config_rules

Creates, updates, deletes or gets a config_rule resource or lists config_rules in a region

Overview

Name	config_rules
Type	Resource
Description	You must first create and start the CC configuration recorder in order to create CC managed rules with CFNlong. For more information, see Managing the Configuration Recorder. Adds or updates an CC rule to evaluate if your AWS resources comply with your desired configurations. For information on how many CC rules you can have per account, see Service Limits in the Developer Guide. There are two types of rules: Managed Rules and Custom Rules. You can use the ConfigRule resource to create both CC Managed Rules and CC Custom Rules. CC Managed Rules are predefined, customizable rules created by CC. For a list of managed rules, see List of Managed Rules. If you are adding an CC managed rule, you must specify the rule's identifier for the SourceIdentifier key. CC Custom Rules are rules that you create from scratch. There are two ways to create CC custom rules: with Lambda functions (Developer Guide) and with CFNGUARDshort (Guard GitHub Repository), a policy-as-code language. CC custom rules created with LAMlong are called Custom Lambda Rules and CC custom rules created with CFNGUARDshort are called Custom Policy Rules. If you are adding a new CC Custom LAM rule, you first need to create an LAMlong function that the rule invokes to evaluate your resources. When you use the ConfigRule resource to add a Custom LAM rule to CC, you must specify the Amazon Resource Name (ARN) that LAMlong assigns to the function. You specify the ARN in the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. For any new CC rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by CC for new rules. If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request. For more information about developing and using CC rules, see Evaluating Resources with Rules in the Developer Guide.
Id	awscc.config.config_rules

Fields

get (all properties)

Name	Datatype	Description
config_rule_id	string
description	string	The description that you provide for the CC rule.
▶scope	object	Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
config_rule_name	string	A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
arn	string
▶compliance	object	Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
maximum_execution_frequency	string	The maximum frequency with which CC runs evaluations for a rule. You can specify a value for MaximumExecutionFrequency when: + You are using an AWS managed rule that is triggered at a periodic frequency. + Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
▶source	object	Provides the rule owner (` for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
input_parameters	object	A string, in JSON format, that is passed to the CC rule Lambda function.
▶evaluation_modes	array	The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
region	string	AWS region.

list (identifiers only)

Name	Datatype	Description
config_rule_name	string	A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
region	string	AWS region.

For more information, see AWS::Config::ConfigRule.

Methods

Name	Resource	Accessible by	Required Params
create_resource	config_rules	INSERT	Source, region
delete_resource	config_rules	DELETE	Identifier, region
update_resource	config_rules	UPDATE	Identifier, PatchDocument, region
list_resources	config_rules_list_only	SELECT	region
get_resource	config_rules	SELECT	Identifier, region

SELECT examples

get (all properties)

Gets all properties from an individual config_rule.

SELECT
  region,
  config_rule_id,
  description,
  scope,
  config_rule_name,
  arn,
  compliance,
  maximum_execution_frequency,
  source,
  input_parameters,
  evaluation_modes
FROM awscc.config.config_rules
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ config_rule_name }}';

list (identifiers only)

Lists all config_rules in a region.

SELECT
  region,
  config_rule_name
FROM awscc.config.config_rules_list_only
WHERE
  region = '{{ region }}';

INSERT example

Use the following StackQL query and manifest file to create a new config_rule resource, using stack-deploy.

Required Properties

/*+ create */
INSERT INTO awscc.config.config_rules (
  Source,
  region
)
SELECT
  '{{ source }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

All Properties

/*+ create */
INSERT INTO awscc.config.config_rules (
  Description,
  Scope,
  ConfigRuleName,
  Compliance,
  MaximumExecutionFrequency,
  Source,
  InputParameters,
  EvaluationModes,
  region
)
SELECT
  '{{ description }}',
  '{{ scope }}',
  '{{ config_rule_name }}',
  '{{ compliance }}',
  '{{ maximum_execution_frequency }}',
  '{{ source }}',
  '{{ input_parameters }}',
  '{{ evaluation_modes }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Manifest

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: config_rule
  props:
    - name: description
      value: '{{ description }}'
    - name: scope
      value:
        tag_key: '{{ tag_key }}'
        compliance_resource_types:
          - '{{ compliance_resource_types[0] }}'
        tag_value: '{{ tag_value }}'
        compliance_resource_id: '{{ compliance_resource_id }}'
    - name: config_rule_name
      value: '{{ config_rule_name }}'
    - name: compliance
      value:
        type: '{{ type }}'
    - name: maximum_execution_frequency
      value: '{{ maximum_execution_frequency }}'
    - name: source
      value:
        custom_policy_details:
          enable_debug_log_delivery: '{{ enable_debug_log_delivery }}'
          policy_text: '{{ policy_text }}'
          policy_runtime: '{{ policy_runtime }}'
        source_identifier: '{{ source_identifier }}'
        owner: '{{ owner }}'
        source_details:
          - event_source: '{{ event_source }}'
            maximum_execution_frequency: '{{ maximum_execution_frequency }}'
            message_type: '{{ message_type }}'
    - name: input_parameters
      value: {}
    - name: evaluation_modes
      value:
        - mode: '{{ mode }}'

UPDATE example

Use the following StackQL query and manifest file to update a config_rule resource, using stack-deploy.

/*+ update */
UPDATE awscc.config.config_rules
SET PatchDocument = string('{{ {
    "Description": description,
    "Scope": scope,
    "MaximumExecutionFrequency": maximum_execution_frequency,
    "Source": source,
    "InputParameters": input_parameters,
    "EvaluationModes": evaluation_modes
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ config_rule_name }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.config.config_rules
WHERE
  Identifier = '{{ config_rule_name }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
ClientToken	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
RoleArn	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the config_rules resource, the following permissions are required:

Create

config:PutConfigRule,
config:DescribeConfigRules

Read

config:DescribeConfigRules,
config:DescribeComplianceByConfigRule

Delete

config:DeleteConfigRule,
config:DescribeConfigRules

List

config:DescribeConfigRules

Update

config:PutConfigRule,
config:DescribeConfigRules