Evaluating Your Resources with AWS Config Rules - AWS Config
This documentation is a draft for private preview for regions in the AWS European Sovereign Cloud. Documentation content will continue to evolve. Published: December 30, 2025.

Evaluating Your Resources with AWS Config Rules

When you create custom rules or use managed rules, AWS Config evaluates your resources against those rules. You can run on-demand evaluations for resources against your rules. For example, this is helpful when you create a custom rule and want to check that AWS Config is correctly evaluating your resources or to identify if there is an issue with the evaluation logic of your AWS Lambda function.

Example

  1. You create a custom rule that evaluates whether your IAM users have active access keys.

  2. AWS Config evaluates your resources against your custom rule.

  3. An IAM user who doesn't have an active access key exists in your account. Your rule doesn't correctly flag this resource as NON_COMPLIANT.

  4. You fix the rule and start the evaluation again.

  5. Because you fixed your rule, the rule correctly evaluates your resources, and flags the IAM user resource as NON_COMPLIANT.

When you add a rule to your account, you can specify when in the resource creation and management process that you want AWS Config to evaluate your resources. The resource creation and management process is known as resource provisioning. You choose the evaluation mode to specify when in this process you want AWS Config to evaluate your resources.

Depending on the rule, AWS Config can evaluate your resource configurations before a resource has been deployed, after a resource has been deployed, or both. Evaluating a resource before it has been deployed is proactive evaluation. Evaluating a resource after it has been deployed is detective evaluation.

Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources.

Evaluating your Resources (Console)

  1. Sign in to the AWS Management Console and open the AWS Config console at https://eusc-de-east-1.console.amazonaws-eusc.eu/config/home.

  2. In the AWS Management Console menu, check that the region selector is set to a Region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Rules. The Rules page shows the name, associated remediation action, and compliance status of each rule.

  4. Choose a rule from the table.

  5. From the Actions dropdown list, choose Re-evaluate.

  6. AWS Config starts evaluating the resources against your rule.

Note

You can re-evaluate a rule one time each minute. You must wait for AWS Config to complete the evaluation for your rule before you start another evaluation. You can't run an evaluation if at the same time the rule is being updated or if the rule is being deleted.

Evaluating your Resources (CLI)

  • Use the start-config-rules-evaluation command:

    $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName

    AWS Config starts evaluating the recorded resource configurations against your rule. You can also specify multiple rules in your request:

    $ aws configservice start-config-rules-evaluation --config-rule-names ConfigRuleName1 ConfigRuleName2 ConfigRuleName3

Evaluating your Resources (API)

Use the StartConfigRulesEvaluation action.