Components of an AWS Config Rule - AWS Config
This documentation is a draft for private preview for regions in the AWS European Sovereign Cloud. Documentation content will continue to evolve. Published: December 30, 2025.

Components of an AWS Config Rule

AWS Config rules evaluate the configuration settings of your AWS resources. This page discusses the components of a rule.

How AWS Config Rules Work

While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes comply with the conditions in your rules. If a resource does not comply with a rule, AWS Config flags the resource and the rule as noncompliant.

There are four possible evaluation results for an AWS Config rule.

  • COMPLIANT: The rule passes the conditions of the compliance check.

  • NON_COMPLIANT: The rule fails the conditions of the compliance check.

  • ERROR: One of the required or optional parameters is not valid, is not of the correct type, or is formatted incorrectly.

  • NOT_APPLICABLE: Used to filter out resources that the logic of the rule cannot be applied to. For example, the alb-desync-mode-check rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers.

For example, when an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant. AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account stays within a desired total, or whether an account uses AWS CloudTrail for logging.

Trigger Types

After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.

Configuration changes

AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in the configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification.

You choose which resources initiate the evaluation by defining the rule's scope. The scope can include the following:

  • One or more resource types

  • A combination of a resource type and a resource ID

  • A combination of a tag key and value

  • When any recorded resource is created, updated, or deleted

AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope.

Periodic

AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours.

Hybrid

Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.

AWS Config Rule Metadata

AWS Config rules can contain the following mutable metadata:

defaultName

The defaultName is the name that instances of a rule will get by default.

description

The rule description provides context for what the rule evaluates. The AWS Config Console has a limit of 256 characters. As a best practice, the rule description should begin with “Checks if” and include a description of the NON_COMPLIANT scenario. Service names should be written in full, beginning with AWS or Amazon, when first mentioned in the rule description; for example, AWS CloudTrail or Amazon CloudWatch instead of CloudTrail or CloudWatch on first use. Service names can be abbreviated on subsequent references.

scope

The scope determines which resource types the rule targets. For a list of supported resource types, see Supported Resource Types.

compulsoryInputParameterDetails

The compulsoryInputParameterDetails are used for parameters that are required for a rule to do its evaluation. For example, the access-keys-rotated managed rule includes maxAccessKeyAge as a required parameter. If a parameter is required, it will not be marked as (Optional). For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".

optionalInputParameterDetails

The optionalInputParameterDetails are used for parameters that are optional for a rule to do its evaluation. For example, the elasticsearch-logs-to-cloudwatch managed rule includes logTypes as an optional parameter. For each parameter, a type must be specified. Type can be one of "String", "int", "double", "CSV", "boolean" and "StringMap".
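The following is an added example, not code from this documentation or from AWS, showing how a custom rule's Lambda function maps the evaluation results and the parameter handling described above (the four results under "How AWS Config Rules Work" and the typed input parameters under "AWS Config Rule Metadata") onto the EBS volume encryption case used earlier on this page. The rule name, resource ID, timestamp and the boolean parameter requireKmsKey are constructed for illustration; the event shape (invokingEvent and ruleParameters arriving as JSON strings) and the Evaluation keys are the ones a custom rule receives and returns with PutEvaluations, and the function is deliberately limited to the configuration-change trigger.

```python
import json

def make_event(resource_type="AWS::EC2::Volume", encrypted=False,
               kms_key_id=None, parameters=None):
    """Constructed sample in the shape AWS Config hands a custom rule's Lambda."""
    return {
        "ruleParameters": json.dumps(parameters or {"requireKmsKey": "false"}),
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": resource_type,
                "resourceId": "vol-0123456789abcdef0",  # constructed id
                "configurationItemCaptureTime": "2025-01-01T00:00:00.000Z",
                "configuration": {"encrypted": encrypted, "kmsKeyId": kms_key_id},
            },
        }),
    }

def parse_parameters(raw):
    """Validate the hypothetical requireKmsKey parameter (declared type boolean)."""
    value = str(json.loads(raw or "{}").get("requireKmsKey", "false")).lower()
    if value not in ("true", "false"):
        raise ValueError("requireKmsKey must be 'true' or 'false'")
    return value == "true"

def evaluate(event):
    """Return the Evaluation entry this rule would send with PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        raise ValueError("only the configuration-change trigger is handled here")
    require_kms = parse_parameters(event.get("ruleParameters"))
    item = invoking["configurationItem"]
    cfg = item["configuration"]
    if item["resourceType"] != "AWS::EC2::Volume":
        result = ("NOT_APPLICABLE", "rule logic only applies to EBS volumes")
    elif not cfg.get("encrypted"):
        result = ("NON_COMPLIANT", "volume is not encrypted")
    elif require_kms and not cfg.get("kmsKeyId"):
        result = ("NON_COMPLIANT", "encrypted volume has no KMS key recorded")
    else:
        result = ("COMPLIANT", "volume is encrypted")
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"], "Annotation": result[1],
            "ComplianceType": result[0], "OrderingTimestamp": item["configurationItemCaptureTime"]}

def result_for(event):
    """Map to the page's four results: an exception is what AWS Config shows as ERROR."""
    try:
        return evaluate(event)["ComplianceType"]
    except ValueError:
        return "ERROR"
```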