Service-Linked AWS Config Rules
A service-linked AWS Config rule is a unique type of AWS Config managed rule that lets other AWS services create AWS Config rules in your account. Service-linked rules are predefined to include all the permissions required to call other AWS services on your behalf. These rules are similar to standards that an AWS service recommends in your AWS account for compliance verification.
These service-linked AWS Config rules are owned by AWS service teams. The AWS service team creates these rules in your AWS account. You have read-only access to these rules. You cannot edit or delete these rules if you are subscribed to the AWS service that these rules are linked to.
Service-linked rules and the AWS Command Line Interface
With the AWS CLI, the PutConfigRule, DeleteConfigRule, and DeleteEvaluationResults APIs return access denied with the following error message:
INSUFFICIENT_SLCR_PERMISSIONS = "An AWS service owns ServiceLinkedConfigRule. You do not have permissions to take action on this rule."
Service-linked rules and the AWS Config console
In the AWS Config console, the service-linked AWS Config rules are visible on the Rules page. The Edit and Delete results buttons are greyed out in the console to restrict you from editing the rule. You can view details of the rule by choosing the rule.
Service-linked rules, remediation actions, and conformance packs
To add remediation actions to a service-linked rule in a conformance pack, you need to add the remediation action to the conformance pack template itself, and then update the conformance pack with your updated template. For information on updating conformance packs, see Deploying a Conformance Pack (Console), Deploying a Conformance Pack (AWS CLI), and Managing Organizational Conformance Packs.
Editing and deleting service-linked rules
To edit or delete a service-linked rule, contact the AWS service that created the rule. For example, for service-linked rules created by AWS Security Hub, you can remove a service-linked rule by following these steps in the AWS Security Hub User Guide: Disabling a security standard.
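The following is an added example, not part of the original AWS documentation: a pre-flight check for cleanup automation that sorts rules into those DeleteConfigRule can act on and those that must go through the owning service, as described in the CLI and editing sections above. It assumes the `CreatedBy` field of the DescribeConfigRules response, which holds the owning service principal and is populated only for service-linked rules; the rule names, the sample response, and the helper names `split_rules` and `plan_deletion` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `aws configservice describe-config-rules` output.
# Rule names are made up; CreatedBy carries the owning service principal and is
# present only on service-linked rules.
SAMPLE = json.loads("""
{"ConfigRules": [
  {"ConfigRuleName": "team-s3-ssl-only",
   "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY"}},
  {"ConfigRuleName": "securityhub-example-rule-0001",
   "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"},
   "CreatedBy": "securityhub.amazonaws.com"},
  {"ConfigRuleName": "team-custom-tag-check",
   "Source": {"Owner": "CUSTOM_LAMBDA",
              "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:example"}}
]}
""")


def split_rules(response):
    """Return (editable rule names, {owning service: [service-linked rule names]})."""
    editable, linked = [], defaultdict(list)
    for rule in response.get("ConfigRules", []):
        owner = rule.get("CreatedBy")  # absent or empty for rules you created
        if owner:
            linked[owner].append(rule["ConfigRuleName"])
        else:
            editable.append(rule["ConfigRuleName"])
    return editable, dict(linked)


def plan_deletion(response, requested):
    """Classify each requested rule before any DeleteConfigRule call is made."""
    editable, linked = split_rules(response)
    owner_of = {name: svc for svc, names in linked.items() for name in names}
    plan = {"delete": [], "contact_owner": {}, "unknown": []}
    for name in requested:
        if name in owner_of:
            # Would fail with INSUFFICIENT_SLCR_PERMISSIONS; record who owns it.
            plan["contact_owner"][name] = owner_of[name]
        elif name in editable:
            plan["delete"].append(name)
        else:
            plan["unknown"].append(name)  # not in this account/region listing
    return plan


if __name__ == "__main__":
    print(plan_deletion(SAMPLE, ["team-s3-ssl-only", "securityhub-example-rule-0001"]))
```

In real use, replace `SAMPLE` with the parsed JSON from a full (paginated) DescribeConfigRules listing for the account and Region being cleaned up.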