Evaluating Resources with AWS Config Rules - AWS Config

Evaluating Resources with AWS Config Rules

Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started.

How AWS Config Rules Work

While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes comply with the conditions in your rules. If a resource does not comply with a rule, AWS Config flags the resource and the rule as noncompliant. The following are the possible evaluation results for an AWS Config rule:

  • COMPLIANT - the rule passes the conditions of the compliance check.

  • NON_COMPLIANT - the rule fails the conditions of the compliance check.

  • ERROR - one of the required/optional parameters is not valid, or not of the correct type, or is formatted incorrectly.

  • NOT_APPLICABLE - used to filter out resources that the logic of the rule cannot be applied to. For example, the alb-desync-mode-check rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers.

For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.

Service-linked Rules

Service-linked rules are a unique type of managed rule that support other AWS services to create AWS Config rules in your account. These rules are predefined to include all the permissions required to call other AWS services on your behalf. These rules are similar to standards that an AWS service recommends in your AWS account for compliance verification. For more information, see Service-Linked AWS Config Rules.

Custom Rules

You can also create custom rules to evaluate additional resources that AWS Config doesn't yet record. For more information, see AWS Config Custom Rules and Evaluating Additional Resource Types.

Viewing Compliance

The AWS Config console shows the compliance status of your rules and resources. You can see how your AWS resources comply overall with your desired configurations, and learn which specific resources are noncompliant. You can also use the AWS CLI, the AWS Config API, and AWS SDKs to make requests to the AWS Config service for compliance information.

By using AWS Config to evaluate your resource configurations, you can assess how well your resource configurations comply with internal practices, industry guidelines, and regulations.

Limitations

For the maximum number of AWS Config rules for each Region for each account and other service limits, see AWS Config Service Limits.

Cost Considerations

For details about the costs associated with resource recording, see AWS Config pricing.

Recommendation: Stop recording resource compliance before deleting rules

It is highly recommended that you stop recording for the AWS::Config::ResourceCompliance resource type before you delete rules in your account. Deleting rules creates configuration items (CIs) for AWS::Config::ResourceCompliance and can affect your AWS Config configuration recorder costs. If you are deleting rules which evaluate a large number of resource types, this can lead to a spike in the number of CIs recorded.

Best practice:

  1. Stop recording AWS::Config::ResourceCompliance

  2. Delete rule(s)

  3. Turn on recording for AWS::Config::ResourceCompliance

Recommendation: Add logic to handle the evaluation of deleted resources for custom lambda rules

When creating AWS Config custom lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.

When evaluation results are marked as NOT_APPLICABLE, they will be marked for deletion and cleaned up. If they're NOT marked as NOT_APPLICABLE, the evaluation results will remain unchanged until the rule is deleted, which can cause an unexpected spike in the creation of CIs for AWS::Config::ResourceCompliance upon rule deletion.

For information on how to set AWS Config custom lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with AWS Config custom lambda rules.
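The following custom Lambda rule handler is an added example (not AWS's code or the page's own) that ties the evaluation results listed above to the deleted-resource recommendation: it evaluates AWS::EC2::Volume encryption, returns NOT_APPLICABLE for resources that are out of scope or whose configuration item status shows they were deleted, and reports the result with PutEvaluations. The sample event, resource ID and result token are constructed values.

```python
import json

# Configuration item statuses AWS Config uses for deleted resources.
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}
IN_SCOPE_TYPE = "AWS::EC2::Volume"


def evaluate_item(configuration_item):
    """Return the ComplianceType for one configuration item.

    Deleted resources get NOT_APPLICABLE so AWS Config marks their old
    evaluation results for deletion instead of keeping them until the rule
    itself is deleted (which would create a spike of ResourceCompliance CIs).
    """
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"
    if configuration_item.get("resourceType") != IN_SCOPE_TYPE:
        return "NOT_APPLICABLE"  # rule logic does not apply to this type
    cfg = configuration_item.get("configuration") or {}
    return "COMPLIANT" if cfg.get("encrypted") is True else "NON_COMPLIANT"


def build_evaluation(event):
    """Parse the AWS Config Lambda event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_item(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the result back."""
    import boto3  # imported here so the pure logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event for a deleted volume (not a real AWS payload).
SAMPLE_DELETED_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
        "configurationItemStatus": "ResourceDeleted",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": None}}),
    "resultToken": "constructed-token",
}
```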

Recommendation: Provide the resources in scope for custom lambda rules

AWS Config Custom Lambda Rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. To avoid increased activity associated with your account, it is highly recommended to provide resources in scope for your Custom Lambda rules. If no resource types are selected, the rule will invoke the Lambda function for all resources in the account.

Region Support

Currently, the AWS Config Rule feature is supported in the following AWS regions. For a list of which individual AWS Config rules are supported in which Regions, see List of AWS Config Managed Rules by Region Availability.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (Ohio) us-east-2 config-fips.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config-fips.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config-fips.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
US West (Oregon) us-west-2 config-fips.us-west-2.amazonaws.com HTTPS
Africa (Cape Town) af-south-1 config.af-south-1.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 config.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Hyderabad) ap-south-2 config.ap-south-2.amazonaws.com HTTPS
Asia Pacific (Jakarta) ap-southeast-3 config.ap-southeast-3.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 config.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Osaka) ap-northeast-3 config.ap-northeast-3.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Canada West (Calgary) ca-west-1 config.ca-west-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Milan) eu-south-1 config.eu-south-1.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Europe (Spain) eu-south-2 config.eu-south-2.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
Europe (Zurich) eu-central-2 config.eu-central-2.amazonaws.com HTTPS
Israel (Tel Aviv) il-central-1 config.il-central-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 config.me-south-1.amazonaws.com HTTPS
Middle East (UAE) me-central-1 config.me-central-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 config.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 config.us-gov-west-1.amazonaws.com HTTPS

Deploying AWS Config Rules across member accounts in an AWS Organization is supported in the following Regions.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
Asia Pacific (Jakarta) ap-southeast-3 config.ap-southeast-3.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 config.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 config.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 config.us-gov-west-1.amazonaws.com HTTPS

Troubleshooting

Check the following issues to troubleshoot if you cannot delete an AWS Config rule or receive an error similar to the following: "An error has occurred with AWS Config."

The AWS Identity and Access Management (IAM) entity has permissions for the DeleteConfigRule API

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. Choose the user or role that you used to delete the AWS Config rule, and expand Permissions policies.

  4. In the Permissions tab, choose JSON.

  5. In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API.

The IAM entity permission boundary allows the DeleteConfigRule API

If the IAM entity has a permissions boundary, be sure that it allows permissions for the DeleteConfigRule API.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. Choose the user or role that you used to delete the AWS Config rule, expand Permissions boundary, and then choose JSON.

  4. In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API.

Warning

IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.

The service control policy (SCP) allows the DeleteConfigRule API

  1. Open the AWS Organizations console at https://console.aws.amazon.com/organizations/ using the management account for the organization.

  2. In Account name, choose the AWS account.

  3. In Policies, expand Service control policies and note the SCP policies that are attached.

  4. At the top of the page, choose Policies.

  5. Select the policy, and then choose View details.

  6. In the JSON preview pane, confirm that the policy allows the DeleteConfigRule API.

The rule is not a service-linked rule

When you enable a security standard, AWS Security Hub creates service-linked rules for you. You can't delete these service-linked rules using AWS Config, and the delete button is grayed out. To remove a service-linked rule, see Disabling a security standard in the Security Hub User Guide.

No remediation actions are in progress

You cannot delete AWS Config rules that have remediation actions in progress. Follow the steps to delete the remediation action that is associated with that rule. Then, try deleting the rule again.

Important

Only delete remediation actions that are in failed or successful states.