Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Managing Deleted Resources for Amazon Config Custom Lambda Rules
Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE
in order to avoid unnecessary rule evaluations.
When you delete a resource, Amazon Config creates a configurationItem
with ResourceDeleted
for the configurationItemStatus
.
You can use this metadata to check if a rule reports on a deleted resource.
For more information on configuration
items, see Concepts | Configuration
Items.
Include the following code snippets to check for deleted resources and set the evaluation result of an Amazon Config custom lambda rule to NOT_APPLICABLE
if it reports on a deleted resource:
- Custom Lambda Rules (Node.js)
-
// Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
function isApplicable(configurationItem, event) {
checkDefined(configurationItem, 'configurationItem');
checkDefined(event, 'event');
const status = configurationItem.configurationItemStatus;
const eventLeftScope = event.eventLeftScope;
return (status === 'OK' || status === 'ResourceDiscovered') && eventLeftScope === false;
}
- Custom Lambda Rules (Python)
-
# Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
def is_applicable(configurationItem, event):
try:
check_defined(configurationItem, 'configurationItem')
check_defined(event, 'event')
except:
return True
status = configurationItem['configurationItemStatus']
eventLeftScope = event['eventLeftScope']
if status == 'ResourceDeleted':
print("Resource Deleted, setting Compliance Status to NOT_APPLICABLE.")
return (status == 'OK' or status == 'ResourceDiscovered') and not eventLeftScope
Amazon Config managed rules and Amazon Config custom policy rules handle this behavior by default.
If you create an Amazon Config custom lambd rule
with Python using the Amazon Config Development Kit (RDK) and Amazon Config Development Kit Library (RDKlib),
the imported Evaluator class will check this behavior. For information on how to write rules with the RDK and RDKlib,
see Writing rules with the RDK and RDKlib.