PutConfigRule - AWS Config

PutConfigRule

Adds or updates an AWS Config rule to evaluate if your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see Service Limits in the AWS Config Developer Guide.

There are two types of rules: AWS Config Managed Rules and AWS Config Custom Rules. You can use PutConfigRule to create both AWS Config Managed Rules and AWS Config Custom Rules.

AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see List of AWS Config Managed Rules. If you are adding an AWS Config managed rule, you must specify the rule's identifier for the SourceIdentifier key.

AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions (AWS Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called AWS Config Custom Lambda Rules and AWS Config custom rules created with Guard are called AWS Config Custom Policy Rules.

If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use PutConfigRule to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.

For any new AWS Config rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.

If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.

For more information about developing and using AWS Config rules, see Evaluating Resources with AWS Config Rules in the AWS Config Developer Guide.

Note

Tags are added at creation and cannot be updated with this operation

PutConfigRule is an idempotent API. Subsequent requests won’t create a duplicate resource if one was already created. If a following request has different tags values, AWS Config will ignore these differences and treat it as an idempotent request of the previous. In this case, tags will not be updated, even if they are different.

Use TagResource and UntagResource to update tags after creation.

Request Syntax

{ "ConfigRule": { "ConfigRuleArn": "string", "ConfigRuleId": "string", "ConfigRuleName": "string", "ConfigRuleState": "string", "CreatedBy": "string", "Description": "string", "EvaluationModes": [ { "Mode": "string" } ], "InputParameters": "string", "MaximumExecutionFrequency": "string", "Scope": { "ComplianceResourceId": "string", "ComplianceResourceTypes": [ "string" ], "TagKey": "string", "TagValue": "string" }, "Source": { "CustomPolicyDetails": { "EnableDebugLogDelivery": boolean, "PolicyRuntime": "string", "PolicyText": "string" }, "Owner": "string", "SourceDetails": [ { "EventSource": "string", "MaximumExecutionFrequency": "string", "MessageType": "string" } ], "SourceIdentifier": "string" } }, "Tags": [ { "Key": "string", "Value": "string" } ] }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

ConfigRule

The rule that you want to add to your account.

Type: ConfigRule object

Required: Yes

Tags

An array of tag object.

Type: Array of Tag objects

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: No

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors.

InsufficientPermissionsException

Indicates one of the following errors:

  • For PutConfigRule, the rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.

  • For PutConfigRule, the AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.

  • For PutOrganizationConfigRule, organization AWS Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role.

  • For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:

    • You do not have permission to call IAM GetRole action or create a service-linked role.

    • You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.

  • For PutServiceLinkedConfigurationRecorder, a service-linked configuration recorder cannot be created because you do not have the following permissions: IAM CreateServiceLinkedRole.

HTTP Status Code: 400

InvalidParameterValueException

One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.

HTTP Status Code: 400

MaxNumberOfConfigRulesExceededException

Failed to add the AWS Config rule because the account already contains the maximum number of 1000 rules. Consider deleting any deactivated rules before you add new rules.

HTTP Status Code: 400

NoAvailableConfigurationRecorderException

There are no customer managed configuration recorders available to record your resources. Use the PutConfigurationRecorder operation to create the customer managed configuration recorder.

HTTP Status Code: 400

ResourceInUseException

You see this exception in the following cases:

  • For DeleteConfigRule, AWS Config is deleting this rule. Try your request again later.

  • For DeleteConfigRule, the rule is deleting your evaluation results. Try your request again later.

  • For DeleteConfigRule, a remediation action is associated with the rule and AWS Config cannot delete this rule. Delete the remediation action associated with the rule before deleting the rule and try your request again later.

  • For PutConfigOrganizationRule, organization AWS Config rule deletion is in progress. Try your request again later.

  • For DeleteOrganizationConfigRule, organization AWS Config rule creation is in progress. Try your request again later.

  • For PutConformancePack and PutOrganizationConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.

  • For DeleteConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: