Working with Amazon Config Managed Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Working with Amazon Config Managed Rules

You can set up and activate Amazon managed rules from the Amazon Web Services Management Console, Amazon CLI, or Amazon Config API.

Setting Up and Activating an Amazon Managed Rule (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the left navigation, choose Rules.

  4. On the Rules page, choose Add rule.

  5. On the Rules page, you can do the following:

    • Type in the search field to filter results by rule name, description, and label. For example, type EC2 to return rules that evaluate EC2 resource types or type periodic to return rules that are triggered periodically.

    • Choose the arrow icon to see the next page of rules. Recently added rules are marked as New.

  6. Choose a rule that you want to create.

  7. On the Configure rule page, configure the rule by completing the following steps:

    1. For Name, type a unique name for the rule.

    2. If the trigger types for your rule include Configuration changes, specify one of the following options for Scope of changes, which determines the changes for which Amazon Config invokes your Lambda function:

      • Resources – When a resource that matches the specified resource type, or the type plus identifier, is created, changed, or deleted.

      • Tags – When a resource with the specified tag is created, changed, or deleted.

      • All changes – When a resource recorded by Amazon Config is created, changed, or deleted.

    3. If the trigger types for your rule include Periodic, specify the Frequency with which Amazon Config invokes your Lambda function.

    4. If your rule includes parameters in the Rule parameters section, you can customize the values for the provided keys. A parameter is an attribute that your resources must have before they are considered COMPLIANT with the rule.

  8. Choose Save. Your new rule displays on the Rules page.

    Compliance will display Evaluating... until Amazon Config has evaluation results for your rule. A summary of the results appears after several minutes. You can update the results with the refresh button.

    If the rule or function is not working as expected, you might see one of the following for Compliance:

    • No results reported - Amazon Config evaluated your resources against the rule. The rule did not apply to the Amazon resources in its scope, the specified resources were deleted, or the evaluation results were deleted. To get evaluation results, update the rule, change its scope, or choose Re-evaluate.

      This message may also appear if the rule didn't report evaluation results.

    • No resources in scope - Amazon Config cannot evaluate your recorded Amazon resources against this rule because none of your resources are within the rule’s scope. To get evaluation results, edit the rule and change its scope, or add resources for Amazon Config to record by using the Settings page.

    • Evaluations failed - For information that can help you determine the problem, choose the rule name to open its details page and see the error message.

Activating an Amazon Managed Rule (Amazon CLI)

Use the put-config-rule command.

Activating an Amazon Managed Rule (API)

Use the PutConfigRule action.
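As an added example (not from the Amazon documentation), the following Python builds the ConfigRule document that both the put-config-rule CLI command and the PutConfigRule API accept, mapping the console's Scope choices (Resources, Tags, All changes), Rule parameters and Frequency onto the request fields. The rule name, the ENCRYPTED_VOLUMES identifier with its kmsId parameter, the cn-north-1 region and the key ID placeholder are assumed values; boto3 is only needed for the actual API call.

```python
import json

# Values the PutConfigRule API accepts for MaximumExecutionFrequency (the console's Frequency).
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}


def build_managed_rule(name, source_identifier, resource_types=None, tag=None,
                       parameters=None, frequency=None):
    """Return the ConfigRule document for put-config-rule / PutConfigRule.

    Owner "AWS" selects a managed rule; source_identifier is its identifier.
    Scope mirrors the console: resource_types -> Resources, tag=(key, value) -> Tags,
    neither -> All changes. parameters is a dict; the API wants it as a JSON string.
    """
    if resource_types and tag:
        raise ValueError("choose resource types or a tag for the scope, not both")
    if frequency is not None and frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency {frequency!r}")
    rule = {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": source_identifier},
    }
    if resource_types:
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    elif tag:
        key, value = tag
        rule["Scope"] = {"TagKey": key, **({"TagValue": value} if value else {})}
    if parameters:
        rule["InputParameters"] = json.dumps(parameters)
    if frequency:
        rule["MaximumExecutionFrequency"] = frequency
    return rule


def activate_rule(rule, region="cn-north-1"):
    """Call PutConfigRule through boto3 (assumed installed, with credentials configured)."""
    import boto3  # imported here so build_managed_rule stays usable offline
    boto3.client("config", region_name=region).put_config_rule(ConfigRule=rule)


if __name__ == "__main__":
    # Constructed example: ENCRYPTED_VOLUMES scoped to EBS volumes, with its kmsId parameter.
    doc = build_managed_rule("encrypted-volumes-prod", "ENCRYPTED_VOLUMES",
                             resource_types=["AWS::EC2::Volume"],
                             parameters={"kmsId": "REPLACE-WITH-KEY-ID"})
    # Save this JSON to rule.json and run: aws configservice put-config-rule --config-rule file://rule.json
    print(json.dumps(doc, indent=2))
```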