Creating templates for Custom Conformance Packs for AWS Config
A custom conformance pack is a unique collection of AWS Config rules and remediation actions that you can deploy together in an account and an AWS Region, or across an organization in AWS Organizations.
To make a custom conformance pack, follow the steps in the following Customizing the template section to author a YAML file that contains the list of AWS Config Managed Rules or AWS Config Custom Rules that you want to work with.
Terminology
AWS Config Managed Rules are predefined rules owned by AWS Config.
AWS Config Custom Rules are rules that you create from scratch.
There are two ways to create AWS Config custom rules: with Lambda functions (see the AWS Lambda Developer Guide) and with Guard (see the Guard GitHub repository).
Customizing the template
Creating your YAML file
To create a YAML file, open a text editor and save the file with a .yaml extension.
Note
Your file will contain a Parameters section and a Resources section.
Parameters
The Parameters section in your YAML file is for the rule parameters for the set of AWS Config rules that you will add later in the Resources section. Create the Parameters section by copying and pasting the following code block into your YAML file, customizing it as needed and repeating for each rule parameter.
Parameters:
  NameOfRuleParamNameOfRuleParameter:
    Default: Parameter value
    Type: Type
  ...
For example:
Parameters:
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
Note
When selecting the AWS Config rules to build your custom conformance pack, check that you have the resources that will be evaluated for the AWS Config rules provisioned within your account.
- The first line in the Parameters section after Parameters: is a concatenated string of NameOfRule + Param + NameOfRuleParameter.
- Replace NameOfRule with a consistent name that you create for the rule. For example, that could be IamPasswordPolicy for the iam-password-policy rule.
- Type Param.
- Then, replace NameOfRuleParameter with the name of the rule parameter for your specific rule. For AWS Config Managed Rules, the name of the rule parameter is located in the List of AWS Config Managed Rules (for example, MinimumPasswordLength is a name of a rule parameter for the iam-password-policy rule). For AWS Config Custom Rules, the name of the rule parameter is the name that you chose when you created the rule.
- If you are using an AWS Config Managed Rule, find the appropriate AWS Config rule in the List of AWS Config Managed Rules so you'll know the accepted values for Default and Type for your particular rule. For AWS Config Custom Rules, use the values you selected when creating your rule.
Note
For each parameter, Type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".
Resources
The Resources section lists the rules that are being added to your custom conformance pack. Add the following Resources block directly beneath your Parameters section, customizing it as needed and repeating for each rule. For more information on the specifications, see AWS::Config::ConfigRule.
Resources:
  NameOfRule:
    Properties:
      ConfigRuleName: ActualConfigRuleName
      InputParameters:
        NameOfRuleParameter: NameOfRuleParamNameOfRuleParameter
      Source:
        Owner: Owner
        SourceIdentifier: SOURCE_IDENTIFIER
    Type: AWS::Config::ConfigRule
  ...
For example:
Resources:
  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        MinimumPasswordLength: IamPasswordPolicyParamMinimumPasswordLength
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
Note
When selecting the AWS Config rules to build your custom conformance pack, check that you have the resources that will be evaluated for the AWS Config rules provisioned within your account. For more information, see Supported Resource Types.
- Replace NameOfRule with the same name you created in the Parameters section.
- For AWS Config Managed Rules, replace ActualConfigRuleName with the title of the appropriate rule page on the List of AWS Config Managed Rules. For AWS Config Custom Rules, use the Config Rule name you chose at the time of the rule's creation.
- Replace NameOfRuleParameter with the same name you used in the Parameters section. After the colon, copy and paste the same concatenated string of NameOfRule + Param + NameOfRuleParameter that you created in the Parameters section.
- Change Owner to the appropriate value.
Note
AWS Config Managed Rules
For AWS Config Managed Rules, the value for Owner will be AWS.
AWS Config Custom Rules
For AWS Config custom rules created with Guard, the value for Owner will be CUSTOM_POLICY. For AWS Config custom rules created with Lambda, the value for Owner will be CUSTOM_LAMBDA.
- Change SOURCE_IDENTIFIER to the appropriate value.
Note
AWS Config Managed Rules
For AWS Config Managed Rules, copy the identifier by following the link from the rule you select from the List of AWS Config Managed Rules (for example, the source identifier for the access-keys-rotated rule is ACCESS_KEYS_ROTATED).
AWS Config Custom Rules
For AWS Config custom rules created with Lambda, the SourceIdentifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function, such as arn:aws:lambda:us-east-2:123456789012:function:ActualConfigRuleName. For AWS Config custom rules created with Guard, this field is not needed.
Altogether, your filled-out custom conformance pack should begin to look similar to the following, which is an example using these AWS Config Managed Rules: iam-password-policy, access-keys-rotated, and iam-user-unused-credentials-check.
Parameters:
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
  AccessKeysRotatedParamMaxAccessKeyAge:
    Default: '90'
    Type: String
  IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
    Default: '45'
    Type: String
Resources:
  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        MinimumPasswordLength: IamPasswordPolicyParamMinimumPasswordLength
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  AccessKeysRotated:
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: AccessKeysRotatedParamMaxAccessKeyAge
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
  IamUserUnusedCredentialsCheck:
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      InputParameters:
        maxCredentialUsageAge: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
    Type: AWS::Config::ConfigRule
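A mistake that is easy to make when hand-editing the file is a parameter reference under InputParameters that does not match the concatenated NameOfRule + Param + NameOfRuleParameter key under Parameters, or a Type or Owner value outside the accepted set; the pack then fails at deployment rather than in your editor. The following script is an added example, not AWS code, that checks a template for exactly those conventions before you deploy it. It assumes the template uses only block-style mappings with two-space indentation and scalar values (no sequences or flow syntax), so it uses a small purpose-built parser instead of a YAML library. The sample templates and the MyLambdaRule name in the "bad" sample are constructed for the demonstration.

```python
"""Sanity-check a custom conformance pack template (added example, not AWS code).

Assumption: the template is the mapping-only YAML subset shown on this page
(two-space indentation, 'key: value' or 'key:' lines, no sequences or flow
syntax), so no external YAML library is needed.
"""
from __future__ import annotations

ALLOWED_TYPES = {"String", "int", "double", "CSV", "boolean", "StringMap"}
ALLOWED_OWNERS = {"AWS", "CUSTOM_POLICY", "CUSTOM_LAMBDA"}


def parse_simple_yaml(text: str) -> dict:
    """Parse nested mappings, using indentation to find each line's parent."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping) pairs
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # first colon only, so ARNs survive
        while stack[-1][0] >= indent:               # climb back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value.strip("'\"")        # scalar leaf, surrounding quotes dropped
        else:
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def check_template(text: str) -> list[str]:
    """Return a list of problems; an empty list means the template is consistent."""
    doc = parse_simple_yaml(text)
    params = doc.get("Parameters", {})
    resources = doc.get("Resources", {})
    problems: list[str] = []
    referenced: set[str] = set()

    for pname, spec in params.items():
        if spec.get("Type") not in ALLOWED_TYPES:
            problems.append(f"Parameters.{pname}: Type must be one of {sorted(ALLOWED_TYPES)}")

    for rname, res in resources.items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            problems.append(f"Resources.{rname}: Type must be AWS::Config::ConfigRule")
        props = res.get("Properties", {})
        if not props.get("ConfigRuleName"):
            problems.append(f"Resources.{rname}: ConfigRuleName is missing")
        source = props.get("Source", {})
        owner = source.get("Owner")
        ident = source.get("SourceIdentifier", "")
        if owner not in ALLOWED_OWNERS:
            problems.append(f"Resources.{rname}: Owner must be one of {sorted(ALLOWED_OWNERS)}")
        elif owner == "AWS" and not ident:
            problems.append(f"Resources.{rname}: managed rule needs a SourceIdentifier")
        elif owner == "CUSTOM_LAMBDA" and not ident.startswith("arn:aws:lambda:"):
            problems.append(f"Resources.{rname}: CUSTOM_LAMBDA SourceIdentifier must be a Lambda ARN")
        # Each InputParameters value must be NameOfRule + Param + NameOfRuleParameter
        # (the page's example capitalises the parameter's first letter, e.g.
        # maxAccessKeyAge -> AccessKeysRotatedParamMaxAccessKeyAge) and must be defined.
        for pkey, pref in props.get("InputParameters", {}).items():
            expected = f"{rname}Param{pkey[:1].upper()}{pkey[1:]}"
            if pref != expected:
                problems.append(f"Resources.{rname}: {pkey} should reference {expected}, not {pref}")
            if pref not in params:
                problems.append(f"Resources.{rname}: {pref} is not defined under Parameters")
            referenced.add(pref)

    for unused in sorted(set(params) - referenced):
        problems.append(f"Parameters.{unused}: defined but never referenced")
    return problems


# Constructed sample: two of the page's managed rules, written out consistently.
GOOD_TEMPLATE = """\
Parameters:
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
  AccessKeysRotatedParamMaxAccessKeyAge:
    Default: '90'
    Type: String
Resources:
  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        MinimumPasswordLength: IamPasswordPolicyParamMinimumPasswordLength
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  AccessKeysRotated:
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: AccessKeysRotatedParamMaxAccessKeyAge
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
"""

# Constructed sample with deliberate mistakes: an invalid Type, a typo in the
# parameter reference, and a hypothetical Lambda rule whose SourceIdentifier is not an ARN.
BAD_TEMPLATE = """\
Parameters:
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: Integer
Resources:
  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        MinimumPasswordLength: IamPasswordPolicyParamMinimumPasswordLenght
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  MyLambdaRule:
    Properties:
      ConfigRuleName: my-lambda-rule
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier: my-lambda-rule
    Type: AWS::Config::ConfigRule
"""

if __name__ == "__main__":
    for label, template in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_template(template) or "OK")
```

Run it against your own .yaml file by passing the file contents to check_template; the "bad" sample reports five problems (the unknown Type, the mismatched and undefined reference, the non-ARN Lambda identifier, and the parameter left unreferenced by the typo), while the "good" sample reports none.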