AWS Config Managed Rules

AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices. For example, you could use a managed rule to quickly start assessing whether your Amazon Elastic Block Store (Amazon EBS) volumes are encrypted or whether specific tags are applied to your resources. The AWS Config console guides you through the process of configuring and activating a managed rule. You can also use the AWS Command Line Interface or AWS Config API to pass the JSON code that defines your configuration of a managed rule.

You can customize the behavior of a managed rule to suit your needs. For example, you can define the rule's scope to constrain which resources trigger an evaluation for the rule, such as EC2 instances or volumes. You can customize the rule's parameters to define attributes that your resources must have to comply with the rule. For example, you can customize a parameter to specify that your security group should block incoming traffic to a specific port number.

Considerations

Default Values for Managed Rules

The default values specified for managed rules are pre-populated only when using the AWS console. Default values are not supplied for the API, CLI, or SDK.
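The rule definition that the CLI or API expects, with scope, parameters and (for periodic rules) execution frequency set explicitly because no defaults are supplied outside the console, as an added example that is not AWS's own code. It assumes the managed-rule identifiers ENCRYPTED_VOLUMES, RESTRICTED_INCOMING_TRAFFIC (parameter blockedPort1) and IAM_USER_MFA_ENABLED; the rule names are constructed, and boto3 is needed only when deploy() is called.

```python
# Added example (not AWS code): build ConfigRule definitions for PutConfigRule.
import json

# Allowed values of MaximumExecutionFrequency for periodic rules.
FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
               "Twelve_Hours", "TwentyFour_Hours"}


def managed_rule(name, identifier, resource_types=None,
                 parameters=None, frequency=None, description=None):
    """Return the ConfigRule dict for one AWS managed rule.

    Parameter defaults are pre-populated only in the console, so every
    parameter the rule needs must be passed explicitly through the API.
    """
    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
    if description:
        rule["Description"] = description
    if resource_types:  # scope: only these resource types trigger evaluations
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    if parameters:  # the API takes InputParameters as a JSON string
        rule["InputParameters"] = json.dumps(parameters)
    if frequency:  # periodic (and hybrid) rules carry an execution frequency
        if frequency not in FREQUENCIES:
            raise ValueError(f"unsupported frequency: {frequency}")
        rule["MaximumExecutionFrequency"] = frequency
    return rule


def example_rules():
    """Change-triggered, parameterized, and periodic managed rules."""
    return [
        managed_rule("ebs-volumes-encrypted", "ENCRYPTED_VOLUMES",
                     ["AWS::EC2::Volume"], description="EBS volumes encrypted"),
        managed_rule("sg-blocks-rdp", "RESTRICTED_INCOMING_TRAFFIC",
                     ["AWS::EC2::SecurityGroup"], {"blockedPort1": "3389"},
                     description="Security groups must not allow port 3389"),
        # Periodic rule on a global IAM type: deploy it in one Region only.
        managed_rule("iam-users-have-mfa", "IAM_USER_MFA_ENABLED",
                     frequency="TwentyFour_Hours"),
    ]


def deploy(rules, region):
    """Create or update each rule with PutConfigRule (needs AWS credentials)."""
    import boto3  # imported lazily so the module loads without boto3
    client = boto3.client("config", region_name=region)
    for rule in rules:
        client.put_config_rule(ConfigRule=rule)
```

Each dict from example_rules() is the same JSON you would pass to `aws configservice put-config-rule --config-rule file://rule.json`.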

Configuration Item Recording Delays

AWS Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, this is on a best effort basis and can take longer at times. Some resource types with known delays include: AWS::SecretsManager::Secret and AWS::SQS::Queue. These resource types are examples, and this list is non-exhaustive.

Policies and compliance results

IAM policies and other policies managed in AWS Organizations can affect whether AWS Config has permission to record configuration changes for your resources. Additionally, rules evaluate the configuration of a resource directly and do not take these policies into account when running evaluations. Make sure that the policies in effect align with how you intend to use AWS Config.

Directory Buckets Are Not Supported

Managed rules only support general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. AWS Config doesn’t record configuration changes for directory buckets. For more information on general purpose buckets and directory buckets, see Buckets overview and Directory buckets in the Amazon S3 User Guide.

Managed Rules and Global IAM Resource Types

The global IAM resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can only be recorded by AWS Config in AWS Regions where AWS Config was available before February 2022. These resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see Recording AWS Resources | Global Resources.

If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.

To avoid unnecessary evaluations, you should only deploy periodic rules that report compliance on a global IAM resource type to one of the supported Regions. For a list of which managed rules are supported in which Regions, see List of AWS Config Managed Rules by Region Availability.

Trigger Types

After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.

Configuration changes: AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in the configuration of that resource. The evaluation runs after AWS Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope.

Periodic: AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.

Hybrid: Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

Evaluation Modes

There are two evaluation modes for AWS Config rules.

Proactive: Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region.

For more information, see Evaluation modes. For a list of managed rules that support proactive evaluation, see List of AWS Config Managed Rules by Evaluation Mode.

Detective: Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.

Note: Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.