config_rules
Creates, updates, deletes or gets a config_rule resource or lists config_rules in a region
Overview
| Name | config_rules |
| Type | Resource |
| Description | You must first create and start the CC configuration recorder in order to create CC managed rules with CFNlong. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html). Adds or updates an CC rule to evaluate if your AWS resources comply with your desired configurations. For information on how many CC rules you can have per account, see [Service Limits](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *Developer Guide*. There are two types of rules: *Managed Rules* and *Custom Rules*. You can use the ConfigRule resource to create both CC Managed Rules and CC Custom Rules.CC Managed Rules are predefined, customizable rules created by CC. For a list of managed rules, see [List of Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an CC managed rule, you must specify the rule's identifier for the SourceIdentifier key.CC Custom Rules are rules that you create from scratch. There are two ways to create CC custom rules: with Lambda functions ([Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with CFNGUARDshort ([Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. CC custom rules created with LAMlong are called *Custom Lambda Rules* and CC custom rules created with CFNGUARDshort are called *Custom Policy Rules*. If you are adding a new CC Custom LAM rule, you first need to create an LAMlong function that the rule invokes to evaluate your resources. When you use the ConfigRule resource to add a Custom LAM rule to CC, you must specify the Amazon Resource Name (ARN) that LAMlong assigns to the function. You specify the ARN in the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. For any new CC rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by CC for new rules.If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.For more information about developing and using CC rules, see [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *Developer Guide*. |
| Id | aws.config.config_rules |
Fields
| Name | Datatype | Description |
|---|---|---|
config_rule_id | string | |
description | string | The description that you provide for the CC rule. |
scope | object | Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty. |
config_rule_name | string | A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). |
arn | string | |
compliance | object | Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance. |
maximum_execution_frequency | string | The maximum frequency with which CC runs evaluations for a rule. You can specify a value for MaximumExecutionFrequency when:+ You are using an AWS managed rule that is triggered at a periodic frequency. + Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html). By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter. |
source | object | Provides the rule owner (CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. |
input_parameters | object | A string, in JSON format, that is passed to the CC rule Lambda function. |
evaluation_modes | array | The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only. |
region | string | AWS region. |
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | Source, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all config_rules in a region.
SELECT
region,
config_rule_id,
description,
scope,
config_rule_name,
arn,
compliance,
maximum_execution_frequency,
source,
input_parameters,
evaluation_modes
FROM aws.config.config_rules
WHERE region = 'us-east-1';
Gets all properties from an individual config_rule.
SELECT
region,
config_rule_id,
description,
scope,
config_rule_name,
arn,
compliance,
maximum_execution_frequency,
source,
input_parameters,
evaluation_modes
FROM aws.config.config_rules
WHERE region = 'us-east-1' AND data__Identifier = '<ConfigRuleName>';
INSERT example
Use the following StackQL query and manifest file to create a new config_rule resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.config.config_rules (
Source,
region
)
SELECT
'{{ Source }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.config.config_rules (
Description,
Scope,
ConfigRuleName,
Compliance,
MaximumExecutionFrequency,
Source,
InputParameters,
EvaluationModes,
region
)
SELECT
'{{ Description }}',
'{{ Scope }}',
'{{ ConfigRuleName }}',
'{{ Compliance }}',
'{{ MaximumExecutionFrequency }}',
'{{ Source }}',
'{{ InputParameters }}',
'{{ EvaluationModes }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: config_rule
props:
- name: Description
value: '{{ Description }}'
- name: Scope
value:
TagKey: '{{ TagKey }}'
ComplianceResourceTypes:
- '{{ ComplianceResourceTypes[0] }}'
TagValue: '{{ TagValue }}'
ComplianceResourceId: '{{ ComplianceResourceId }}'
- name: ConfigRuleName
value: '{{ ConfigRuleName }}'
- name: Compliance
value:
Type: '{{ Type }}'
- name: MaximumExecutionFrequency
value: '{{ MaximumExecutionFrequency }}'
- name: Source
value:
CustomPolicyDetails:
EnableDebugLogDelivery: '{{ EnableDebugLogDelivery }}'
PolicyText: '{{ PolicyText }}'
PolicyRuntime: '{{ PolicyRuntime }}'
SourceIdentifier: '{{ SourceIdentifier }}'
Owner: '{{ Owner }}'
SourceDetails:
- EventSource: '{{ EventSource }}'
MaximumExecutionFrequency: '{{ MaximumExecutionFrequency }}'
MessageType: '{{ MessageType }}'
- name: InputParameters
value: {}
- name: EvaluationModes
value:
- Mode: '{{ Mode }}'
DELETE example
/*+ delete */
DELETE FROM aws.config.config_rules
WHERE data__Identifier = '<ConfigRuleName>'
AND region = 'us-east-1';
Permissions
To operate on the config_rules resource, the following permissions are required:
Create
config:PutConfigRule,
config:DescribeConfigRules
Read
config:DescribeConfigRules,
config:DescribeComplianceByConfigRule
Delete
config:DeleteConfigRule,
config:DescribeConfigRules
List
config:DescribeConfigRules
Update
config:PutConfigRule,
config:DescribeConfigRules