config_rules
Creates, updates, deletes or gets a config_rule resource or lists config_rules in a region
Overview
| Name | config_rules |
|---|---|
| Type | Resource |
| Description | You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html). Adds or updates an AWS Config rule to evaluate whether your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see [Service Limits](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *Developer Guide*. There are two types of rules: *Managed Rules* and *Custom Rules*. You can use the ``ConfigRule`` resource to create both AWS Config Managed Rules and AWS Config Custom Rules. AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the ``SourceIdentifier`` key. AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *Custom Lambda Rules* and AWS Config custom rules created with Guard are called *Custom Policy Rules*. If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use the ``ConfigRule`` resource to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the ``SourceIdentifier`` key. This key is part of the ``Source`` object, which is part of the ``ConfigRule`` object. For any new AWS Config rule that you add, specify the ``ConfigRuleName`` in the ``ConfigRule`` object. Do not specify the ``ConfigRuleArn`` or the ``ConfigRuleId``; these values are generated by AWS Config for new rules. If you are updating a rule that you added previously, you can specify the rule by ``ConfigRuleName``, ``ConfigRuleId``, or ``ConfigRuleArn`` in the ``ConfigRule`` data type that you use in this request. For more information about developing and using AWS Config rules, see [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *Developer Guide*. |
| Id | awscc.config.config_rules |
Fields
| Name | Datatype | Description |
|---|---|---|
| config_rule_id | string | The ID that AWS Config assigns to the rule. |
| description | string | The description that you provide for the AWS Config rule. |
| scope | object | Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.<br />The scope can be empty. |
| config_rule_name | string | A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). |
| arn | string | The Amazon Resource Name (ARN) of the rule. |
| compliance | object | Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance. |
| maximum_execution_frequency | string | The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for ``MaximumExecutionFrequency`` when:<br />+ You are using an AWS managed rule that is triggered at a periodic frequency.<br />+ Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html).<br /><br />By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the ``MaximumExecutionFrequency`` parameter. |
| source | object | Provides the rule owner (``AWS`` for managed rules, ``CUSTOM_POLICY`` for Custom Policy rules, and ``CUSTOM_LAMBDA`` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. |
| input_parameters | object | A string, in JSON format, that is passed to the AWS Config rule Lambda function. |
| evaluation_modes | array | The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only. |
| region | string | AWS region. |
For more information, see AWS::Config::ConfigRule.
Methods
| Name | Accessible by | Required Params |
|---|---|---|
| create_resource | INSERT | Source, region |
| delete_resource | DELETE | data__Identifier, region |
| update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
| list_resources | SELECT | region |
| get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all properties from an individual config_rule.
```sql
SELECT
region,
config_rule_id,
description,
scope,
config_rule_name,
arn,
compliance,
maximum_execution_frequency,
source,
input_parameters,
evaluation_modes
FROM awscc.config.config_rules
WHERE region = 'us-east-1' AND data__Identifier = '<ConfigRuleName>';
```
INSERT example
Use the following StackQL query and manifest file to create a new config_rule resource, using stack-deploy.
Required Properties:

```sql
/*+ create */
INSERT INTO awscc.config.config_rules (
Source,
region
)
SELECT
'{{ Source }}',
'{{ region }}';
```

All Properties:

```sql
/*+ create */
INSERT INTO awscc.config.config_rules (
Description,
Scope,
ConfigRuleName,
Compliance,
MaximumExecutionFrequency,
Source,
InputParameters,
EvaluationModes,
region
)
SELECT
'{{ Description }}',
'{{ Scope }}',
'{{ ConfigRuleName }}',
'{{ Compliance }}',
'{{ MaximumExecutionFrequency }}',
'{{ Source }}',
'{{ InputParameters }}',
'{{ EvaluationModes }}',
'{{ region }}';
```

Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: config_rule
    props:
      - name: Description
        value: '{{ Description }}'
      - name: Scope
        value:
          TagKey: '{{ TagKey }}'
          ComplianceResourceTypes:
            - '{{ ComplianceResourceTypes[0] }}'
          TagValue: '{{ TagValue }}'
          ComplianceResourceId: '{{ ComplianceResourceId }}'
      - name: ConfigRuleName
        value: '{{ ConfigRuleName }}'
      - name: Compliance
        value:
          Type: '{{ Type }}'
      - name: MaximumExecutionFrequency
        value: '{{ MaximumExecutionFrequency }}'
      - name: Source
        value:
          CustomPolicyDetails:
            EnableDebugLogDelivery: '{{ EnableDebugLogDelivery }}'
            PolicyText: '{{ PolicyText }}'
            PolicyRuntime: '{{ PolicyRuntime }}'
          SourceIdentifier: '{{ SourceIdentifier }}'
          Owner: '{{ Owner }}'
          SourceDetails:
            - EventSource: '{{ EventSource }}'
              MaximumExecutionFrequency: '{{ MaximumExecutionFrequency }}'
              MessageType: '{{ MessageType }}'
      - name: InputParameters
        value: {}
      - name: EvaluationModes
        value:
          - Mode: '{{ Mode }}'
```
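As an added example (not from the StackQL documentation), the templated INSERT above filled in for a managed rule: ``Owner`` is ``AWS`` and ``SourceIdentifier`` carries the managed rule identifier, and ``Scope`` restricts evaluation to S3 buckets so unrelated resource changes do not trigger it. The rule name, description and region are constructed; ``S3_BUCKET_PUBLIC_READ_PROHIBITED`` is an AWS managed rule identifier that this page does not list.

```sql
/*+ create */
-- Managed rule: Owner = AWS, SourceIdentifier = managed rule identifier (no Lambda ARN needed).
-- Scope limits the trigger to AWS::S3::Bucket configuration changes.
INSERT INTO awscc.config.config_rules (
 ConfigRuleName,
 Description,
 Source,
 Scope,
 region
)
SELECT
 'example-s3-public-read-prohibited',
 'Flags S3 buckets whose policy or ACL allows public read access',
 '{"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}',
 '{"ComplianceResourceTypes": ["AWS::S3::Bucket"]}',
 'us-east-1';

-- Read the rule back by its name (the data__Identifier) to confirm the generated
-- ARN and to check the compliance object once AWS Config has evaluated the buckets.
SELECT
 config_rule_name,
 config_rule_id,
 arn,
 scope,
 compliance
FROM awscc.config.config_rules
WHERE region = 'us-east-1' AND data__Identifier = 'example-s3-public-read-prohibited';
```

The ``compliance`` object is populated by AWS Config after the first evaluation, so an immediate read after the INSERT may return it empty.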
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.config.config_rules
WHERE data__Identifier = '<ConfigRuleName>'
AND region = 'us-east-1';
```
Permissions
To operate on the config_rules resource, the following permissions are required:
| Operation | Permissions |
|---|---|
| Create | config:PutConfigRule, config:DescribeConfigRules |
| Read | config:DescribeConfigRules, config:DescribeComplianceByConfigRule |
| Delete | config:DeleteConfigRule, config:DescribeConfigRules |
| List | config:DescribeConfigRules |
| Update | config:PutConfigRule, config:DescribeConfigRules |