. For example:

  return [Evaluation(ComplianceType.NON_COMPLIANT, annotation="Explanation for why the rule is NON_COMPLIANT")]
- lambda_handler
  Description
  You should not need to modify this method. The Lambda handler is used to process events. The function runs when Amazon Lambda passes the event object to the handler method. For more information, see Lambda function handler in Python.

  Parameters
  event is the Amazon Lambda event provided by Amazon Config. It is a JSON-formatted document that contains data for a Lambda function to operate on. For examples, see Example Events for Amazon Config Rules.

  context is an object passed to your function by Lambda at runtime. This object provides properties and methods that supply information the function can use while it runs. Note that in newer versions of Lambda, context is no longer used.