Amazon Config Managed Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Config Managed Rules

Amazon Config provides Amazon managed rules, which are predefined, customizable rules that Amazon Config uses to evaluate whether your Amazon resources comply with common best practices. For example, you could use a managed rule to quickly start assessing whether specific tags are applied to your resources. The Amazon Config console guides you through the process of configuring and activating a managed rule. You can also use the Amazon Command Line Interface or Amazon Config API to pass the JSON code that defines your configuration of a managed rule.

You can customize the behavior of a managed rule to suit your needs. For example, you can define the rule's scope to constrain which resources trigger an evaluation for the rule, such as EC2 instances or volumes. You can customize the rule's parameters to define attributes that your resources must have to comply with the rule. For example, you can customize a parameter to specify that your security group should block incoming traffic to a specific port number.

Cost Considerations

For details about the costs associated with resource recording, see Amazon Config pricing.

Recommendation: Stop recording resource compliance before deleting rules

It is highly recommended that you stop recording the AWS::Config::ResourceCompliance resource type before you delete rules in your account. Deleting rules creates configuration items (CIs) for AWS::Config::ResourceCompliance and can affect your Amazon Config configuration recorder costs. If you delete rules that evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

Best practice:

  1. Stop recording AWS::Config::ResourceCompliance

  2. Delete rule(s)

  3. Turn on recording for AWS::Config::ResourceCompliance
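The three steps above, worked through as an added example that is not Amazon's own code. It assumes that the `recordingGroup` dicts mirror the structure returned by `aws configservice describe-configuration-recorders` and accepted by `put-configuration-recorder --recording-group` (fields `allSupported`, `resourceTypes`, `exclusionByResourceTypes`, `recordingStrategy.useOnly`); the recorder name, role ARN and rule names are constructed placeholders. Nothing is executed: the functions only produce the CLI steps, so the original recording group is kept for step 3 and step 1 is skipped when compliance CIs are not being recorded anyway.

```python
"""Sequence a recorder change around a rule deletion (added example, not Amazon's code)."""
import copy
import json

COMPLIANCE_TYPE = "AWS::Config::ResourceCompliance"


def exclude_compliance(recording_group: dict) -> dict:
    """Return a copy of the recording group that no longer records
    AWS::Config::ResourceCompliance, whichever recording strategy is in use."""
    rg = copy.deepcopy(recording_group)
    strategy = rg.get("recordingStrategy", {}).get("useOnly")
    if rg.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # "Record everything" has no carve-out, so switch to the exclusion
        # strategy with this single type excluded. includeGlobalResourceTypes is
        # left untouched here; check the PutConfigurationRecorder constraints for
        # the exclusion strategy before applying (assumption, not covered above).
        rg["allSupported"] = False
        rg.pop("resourceTypes", None)
        rg["exclusionByResourceTypes"] = {"resourceTypes": [COMPLIANCE_TYPE]}
        rg["recordingStrategy"] = {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = rg.setdefault("exclusionByResourceTypes", {}).setdefault("resourceTypes", [])
        if COMPLIANCE_TYPE not in excluded:
            excluded.append(COMPLIANCE_TYPE)
    else:
        # Explicit inclusion list: simply drop the type from it.
        rg["resourceTypes"] = [t for t in rg.get("resourceTypes", []) if t != COMPLIANCE_TYPE]
    return rg


def records_compliance(recording_group: dict) -> bool:
    """True if this recording group would record ResourceCompliance CIs."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if recording_group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return COMPLIANCE_TYPE not in excluded
    return COMPLIANCE_TYPE in recording_group.get("resourceTypes", [])


def plan_rule_deletion(recorder: dict, rule_names: list) -> list:
    """Build the CLI steps: stop recording compliance, delete rules, restore.
    `recorder` is one element of describe-configuration-recorders output.
    Returns a list of argv lists; nothing is run here."""
    name, role = recorder["name"], recorder["roleARN"]
    original = recorder["recordingGroup"]

    def put(group):
        return ["aws", "configservice", "put-configuration-recorder",
                "--configuration-recorder", f"name={name},roleARN={role}",
                "--recording-group", json.dumps(group)]

    steps = []
    if records_compliance(original):        # step 1 is only needed when it is being recorded
        steps.append(put(exclude_compliance(original)))
    steps += [["aws", "configservice", "delete-config-rule", "--config-rule-name", r]
              for r in rule_names]            # step 2
    if records_compliance(original):        # step 3: restore the saved original group
        steps.append(put(original))
    return steps


# Constructed sample recorder; account ID and role name are placeholders.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws-cn:iam::111122223333:role/config-role",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}},
}

if __name__ == "__main__":
    for argv in plan_rule_deletion(SAMPLE_RECORDER, ["rule-a", "rule-b"]):
        print(" ".join(argv))
```

Run the script to print the commands, review them, then execute them in order; the last command is the exact recording group that was in place before, so step 3 cannot drift from what step 1 removed.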

Trigger Types

After you add a rule to your account, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.

Trigger type: Configuration changes

Amazon Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in the configuration of the resource. The evaluation runs after Amazon Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

Amazon Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.

Trigger type: Periodic

Amazon Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.

Trigger type: Hybrid

Some rules have both configuration change and periodic triggers. For these rules, Amazon Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

Evaluation Modes

There are two evaluation modes for Amazon Config rules.

Evaluation mode: Proactive

Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

For more information, see Evaluation modes. For a list of managed rules that support proactive evaluation, see List of Amazon Config Managed Rules by Evaluation Mode.

Evaluation mode: Detective

Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.
Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.
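The customization described earlier on this page (scope, rule parameters, the frequency of a periodic trigger, and evaluation modes) comes together in the JSON that the CLI and API take for a managed rule. The following is an added example, not Amazon's own code or tooling: it composes that JSON for `aws configservice put-config-rule --config-rule` and rejects the scope combinations the Scope structure does not allow (a resource ID needs exactly one resource type; a tag value needs a tag key). The managed-rule identifiers REQUIRED_TAGS, RESTRICTED_INCOMING_TRAFFIC and ACCESS_KEYS_ROTATED and their parameter names are taken as the real identifiers of those rules; the rule names, tag and port values are constructed. Two caveats the code reflects: the trigger type belongs to the managed rule itself, so `MaximumExecutionFrequency` only matters for a rule with a periodic trigger, and PROACTIVE can only be requested for rules on the proactive-support list referenced above.

```python
"""Compose the ConfigRule JSON for put-config-rule (added example, not Amazon's code)."""
import json

# Allowed values of MaximumExecutionFrequency and EvaluationModes[].Mode.
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}
MODES = {"DETECTIVE", "PROACTIVE"}


def build_managed_rule(name, source_identifier, *, resource_types=(), resource_id=None,
                       tag_key=None, tag_value=None, parameters=None,
                       max_frequency=None, evaluation_modes=("DETECTIVE",)):
    """Return a ConfigRule dict for an Amazon-owned (managed) rule.
    Raises ValueError for scope or mode combinations the API does not accept."""
    scope = {}
    if resource_types:
        scope["ComplianceResourceTypes"] = list(resource_types)
    if resource_id is not None:
        # A resource ID only makes sense together with exactly one resource type.
        if len(resource_types) != 1:
            raise ValueError("ComplianceResourceId requires exactly one ComplianceResourceTypes entry")
        scope["ComplianceResourceId"] = resource_id
    if tag_value is not None and tag_key is None:
        raise ValueError("TagValue requires TagKey")
    if tag_key is not None:
        scope["TagKey"] = tag_key
        if tag_value is not None:
            scope["TagValue"] = tag_value
    bad_modes = set(evaluation_modes) - MODES
    if bad_modes:
        raise ValueError(f"unknown evaluation mode(s): {sorted(bad_modes)}")
    if max_frequency is not None and max_frequency not in FREQUENCIES:
        raise ValueError(f"MaximumExecutionFrequency must be one of {sorted(FREQUENCIES)}")

    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
            "EvaluationModes": [{"Mode": m} for m in evaluation_modes]}
    if scope:                        # no Scope means every recorded resource triggers the rule
        rule["Scope"] = scope
    if parameters:
        # The API takes InputParameters as a JSON *string*, not a nested object.
        rule["InputParameters"] = json.dumps(parameters)
    if max_frequency is not None:    # only meaningful for a rule with a periodic trigger
        rule["MaximumExecutionFrequency"] = max_frequency
    return rule


def put_config_rule_argv(rule):
    """The CLI invocation that creates or updates the rule."""
    return ["aws", "configservice", "put-config-rule", "--config-rule", json.dumps(rule)]


# Scope by resource type plus a parameter: every security group must block
# inbound traffic to port 3389 (constructed value).
PORT_RULE = build_managed_rule(
    "sg-blocks-rdp", "RESTRICTED_INCOMING_TRAFFIC",
    resource_types=["AWS::EC2::SecurityGroup"],
    parameters={"blockedPort1": "3389"})

# Scope by tag key and value: only resources tagged Environment=prod must carry
# an Owner tag (constructed values).
TAG_RULE = build_managed_rule(
    "prod-resources-have-owner", "REQUIRED_TAGS",
    tag_key="Environment", tag_value="prod",
    parameters={"tag1Key": "Owner"})

# Periodic trigger: check access-key age once a day (constructed threshold).
PERIODIC_RULE = build_managed_rule(
    "access-keys-rotated-90d", "ACCESS_KEYS_ROTATED",
    parameters={"maxAccessKeyAge": "90"},
    max_frequency="TwentyFour_Hours")

if __name__ == "__main__":
    for rule in (PORT_RULE, TAG_RULE, PERIODIC_RULE):
        print(" ".join(put_config_rule_argv(rule)))
```

Because `InputParameters` is serialized as a string inside the outer JSON, the printed command shows the escaped inner quotes; passing the same dict through `json.dumps` twice by hand is the usual mistake this helper avoids.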