Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Components of an AWS Config Rule

PDF
RSS
Focus mode
Components of an AWS Config Rule - AWS Config
How AWS Config Rules WorkTrigger TypesEvaluation ModesRule Metadata

AWS Config rules evaluate the configuration settings of your AWS resources. This page discusses the components of a rule.

How AWS Config Rules Work

While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes do not comply with the conditions in your rules. If a resource does not comply with rule, AWS Config flags the resource and the rule as noncompliant.

There are four possible evaluation results for an AWS Config rule.

Evaluation result Description
COMPLIANT The rule passes the conditions of the compliance check.
NON_COMPLIANT The rule fails the conditions of the compliance check.
ERROR The one of the required/optional parameters is not valid, not of the correct type, or is formatted incorrectly.
NOT_APPLICABLE Used to filter out resources that the logic of the rule cannot be applied to. For example, the alb-desync-mode-check rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers.

For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.

Trigger Types

After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.

Trigger type Description
Configuration changes AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations.
Periodic AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.
Hybrid Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

Evaluation Modes

There are two evaluation modes for AWS Config rules.

Evaluation mode Description
Proactive

Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.
Detective Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.
Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

For more information, see Turning on Proactive Evaluation for AWS Config Rules.

List of managed rules with proactive evaluation

For a list of managed rules that support proactive evaluation, see List of AWS Config Managed Rules by Evaluation Mode.

List of supported resource types for proactive evaluation

The following is a list of resource types that are supported for proactive evaluation:

  • AWS::ApiGateway::Stage

  • AWS::AutoScaling::AutoScalingGroup

  • AWS::EC2::EIP

  • AWS::EC2::Instance

  • AWS::EC2::Subnet

  • AWS::Elasticsearch::Domain

  • AWS::Lambda::Function

  • AWS::RDS::DBInstance

  • AWS::Redshift::Cluster

  • AWS::S3::Bucket

  • AWS::SNS::Topic

AWS Config Rule Metadata

AWS Config rules can contain the following mutable metadata:

defaultName

The defaultName is the name that instances of a rule will get by default.

description

The rule description provides context for what the rule evaluates. The AWS Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON_COMPLIANT scenario. Service Names should be written in full beginning with AWS or Amazon when first mentioned in the rule description. For example, AWS CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch for first use. Services names can be abbreviated after subsequent reference.

scope

The scope determines which resource types the rule targets. For a list of supported resource types, see Supported Resource Types.

compulsoryInputParameterDetails

The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the access-keys-rotated managed rule includes maxAccessKeyAge as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

optionalInputParameterDetails

The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the elasticsearch-logs-to-cloudwatch managed rule includes logTypes as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

supportedEvaluationModes

The supportedEvaluationModes determines when resources will be evaluated, either before a resource has been deployed or after a resource has been deployed.

DETECTIVE is used to evaluate resources which have already been deployed. This allows you to evaluate the configuration settings of your existing resources. PROACTIVE is used to evaluate resources before they have been deployed.

This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

You can specify the supportedEvaluationModes to DETECTIVE, PROACTIVE, or both DETECTIVE and PROACTIVE. You must specify an evaluation mode and this field cannot remain empty.

Note

Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.