Service-Linked Amazon Config Rules - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service-Linked Amazon Config Rules

A service-linked Amazon Config rule is a unique type of Amazon Config managed rules that supports other Amazon services to create Amazon Config rules in your account. Service-linked rules are predefined to include all the permissions required to call other Amazon services on your behalf. These rules are similar to standards that an Amazon service recommends in your Amazon Web Services account for compliance verification.

These service-linked Amazon Config rules are owned by Amazon service teams. The Amazon service team creates these rules in your Amazon Web Services account. You have read-only access to these rules. You cannot edit or delete these rules if you are subscribed to Amazon service that these rules are linked to.

Service-linked rules and the Amazon Command Line Interface

With the Amazon CLI, the PutConfigRule, DeleteConfigRule, and DeleteEvaluationResults APIs return access denied with the following error message:

INSUFFICIENT_SLCR_PERMISSIONS = "An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule."

Service-linked rules and the Amazon Config console

In the Amazon Config console, the service-linked Amazon Config rules are visible in the Rules page. The Edit and Delete results buttons are greyed in the console to restrict you from editing the rule. You can view details of the rule by choosing the rule.

Service-linked rules, remediation actions, and conformance packs

To add remediation actions to a service-linked rules in a conformance pack, you need to add the remediation action to the conformance pack template itself, and then update the conformance pack with your updated template. For information on updating conformance packs, see Deploying a Conformance Pack (Console), Deploying a Conformance Pack (Amazon CLI) and Managing Organizational Conformance Packs.

Editing and deleting service-linked rules

To edit or delete a service-linked rule, contact the Amazon service that created the rule. For example, for service-linked rules created by Amazon Security Hub, you can remove a service-linked rule by following these steps in the Amazon Security Hub User Guide: Disabling a security standard.