Amazon Config Custom Rules - Amazon Config
Custom Policy RulesCustom Lambda RulesCost ConsiderationsTrigger TypesEvaluation ModesManaging deleted resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Config Custom Rules

Amazon Config Custom Rules are rules that you create from scratch. There are two ways to create Amazon Config custom rules: with Lambda functions (Amazon Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language.

Amazon Config custom rules created with Lambda are called Amazon Config Custom Lambda Rules and Amazon Config custom rules created with Guard are called Amazon Config Custom Policy Rules.

Amazon Config Custom Policy Rules

Rules written using Guard can be created from the Amazon Config console or by using the Amazon Config rule APIs. Amazon Config Custom Policy rules allow you to create Amazon Config Custom rules without needing to use Java or Python to develop Lambda functions to manage your custom rules. Amazon Config Custom Policy rules are initiated by configuration changes. For more information about Guard, see the Guard GitHub Repository.

Amazon Config Custom Lambda Rules

Custom Lambda rules provide you with the option to use Java or Python to create a Lambda function for a Amazon Config Custom rule. A Lambda function is custom code that you upload to Amazon Lambda, and it is invoked by events that are published to it by an event source. If the Lambda function is associated with an Amazon Config rule, Amazon Config invokes it when the rule is initiated. The Lambda function then evaluates the configuration information that is sent by Amazon Config, and it returns the evaluation results. For more information about Lambda functions, see Function and Event Sources in the Amazon Lambda Developer Guide.

Cost Considerations

For details about the costs associated with resource recording, see Amazon Config pricing.

Recommendation: Add logic to handle the evaluation of deleted resources for custom lambda rules

When creating Amazon Config custom lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as NOT_APPLICABLE, they will be marked for deletion and cleaned up. If they're NOT marked as NOT_APPLICABLE, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of configuration items (CIs) for AWS::Config::ResourceCompliance upon rule deletion.

For information on how to set Amazon Config custom lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with Amazon Config custom lambda rules.

Recommendation: Provide the resources in scope for custom lambda rules

Amazon Config Custom Lambda Rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, it is highly recommended to provide resources in scope for your Custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.

Recommendation: Stop recording resource compliance before deleting rules

It is highly recommended that you stop recording for the AWS::Config::ResourceCompliance resource type before you delete rules in your account. Deleting rules creates CIs for AWS::Config::ResourceCompliance and can affect your Amazon Config configuration recorder costs. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

Best practice:

  1. Stop recording AWS::Config::ResourceCompliance

  2. Delete rule(s)

  3. Turn on recording for AWS::Config::ResourceCompliance

Trigger Types

After you add a rule to your account, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.

Trigger type Description
Configuration changes Amazon Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after Amazon Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

Amazon Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.
Periodic Amazon Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.
Hybrid Some rules have both configuration change and periodic triggers. For these rules, Amazon Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

Evaluation Modes

There are two evaluation modes for Amazon Config rules.

Evaluation mode Description
Proactive

Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

For more information, see Evaluation modes. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.
Detective Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.
Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

Managing deleted resources with Amazon Config custom lambda rules

Rules reporting on deleted resources should return the evaluation result of NOT_APPLICABLE in order to avoid unnecessary rule evaluations.

When you delete a resource, Amazon Config creates a configurationItem with ResourceDeleted for the configurationItemStatus. You can use this metadata to check if a rule reports on a deleted resource. For more information on configuration items, see Concepts | Configuration Items.

Include the following code snippets to check for deleted resources and set the evaluation result of an Amazon Config custom lambda rule to NOT_APPLICABLE if it reports on a deleted resource:

Custom Lambda Rules (Node.js)
// Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
function isApplicable(configurationItem, event) {
    checkDefined(configurationItem, 'configurationItem');
    checkDefined(event, 'event');
    const status = configurationItem.configurationItemStatus;
    const eventLeftScope = event.eventLeftScope;
    return (status === 'OK' || status === 'ResourceDiscovered') && eventLeftScope === false;
}
Custom Lambda Rules (Python)
# Check whether the resource has been deleted. If the resource was deleted, then the evaluation returns not applicable.
def is_applicable(configurationItem, event):
    try:
        check_defined(configurationItem, 'configurationItem')
        check_defined(event, 'event')
    except:
        return True
    status = configurationItem['configurationItemStatus']
    eventLeftScope = event['eventLeftScope']
    if status == 'ResourceDeleted':
        print("Resource Deleted, setting Compliance Status to NOT_APPLICABLE.")
    return (status == 'OK' or status == 'ResourceDiscovered') and not eventLeftScope
Note

Amazon Config managed rules and Amazon Config custom policy rules handle this behavior by default.

If you create an Amazon Config custom lambd rule with Python using the Amazon Config Development Kit (RDK) and Amazon Config Development Kit Library (RDKlib), the imported Evaluator class will check this behavior. For information on how to write rules with the RDK and RDKlib, see Writing rules with the RDK and RDKlib.

Topics