# Use `PutConfigRule` with an AWS SDK or CLI The following code examples show how to use `PutConfigRule`. ------ #### [ CLI ] **AWS CLI** **To add an AWS managed Config rule** The following command provides JSON code to add an AWS managed Config rule: ``` aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json ``` `RequiredTagsForEC2Instances.json` is a JSON file that contains the rule configuration: ``` { "ConfigRuleName": "RequiredTagsForEC2Instances", "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" }, "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}" } ``` For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the `Owner` attribute is set to `AWS`, and the `SourceIdentifier` attribute is set to the rule identifier, `REQUIRED_TAGS`. For the `InputParameters` attribute, the tag keys that the rule requires, `CostCenter` and `Owner`, are specified. If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name. **To add a customer managed Config rule** The following command provides JSON code to add a customer managed Config rule: ``` aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json ``` `InstanceTypesAreT2micro.json` is a JSON file that contains the rule configuration: ``` { "ConfigRuleName": "InstanceTypesAreT2micro", "Description": "Evaluates whether EC2 instances are the t2.micro type.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck", "SourceDetails": [ { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" } ] }, "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}" } ``` For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the `Owner` attribute is set to `CUSTOM_LAMBDA`, and the `SourceIdentifier` attribute is set to the ARN of the AWS Lambda function. The `SourceDetails` object is required. The parameters that are specified for the `InputParameters` attribute are passed to the AWS Lambda function when AWS Config invokes it to evaluate resources against the rule. If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name. + For API details, see [PutConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-config-rule.html) in *AWS CLI Command Reference*. ------ #### [ Python ] **SDK for Python (Boto3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples). ``` class ConfigWrapper: """ Encapsulates AWS Config functions. """ def __init__(self, config_client): """ :param config_client: A Boto3 AWS Config client. """ self.config_client = config_client def put_config_rule(self, rule_name): """ Sets a configuration rule that prohibits making Amazon S3 buckets publicly readable. :param rule_name: The name to give the rule. """ try: self.config_client.put_config_rule( ConfigRule={ "ConfigRuleName": rule_name, "Description": "S3 Public Read Prohibited Bucket Rule", "Scope": { "ComplianceResourceTypes": [ "AWS::S3::Bucket", ], }, "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED", }, "InputParameters": "{}", "ConfigRuleState": "ACTIVE", } ) logger.info("Created configuration rule %s.", rule_name) except ClientError: logger.exception("Couldn't create configuration rule %s.", rule_name) raise ``` + For API details, see [PutConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/PutConfigRule) in *AWS SDK for Python (Boto3) API Reference*. ------ #### [ SAP ABAP ] **SDK for SAP ABAP** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples). ``` " Create a config rule for S3 bucket public read prohibition lo_cfs->putconfigrule( io_configrule = NEW /aws1/cl_cfsconfigrule( iv_configrulename = iv_rule_name iv_description = |S3 Public Read Prohibited Bucket Rule| io_scope = NEW /aws1/cl_cfsscope( it_complianceresourcetypes = VALUE /aws1/cl_cfscplncresrctypes_w=>tt_complianceresourcetypes( ( NEW /aws1/cl_cfscplncresrctypes_w( |AWS::S3::Bucket| ) ) ) ) io_source = NEW /aws1/cl_cfssource( iv_owner = |AWS| iv_sourceidentifier = |S3_BUCKET_PUBLIC_READ_PROHIBITED| ) iv_inputparameters = '{}' iv_configrulestate = |ACTIVE| ) ). MESSAGE 'Created AWS Config rule.' TYPE 'I'. ``` + For API details, see [PutConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. ------ For a complete list of AWS SDK developer guides and code examples, see [Using AWS Config with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.