Managing your Amazon Config Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Managing your Amazon Config Rules

You can use the Amazon Config console, Amazon CLI, and Amazon Config API to view, add, and delete your rules.

Add, View, Update and Delete Rules (Console)

The Rules page shows your rules and their current compliance results in a table. The result for each rule is Evaluating... until Amazon Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When Amazon Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see Viewing Configuration Compliance.

Note

Amazon Config evaluates only the resource types that it is recording. For example, if you add the cloudtrail-enabled rule but don't record the CloudTrail trail resource type, Amazon Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see Selecting Which Resources Amazon Config Records.

To view your rules

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. Choose Rules. The Rules page shows all the rules that are currently in your Amazon Web Services account. It lists the name, associated remediation action, and compliance status of each rule.

    • Choose Add rule to get started with creating a rule.

    • Choose a rule to see its settings, or choose a rule and View details.

    • See the compliance status of the rule when it evaluates your resources.

    • Choose a rule and Edit rule to change the configuration settings of the rule and set a remediation action for a noncompliant rule.

To update a rule

  1. Choose a rule and Edit rule for the rule that you want to update.

  2. Modify the settings on the Edit rule page to change your rule as needed.

  3. Choose Save.

To delete a rule

  1. Choose a rule from the table that you want to delete.

  2. From the Actions dropdown list, choose Delete rule.

  3. When prompted, type "Delete" (case-sensitive) and then choose Delete.

To add a rule

If you choose Add rule, you can see the available Amazon Config managed rules on the Add rule page. You can also see the complete list of Amazon Config managed rules at List of Amazon Config Managed Rules. In addition to Amazon Config managed rules, you can also create your own custom rule using either Guard or Amazon Lambda functions.

  1. To add a managed rule, choose a rule on the page and follow the procedure in Working with Amazon Config Managed Rules.

  2. If you want to create your own rule, choose Add custom rule and follow the procedure in Creating Amazon Config Custom Policy Rules or Creating Amazon Config Custom Lambda Rules.

On the Add rule page, you can do the following:

  • Choose Add custom rule to create your own rule.

  • Type in the search field to filter results by rule name, description, or label. For example, type EC2 to return rules that evaluate EC2 resource types or type periodic to return rules with periodic triggers. Type "new" to search for newly added rules. For more information about trigger types, see Specifying Triggers for Amazon Config Rules.

  • Reorder the results alphabetically by choosing the arrow by the Name label.

  • Choose the arrow icon to see the next page of rules.

  • See recently added rules that are marked as New.

  • See labels to identify the resource type that the rule evaluates and if the rule has a periodic trigger.

View, Update, and Delete Rules (Amazon CLI)

To view your rules

  • Use the describe-config-rules command:

    $ aws configservice describe-config-rules

    Amazon Config returns the details for all of your rules.

To update a rule

  1. Use the put-config-rule command with the --generate-cli-skeleton parameter to create a local JSON file that has the parameters for your rule:

    $ aws configservice put-config-rule --generate-cli-skeleton > putConfigRule.json

  2. Open the JSON file in a text editor and remove any parameters that don't need updating, with the following exceptions:

    • Include at least one of the following parameters to identify the rule:

      ConfigRuleName, ConfigRuleArn, or ConfigRuleId.

    • If you are updating a custom rule, you must include the Source object and its parameters.

  3. Fill in the values for the parameters that remain. To reference the details of your rule, use the describe-config-rules command.

    For example, the following JSON code updates the resource types that are in the scope of a custom rule:

    {
        "ConfigRule": {
            "ConfigRuleName": "ConfigRuleName",
            "Scope": {
                "ComplianceResourceTypes": [
                    "AWS::EC2::Instance",
                    "AWS::EC2::Volume",
                    "AWS::EC2::VPC"
                ]
            },
            "Source": {
                "Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
                "SourceDetails": [
                    {
                        "EventSource": "aws.config",
                        "MessageType": "ConfigurationItemChangeNotification"
                    }
                ]
            }
        }
    }

  4. Use the put-config-rule command with the --cli-input-json parameter to pass your JSON configuration to Amazon Config:

    $ aws configservice put-config-rule --cli-input-json file://putConfigRule.json

  5. To verify that you successfully updated your rule, use the describe-config-rules command to view the rule's configuration:

    $ aws configservice describe-config-rules --config-rule-name ConfigRuleName
    {
        "ConfigRules": [
            {
                "ConfigRuleState": "ACTIVE",
                "ConfigRuleName": "ConfigRuleName",
                "ConfigRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-nnnnnn",
                "Source": {
                    "Owner": "CUSTOM_LAMBDA",
                    "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
                    "SourceDetails": [
                        {
                            "EventSource": "aws.config",
                            "MessageType": "ConfigurationItemChangeNotification"
                        }
                    ]
                },
                "Scope": {
                    "ComplianceResourceTypes": [
                        "AWS::EC2::Instance",
                        "AWS::EC2::Volume",
                        "AWS::EC2::VPC"
                    ]
                },
                "ConfigRuleId": "config-rule-nnnnnn"
            }
        ]
    }
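The update procedure above is easy to get wrong by hand: the describe-config-rules output carries identifier and state fields that do not need to be resent, and a custom rule loses its Source if it is trimmed too aggressively. The following script, added here as an example and not part of the Amazon Config documentation, automates steps 2 through 4: it takes describe-config-rules output, keeps ConfigRuleName and the full Source object, replaces the Scope with a new resource-type list, and hands the result to the Amazon CLI as --cli-input-json. The field names are the ones on this page; the helper names, the --apply flag and the sample rule document (built from the page's own output, with placeholder account and ARN values) are this example's own assumptions.

```python
"""Build put-config-rule input from describe-config-rules output.

Example code, not from the Amazon Config documentation. Assumes the
Amazon CLI is installed and has credentials only when --apply is given.
"""
import json
import subprocess
import sys

# Fields that describe-config-rules returns but that do not need to be
# resent when ConfigRuleName already identifies the rule (hypothetical
# selection for this example; the page only asks to remove parameters
# that don't need updating).
FIELDS_NOT_RESENT = {"ConfigRuleArn", "ConfigRuleId", "ConfigRuleState"}

# Constructed sample: the describe-config-rules output shown on this page
# before the update (one resource type in scope, placeholder account/ARNs).
SAMPLE_DESCRIBE_OUTPUT = {
    "ConfigRules": [
        {
            "ConfigRuleState": "ACTIVE",
            "ConfigRuleName": "ConfigRuleName",
            "ConfigRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-nnnnnn",
            "Source": {
                "Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-2:123456789012:function:ConfigRuleName",
                "SourceDetails": [
                    {"EventSource": "aws.config",
                     "MessageType": "ConfigurationItemChangeNotification"}
                ],
            },
            "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
            "ConfigRuleId": "config-rule-nnnnnn",
        }
    ]
}


def build_put_config_rule_input(describe_output, rule_name, resource_types):
    """Return the document to pass to put-config-rule --cli-input-json.

    Keeps ConfigRuleName (the identifier) and the Source object (required
    for a custom rule), drops the fields that need not be resent, and
    replaces Scope with the given resource types, de-duplicated in order.
    """
    matches = [r for r in describe_output.get("ConfigRules", [])
               if r.get("ConfigRuleName") == rule_name]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one rule named {rule_name!r}, found {len(matches)}")
    rule = {k: v for k, v in matches[0].items() if k not in FIELDS_NOT_RESENT}
    if "Source" not in rule:
        raise ValueError("Source must be present when updating a custom rule")
    if not resource_types:
        raise ValueError("at least one resource type is required for the scope")
    rule["Scope"] = {"ComplianceResourceTypes": list(dict.fromkeys(resource_types))}
    return {"ConfigRule": rule}


def put_config_rule(cli_input):
    """Send the update with the Amazon CLI (needs credentials; never run by tests)."""
    subprocess.run(
        ["aws", "configservice", "put-config-rule",
         "--cli-input-json", json.dumps(cli_input)],
        check=True,
    )


if __name__ == "__main__":
    doc = build_put_config_rule_input(
        SAMPLE_DESCRIBE_OUTPUT, "ConfigRuleName",
        ["AWS::EC2::Instance", "AWS::EC2::Volume", "AWS::EC2::VPC"])
    json.dump(doc, sys.stdout, indent=4)
    print()
    if "--apply" in sys.argv:       # hypothetical flag: actually call the CLI
        put_config_rule(doc)
```

Run it without arguments to print the document and compare it against the JSON in step 3; add --apply to send it. In practice, replace SAMPLE_DESCRIBE_OUTPUT with the parsed output of `aws configservice describe-config-rules --config-rule-name ConfigRuleName`, then confirm the change with the same describe command as in step 5.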

To delete a rule

  • Use the delete-config-rule command as shown in the following example:

    $ aws configservice delete-config-rule --config-rule-name ConfigRuleName

View, Update, and Delete Rules (API)

To view your rules

Use the DescribeConfigRules action.

To update or add a rule

Use the PutConfigRule action.

To delete a rule

Use the DeleteConfigRule action.

Note

If a rule is creating invalid evaluation results, you might want to delete these results before you fix the rule and run a new evaluation. For more information, see Deleting Evaluation Results.

Sending Rule Evaluations to Security Hub

After adding an Amazon Config rule, you can also send rule evaluations to Amazon Security Hub. The integration between Amazon Config and Security Hub allows you to triage and remediate rule evaluations alongside other misconfigurations and security issues.

Send Rule Evaluations to Security Hub

To send rule evaluations to Security Hub, you must first set up Amazon Security Hub and Amazon Config, and then add at least one Amazon Config managed or custom rule. After this, Amazon Config immediately starts sending rule evaluations to Security Hub. Security Hub enriches the rule evaluations and transforms them into Security Hub findings.

For more information about this integration, see Available Amazon Service Integrations in the Amazon Security Hub User Guide.