Custom Lambda Rules (Amazon EC2 Example) - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Custom Lambda Rules (Amazon EC2 Example)

This procedure guides you through the process of creating a Custom Lambda rule that evaluates whether each of your EC2 instances is the t2.micro type. Amazon Config will run event-based evaluations for this rule, meaning it will check your instance configurations each time Amazon Config detects a configuration change in an instance. Amazon Config will flag t2.micro instances as compliant and all other instances as noncompliant. The compliance status will appear in the Amazon Config console.

To have the best outcome with this procedure, you should have one or more EC2 instances in your Amazon Web Services account. Your instances should include a combination of at least one t2.micro instance and other types.

To create this rule, first, you will create an Amazon Lambda function by customizing a blueprint in the Amazon Lambda console. Then, you will create a Custom Lambda rule in Amazon Config, and you will associate the rule with the function.

Creating an Amazon Lambda Function for a Custom Config Rule

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Lambda console at https://console.amazonaws.cn/lambda/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the Amazon Lambda console, choose Create a Lambda function.

  4. Choose Use a blueprint. In the search bar, type config-rule-change-triggered. Select the blueprint in the filter results and choose Configure.

  5. On the Configure triggers page, choose Next.

  6. On the Basic information page, complete the following steps:

    1. For Function name, type InstanceTypeCheck.

    2. For Execution role, choose Create new role from Amazon Policy templates.

    3. For Runtime, keep Node.js.

    4. For Role name, type a name for the new execution role.

    5. For Policy templates, choose Amazon Config Rules permission.

    6. For Lambda function code, keep the preconfigured code. The Node.js code for your function is provided in the code editor. For this procedure, you do not need to change the code.

    7. Verify the details and choose Create function. The Amazon Lambda console displays your function.

  7. To verify that your function is set up correctly, test it with the following steps:

    1. Choose Test from the menu below Function overview and then choose Configure test event.

    2. For Template, choose Amazon Config Configuration Item Change Notification.

    3. For Name, type a name.

    4. Choose Test. Amazon Lambda tests your function with the example event. If your function is working as expected, an error message similar to the following appears under Execution result:

      { "errorType": "InvalidResultTokenException", "errorMessage": "Result Token provided is invalid", . . .

      The InvalidResultTokenException is expected because your function completes successfully only when it receives a valid result token from Amazon Config. The result token identifies the Amazon Config rule and the event that caused the evaluation; your function passes it back in its PutEvaluations call, which is how Amazon Config associates the evaluation results with the rule. The test event carries no real token, so the call is rejected at the token check, and that rejection shows that your function reached Amazon Config with the permission it needs to send results. If the role lacks that permission, a message containing not authorized to perform: config:PutEvaluations appears instead. If this error occurs, update the role that you assigned to your function to allow the config:PutEvaluations action, and test your function again.
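The following is an added example of what a change-triggered rule function for this procedure looks like in Node.js. It is not the blueprint's code and not part of this page; it follows the same event contract (invokingEvent, ruleParameters, resultToken, eventLeftScope) and reports results with PutEvaluations. It assumes the Lambda Node.js 18 or later runtime, where the AWS SDK v3 client it loads lazily is available; the sample event at the bottom is constructed for illustration and is not a real Amazon Config delivery.

```javascript
// Added example (not the blueprint's code): a change-triggered custom rule
// function that reports an EC2 instance as COMPLIANT only when its
// instanceType equals the desiredInstanceType rule parameter.
// Assumes the Lambda Node.js 18+ runtime (AWS SDK v3 bundled).

const APPLICABLE_RESOURCE_TYPE = 'AWS::EC2::Instance';

// Config normally embeds the configuration item in invokingEvent. For very
// large items it sends a summary instead and the function would have to fetch
// the item with GetResourceConfigHistory; that path is left out here.
function getConfigurationItem(invokingEvent) {
  if (invokingEvent.messageType === 'OversizedConfigurationItemChangeNotification') {
    throw new Error('oversized change notifications are not handled by this example');
  }
  return invokingEvent.configurationItem;
}

// Decide the ComplianceType for one configuration item.
function evaluateCompliance(configurationItem, ruleParameters) {
  if (!configurationItem || configurationItem.resourceType !== APPLICABLE_RESOURCE_TYPE) {
    return 'NOT_APPLICABLE';
  }
  // A deleted instance has nothing to check; NOT_APPLICABLE lets Config retire
  // the old evaluation instead of leaving a stale NON_COMPLIANT result.
  if (configurationItem.configurationItemStatus === 'ResourceDeleted') {
    return 'NOT_APPLICABLE';
  }
  if (!ruleParameters || typeof ruleParameters.desiredInstanceType !== 'string') {
    // Fail loudly: a missing parameter would otherwise flag every instance.
    throw new Error('rule parameter desiredInstanceType is required');
  }
  const actual = configurationItem.configuration
    ? configurationItem.configuration.instanceType
    : undefined;
  return actual === ruleParameters.desiredInstanceType ? 'COMPLIANT' : 'NON_COMPLIANT';
}

// Build the PutEvaluations request. ResultToken must be the token Config put
// in the event; the console test in step 7 has no real token, which is why it
// ends in InvalidResultTokenException.
function buildEvaluationRequest(event) {
  const invokingEvent = JSON.parse(event.invokingEvent);
  const ruleParameters = event.ruleParameters ? JSON.parse(event.ruleParameters) : {};
  const item = getConfigurationItem(invokingEvent);
  // eventLeftScope is set when the resource no longer matches the rule's scope.
  const compliance = event.eventLeftScope
    ? 'NOT_APPLICABLE'
    : evaluateCompliance(item, ruleParameters);
  return {
    ResultToken: event.resultToken,
    Evaluations: [{
      ComplianceResourceType: item.resourceType,
      ComplianceResourceId: item.resourceId,
      ComplianceType: compliance,
      OrderingTimestamp: new Date(item.configurationItemCaptureTime),
    }],
  };
}

// Sends the evaluation to Config; the execution role needs config:PutEvaluations.
async function putEvaluationsWithSdk(request) {
  const { ConfigServiceClient, PutEvaluationsCommand } = require('@aws-sdk/client-config-service');
  return new ConfigServiceClient({}).send(new PutEvaluationsCommand(request));
}

// Factory so the sender can be replaced by a stub when testing outside Lambda.
function makeHandler(putEvaluations) {
  return async (event) => {
    const request = buildEvaluationRequest(event);
    await putEvaluations(request);
    return request.Evaluations[0].ComplianceType;
  };
}

// Constructed sample event (not a real Config delivery): a t2.small instance
// evaluated against desiredInstanceType=t2.micro, so the result is NON_COMPLIANT.
const SAMPLE_EVENT = {
  invokingEvent: JSON.stringify({
    messageType: 'ConfigurationItemChangeNotification',
    configurationItem: {
      resourceType: 'AWS::EC2::Instance',
      resourceId: 'i-0123456789abcdef0',
      configurationItemStatus: 'OK',
      configurationItemCaptureTime: '2024-01-01T00:00:00.000Z',
      configuration: { instanceType: 't2.small' },
    },
  }),
  ruleParameters: JSON.stringify({ desiredInstanceType: 't2.micro' }),
  resultToken: 'example-result-token',
  eventLeftScope: false,
};

exports.handler = makeHandler(putEvaluationsWithSdk);
exports.makeHandler = makeHandler;
exports.evaluateCompliance = evaluateCompliance;
exports.buildEvaluationRequest = buildEvaluationRequest;
exports.SAMPLE_EVENT = SAMPLE_EVENT;
```

Deploy exports.handler as the function's handler. Two behaviours matter for a rule like this: a resource that is deleted or that leaves the rule's scope is reported as NOT_APPLICABLE rather than silently skipped, so Amazon Config can clear its old result, and a missing desiredInstanceType parameter throws instead of marking every instance noncompliant, which makes a misconfigured rule show up as Evaluations failed rather than as a wall of false findings.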

Creating a Custom Lambda Rule to Evaluate Amazon EC2 Instances

  1. Open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to the same region in which you created the Amazon Lambda function for your Custom Lambda rule.

  3. On the Rules page, choose Add rule.

  4. On the Specify rule type page, choose Create custom rule.

  5. On the Configure rule page, complete the following steps:

    1. For Name, type InstanceTypesAreT2micro.

    2. For Description, type Evaluates whether EC2 instances are the t2.micro type.

    3. For Amazon Lambda function ARN, specify the ARN that Amazon Lambda assigned to your function.

      Note

      The ARN that you specify in this step must not include the $LATEST qualifier. You can specify an ARN without a version qualifier or with any qualifier besides $LATEST. Amazon Lambda supports function versioning, and each version is assigned an ARN with a qualifier. Amazon Lambda uses the $LATEST qualifier for the latest version.

    4. For Trigger type, choose When configuration changes.

    5. For Scope of changes, choose Resources.

    6. For Resources, choose Amazon EC2 Instance from the Resource Type dropdown list.

    7. In the Parameters section, you must specify the rule parameter that your Amazon Lambda function evaluates and the desired value. The function for this procedure evaluates the desiredInstanceType parameter.

      For Key, type desiredInstanceType. For Value, type t2.micro.

  6. Choose Next. On the Review and create page, verify the details about your rule, and choose Add rule. Your new rule displays on the Rules page.

    Compliance will display Evaluating... until Amazon Config receives evaluation results from your Amazon Lambda function. If the rule and the function are working as expected, a summary of the results appears after several minutes. For example, a result of 2 noncompliant resource(s) indicates that 2 of your instances are not t2.micro instances, and a result of Compliant indicates that all instances are t2.micro. You can update the results with the refresh button.

    If the rule or function is not working as expected, you might see one of the following for Compliance:

    • No results reported - Amazon Config evaluated your resources against the rule. The rule did not apply to the Amazon resources in its scope, the specified resources were deleted, or the evaluation results were deleted. To get evaluation results, update the rule, change its scope, or choose Re-evaluate.

      Verify that the scope includes Amazon EC2 Instance for Resources, and try again.

    • No resources in scope - Amazon Config cannot evaluate your recorded Amazon resources against this rule because none of your resources are within the rule’s scope. To get evaluation results, edit the rule and change its scope, or add resources for Amazon Config to record by using the Settings page.

      Verify that Amazon Config is recording EC2 instances.

    • Evaluations failed - For information that can help you determine the problem, choose the rule name to open its details page and see the error message.

If your rule works correctly and Amazon Config provides evaluation results, you can learn which conditions affect the compliance status of your rule. You can learn which resources, if any, are noncompliant, and why. For more information, see Viewing Compliance Information and Evaluation Results for your Amazon Resources.