PutConformancePack
Creates or updates a conformance pack. A conformance pack is a collection of AWS Config rules that can be easily deployed in an account and a region and across an organization. For information on how many conformance packs you can have per account, see Service Limits in the AWS Config Developer Guide.
This API creates a service-linked role AWSServiceRoleForConfigConforms in your account.
The service-linked role is created only when the role does not exist in your account.
Note
You must specify only one of the following parameters: TemplateS3Uri, TemplateBody or TemplateSSMDocumentDetails.
Request Syntax
{
   "ConformancePackInputParameters": [
      {
         "ParameterName": "string",
         "ParameterValue": "string"
      }
   ],
   "ConformancePackName": "string",
   "DeliveryS3Bucket": "string",
   "DeliveryS3KeyPrefix": "string",
   "TemplateBody": "string",
   "TemplateS3Uri": "string",
   "TemplateSSMDocumentDetails": {
      "DocumentName": "string",
      "DocumentVersion": "string"
   }
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- ConformancePackInputParameters
-
A list of ConformancePackInputParameter objects.
Type: Array of ConformancePackInputParameter objects
Array Members: Minimum number of 0 items. Maximum number of 60 items.
Required: No
- ConformancePackName
-
The unique name of the conformance pack you want to deploy.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: [a-zA-Z][-a-zA-Z0-9]*
Required: Yes
- DeliveryS3Bucket
-
The name of the Amazon S3 bucket where AWS Config stores conformance pack templates.
Note
This field is optional.
Type: String
Length Constraints: Minimum length of 0. Maximum length of 63.
Required: No
- DeliveryS3KeyPrefix
-
The prefix for the Amazon S3 bucket.
Note
This field is optional.
Type: String
Length Constraints: Minimum length of 0. Maximum length of 1024.
Required: No
- TemplateBody
-
A string containing the full conformance pack template body. The structure containing the template body has a minimum length of 1 byte and a maximum length of 51,200 bytes.
Note
You can use a YAML template with two resource types: AWS Config rule (AWS::Config::ConfigRule) and remediation action (AWS::Config::RemediationConfiguration).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 51200.
Required: No
- TemplateS3Uri
-
The location of the file containing the template body (s3://bucketname/prefix). The URI must point to a conformance pack template (max size: 300 KB) that is located in an Amazon S3 bucket in the same Region as the conformance pack.
Note
You must have access to read the Amazon S3 bucket. In addition, to ensure a successful deployment, the template object must not be in an archived storage class if this parameter is passed.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1024.
Pattern: s3://.*
Required: No
- TemplateSSMDocumentDetails
-
An object of type TemplateSSMDocumentDetails, which contains the name or the Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.
Type: TemplateSSMDocumentDetails object
Required: No
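The following pre-flight check is an added example, not part of the AWS reference or any AWS SDK. It applies the constraints documented above to a request dictionary before it is sent, reading the note on template sources as "exactly one"; the function name validate_put_conformance_pack and the sample requests are hypothetical.

```python
import re

NAME_RE = re.compile(r"[a-zA-Z][-a-zA-Z0-9]*")
TEMPLATE_SOURCES = ("TemplateS3Uri", "TemplateBody", "TemplateSSMDocumentDetails")
ALLOWED_TYPES = {"AWS::Config::ConfigRule", "AWS::Config::RemediationConfiguration"}

def validate_put_conformance_pack(req):
    """Hypothetical helper: return a list of constraint violations (empty = passes)."""
    errors = []
    name = req.get("ConformancePackName", "")
    if not (1 <= len(name) <= 256) or not NAME_RE.fullmatch(name):
        errors.append("ConformancePackName: 1-256 chars matching [a-zA-Z][-a-zA-Z0-9]*")
    if len(req.get("ConformancePackInputParameters", [])) > 60:
        errors.append("ConformancePackInputParameters: at most 60 items")
    if len(req.get("DeliveryS3Bucket", "")) > 63:
        errors.append("DeliveryS3Bucket: at most 63 chars")
    if len(req.get("DeliveryS3KeyPrefix", "")) > 1024:
        errors.append("DeliveryS3KeyPrefix: at most 1024 chars")

    given = [k for k in TEMPLATE_SOURCES if k in req]
    if len(given) != 1:
        errors.append("template source: specify only one of " + ", ".join(TEMPLATE_SOURCES))
    if "TemplateS3Uri" in req:
        uri = req["TemplateS3Uri"]
        if not (1 <= len(uri) <= 1024) or not re.fullmatch(r"s3://.*", uri):
            errors.append("TemplateS3Uri: 1-1024 chars matching s3://.*")
    if "TemplateBody" in req:
        body = req["TemplateBody"]
        if not (1 <= len(body.encode("utf-8")) <= 51200):
            errors.append("TemplateBody: 1 to 51,200 bytes")
        # Heuristic line scan, not a YAML parse: flag AWS resource types
        # other than the two this page lists for conformance pack templates.
        found = set(re.findall(r"Type:\s*['\"]?(AWS::[A-Za-z0-9:]+)", body))
        for rtype in sorted(found - ALLOWED_TYPES):
            errors.append("TemplateBody: unsupported resource type " + rtype)
    return errors

# Constructed sample requests (names and templates are illustrative only).
GOOD = {
    "ConformancePackName": "s3-baseline",
    "TemplateBody": "Resources:\n  Rule1:\n    Type: AWS::Config::ConfigRule\n",
}
BAD = {
    "ConformancePackName": "1-bad_name",
    "TemplateBody": "Resources:\n  Fn:\n    Type: AWS::Lambda::Function\n",
    "TemplateS3Uri": "https://example.com/pack.yaml",
}

if __name__ == "__main__":
    print(validate_put_conformance_pack(GOOD))
    print("\n".join(validate_put_conformance_pack(BAD)))
```

Passing this check does not guarantee the service accepts the request; template contents and permissions are still validated server-side, as the Errors section describes.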
Response Syntax
{
   "ConformancePackArn": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- ConformancePackArn
-
ARN of the conformance pack.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConformancePackTemplateValidationException
-
You have specified a template that is not valid or supported.
HTTP Status Code: 400
- InsufficientPermissionsException
-
Indicates one of the following errors:
-
For PutConfigRule, the rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.
-
For PutConfigRule, the AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
-
For PutOrganizationConfigRule, organization AWS Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role.
-
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:
  -
  You do not have permission to call IAM GetRole action or create a service-linked role.
  -
  You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.
HTTP Status Code: 400
- InvalidParameterValueException
-
One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.
HTTP Status Code: 400
- MaxNumberOfConformancePacksExceededException
-
You have reached the limit of the number of conformance packs you can create in an account. For more information, see Service Limits in the AWS Config Developer Guide.
HTTP Status Code: 400
- ResourceInUseException
-
You see this exception in the following cases:
-
For DeleteConfigRule, AWS Config is deleting this rule. Try your request again later.
-
For DeleteConfigRule, the rule is deleting your evaluation results. Try your request again later.
-
For DeleteConfigRule, a remediation action is associated with the rule and AWS Config cannot delete this rule. Delete the remediation action associated with the rule before deleting the rule and try your request again later.
-
For PutConfigOrganizationRule, organization AWS Config rule deletion is in progress. Try your request again later.
-
For DeleteOrganizationConfigRule, organization AWS Config rule creation is in progress. Try your request again later.
-
For PutConformancePack and PutOrganizationConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.
-
For DeleteConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: