Troubleshooting
Check the following issues to troubleshoot if you cannot delete an Amazon Config rule or receive an error similar to the following: "An error has occurred with Amazon Config."
The Amazon Identity and Access Management (IAM) entity has permissions for the DeleteConfigRule API
Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose Users or Roles.
Choose the user or role that you used to delete the Amazon Config rule, and expand Permissions policies.
In the Permissions tab, choose JSON.
In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API.
The IAM entity permission boundary allows the DeleteConfigRule API
If the IAM entity has a permissions boundary, be sure that it allows permissions for the DeleteConfigRule API.
Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose Users or Roles.
Choose the user or role that you used to delete the Amazon Config rule, expand Permissions boundary, and then choose JSON.
In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API.
Warning
IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.
The service control policy (SCP) allows the DeleteConfigRule API
Open the Amazon Organizations console at https://console.amazonaws.cn/organizations/ using the management account for the organization.
In Account name, choose the Amazon Web Services account.
In Policies, expand Service control policies and note the SCP policies that are attached.
At the top of the page, choose Policies.
Select the policy, and then choose View details.
In the JSON preview pane, confirm that the policy allows the DeleteConfigRule API.
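As an added example that is not part of this guide, the following Python script applies the three checks above offline to policy documents copied from the JSON preview panes: the identity policy, the permissions boundary and the SCP must all allow config:DeleteConfigRule, and an explicit Deny in any of them wins. The three sample documents are constructed for illustration, and the evaluator ignores Resource and Condition elements, so treat it as a first-pass check rather than a substitute for IAM's own evaluation.

```python
import fnmatch
import json

# Constructed sample documents (not from the page). Replace them with the JSON
# shown in the identity policy, permissions boundary and SCP preview panes.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "config:*", "Resource": "*"}]
}""")
PERMISSIONS_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["config:Describe*", "config:Get*", "config:DeleteConfigRule"]}]
}""")
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                {"Effect": "Deny", "Action": "config:Delete*", "Resource": "*"}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policy, action):
    """'Allow', 'Deny' or 'Implicit Deny' for one action under one policy document.
    Only Effect and Action/NotAction are considered; Resource and Condition are ignored."""
    result = "Implicit Deny"
    for stmt in _as_list(policy["Statement"]):
        if "Action" in stmt:
            matched = _matches(action, stmt["Action"])
        else:
            matched = not _matches(action, stmt["NotAction"])
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow in the same document
        result = "Allow"
    return result

def effective_decision(action, identity, boundary=None, scp=None):
    """The identity policy, the permissions boundary and the SCP must all allow the
    action; the first layer that does not is reported so you know which pane to fix."""
    layers = (("identity policy", identity), ("permissions boundary", boundary), ("SCP", scp))
    for name, doc in layers:
        if doc is not None and (verdict := evaluate(doc, action)) != "Allow":
            return f"{verdict} by {name}"
    return "Allow"
```

Running effective_decision("config:DeleteConfigRule", IDENTITY_POLICY, PERMISSIONS_BOUNDARY, SCP) against the samples reports the SCP's explicit Deny, which is the case where the identity policy and boundary look correct but the delete still fails.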
The rule is not a service-linked rule
When you enable a security standard, Amazon Security Hub creates service-linked rules for you. You can't delete these service-linked rules using Amazon Config, and the delete button is grayed out. To remove a service-linked rule, see Disabling a security standard in the Security Hub User Guide.
No remediation actions are in progress
You cannot delete Amazon Config rules that have remediation actions in progress. Follow the steps to delete the remediation action that is associated with that rule. Then, try deleting the rule again.
Important
Only delete remediation actions that are in failed or successful states.