Turning on Proactive Evaluation for Amazon Config Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Turning on Proactive Evaluation for Amazon Config Rules

You can use the Amazon Config console or the Amazon SDKs to turn on proactive evaluation rules.

Turning on Proactive Evaluation (Console)

The Rules page shows your rules and their current compliance results in a table. The result for each rule is Evaluating... until Amazon Config finishes evaluating your resources against the rule. You can update the results with the refresh button. When Amazon Config finishes evaluations, you can see the rules and resource types that are compliant or noncompliant. For more information, see Viewing Compliance Information and Evaluation Results for your Amazon Resources.

Note

Amazon Config evaluates only the resource types that it is recording. For example, if you add the cloudtrail-enabled rule but don't record the CloudTrail trail resource type, Amazon Config can't evaluate whether the trails in your account are compliant or noncompliant. For more information, see Recording Amazon Resources.

You can use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The resource type schema states the properties of a resource. You can find the resource type schema in "Amazon public extensions" within the Amazon CloudFormation registry or with the following CLI command:

aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE

For more information, see Managing extensions through the Amazon CloudFormation registry and Amazon resource and property types reference in the Amazon CloudFormation User Guide.

Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

To turn on proactive evaluation
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the Region selector is set to a Region that supports Amazon Config rules. For the list of supported Amazon Regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the left navigation, choose Rules. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.

  4. Choose a rule, and then choose Edit rule for the rule that you want to update.

  5. For Evaluation mode, choose Turn on proactive evaluation to run evaluations on the configuration settings of your resources before they are deployed.

  6. Choose Save.

After you have turned on proactive evaluation, you can use the StartResourceEvaluation API and GetResourceEvaluationSummary API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

For example, start with the StartResourceEvaluation API:

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE --resource-details '{"ResourceId":"MY_RESOURCE_ID", "ResourceType":"AWS::RESOURCE::TYPE", "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'

You should receive the ResourceEvaluationId in the output:

{ "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID" }

Then, use the ResourceEvaluationId with the GetResourceEvaluationSummary API to check the evaluation result:

aws configservice get-resource-evaluation-summary --resource-evaluation-id MY_RESOURCE_EVALUATION_ID

You should receive output similar to the following:

{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the GetComplianceDetailsByResource API.

Turning on Proactive Evaluation (Amazon CLI)

You can use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The resource type schema states the properties of a resource. You can find the resource type schema in "Amazon public extensions" within the Amazon CloudFormation registry or with the following CLI command:

aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE

For more information, see Managing extensions through the Amazon CloudFormation registry and Amazon resource and property types reference in the Amazon CloudFormation User Guide.

Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

To turn on proactive evaluation

Use the put-config-rule command and enable PROACTIVE for EvaluationModes.

After you have turned on proactive evaluation, you can use the start-resource-evaluation CLI command and get-resource-evaluation-summary CLI command to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region.

For example, start with the start-resource-evaluation command:

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE --resource-details '{"ResourceId":"MY_RESOURCE_ID", "ResourceType":"AWS::RESOURCE::TYPE", "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'

You should receive the ResourceEvaluationId in the output:

{ "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID" }

Then, use the ResourceEvaluationId with the get-resource-evaluation-summary command to check the evaluation result:

aws configservice get-resource-evaluation-summary --resource-evaluation-id MY_RESOURCE_EVALUATION_ID

You should receive output similar to the following:

{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the get-compliance-details-by-resource CLI command.

Note

For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.

Turning on Proactive Evaluation (Amazon SDKs)

You can use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

The resource type schema states the properties of a resource. You can find the resource type schema in "Amazon public extensions" within the Amazon CloudFormation registry or with the following CLI command:

aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE

For more information, see Managing extensions through the Amazon CloudFormation registry and Amazon resource and property types reference in the Amazon CloudFormation User Guide.

Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

To turn on proactive evaluation for a rule

Use the PutConfigRule action and enable PROACTIVE for EvaluationModes.

After you have turned on proactive evaluation, you can use the StartResourceEvaluation API and GetResourceEvaluationSummary API to check if the resources you specify in these commands would be flagged as NON_COMPLIANT by the proactive rules in your account in your Region. For example, start with the StartResourceEvaluation API:

aws configservice start-resource-evaluation --evaluation-mode PROACTIVE --resource-details '{"ResourceId":"MY_RESOURCE_ID", "ResourceType":"AWS::RESOURCE::TYPE", "ResourceConfiguration":"RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA", "ResourceConfigurationSchemaType":"CFN_RESOURCE_SCHEMA"}'

You should receive the ResourceEvaluationId in the output:

{ "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID" }

Then, use the ResourceEvaluationId with the GetResourceEvaluationSummary API to check the evaluation result:

aws configservice get-resource-evaluation-summary --resource-evaluation-id MY_RESOURCE_EVALUATION_ID

You should receive output similar to the following:

{
    "ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID",
    "EvaluationMode": "PROACTIVE",
    "EvaluationStatus": {
        "Status": "SUCCEEDED"
    },
    "EvaluationStartTimestamp": "2022-11-15T19:13:46.029000+00:00",
    "Compliance": "COMPLIANT",
    "ResourceDetails": {
        "ResourceId": "MY_RESOURCE_ID",
        "ResourceType": "AWS::RESOURCE::TYPE",
        "ResourceConfiguration": "RESOURCE_DEFINITION_AS_PER_THE_RESOURCE_CONFIGURATION_SCHEMA"
    }
}

To see additional information about the evaluation result, such as which rule flagged a resource as NON_COMPLIANT, use the GetComplianceDetailsByResource API.
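The StartResourceEvaluation, GetResourceEvaluationSummary and GetComplianceDetailsByResource flow described above (in the CLI section and in this one), as an added Python example that is not part of this documentation: it builds the ResourceDetails payload with ResourceConfiguration double-encoded as a JSON string, polls until the evaluation leaves IN_PROGRESS, and lists the rules that returned NON_COMPLIANT. The client method and parameter names are assumed to follow boto3's naming for the APIs on this page; FakeConfigClient, its responses and the rule name MY_PROACTIVE_RULE are constructed so the example runs offline.

```python
import json
import time

class FakeConfigClient:
    """Constructed stand-in for boto3.client("config"); shapes mirror this page's CLI output."""
    def __init__(self, compliance, failing_rules=()):
        self.compliance, self.failing_rules, self.polls = compliance, list(failing_rules), 0
    def start_resource_evaluation(self, **kw):
        json.loads(kw["ResourceDetails"]["ResourceConfiguration"])  # must be a JSON string
        return {"ResourceEvaluationId": "MY_RESOURCE_EVALUATION_ID"}
    def get_resource_evaluation_summary(self, ResourceEvaluationId):
        self.polls += 1  # first poll is still IN_PROGRESS, later polls report SUCCEEDED
        return {"ResourceEvaluationId": ResourceEvaluationId, "EvaluationMode": "PROACTIVE",
                "EvaluationStatus": {"Status": "IN_PROGRESS" if self.polls == 1 else "SUCCEEDED"},
                "Compliance": self.compliance}
    def get_compliance_details_by_resource(self, **kw):
        return {"EvaluationResults": [{"ComplianceType": "NON_COMPLIANT", "EvaluationResultIdentifier":
                {"EvaluationResultQualifier": {"ConfigRuleName": r, "EvaluationMode": "PROACTIVE"}}}
                for r in self.failing_rules]}

def build_resource_details(resource_id, resource_type, properties):
    """ResourceConfiguration is a JSON *string* of CFN schema properties nested inside JSON."""
    return {"ResourceId": resource_id, "ResourceType": resource_type,
            "ResourceConfiguration": json.dumps(properties),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA"}

def proactive_check(client, resource_id, resource_type, properties, poll_seconds=0.0, max_polls=20):
    """Start a PROACTIVE evaluation, wait for it to finish, return the verdict and failing rules."""
    details = build_resource_details(resource_id, resource_type, properties)
    eval_id = client.start_resource_evaluation(
        EvaluationMode="PROACTIVE", ResourceDetails=details)["ResourceEvaluationId"]
    for _ in range(max_polls):
        summary = client.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
        status = summary["EvaluationStatus"]["Status"]
        if status == "SUCCEEDED":
            break
        if status == "FAILED":
            raise RuntimeError(summary["EvaluationStatus"].get("FailureReason", "evaluation FAILED"))
        time.sleep(poll_seconds)
    else:
        raise TimeoutError("evaluation still IN_PROGRESS after %d polls" % max_polls)
    results = client.get_compliance_details_by_resource(ResourceEvaluationId=eval_id)
    failed = [r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ConfigRuleName"]
              for r in results["EvaluationResults"] if r["ComplianceType"] == "NON_COMPLIANT"]
    return {"ResourceEvaluationId": eval_id, "Compliance": summary["Compliance"], "NonCompliantRules": failed}

if __name__ == "__main__":  # swap FakeConfigClient for boto3.client("config") to evaluate for real
    fake = FakeConfigClient("NON_COMPLIANT", ["MY_PROACTIVE_RULE"])  # constructed verdict and rule name
    print(proactive_check(fake, "my-bucket", "AWS::S3::Bucket", {"VersioningConfiguration": {"Status": "Suspended"}}))
```

Because proactive rules neither block nor remediate a deployment, the returned NonCompliantRules list is what a pipeline step would have to act on itself, for example by failing the build before the template is deployed.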

Note

For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.