Managing Deleted Resources for Amazon Config Custom Lambda Rules
Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE in order to avoid unnecessary rule evaluations.
When you delete a resource, Amazon Config creates a configurationItem with ResourceDeleted for the configurationItemStatus. You can use this metadata to check if a rule reports on a deleted resource. For more information on configuration items, see Concepts | Configuration Items.
Include the following code snippets to check for deleted resources and set the evaluation result of an Amazon Config custom Lambda rule to NOT_APPLICABLE if it reports on a deleted resource:
- Custom Lambda Rules (Node.js)

      // Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
      function isApplicable(configurationItem, event) {
          checkDefined(configurationItem, 'configurationItem');
          checkDefined(event, 'event');
          const status = configurationItem.configurationItemStatus;
          const eventLeftScope = event.eventLeftScope;
          return (status === 'OK' || status === 'ResourceDiscovered') && eventLeftScope === false;
      }
- Custom Lambda Rules (Python)

      # Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
      # check_defined is a helper defined elsewhere in the rule's code.
      def is_applicable(configurationItem, event):
          try:
              check_defined(configurationItem, 'configurationItem')
              check_defined(event, 'event')
          except Exception:
              return True
          status = configurationItem['configurationItemStatus']
          eventLeftScope = event['eventLeftScope']
          if status == 'ResourceDeleted':
              print("Resource Deleted, setting Compliance Status to NOT_APPLICABLE.")
          return (status == 'OK' or status == 'ResourceDiscovered') and not eventLeftScope
Amazon Config managed rules and Amazon Config custom policy rules handle this behavior by default.
If you create an Amazon Config custom Lambda rule with Python using the Amazon Config Development Kit (RDK) and Amazon Config Development Kit Library (RDKlib), the imported Evaluator class will check this behavior. For information on how to write rules with the RDK and RDKlib, see Writing rules with the RDK and RDKlib.
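The following added example (not part of the original page or the service's own code) shows where the deleted-resource check sits in a complete custom Lambda rule handler, so that the rule logic is skipped and NOT_APPLICABLE is reported for a deleted resource. The `owner` tag rule, the `build_evaluation` and `sample_event` helpers, and all sample values are assumptions constructed for illustration.

```python
import json

APPLICABLE_STATUSES = ("OK", "ResourceDiscovered")

def is_applicable(item, event):
    """Same test as the page's snippet: False for deleted or out-of-scope resources."""
    status = item["configurationItemStatus"]
    return status in APPLICABLE_STATUSES and not event.get("eventLeftScope", False)

def evaluate_compliance(item):
    """Hypothetical rule logic (assumption): the resource must carry an 'owner' tag."""
    return "COMPLIANT" if "owner" in (item.get("tags") or {}) else "NON_COMPLIANT"

def build_evaluation(event):
    """Turn one invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    # Run the rule logic only for live, in-scope resources.
    compliance = evaluate_compliance(item) if is_applicable(item, event) else "NOT_APPLICABLE"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    import boto3  # imported here so build_evaluation can be exercised offline
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(event)],
        ResultToken=event["resultToken"],
    )

def sample_event(status, tags=None, left_scope=False):
    """Constructed invocation event for offline runs (not captured from an account)."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": tags or {},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item}),
        "eventLeftScope": left_scope,
        "resultToken": "constructed-token",
    }
```

With the constructed deleted-resource event, `evaluate_compliance` on its own would return NON_COMPLIANT for a resource that no longer exists; routing through `is_applicable` first yields NOT_APPLICABLE instead.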