AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.
You can enable and customize these rules by hand in the AWS Config console by following the documentation section "To set up and activate an AWS managed rule (Console)".
...but of course we prefer to automate.
All config rules have a SourceIdentifier key/attribute inside their Source. For AWS managed config rules (Source.Owner is AWS), the value is one of the identifiers from the table of managed rules. For custom rules (Source.Owner is CUSTOM_LAMBDA), the SourceIdentifier is the ARN of the AWS Lambda function where the rule's logic lives, and AWS Config must be permitted to invoke that function. Don't confuse SourceIdentifier with ConfigRuleArn, which you do not supply when creating a rule (managed or not): AWS Config generates that value for new rules.
Example managed rule identifiers:
CLOUD_TRAIL_ENABLED
EIP_ATTACHED
ENCRYPTED_VOLUMES
INCOMING_SSH_DISABLED
INSTANCES_IN_VPC
REQUIRED_TAGS
RESTRICTED_INCOMING_TRAFFIC
We'll use the PutConfigRule call to create the rules. The ConfigRuleName attribute is required when adding a new rule (managed or not). If you are updating a rule that you added previously, specify the rule's ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you pass in the request.
The goal: automatically configure and enable all managed rules in every region where AWS Config is available.
Source Details
Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Each entry carries an EventSource (aws.config) and a MessageType: ConfigurationItemChangeNotification for change-triggered evaluation, or ScheduledNotification for periodic evaluation, which also needs a MaximumExecutionFrequency. Managed rules already know their trigger type; you supply SourceDetails for custom Lambda rules.
Scope
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
As of 04/07/2016, the maximum number of rules that AWS Config supports is 25 per account. This limit has since been raised; check the current AWS Config service limits before relying on the number, and count existing rules before adding more.
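Putting the pieces above together (SourceIdentifier and Owner, ConfigRuleName, SourceDetails, Scope, and the per-region rollout), here is an added example of building PutConfigRule payloads for both managed and custom rules and pushing them to every region. This is example code written for this page, not AWS's or the original author's. The identifier set is the short list from the page rather than the full managed-rule table, the 25-rule limit is the figure quoted above and is treated as an assumption, and the Lambda ARN and rule names are made up. The region loop needs boto3 and credentials, so it is separated from the pure payload builders.

```python
"""Build PutConfigRule payloads and roll them out to every AWS Config region."""
import json

# Constructed subset of managed-rule identifiers: the identifiers listed on the
# page. The real managed-rule table is much longer; extend this set from it.
MANAGED_RULE_IDENTIFIERS = {
    "CLOUD_TRAIL_ENABLED", "EIP_ATTACHED", "ENCRYPTED_VOLUMES",
    "INCOMING_SSH_DISABLED", "INSTANCES_IN_VPC", "REQUIRED_TAGS",
    "RESTRICTED_INCOMING_TRAFFIC",
}

# Assumption: the per-account limit quoted on the page (04/07/2016). It has
# been raised since, so read the current service limits before trusting it.
MAX_RULES_PER_ACCOUNT = 25

VALID_MESSAGE_TYPES = {"ConfigurationItemChangeNotification", "ScheduledNotification"}


def is_managed_identifier(identifier):
    """True if the identifier is one of the known AWS managed rule identifiers."""
    return identifier in MANAGED_RULE_IDENTIFIERS


def is_lambda_arn(arn):
    """A custom rule's SourceIdentifier must be a Lambda function ARN
    (arn:<partition>:lambda:<region>:<account>:function:<name>)."""
    parts = arn.split(":")
    return len(parts) >= 7 and parts[0] == "arn" and parts[2] == "lambda" and parts[5] == "function"


def build_scope(resource_types=None, resource_id=None, tag_key=None, tag_value=None):
    """Scope limits which resources trigger evaluation: one or more resource
    types, exactly one type plus one resource ID, or a tag key (and value).
    An empty scope means any change in the recording group triggers the rule."""
    scope = {}
    if resource_types:
        scope["ComplianceResourceTypes"] = list(resource_types)
    if resource_id:
        if not resource_types or len(resource_types) != 1:
            raise ValueError("ComplianceResourceId requires exactly one resource type")
        scope["ComplianceResourceId"] = resource_id
    if tag_key:
        scope["TagKey"] = tag_key
        if tag_value:
            scope["TagValue"] = tag_value
    return scope


def managed_rule(name, identifier, scope=None, input_parameters=None, description=None):
    """ConfigRule for an AWS managed rule: Owner is AWS, SourceIdentifier is the
    managed identifier. InputParameters is a JSON *string*, not a dict."""
    if not is_managed_identifier(identifier):
        raise ValueError(f"unknown managed rule identifier: {identifier}")
    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
    if description:
        rule["Description"] = description
    if scope:
        rule["Scope"] = scope
    if input_parameters:
        rule["InputParameters"] = json.dumps(input_parameters)
    return rule


def custom_rule(name, lambda_arn, message_types=("ConfigurationItemChangeNotification",),
                scope=None, max_frequency="TwentyFour_Hours"):
    """ConfigRule for a custom rule: Owner is CUSTOM_LAMBDA, SourceIdentifier is
    the Lambda ARN, and SourceDetails say what triggers the evaluation."""
    if not is_lambda_arn(lambda_arn):
        raise ValueError(f"SourceIdentifier must be a Lambda function ARN: {lambda_arn}")
    details = []
    for mt in message_types:
        if mt not in VALID_MESSAGE_TYPES:
            raise ValueError(f"unsupported MessageType: {mt}")
        detail = {"EventSource": "aws.config", "MessageType": mt}
        if mt == "ScheduledNotification":  # periodic triggers need a frequency
            detail["MaximumExecutionFrequency"] = max_frequency
        details.append(detail)
    rule = {"ConfigRuleName": name,
            "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": lambda_arn,
                       "SourceDetails": details}}
    if scope:
        rule["Scope"] = scope
    return rule


def put_rules_in_all_regions(rules, session=None):
    """Create/update the given rules in every region that offers AWS Config.
    Requires boto3 and credentials; the Lambda behind any custom rule must
    already grant config.amazonaws.com permission to invoke it."""
    import boto3  # imported here so the payload builders stay dependency-free
    session = session or boto3.session.Session()
    applied = {}
    for region in session.get_available_regions("config"):
        client = session.client("config", region_name=region)
        existing = client.describe_config_rules().get("ConfigRules", [])
        names = {r["ConfigRuleName"] for r in existing}
        new = [r for r in rules if r["ConfigRuleName"] not in names]
        if len(existing) + len(new) > MAX_RULES_PER_ACCOUNT:
            raise RuntimeError(f"{region}: would exceed {MAX_RULES_PER_ACCOUNT} rules")
        for rule in rules:
            client.put_config_rule(ConfigRule=rule)  # same call creates or updates
        applied[region] = [r["ConfigRuleName"] for r in rules]
    return applied


if __name__ == "__main__":
    rules = [
        managed_rule("encrypted-volumes", "ENCRYPTED_VOLUMES",
                     scope=build_scope(["AWS::EC2::Volume"])),
        managed_rule("required-tags", "REQUIRED_TAGS",
                     input_parameters={"tag1Key": "Owner"}),
    ]
    print(json.dumps(put_rules_in_all_regions(rules), indent=2))
```

describe_config_rules pages with NextToken once an account holds more rules than one response returns, so a production version should paginate before doing the limit arithmetic. Because PutConfigRule both creates and updates, re-running the script is idempotent for rules that already exist under the same ConfigRuleName.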
AWS Config Supported Regions
AWS Config Common Parameters
PutConfigRule