Creating Amazon Config Custom Policy Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating Amazon Config Custom Policy Rules

You can create Amazon Config Custom Policy rules from the Amazon Web Services Management Console, Amazon CLI, or Amazon Config API. For more information on how to write rules with Guard, see Writing Guard rules in the Amazon CloudFormation Guard User Guide. For more information on the schemas of supported resource types that Amazon Config can evaluate, see resource-types in the Amazon Config Resource Schema GitHub Repository.

Important

The Amazon Config resource schema to evaluate configuration items is different than the CFN schema to evaluate Amazon CloudFormation templates. If you use the CFN schema for Amazon Config Custom Policy rules, your evaluation results will return NOT_APPLICABLE. Use the Amazon Config resource schema when creating Amazon Config Custom Policy rules and write policies based on the configuration item structure. For a list of Amazon Config resource schemas, see resource-types in the Amazon Config Resource Schema GitHub Repository.

Creating Amazon Config Custom Policy Rules (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the Region selector is set to an Amazon Region that supports Amazon Config rules. For the list of supported Regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the left navigation, choose Rules.

  4. On the Rules page, choose Add rule.

  5. On the Specify rule type page, choose Create custom rule using Guard.

  6. On the Configure rule page, create your rule by completing the following steps:

    1. For Rule name, type a unique name for the rule.

    2. For Description, type a description for the rule.

    3. For Guard runtime version, choose the runtime system for your Amazon Config Custom Policy rule.

    4. For Rule Content, you can populate it with the Guard Custom policy for your rule. For more information about the structure and features for Guard Custom policies, see the Amazon CloudFormation Guard 2.0's Modes of Operation in the Guard GitHub Repository.

      Note

      The Amazon Config resource schema to evaluate configuration items is different from the CFN schema to evaluate Amazon CloudFormation templates. If you use the CFN schema for Amazon Config Custom Policy rules, your evaluation results will return NOT_APPLICABLE. Use the Amazon Config resource schema when creating Amazon Config Custom Policy rules and write policies based on the configuration item structure. For a list of Amazon Config resource schemas, see resource-types in the Amazon Config Resource Schema GitHub Repository.

      The following example shows the policy definition for an Amazon Config Custom Policy rule version of the Amazon Config Managed rule dynamodb-pitr-enabled.

        # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
        let status = ['ACTIVE']

        rule tableisactive when
            resourceType == "AWS::DynamoDB::Table" {
            configuration.tableStatus == %status
        }

        rule checkcompliance when
            resourceType == "AWS::DynamoDB::Table"
            tableisactive {
                let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
                %pitr == "ENABLED"
        }

    5. For Evaluation mode, choose when in the resource creation and management process you want Amazon Config to evaluate your resources. Depending on the rule, Amazon Config can evaluate your resource configurations before a resource has been provisioned, after a resource has been provisioned, or both.

      1. Choose Turn on proactive evaluation to allow you to run evaluations on the configuration settings of your resources before they are deployed.

        Once you have turned on proactive evaluation, you can use the StartResourceEvaluation API and GetResourceEvaluationSummary API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

        For more information on using these commands, see Evaluating Your Resources with Amazon Config Rules. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.

      2. Choose Turn on detective evaluation to evaluate the configuration settings of your existing resources.

        For detective evaluation, Amazon Config Custom Policy rules are initiated by configuration changes. This option is pre-selected.

        • Resources – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.

        • Tags – When a resource with the specified tag is created, changed, or deleted.

        • All changes – When a resource recorded by Amazon Config is created, changed, or deleted.

        Amazon Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to constrain which resources initiate evaluations. Otherwise, evaluations are initiated when there is a change to a post-provisioned resource.

    6. For Parameters, you can customize the values for the provided keys if your rule includes parameters. A parameter is an attribute that your resources must adhere to before they are considered compliant with the rule.

  7. On the Review and create page, review all your selections before adding the rule to your Amazon account.

  8. When you finish reviewing your rules, choose Add rule.

Creating Amazon Config Custom Policy Rules (Amazon CLI)

Use the put-config-rule command.

The Owner field should be CUSTOM_POLICY. The following additional fields are required for Amazon Config Custom Policy rules:

  • Runtime: The runtime system for your Amazon Config Custom Policy rules.

  • PolicyText: The policy definition containing the logic for your Amazon Config Custom Policy rules.

  • EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your Amazon Config Custom Policy rule. The default value is false.
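
As an added example (not from the Amazon Config documentation), the following script wraps the dynamodb-pitr-enabled Guard policy shown above in a put-config-rule document: the multi-line policy has to be escaped into the single JSON string that PolicyText expects. The rule name, description and file path are made up; the Source.CustomPolicyDetails field names (PolicyRuntime, PolicyText, EnableDebugLogDelivery) and the guard-2.x.x runtime value are those of the PutConfigRule API.

```shell
# Added example (not from the Amazon Config docs): rule name, description and file path are made up.
set -e
POLICY_FILE="${POLICY_FILE:-${TMPDIR:-/tmp}/dynamodb-pitr-enabled.guard}"
# Write the page's Guard policy to a file (quoted heredoc, so nothing is expanded).
write_policy() {
  cat > "$1" <<'EOF'
# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']
rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}
rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
        let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
        %pitr == "ENABLED"
}
EOF
}
# PolicyText is one JSON string: escape backslashes and double quotes, then
# join the policy lines with the two-character sequence \n.
json_escape_file() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" |
    awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}
# Build the --config-rule document: Owner is CUSTOM_POLICY; runtime, policy
# and debug flag go under Source.CustomPolicyDetails.
build_config_rule() {
  policy_text="$(json_escape_file "$2")"
  cat <<EOF
{
  "ConfigRuleName": "$1",
  "Description": "Custom Policy rule version of dynamodb-pitr-enabled",
  "Scope": { "ComplianceResourceTypes": ["AWS::DynamoDB::Table"] },
  "Source": {
    "Owner": "CUSTOM_POLICY",
    "SourceDetails": [ { "EventSource": "aws.config",
                         "MessageType": "ConfigurationItemChangeNotification" } ],
    "CustomPolicyDetails": { "PolicyRuntime": "guard-2.x.x",
                             "PolicyText": "$policy_text",
                             "EnableDebugLogDelivery": false }
  }
}
EOF
}
write_policy "$POLICY_FILE"
RULE_JSON="$(build_config_rule dynamodb-pitr-enabled-custom "$POLICY_FILE")"
# The API call only runs with RUN_AWS=1, so the generated document can be reviewed first.
if [ "${RUN_AWS:-0}" = 1 ]; then aws configservice put-config-rule --config-rule "$RULE_JSON"; fi
```

Run with RUN_AWS=1 in a shell that already has Amazon CLI credentials for the target account and Region; without it the script only builds the document for inspection.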

Creating Amazon Config Custom Policy Rules (API)

Use the PutConfigRule action.

The Owner field should be CUSTOM_POLICY. The following additional fields are required for Amazon Config Custom Policy rules:

  • Runtime: The runtime system for your Amazon Config Custom Policy rules.

  • PolicyText: The policy that defines the logic for your Amazon Config Custom Policy rules.

  • EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your Amazon Config Custom Policy rule. The default value is false.