Use PutConfigRule
with an Amazon SDK or CLI
The following code examples show how to use PutConfigRule
.
- CLI
-
- Amazon CLI
-
To add an Amazon managed Config rule
The following command provides JSON code to add an Amazon managed Config rule:
aws configservice put-config-rule --config-rule
file://RequiredTagsForEC2Instances.json
RequiredTagsForEC2Instances.json
is a JSON file that contains the rule configuration:{ "ConfigRuleName": "RequiredTagsForEC2Instances", "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" }, "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}" }
For the
ComplianceResourceTypes
attribute, this JSON code limits the scope to resources of theAWS::EC2::Instance
type, so Amazon Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, theOwner
attribute is set toAWS
, and theSourceIdentifier
attribute is set to the rule identifier,REQUIRED_TAGS
. For theInputParameters
attribute, the tag keys that the rule requires,CostCenter
andOwner
, are specified.If the command succeeds, Amazon Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.
To add a customer managed Config rule
The following command provides JSON code to add a customer managed Config rule:
aws configservice put-config-rule --config-rule
file://InstanceTypesAreT2micro.json
InstanceTypesAreT2micro.json
is a JSON file that contains the rule configuration:{ "ConfigRuleName": "InstanceTypesAreT2micro", "Description": "Evaluates whether EC2 instances are the t2.micro type.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck", "SourceDetails": [ { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" } ] }, "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}" }
For the
ComplianceResourceTypes
attribute, this JSON code limits the scope to resources of theAWS::EC2::Instance
type, so Amazon Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, theOwner
attribute is set toCUSTOM_LAMBDA
, and theSourceIdentifier
attribute is set to the ARN of the Amazon Lambda function. TheSourceDetails
object is required. The parameters that are specified for theInputParameters
attribute are passed to the Amazon Lambda function when Amazon Config invokes it to evaluate resources against the rule.If the command succeeds, Amazon Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.
-
For API details, see PutConfigRule
in Amazon CLI Command Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository
. class ConfigWrapper: """ Encapsulates AWS Config functions. """ def __init__(self, config_client): """ :param config_client: A Boto3 AWS Config client. """ self.config_client = config_client def put_config_rule(self, rule_name): """ Sets a configuration rule that prohibits making Amazon S3 buckets publicly readable. :param rule_name: The name to give the rule. """ try: self.config_client.put_config_rule( ConfigRule={ "ConfigRuleName": rule_name, "Description": "S3 Public Read Prohibited Bucket Rule", "Scope": { "ComplianceResourceTypes": [ "AWS::S3::Bucket", ], }, "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED", }, "InputParameters": "{}", "ConfigRuleState": "ACTIVE", } ) logger.info("Created configuration rule %s.", rule_name) except ClientError: logger.exception("Couldn't create configuration rule %s.", rule_name) raise
-
For API details, see PutConfigRule in Amazon SDK for Python (Boto3) API Reference.
-
For a complete list of Amazon SDK developer guides and code examples, see Using Amazon Config with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.