config_rules
Creates, updates, deletes or gets a config_rule resource or lists config_rules in a region
Overview
| Name | config_rules |
|---|---|
| Type | Resource |
| Description | You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html). Adds or updates an AWS Config rule to evaluate whether your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see [Service Limits](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *Developer Guide*. There are two types of rules: *Managed Rules* and *Custom Rules*. You can use the ``ConfigRule`` resource to create both AWS Config Managed Rules and AWS Config Custom Rules. AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the ``SourceIdentifier`` key. AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with CloudFormation Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *Custom Lambda Rules* and AWS Config custom rules created with CloudFormation Guard are called *Custom Policy Rules*. If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use the ``ConfigRule`` resource to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the ``SourceIdentifier`` key. This key is part of the ``Source`` object, which is part of the ``ConfigRule`` object. For any new AWS Config rule that you add, specify the ``ConfigRuleName`` in the ``ConfigRule`` object. Do not specify the ``ConfigRuleArn`` or the ``ConfigRuleId``. These values are generated by AWS Config for new rules. If you are updating a rule that you added previously, you can specify the rule by ``ConfigRuleName``, ``ConfigRuleId``, or ``ConfigRuleArn`` in the ``ConfigRule`` data type that you use in this request. For more information about developing and using AWS Config rules, see [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *Developer Guide*. |
| Id | awscc.config.config_rules |
Fields
Fields returned by get (all properties):

| Name | Datatype | Description |
|---|---|---|
| config_rule_id | string | |
| description | string | The description that you provide for the AWS Config rule. |
| scope | object | Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.<br />The scope can be empty. |
| config_rule_name | string | A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). |
| arn | string | |
| compliance | object | Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance. |
| maximum_execution_frequency | string | The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for ``MaximumExecutionFrequency`` when:<br />+ You are using an AWS managed rule that is triggered at a periodic frequency.<br />+ Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html).<br /><br />By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the ``MaximumExecutionFrequency`` parameter. |
| source | object | Provides the rule owner (```` for managed rules, ``CUSTOM_POLICY`` for Custom Policy rules, and ``CUSTOM_LAMBDA`` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. |
| input_parameters | object | A string, in JSON format, that is passed to the AWS Config rule Lambda function. |
| evaluation_modes | array | The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only. |
| region | string | AWS region. |

Fields returned by list (identifiers only):

| Name | Datatype | Description |
|---|---|---|
| config_rule_name | string | A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). |
| region | string | AWS region. |
For more information, see AWS::Config::ConfigRule.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | config_rules | INSERT | Source, region |
delete_resource | config_rules | DELETE | Identifier, region |
update_resource | config_rules | UPDATE | Identifier, PatchDocument, region |
list_resources | config_rules_list_only | SELECT | region |
get_resource | config_rules | SELECT | Identifier, region |
SELECT examples
get (all properties)

Gets all properties from an individual config_rule.

```sql
SELECT
  region,
  config_rule_id,
  description,
  scope,
  config_rule_name,
  arn,
  compliance,
  maximum_execution_frequency,
  source,
  input_parameters,
  evaluation_modes
FROM awscc.config.config_rules
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ config_rule_name }}';
```

list (identifiers only)

Lists all config_rules in a region.

```sql
SELECT
  region,
  config_rule_name
FROM awscc.config.config_rules_list_only
WHERE
  region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new config_rule resource, using stack-deploy.
Required Properties

```sql
/*+ create */
INSERT INTO awscc.config.config_rules (
  Source,
  region
)
SELECT
  '{{ source }}',
  '{{ region }}';
```

All Properties

```sql
/*+ create */
INSERT INTO awscc.config.config_rules (
  Description,
  Scope,
  ConfigRuleName,
  Compliance,
  MaximumExecutionFrequency,
  Source,
  InputParameters,
  EvaluationModes,
  region
)
SELECT
  '{{ description }}',
  '{{ scope }}',
  '{{ config_rule_name }}',
  '{{ compliance }}',
  '{{ maximum_execution_frequency }}',
  '{{ source }}',
  '{{ input_parameters }}',
  '{{ evaluation_modes }}',
  '{{ region }}';
```

Manifest

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: config_rule
    props:
      - name: description
        value: '{{ description }}'
      - name: scope
        value:
          tag_key: '{{ tag_key }}'
          compliance_resource_types:
            - '{{ compliance_resource_types[0] }}'
          tag_value: '{{ tag_value }}'
          compliance_resource_id: '{{ compliance_resource_id }}'
      - name: config_rule_name
        value: '{{ config_rule_name }}'
      - name: compliance
        value:
          type: '{{ type }}'
      - name: maximum_execution_frequency
        value: '{{ maximum_execution_frequency }}'
      - name: source
        value:
          custom_policy_details:
            enable_debug_log_delivery: '{{ enable_debug_log_delivery }}'
            policy_text: '{{ policy_text }}'
            policy_runtime: '{{ policy_runtime }}'
          source_identifier: '{{ source_identifier }}'
          owner: '{{ owner }}'
          source_details:
            - event_source: '{{ event_source }}'
              maximum_execution_frequency: '{{ maximum_execution_frequency }}'
              message_type: '{{ message_type }}'
      - name: input_parameters
        value: {}
      - name: evaluation_modes
        value:
          - mode: '{{ mode }}'
```
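The overview states what the ``Source`` object must carry for each rule owner (a managed-rule identifier for managed rules, a Lambda function ARN plus a trigger for Custom Lambda rules, Guard policy details for Custom Policy rules), and the INSERT above passes that object as the one required property. The following Python helper is an added example, not StackQL's or AWS's own code: it builds and validates ``Source`` under those rules and renders the create INSERT with the JSON-encoded object. The account id, function name and rule names are constructed placeholders; the managed-rule identifier ``S3_BUCKET_PUBLIC_READ_PROHIBITED`` and the change-triggered default for Custom Policy rules are assumptions.

```python
import json
import re

# Constructed sample values: the account id and function name are placeholders.
LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:EXAMPLE_RULE_FN"
LAMBDA_ARN_RE = re.compile(r"^arn:aws[\w-]*:lambda:[\w-]+:\d{12}:function:[\w-]+$")
# Change-triggered evaluation; a periodic rule would use ScheduledNotification instead.
CHANGE_TRIGGER = {"EventSource": "aws.config",
                  "MessageType": "ConfigurationItemChangeNotification"}


def build_source(owner, source_identifier=None, source_details=None,
                 custom_policy_details=None):
    """Build the Source object, enforcing what the overview says about each owner.

    AWS: SourceIdentifier is the managed rule identifier.
    CUSTOM_LAMBDA: SourceIdentifier is the ARN of the evaluating Lambda function.
    CUSTOM_POLICY: the Guard policy text lives in CustomPolicyDetails (assumed default
    trigger: configuration item change).
    """
    if owner == "AWS":
        if not (source_identifier and re.fullmatch(r"[A-Z0-9_]+", source_identifier)):
            raise ValueError("managed rule needs a managed-rule identifier")
        return {"Owner": owner, "SourceIdentifier": source_identifier}
    if owner == "CUSTOM_LAMBDA":
        if not (source_identifier and LAMBDA_ARN_RE.match(source_identifier)):
            raise ValueError("custom Lambda rule needs a Lambda function ARN")
        if not source_details:
            raise ValueError("custom Lambda rule needs a SourceDetails trigger")
        return {"Owner": owner, "SourceIdentifier": source_identifier,
                "SourceDetails": list(source_details)}
    if owner == "CUSTOM_POLICY":
        if not (custom_policy_details and custom_policy_details.get("PolicyText")):
            raise ValueError("custom policy rule needs CustomPolicyDetails.PolicyText")
        return {"Owner": owner, "CustomPolicyDetails": dict(custom_policy_details),
                "SourceDetails": list(source_details or [CHANGE_TRIGGER])}
    raise ValueError("Owner must be AWS, CUSTOM_LAMBDA or CUSTOM_POLICY")


def render_insert(source, region, config_rule_name=None):
    """Render the page's create INSERT; Source travels as a JSON string literal."""
    props = {"Source": json.dumps(source, separators=(",", ":"))}
    if config_rule_name:
        props["ConfigRuleName"] = config_rule_name
    props["region"] = region
    cols = ",\n  ".join(props)
    vals = ",\n  ".join("'" + v.replace("'", "''") + "'" for v in props.values())
    return ("/*+ create */\nINSERT INTO awscc.config.config_rules (\n  " + cols
            + "\n)\nSELECT\n  " + vals + ";")
```

Calling ``render_insert(build_source("AWS", "S3_BUCKET_PUBLIC_READ_PROHIBITED"), "us-east-1", "s3-public-read-prohibited")`` yields a statement in the shape of the Required Properties query above, with ``ConfigRuleName`` added so the rule gets a known name rather than a generated one.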
UPDATE example
Use the following StackQL query and manifest file to update a config_rule resource, using stack-deploy.
```sql
/*+ update */
UPDATE awscc.config.config_rules
SET PatchDocument = string('{{ {
  "Description": description,
  "Scope": scope,
  "MaximumExecutionFrequency": maximum_execution_frequency,
  "Source": source,
  "InputParameters": input_parameters,
  "EvaluationModes": evaluation_modes
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ config_rule_name }}';
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.config.config_rules
WHERE
  Identifier = '{{ config_rule_name }}' AND
  region = 'us-east-1';
```
Permissions
To operate on the config_rules resource, the following permissions are required:
| Operation | Required permissions |
|---|---|
| Create | config:PutConfigRule, config:DescribeConfigRules |
| Read | config:DescribeConfigRules, config:DescribeComplianceByConfigRule |
| Delete | config:DeleteConfigRule, config:DescribeConfigRules |
| List | config:DescribeConfigRules |
| Update | config:PutConfigRule, config:DescribeConfigRules |