Creating Amazon Config Custom Policy Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Creating Amazon Config Custom Policy Rules

You can create Amazon Config Custom Policy rules from the Amazon Web Services Management Console, Amazon CLI, or Amazon Config API. For more information on how to write rules with Guard, see Writing Guard rules in the Amazon CloudFormation Guard User Guide. For more information on the schemas of supported resource types that Amazon Config can evaluate, see resource-types in the Amazon Config Resource Schema GitHub Repository.

Creating Amazon Config Custom Policy Rules (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the Region selector is set to an Amazon Region that supports Amazon Config rules. For the list of supported Regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the left navigation, choose Rules.

  4. On the Rules page, choose Add rule.

  5. On the Specify rule type page, choose Create custom rule using Guard.

  6. On the Configure rule page, create your rule by completing the following steps:

    1. For Rule name, type a unique name for the rule.

    2. For Description, type a description for the rule.

    3. For Guard runtime version, choose the runtime system for your Amazon Config Custom Policy rule.

    4. For Rule Content, you can populate it with the Guard Custom policy for your rule. For more information about the structure and features for Guard Custom policies, see the Amazon CloudFormation Guard 2.0's Modes of Operation in the Guard GitHub Repository.

      The following example shows the policy definition for an Amazon Config Custom Policy rule version of the Amazon Config Managed rule dynamodb-pitr-enabled:

      # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
      let status = ['ACTIVE']

      rule tableisactive when
          resourceType == "AWS::DynamoDB::Table" {
          configuration.tableStatus == %status
      }

      rule checkcompliance when
          resourceType == "AWS::DynamoDB::Table"
          tableisactive {
              let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
              %pitr == "ENABLED"
      }

    5. For Trigger, Amazon Config Custom Policy rules are initiated by Configuration changes. This option will be pre-selected.

      Specify one of the following options for Scope of changes:

      • Resources – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.

      • Tags – When a resource with the specified tag is created, changed, or deleted.

      • All changes – When a resource recorded by Amazon Config is created, changed, or deleted.

    6. If your rule includes parameters, in the Rule parameters section you can customize the values for the provided keys. A parameter is an attribute that your resources must have before they are considered COMPLIANT with the rule.

  7. After you finish editing your rule, choose Next. On the Review and create page, you can review all your editing choices before adding the rule to your Amazon account.

  8. When you finish reviewing your rules, choose Add rule.

Creating Amazon Config Custom Policy Rules (Amazon CLI)

Use the put-config-rule command.

The Owner field should be CUSTOM_POLICY. The following additional fields are required for Amazon Config Custom Policy rules:

  • Runtime: The runtime system for your Amazon Config Custom Policy rules.

  • PolicyText: The policy definition containing the logic for your Amazon Config Custom Policy rules.

  • EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your Amazon Config Custom Policy rule. The default value is false.

Creating Amazon Config Custom Policy Rules (API)

Use the PutConfigRule action.

The Owner field should be CUSTOM_POLICY. The following additional fields are required for Amazon Config Custom Policy rules:

  • Runtime: The runtime system for your Amazon Config Custom Policy rules.

  • PolicyText: The policy that defines the logic for your Amazon Config Custom Policy rules.

  • EnableDebugLogDelivery: The Boolean expression for enabling debug logging for your Amazon Config Custom Policy rule. The default value is false.
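The following added example (not part of this page or of the Amazon Config service code) ties the three sections together for the dynamodb-pitr-enabled policy shown above: it builds the request document that put-config-rule and PutConfigRule accept (Owner CUSTOM_POLICY, with the runtime, policy text and debug-log flag carried in CustomPolicyDetails as PolicyRuntime, PolicyText and EnableDebugLogDelivery), and it restates the two Guard rules in Python as a local sanity check over constructed configuration items. The rule name, the sample items and the simplified evaluator are assumptions for illustration; Guard itself is what Config runs.

```python
# Guard policy text from the page (Custom Policy version of dynamodb-pitr-enabled).
POLICY_TEXT = """\
let status = ['ACTIVE']
rule tableisactive when resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}
rule checkcompliance when resourceType == "AWS::DynamoDB::Table" tableisactive {
    let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
    %pitr == "ENABLED"
}
"""

def build_put_config_rule_request(rule_name, policy_text, debug_logs=False):
    """Document for: aws configservice put-config-rule --config-rule file://rule.json
    Owner must be CUSTOM_POLICY; CustomPolicyDetails carries the three required fields."""
    return {
        "ConfigRuleName": rule_name,
        "Scope": {"ComplianceResourceTypes": ["AWS::DynamoDB::Table"]},
        "Source": {
            "Owner": "CUSTOM_POLICY",
            # Custom Policy rules are triggered by configuration changes only.
            "SourceDetails": [{"EventSource": "aws.config",
                               "MessageType": "ConfigurationItemChangeNotification"}],
            "CustomPolicyDetails": {"PolicyRuntime": "guard-2.x.x",
                                    "PolicyText": policy_text,
                                    "EnableDebugLogDelivery": debug_logs}}}

def sample_item(table_status, pitr_status=None):
    """Constructed configuration item shaped like Config's DynamoDB table item (not real data)."""
    item = {"resourceType": "AWS::DynamoDB::Table", "configuration": {"tableStatus": table_status}}
    if pitr_status is not None:
        item["supplementaryConfiguration"] = {"ContinuousBackupsDescription": {
            "pointInTimeRecoveryDescription": {"pointInTimeRecoveryStatus": pitr_status}}}
    return item

def evaluate_pitr_rule(item):
    """Simplified Python re-statement of the two Guard rules above for a local sanity check
    (Guard itself runs inside Config). Returns Guard-style PASS / FAIL / SKIP."""
    if item.get("resourceType") != "AWS::DynamoDB::Table":
        return "SKIP"
    if item.get("configuration", {}).get("tableStatus") not in ["ACTIVE"]:
        return "SKIP"  # tableisactive guard clause not met, so checkcompliance is skipped
    node = item
    for key in ("supplementaryConfiguration", "ContinuousBackupsDescription",
                "pointInTimeRecoveryDescription", "pointInTimeRecoveryStatus"):
        node = node.get(key, {}) if isinstance(node, dict) else {}  # missing value => not enabled
    return "PASS" if node == "ENABLED" else "FAIL"
```

Write the dictionary returned by build_put_config_rule_request to rule.json with json.dump and pass it as --config-rule file://rule.json; evaluate_pitr_rule is only a pre-deployment check of the policy's logic against the configuration item paths it reads.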