Creating Amazon Config Custom Policy Rules
You can create Amazon Config Custom Policy rules from the Amazon Web Services Management Console, the Amazon CLI, or the Amazon Config API. For more information on how to write rules with Guard, see Writing Guard rules.
Creating Amazon Config Custom Policy Rules (Console)
- Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.
- In the Amazon Web Services Management Console menu, verify that the Region selector is set to an Amazon Region that supports Amazon Config rules. For the list of supported Regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.
- In the left navigation, choose Rules.
- On the Rules page, choose Add rule.
- On the Specify rule type page, choose Create custom rule using Guard.
- On the Configure rule page, create your rule by completing the following steps:
  - For Rule name, type a unique name for the rule.
  - For Description, type a description for the rule.
  - For Guard runtime version, choose the runtime system for your Amazon Config Custom Policy rule.
  - For Rule Content, enter the Guard custom policy for your rule. For more information about the structure and features of Guard custom policies, see Amazon CloudFormation Guard 2.0's Modes of Operation in the Guard GitHub repository. The following example shows the policy definition for an Amazon Config Custom Policy rule version of the Amazon Config managed rule dynamodb-pitr-enabled:

    ```
    # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
    let status = ['ACTIVE']

    rule tableisactive when
        resourceType == "AWS::DynamoDB::Table" {
        configuration.tableStatus == %status
    }

    rule checkcompliance when
        resourceType == "AWS::DynamoDB::Table"
        tableisactive {
            let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
            %pitr == "ENABLED"
    }
    ```

    The first rule only passes for tables in the ACTIVE state; the second rule is evaluated only when the first one passes, so tables that are still being created or deleted are not reported as NON_COMPLIANT for a missing PITR setting.
  - For Evaluation mode, choose when in the resource creation and management process you want Amazon Config to evaluate your resources. Depending on the rule, Amazon Config can evaluate your resource configurations before a resource has been provisioned, after a resource has been provisioned, or both.
    - Choose Turn on proactive evaluation to run evaluations on the configuration settings of your resources before they are deployed. After you have turned on proactive evaluation, you can use the StartResourceEvaluation API and the GetResourceEvaluationSummary API to check whether the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region. For more information on using these commands, see Evaluating Your Resources with Amazon Config Rules. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.
    - Choose Turn on detective evaluation to evaluate the configuration settings of your existing resources. For detective evaluation, Amazon Config Custom Policy rules are initiated by configuration changes; this option is pre-selected. Choose which changes initiate an evaluation:
      - Resources – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.
      - Tags – When a resource with the specified tag is created, changed, or deleted.
      - All changes – When a resource recorded by Amazon Config is created, changed, or deleted.

      Amazon Config runs the evaluation when it detects a change to a resource that matches the rule's scope. Use the scope to constrain which resources initiate evaluations; otherwise, evaluations are initiated on any change to a post-provisioned resource that Amazon Config records.
  - For Parameters, you can customize the values for the provided keys if your rule includes parameters. A parameter is an attribute that your resources must adhere to before they are considered compliant with the rule.
- On the Review and create page, review all your selections before adding the rule to your Amazon Web Services account.
- When you finish reviewing your rule, choose Add rule.
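The Guard policy entered in the Rule Content step can be tested locally before the rule is added to an account. The following shell script is an added example, not code from this page or from Amazon: it writes the PITR rule shown above to a file, builds two constructed configuration items (one with PITR enabled, one disabled, using a placeholder table name) in the shape that Amazon Config hands to a custom policy rule, and runs each through the cfn-guard CLI. It assumes cfn-guard 2.x is on the PATH, accepts `validate --rules` and `--data`, and exits zero only when every rule passes; when the binary is missing it reports UNAVAILABLE instead of guessing a verdict.

```shell
#!/bin/sh
# Added example (not from the page): exercise the PITR Guard rule above
# locally with the cfn-guard CLI before creating the Config rule.
# Assumptions: cfn-guard 2.x is on PATH with "validate --rules/--data",
# and it exits 0 only when every rule passes. The two configuration
# items are constructed for this example, not captured from an account.
set -eu

WORK=$(mktemp -d)

# Write the Guard policy exactly as shown on the page.
write_guard_rule() {
  cat > "$1" <<'EOF'
# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']

rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}

rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
        let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
        %pitr == "ENABLED"
}
EOF
}

# Write a minimal configuration item shaped like what Config hands to a
# custom policy rule: $1 = output file, $2 = PITR status (ENABLED/DISABLED).
# Field values are placeholders constructed for this example.
write_sample_ci() {
  cat > "$1" <<EOF
{
  "resourceType": "AWS::DynamoDB::Table",
  "resourceId": "example-table",
  "configuration": { "tableName": "example-table", "tableStatus": "ACTIVE" },
  "supplementaryConfiguration": {
    "ContinuousBackupsDescription": {
      "continuousBackupsStatus": "ENABLED",
      "pointInTimeRecoveryDescription": { "pointInTimeRecoveryStatus": "$2" }
    }
  }
}
EOF
}

# Prints COMPLIANT, NON_COMPLIANT, or UNAVAILABLE when cfn-guard is missing.
evaluate_ci() {
  rule=$1
  data=$2
  if ! command -v cfn-guard >/dev/null 2>&1; then
    echo UNAVAILABLE
    return 0
  fi
  if cfn-guard validate --rules "$rule" --data "$data" >/dev/null 2>&1; then
    echo COMPLIANT
  else
    echo NON_COMPLIANT
  fi
}

write_guard_rule "$WORK/pitr.guard"
write_sample_ci "$WORK/pitr-enabled.json" ENABLED
write_sample_ci "$WORK/pitr-disabled.json" DISABLED
echo "PITR enabled:  $(evaluate_ci "$WORK/pitr.guard" "$WORK/pitr-enabled.json")"
echo "PITR disabled: $(evaluate_ci "$WORK/pitr.guard" "$WORK/pitr-disabled.json")"
```

Running the rule against a deliberately non-compliant item is the useful half of this check: a policy that never fails (for example because a path name is misspelled and the comparison is skipped) would otherwise look fine in the console and report every table as compliant.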
Creating Amazon Config Custom Policy Rules (Amazon CLI)
Use the put-config-rule command.
The Owner field should be CUSTOM_POLICY. The following additional fields are used for Amazon Config Custom Policy rules:
- Runtime: The runtime system for your Amazon Config Custom Policy rules. Required.
- PolicyText: The policy definition containing the logic for your Amazon Config Custom Policy rules. Required.
- EnableDebugLogDelivery: A Boolean that enables debug logging for your Amazon Config Custom Policy rule. Optional; the default value is false.
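The following shell script is an added example, not code from this page or from Amazon, showing the put-config-rule call end to end: it embeds a Guard policy file as a JSON string (escaping quotes and backslashes and joining lines with `\n`, which is the step most often done wrong by hand), writes the rule document with Owner set to CUSTOM_POLICY, parses the result before sending it, and then creates the rule. It assumes that the CLI JSON keys under Source.CustomPolicyDetails are PolicyRuntime, PolicyText and EnableDebugLogDelivery and that the runtime identifier is guard-2.x.x; the short policy written at the bottom is a placeholder constructed for this example, and the API call only runs when CREATE_RULE=yes is set and the AWS CLI is installed.

```shell
#!/bin/sh
# Added example (not from the page): build the JSON document that
# put-config-rule expects for a CUSTOM_POLICY rule, embed a Guard policy
# file as a JSON string, sanity-check the JSON, then create the rule.
# Assumptions: the key names under Source.CustomPolicyDetails are
# PolicyRuntime, PolicyText and EnableDebugLogDelivery, and the runtime
# identifier is "guard-2.x.x". The policy file written at the bottom is a
# short placeholder constructed for this example.
set -eu

WORK=$(mktemp -d)

# Turn a multi-line Guard file into the body of a JSON string: escape
# backslashes and double quotes, then join the lines with a literal \n.
json_string_from_file() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" | awk '{ printf "%s\\n", $0 }'
}

# $1 = rule name, $2 = Guard policy file, $3 = output JSON path.
# Scope limits evaluations to DynamoDB tables so unrelated resource
# changes do not trigger the rule.
build_put_config_rule_json() {
  policy=$(json_string_from_file "$2")
  cat > "$3" <<EOF
{
  "ConfigRuleName": "$1",
  "Description": "Checks that point-in-time recovery is enabled on active DynamoDB tables",
  "Scope": { "ComplianceResourceTypes": ["AWS::DynamoDB::Table"] },
  "Source": {
    "Owner": "CUSTOM_POLICY",
    "SourceDetails": [
      { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" },
      { "EventSource": "aws.config", "MessageType": "OversizedConfigurationItemChangeNotification" }
    ],
    "CustomPolicyDetails": {
      "PolicyRuntime": "guard-2.x.x",
      "PolicyText": "$policy",
      "EnableDebugLogDelivery": false
    }
  }
}
EOF
}

# Parse the generated file with python3 when available; a quoting mistake
# in PolicyText is far easier to spot here than in a put-config-rule error.
validate_json() {
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1"
  else
    echo "python3 not found; skipping JSON parse check" >&2
  fi
}

# Create or update the rule. Only calls the API when CREATE_RULE=yes is
# set and the AWS CLI is installed with credentials for the target account.
put_custom_policy_rule() {
  if [ "${CREATE_RULE:-no}" = yes ] && command -v aws >/dev/null 2>&1; then
    aws configservice put-config-rule --config-rule "file://$1"
  else
    echo "not calling put-config-rule; JSON left at $1" >&2
  fi
}

# Placeholder policy constructed for this example; the comment line carries
# a double quote so the escaping above is exercised.
cat > "$WORK/pitr.guard" <<'EOF'
# Flags DynamoDB tables whose PITR status is not "ENABLED"
rule checkcompliance when resourceType == "AWS::DynamoDB::Table" {
    supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
}
EOF

build_put_config_rule_json dynamodb-pitr-enabled-guard "$WORK/pitr.guard" "$WORK/rule.json"
validate_json "$WORK/rule.json"
put_custom_policy_rule "$WORK/rule.json"
```

EnableDebugLogDelivery is left at its default of false here; turn it on only while developing a rule, since debug output records the evaluated configuration items.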
Creating Amazon Config Custom Policy Rules (API)
Use the PutConfigRule action.
The Owner field should be CUSTOM_POLICY. The following additional fields are used for Amazon Config Custom Policy rules:
- Runtime: The runtime system for your Amazon Config Custom Policy rules. Required.
- PolicyText: The policy that defines the logic for your Amazon Config Custom Policy rules. Required.
- EnableDebugLogDelivery: A Boolean that enables debug logging for your Amazon Config Custom Policy rule. Optional; the default value is false.