Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon Config Managed Rules

Amazon Config provides Amazon managed rules, which are predefined, customizable rules that Amazon Config uses to evaluate whether your Amazon resources comply with common best practices. For example, you could use a managed rule to quickly start assessing whether specific tags are applied to your resources. You can set up and activate these rules without writing the code to create an Amazon Lambda function, which is required if you want to create custom rules. The Amazon Config console guides you through the process of configuring and activating a managed rule. You can also use the Amazon Command Line Interface or Amazon Config API to pass the JSON code that defines your configuration of a managed rule.

You can customize the behavior of a managed rule to suit your needs. For example, you can define the rule's scope to constrain which resources trigger an evaluation for the rule, such as EC2 instances or volumes. You can customize the rule's parameters to define attributes that your resources must have to comply with the rule. For example, you can customize a parameter to specify that your security group should block incoming traffic to a specific port number.

After you activate a rule, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types:

  • Configuration changes – Amazon Config triggers the evaluation when any resource that matches the rule's scope changes in configuration. The evaluation runs after Amazon Config sends a configuration item change notification.

  • Periodic – Amazon Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

The Amazon Config console shows which resources comply with the rule and which rules are being followed. For more information, see Viewing Configuration Compliance.
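As an added example (not code from the Amazon Config documentation), the following Python builds the JSON document that `aws configservice put-config-rule --config-rule file://rule.json` accepts, covering the customizations described above: a scope limited to security groups, a `blockedPort` parameter set, and a periodic rule with an explicit evaluation frequency. The rule names, port numbers and descriptions are constructed; the managed-rule identifiers, parameter names and frequency values are assumed to match the Amazon Config API and should be checked against each rule's reference page before use.

```python
import json

# Values the Amazon Config API accepts for MaximumExecutionFrequency (periodic trigger).
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}


def managed_rule(name, source_identifier, parameters=None, resource_types=None,
                 frequency=None, description=""):
    """Build a ConfigRule document for `put-config-rule --config-rule file://rule.json`.
    InputParameters must be a JSON-encoded *string*, not a nested object, and every
    parameter value must itself be a string; the API rejects anything else.
    """
    rule = {
        "ConfigRuleName": name,
        "Description": description,
        # Owner "AWS" selects a managed rule; custom (Lambda-backed) rules use CUSTOM_LAMBDA.
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
    }
    if parameters:
        rule["InputParameters"] = json.dumps({k: str(v) for k, v in parameters.items()})
    if resource_types:  # scope: only these resource types trigger change-based evaluations
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    if frequency is not None:  # periodic trigger
        if frequency not in FREQUENCIES:
            raise ValueError(f"unsupported MaximumExecutionFrequency: {frequency!r}")
        rule["MaximumExecutionFrequency"] = frequency
    return rule


def blocked_ports_rule(ports, name="sg-blocked-inbound-ports"):
    """RESTRICTED_INCOMING_TRAFFIC (assumed identifier) takes blockedPort1..blockedPort5
    and flags security groups that allow unrestricted inbound access to those ports.
    It is evaluated on configuration changes, so it is scoped to security groups only."""
    if not 1 <= len(ports) <= 5 or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("between 1 and 5 ports, each in 1..65535")
    params = {f"blockedPort{i}": p for i, p in enumerate(ports, start=1)}
    return managed_rule(name, "RESTRICTED_INCOMING_TRAFFIC", params,
                        resource_types=["AWS::EC2::SecurityGroup"],
                        description="Security groups must not expose blocked ports to 0.0.0.0/0")


def root_mfa_rule(name="root-account-mfa", frequency="TwentyFour_Hours"):
    """ROOT_ACCOUNT_MFA_ENABLED (assumed identifier) is account-level: no resource scope,
    evaluated periodically at the chosen frequency."""
    return managed_rule(name, "ROOT_ACCOUNT_MFA_ENABLED", frequency=frequency,
                        description="Root user must have MFA enabled")


if __name__ == "__main__":
    # Save as rule.json, then: aws configservice put-config-rule --config-rule file://rule.json
    print(json.dumps(blocked_ports_rule([22, 3389]), indent=2))
```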