AWS::Config::ConfigRule Scope - AWS CloudFormation

AWS::Config::ConfigRule Scope

Defines which resources trigger an evaluation for an AWS Config rule. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule. Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in configuration.

Syntax

To declare this entity in your CloudFormation template, use the following syntax:

JSON

{
  "ComplianceResourceId" : String,
  "ComplianceResourceTypes" : [ String, ... ],
  "TagKey" : String,
  "TagValue" : String
}

YAML

ComplianceResourceId: String
ComplianceResourceTypes:
  - String
TagKey: String
TagValue: String

Properties

ComplianceResourceId

The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.

Required: No

Type: String

Minimum: 1

Maximum: 768

Update requires: No interruption

ComplianceResourceTypes

The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.

Required: No

Type: Array of String

Minimum: 0

Maximum: 100

Update requires: No interruption

TagKey

The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.

Required: No

Type: String

Minimum: 1

Maximum: 128

Update requires: No interruption

TagValue

The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.

Required: No

Type: String

Minimum: 1

Maximum: 256

Update requires: No interruption

Examples

Multiple Resource Types with Tag-Based Scope

This example configures AWS Config to evaluate both Amazon EC2 instances and volumes that are tagged with "Environment=Production". This is useful when you want to monitor compliance for multiple resource types that share specific tags.

YAML

Scope:
  ComplianceResourceTypes:
    - "AWS::EC2::Instance"
    - "AWS::EC2::Volume"
  TagKey: "Environment"
  TagValue: "Production"

JSON

{
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance",
      "AWS::EC2::Volume"
    ],
    "TagKey": "Environment",
    "TagValue": "Production"
  }
}

Single Resource Specific Scope

This example shows how to target a specific Amazon EC2 instance for evaluation using its resource ID. When using ComplianceResourceId, you must specify exactly one resource type in ComplianceResourceTypes.

YAML

Scope:
  ComplianceResourceId: "i-1234567890abcdef0"
  ComplianceResourceTypes:
    - "AWS::EC2::Instance"

JSON

{
  "Scope": {
    "ComplianceResourceId": "i-1234567890abcdef0",
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  }
}
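
Pre-deployment check

The property constraints above (length limits, one resource type when ComplianceResourceId is set, TagKey required with TagValue) can be checked before a template is deployed. The following is an added example, not AWS code: the function names, the NO_SCOPE message and the sample template's logical IDs are hypothetical, and it assumes the template has already been parsed into a Python dict with literal values.

```python
# Added example (not AWS code): lint Scope blocks in a parsed CloudFormation template.
# Assumes literal values; intrinsic functions (dicts such as {"Ref": ...}) are skipped.
LIMITS = {"ComplianceResourceId": (1, 768), "TagKey": (1, 128), "TagValue": (1, 256)}
MAX_TYPES = 100
NO_SCOPE = "no Scope: any recorded resource change triggers evaluation"

def validate_scope(scope):
    """Return a list of problems in a Scope dict; an empty list means it passes."""
    problems = []
    for key, (lo, hi) in LIMITS.items():
        value = scope.get(key)
        if value is None or isinstance(value, dict):
            continue  # absent, or an intrinsic resolved at deploy time
        if not isinstance(value, str) or not lo <= len(value) <= hi:
            problems.append(f"{key} must be a string of {lo}-{hi} characters")
    types = scope.get("ComplianceResourceTypes", [])
    if not isinstance(types, list):
        problems.append("ComplianceResourceTypes must be an array of strings")
        types = []
    elif len(types) > MAX_TYPES:
        problems.append(f"ComplianceResourceTypes allows at most {MAX_TYPES} entries")
    if "ComplianceResourceId" in scope and len(types) != 1:
        problems.append("ComplianceResourceId requires exactly one ComplianceResourceTypes entry")
    if "TagValue" in scope and "TagKey" not in scope:
        problems.append("TagValue requires TagKey")
    return problems

def check_template(template):
    """Map each AWS::Config::ConfigRule logical ID to its list of Scope problems."""
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Config::ConfigRule":
            continue
        scope = resource.get("Properties", {}).get("Scope")
        report[logical_id] = [NO_SCOPE] if scope is None else validate_scope(scope)
    return report

# Constructed sample template (logical IDs are hypothetical; other properties omitted).
SAMPLE = {"Resources": {
    "TaggedRule": {"Type": "AWS::Config::ConfigRule", "Properties": {"Scope": {
        "ComplianceResourceTypes": ["AWS::EC2::Instance", "AWS::EC2::Volume"],
        "TagKey": "Environment", "TagValue": "Production"}}},
    "BadIdRule": {"Type": "AWS::Config::ConfigRule", "Properties": {"Scope": {
        "ComplianceResourceId": "i-1234567890abcdef0",
        "ComplianceResourceTypes": ["AWS::EC2::Instance", "AWS::EC2::Volume"]}}},
    "OrphanTagRule": {"Type": "AWS::Config::ConfigRule", "Properties": {"Scope": {"TagValue": "Production"}}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}
```

Calling check_template(SAMPLE) returns an empty list for TaggedRule and one problem each for BadIdRule and OrphanTagRule; a rule with no Scope at all is reported with the NO_SCOPE note rather than treated as an error.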