

# Components of an Amazon Config Rule
<a name="evaluate-config_components"></a>

Amazon Config rules evaluate the configuration settings of your Amazon resources. This page discusses the components of a rule.

**Topics**
+ [How Amazon Config Rules Work](#evaluate-config-how-rules-work)
+ [Trigger Types](#evaluate-config_use-managed-rules-trigger)
+ [Evaluation Modes](#evaluate-config_use-managed-rules-proactive-detective)
+ [Rule Metadata](#evaluate-config_components_metadata)

## How Amazon Config Rules Work
<a name="evaluate-config-how-rules-work"></a>

While Amazon Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes comply with the conditions in your rules. If a resource does not comply with a rule, Amazon Config flags the resource and the rule as *noncompliant*.

There are four possible evaluation results for an Amazon Config rule.


| **Evaluation result** | **Description** | 
| --- | --- | 
| COMPLIANT | The rule passes the conditions of the compliance check. | 
| NON_COMPLIANT | The rule fails the conditions of the compliance check. | 
| ERROR | One of the required or optional parameters is not valid, is not of the correct type, or is formatted incorrectly. | 
| NOT_APPLICABLE | Used to filter out resources to which the logic of the rule cannot be applied. For example, the [alb-desync-mode-check](https://docs.amazonaws.cn/config/latest/developerguide/alb-desync-mode-check.html) rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers. | 

For example, when an EC2 volume is created, Amazon Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, Amazon Config flags the volume and the rule as noncompliant. Amazon Config can also check all of your resources for account-wide requirements. For example, Amazon Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses Amazon CloudTrail for logging.

## Trigger Types
<a name="evaluate-config_use-managed-rules-trigger"></a>

After you add a rule to your account, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.


| **Trigger type** | **Description** | 
| --- | --- | 
| Configuration changes | Amazon Config runs evaluations for the rule when a resource that matches the rule's scope has a change in its configuration. The evaluation runs after Amazon Config sends a configuration item change notification. You choose which resources initiate the evaluation by defining the rule's *scope*; the options the scope can include are listed on the [AWS documentation website](http://docs.amazonaws.cn/en_us/config/latest/developerguide/evaluate-config_components.html). | 
| Periodic | Amazon Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. | 
| Hybrid | Some rules have both configuration change and periodic triggers. For these rules, Amazon Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.  | 
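The following is an added example, not code from the Amazon Config documentation, that ties the two tables above together: it shows how a custom rule handler would map the configuration-change and periodic trigger types to the evaluation results COMPLIANT, NON_COMPLIANT and NOT_APPLICABLE, using the encrypted-volume and volume-count checks described above. The event shape (`invokingEvent`, `ruleParameters`, `resultToken`, `messageType`) and the evaluation dict fields are those of the Amazon Config custom-rule API; the parameter names `requireEncryption` and `maxVolumes`, the sample events, account ID and volume inventory are constructed for the example. An invalid parameter raises an exception, which is how the ERROR result from the first table arises for a custom rule (the invocation fails instead of reporting a compliance value).

```python
import json

# Constructed sample inputs in the shape a custom Amazon Config rule receives:
# `invokingEvent` is a JSON string whose messageType says which trigger fired.
CHANGE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",          # constructed id
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
    }),
    "ruleParameters": json.dumps({"requireEncryption": "true"}),
    "resultToken": "constructed-token",
}

PERIODIC_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ScheduledNotification",
        "awsAccountId": "111122223333",                       # constructed id
        "notificationCreationTime": "2024-01-01T00:00:00.000Z",
    }),
    "ruleParameters": json.dumps({"maxVolumes": "2"}),
    "resultToken": "constructed-token",
}

# Constructed inventory standing in for what a periodic rule would list via the API.
SAMPLE_VOLUMES = ["vol-0aaa", "vol-0bbb", "vol-0ccc"]


def parse_parameters(rule_parameters):
    """Validate the parameters the rule was configured with (hypothetical names).
    Raising here fails the invocation, which surfaces as an ERROR evaluation result."""
    require = str(rule_parameters.get("requireEncryption", "true")).lower()
    if require not in ("true", "false"):
        raise ValueError(f"requireEncryption must be true or false, got {require!r}")
    max_volumes = rule_parameters.get("maxVolumes")
    if max_volumes is not None and not str(max_volumes).isdigit():
        raise ValueError(f"maxVolumes must be a non-negative integer, got {max_volumes!r}")
    return {"requireEncryption": require == "true",
            "maxVolumes": int(max_volumes) if max_volumes is not None else None}


def evaluate_volume(item, require_encryption):
    """Configuration-change trigger: one volume -> COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"          # outside the rule's scope
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"          # nothing left to assess
    if not require_encryption:
        return "COMPLIANT"
    return "COMPLIANT" if item["configuration"].get("encrypted") is True else "NON_COMPLIANT"


def evaluate_account(volume_ids, max_volumes):
    """Periodic trigger: account-wide check that the volume count stays within a total."""
    if max_volumes is None:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if len(volume_ids) <= max_volumes else "NON_COMPLIANT"


def evaluate(event, inventory=SAMPLE_VOLUMES):
    """Return the evaluation dicts the handler would pass to PutEvaluations
    together with event["resultToken"] (the API call itself is omitted here)."""
    invoking = json.loads(event["invokingEvent"])
    params = parse_parameters(json.loads(event.get("ruleParameters") or "{}"))
    if invoking["messageType"] == "ConfigurationItemChangeNotification":
        item = invoking["configurationItem"]
        return [{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": evaluate_volume(item, params["requireEncryption"]),
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }]
    if invoking["messageType"] == "ScheduledNotification":
        return [{
            "ComplianceResourceType": "AWS::::Account",   # account-level evaluation
            "ComplianceResourceId": invoking["awsAccountId"],
            "ComplianceType": evaluate_account(inventory, params["maxVolumes"]),
            "OrderingTimestamp": invoking["notificationCreationTime"],
        }]
    raise ValueError(f"unsupported messageType {invoking['messageType']!r}")


if __name__ == "__main__":
    print(evaluate(CHANGE_EVENT))    # unencrypted volume -> NON_COMPLIANT
    print(evaluate(PERIODIC_EVENT))  # three volumes, limit two -> NON_COMPLIANT
```

A hybrid rule is simply a handler that accepts both `messageType` values, as this one does; a change-only or periodic-only rule would reject the other type.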

## Evaluation Modes
<a name="evaluate-config_use-managed-rules-proactive-detective"></a>

There are two evaluation modes for Amazon Config rules.


| **Evaluation mode** | **Description** | 
| --- | --- | 
| Proactive | Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.  | 
| Detective | Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. | 

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

For more information, see [Turning on Proactive Evaluation for Amazon Config Rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_turn-on-proactive-rules.html).

### List of managed rules with proactive evaluation
<a name="list-proactive-rules"></a>

For a list of managed rules that support proactive evaluation, see [List of Amazon Config Managed Rules by Evaluation Mode](https://docs.amazonaws.cn/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

### List of supported resource types for proactive evaluation
<a name="list-proactive-resource-types"></a>

The following is a list of resource types that are supported for proactive evaluation:
+ `AWS::EC2::EIP`
+ `AWS::EC2::Subnet`

## Amazon Config Rule Metadata
<a name="evaluate-config_components_metadata"></a>

Amazon Config rules can contain the following mutable metadata:

**defaultName**  
The defaultName is the name that instances of a rule will get by default.

**description**  
The rule description provides context for what the rule evaluates. The Amazon Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON_COMPLIANT scenario. Service names should be written in full, beginning with Amazon, when first mentioned in the rule description. For example, write Amazon CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch on first use. Service names can be abbreviated on subsequent references. 

**scope**  
The scope determines which resource types the rule targets. For a list of supported resource types, see [Supported Resource Types](https://docs.amazonaws.cn/config/latest/developerguide/resource-config-reference.html#supported-resources.html).

**compulsoryInputParameterDetails**  
The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the `access-keys-rotated` managed rule includes `maxAccessKeyAge` as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**optionalInputParameterDetails**  
The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the `elasticsearch-logs-to-cloudwatch` managed rule includes `logTypes` as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**supportedEvaluationModes**  
The supportedEvaluationModes determines when resources will be evaluated, either before a resource has been deployed or after a resource has been deployed.  
`DETECTIVE` is used to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. `PROACTIVE` is used to evaluate resources before they have been deployed.  
This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.  
You can set the supportedEvaluationModes to `DETECTIVE`, `PROACTIVE`, or both `DETECTIVE` and `PROACTIVE`. You must specify at least one evaluation mode; this field cannot remain empty.  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
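The following is an added example, not code from the Amazon Config documentation, that checks a rule's metadata against the constraints this section states: a non-empty defaultName and scope, a description of at most 256 characters that begins with "Checks if" and names the NON_COMPLIANT scenario, parameter types drawn from the listed set, required parameters not marked optional, and a non-empty supportedEvaluationModes containing only `DETECTIVE` and/or `PROACTIVE`. The metadata is modelled as a plain dict using the field names from this page; the per-parameter keys `type` and `optional`, the sample rule and its parameter names are assumptions made for the example.

```python
ALLOWED_TYPES = {"String", "int", "double", "CSV", "boolean", "StringMap"}
ALLOWED_MODES = {"DETECTIVE", "PROACTIVE"}
DESCRIPTION_LIMIT = 256  # console limit stated on the page

# Constructed metadata for a hypothetical rule. Top-level keys are the page's
# field names; the "type"/"optional" keys per parameter are an assumed layout.
SAMPLE_RULE = {
    "defaultName": "ebs-volume-encrypted-check",
    "description": ("Checks if Amazon EBS volumes are encrypted. "
                    "The rule is NON_COMPLIANT if a volume is not encrypted."),
    "scope": ["AWS::EC2::Volume"],
    "compulsoryInputParameterDetails": {"requireEncryption": {"type": "boolean"}},
    "optionalInputParameterDetails": {"maxVolumes": {"type": "int", "optional": True}},
    "supportedEvaluationModes": ["DETECTIVE"],
}


def validate_rule_metadata(rule):
    """Return a list of problems (empty when the metadata satisfies every rule on the page)."""
    problems = []

    if not rule.get("defaultName"):
        problems.append("defaultName is missing")

    desc = rule.get("description", "") or ""
    if len(desc) > DESCRIPTION_LIMIT:
        problems.append(f"description is {len(desc)} characters; the console limit is {DESCRIPTION_LIMIT}")
    if not desc.startswith("Checks if"):
        problems.append('description should begin with "Checks if"')
    if "NON_COMPLIANT" not in desc:
        problems.append("description should describe the NON_COMPLIANT scenario")

    if not rule.get("scope"):
        problems.append("scope lists no resource types")

    # Required parameters must not be marked optional; every parameter needs a known type.
    for field, required in (("compulsoryInputParameterDetails", True),
                            ("optionalInputParameterDetails", False)):
        for name, spec in (rule.get(field) or {}).items():
            if spec.get("type") not in ALLOWED_TYPES:
                problems.append(f"parameter {name}: type {spec.get('type')!r} is not one of "
                                f"{sorted(ALLOWED_TYPES)}")
            if required and spec.get("optional"):
                problems.append(f"parameter {name}: required parameters cannot be marked optional")

    modes = rule.get("supportedEvaluationModes") or []
    if not modes:
        problems.append("supportedEvaluationModes must not be empty")
    unknown = sorted(set(modes) - ALLOWED_MODES)
    if unknown:
        problems.append(f"supportedEvaluationModes contains unknown modes {unknown}")

    return problems


if __name__ == "__main__":
    for problem in validate_rule_metadata(SAMPLE_RULE) or ["metadata OK"]:
        print(problem)
```

Running the validator over rule definitions before they are registered catches the mistakes the page warns about (an empty evaluation-mode list, a misspelled parameter type) at authoring time rather than as an ERROR result at evaluation time.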