# Components of an AWS Config Rule
<a name="evaluate-config_components"></a>

AWS Config rules evaluate the configuration settings of your AWS resources. This page discusses the components of a rule.

**Topics**
+ [

## How AWS Config Rules Work
](#evaluate-config-how-rules-work)
+ [

## Trigger Types
](#evaluate-config_use-managed-rules-trigger)
+ [

## Evaluation Modes
](#evaluate-config_use-managed-rules-proactive-detective)
+ [Rule Metadata](#evaluate-config_components_metadata)

## How AWS Config Rules Work
<a name="evaluate-config-how-rules-work"></a>

While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes do not comply with the conditions in your rules. If a resource does not comply with rule, AWS Config flags the resource and the rule as *noncompliant*.

There are four possible evaluation results for an AWS Config rule.


| **Evaluation result** | **Description** | 
| --- | --- | 
| COMPLIANT | The rule passes the conditions of the compliance check. | 
| NON\$1COMPLIANT | The rule fails the conditions of the compliance check. | 
| ERROR | The one of the required/optional parameters is not valid, not of the correct type, or is formatted incorrectly. | 
| NOT\$1APPLICABLE | Used to filter out resources that the logic of the rule cannot be applied to. For example, the [alb-desync-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html) rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers. | 

For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.

## Trigger Types
<a name="evaluate-config_use-managed-rules-trigger"></a>

After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.


| **Trigger type** | **Description** | 
| --- | --- | 
| Configuration changes | AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification. You choose which resources initiate the evaluation by defining the rule's *scope*. The scope can include the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html) AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to define which resources initiate evaluations. | 
| Periodic | AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. | 
| Hybrid | Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.  | 

## Evaluation Modes
<a name="evaluate-config_use-managed-rules-proactive-detective"></a>

There are two evaluation modes for AWS Config rules.


| **Evaluation mode** | **Description** | 
| --- | --- | 
| Proactive | Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON\$1COMPLIANT given the set of proactive rules that you have in your account in your Region.  | 
| Detective | Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. | 

**Note**  
Proactive rules do not remediate resources that are flagged as NON\$1COMPLIANT or prevent them from being deployed.

For more information, see [Turning on Proactive Evaluation for AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_turn-on-proactive-rules.html).

### List of managed rules with proactive evaluation
<a name="list-proactive-rules"></a>

For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).

### List of supported resource types for proactive evaluation
<a name="list-proactive-resource-types"></a>

The following is a list of resource types that are supported for proactive evaluation:
+ `AWS::EC2::EIP`
+ `AWS::EC2::Subnet`

## AWS Config Rule Metadata
<a name="evaluate-config_components_metadata"></a>

AWS Config rules can contain the following mutable metadata:

**defaultName**  
The defaultName is the name that instances of a rule will get by default.

**description**  
The rule description provides context for what the rule evaluates. The AWS Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON\$1COMPLIANT scenario. Service Names should be written in full beginning with AWS or Amazon when first mentioned in the rule description. For example, AWS CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch for first use. Services names can be abbreviated after subsequent reference. 

**scope**  
The scope determines which resource types the rule targets. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources.html).

**compulsoryInputParameterDetails**  
The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the `access-keys-rotated` managed rule includes `maxAccessKeyAge` as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**optionalInputParameterDetails**  
The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the `elasticsearch-logs-to-cloudwatch` managed rule includes `logTypes` as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

**supportedEvaluationModes**  
The supportedEvaluationModes determines when resources will be evaluated, either before a resource has been deployed or after a resource has been deployed.  
 `DETECTIVE` is used to evaluate resources which have already been deployed. This allows you to evaluate the configuration settings of your existing resources. `PROACTIVE` is used to evaluate resources before they have been deployed.   
This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON\$1COMPLIANT given the set of proactive rules that you have in your account in your Region.   
You can specify the supportedEvaluationModes to `DETECTIVE`, `PROACTIVE`, or both `DETECTIVE` and `PROACTIVE`. You must specify an evaluation mode and this field cannot remain empty.  
Proactive rules do not remediate resources that are flagged as NON\$1COMPLIANT or prevent them from being deployed.