AWS Config Config Rule
This page shows how to write Terraform and CloudFormation for an AWS Config Config Rule, and how to write them securely.
aws_config_config_rule (Terraform)
The Config Rule in AWS Config can be configured in Terraform with the resource name aws_config_config_rule. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_config_config_rule" "volume_inuse" {
  count       = var.set_guardrails_detection || var.check_ec2_volume_inuse ? 1 : 0
  name        = "Compasso-Baseline-EC2VolumeInUseCheck"
  description = "A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated."
  # The required source block is cut off in this excerpt.
}
resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"
  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
}
Parameters
  arn (optional, computed): string
  description (optional): string
  id (optional, computed): string
  input_parameters (optional): string
  maximum_execution_frequency (optional): string
  name (required): string
  rule_id (optional, computed): string
  tags (optional): map from string to string
  scope (list block):
    compliance_resource_id (optional): string
    compliance_resource_types (optional): set of string
    tag_key (optional): string
    tag_value (optional): string
  source (list block):
    owner (required): string
    source_identifier (required): string
    source_detail (set block):
      event_source (optional): string
      maximum_execution_frequency (optional): string
      message_type (optional): string
Explanation in Terraform Registry
Provides an AWS Config Rule.
Note: Config Rule requires an existing Configuration Recorder to be present. Use of depends_on is recommended (as shown in the Registry's example) to avoid race conditions.
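A complete setup of the pattern the Registry note describes, as an added example (not code from the Registry or from either GitHub repository): a recorder, a managed rule that waits on it with depends_on, and a custom Lambda-backed rule with the invoke permission Config needs. The recorder role ARN and the Lambda ARN are assumed inputs.

```hcl
# Assumed inputs: an IAM role the recorder assumes and an existing Lambda for the custom rule.
variable "config_role_arn" { type = string }
variable "custom_rule_lambda_arn" { type = string }

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = var.config_role_arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Managed, periodic rule with an input parameter. depends_on stops Terraform from
# calling PutConfigRule before the recorder exists (the race the Registry note warns about).
resource "aws_config_config_rule" "access_keys_rotated" {
  name                        = "access-keys-rotated"
  description                 = "Access keys must be rotated within maxAccessKeyAge days."
  input_parameters            = jsonencode({ maxAccessKeyAge = "90" })
  maximum_execution_frequency = "TwentyFour_Hours"
  source {
    owner             = "AWS"
    source_identifier = "ACCESS_KEYS_ROTATED"
  }
  depends_on = [aws_config_configuration_recorder.main]
}

# Custom rule: Config must be allowed to invoke the Lambda, so the permission is
# created first and the rule is scoped to the resource type the Lambda evaluates.
resource "aws_lambda_permission" "config_invoke" {
  statement_id  = "AllowConfigInvoke"
  action        = "lambda:InvokeFunction"
  function_name = var.custom_rule_lambda_arn
  principal     = "config.amazonaws.com"
}

resource "aws_config_config_rule" "custom_ec2_check" {
  name = "custom-ec2-instance-check"
  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }
  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = var.custom_rule_lambda_arn
    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }
  }
  depends_on = [aws_config_configuration_recorder.main, aws_lambda_permission.config_invoke]
}
```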
Tips: Best Practices for The Other AWS Config Resources
Besides the Config Rule itself, AWS Config has other resources that should be configured for security reasons. Please check some examples of those resources and the precautions that apply to them.
aws_config_configuration_aggregator
Ensure AWS Config is enabled in all Regions
It is better to enable AWS Config in all Regions: AWS Config can aggregate configurations from every Region, which reduces the risk posed by resources whose configuration would otherwise go unmonitored.
AWS::Config::ConfigRule (CloudFormation)
The ConfigRule in Config can be configured in CloudFormation with the resource name AWS::Config::ConfigRule. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: "AWS::Config::ConfigRule"
Properties:
  ConfigRuleName: "cloud-trail-enabled"
  Description: "Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use."
  Source:
    Owner: "AWS"

Type: AWS::Config::ConfigRule
Condition: MainRegion
Properties:
  ConfigRuleName: 'CloudTrailEnabled'
  Description: 'Verifies that CloudTrail is enabled.'
  Source:

    Type: AWS::Config::ConfigRule
  AccountPartOfOrganizations:
    Properties:
      ConfigRuleName: account-part-of-organizations
      Source:
        Owner: AWS

    Type: AWS::Config::ConfigRule
  AcmCertificateExpirationCheck:
    Properties:
      ConfigRuleName: acm-certificate-expiration-check
      InputParameters:
        daysToExpiration:

Type: "AWS::Config::ConfigRule"
Properties:
  Scope:
    ComplianceResourceTypes:
      - "AWS::EC2::Instance"
  Source:

"Type": "AWS::Config::ConfigRule",
"DependsOn": [
  "ConfigDeliveryChannel",
  "ConfigConfigurationRecorder"
],
"Properties": {

  "path": "/PropertyTypes/AWS::Config::ConfigRule.Scope/Properties/ComplianceResourceTypes/Value",
  "value": {
    "ValueType": "AWS::Config::ConfigurationRecorder.ResourceTypes"
  }
},
{
  "TemplateBody": (the conformance pack template below, passed as a single escaped string)

################################################################################
#
# Conformance Pack:
#   Operational Best Practices for AWS Identity and Access Management
#
# See Parameters section for names and descriptions of required parameters.
#
################################################################################

Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Description: Maximum number of days without rotation. Default 90.
    Type: String
    Default: 90
  IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge:
    Description: Maximum number of days a credential cannot be used. The default value
      is 90 days.
    Type: String
    Default: 90
Resources:
  AccessKeysRotated:
    Properties:
      ConfigRuleName: AccessKeysRotated
      Description: Checks whether the active access keys are rotated within the number
        of days specified in maxAccessKeyAge. The rule is non-compliant if the access
        keys have not been rotated for more than maxAccessKeyAge number of days.
      InputParameters:
        maxAccessKeyAge:
          Ref: AccessKeysRotatedParameterMaxAccessKeyAge
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
  IAMGroupHasUsersCheck:
    Properties:
      ConfigRuleName: IAMGroupHasUsersCheck
      Description: Checks whether IAM groups have at least one IAM user.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
    Type: AWS::Config::ConfigRule
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Description: Checks whether the account password policy for IAM users meets
        the specified requirements.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  IAMPolicyNoStatementsWithAdminAccess:
    Properties:
      ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess
      Description: 'Checks whether the default version of AWS Identity and Access
        Management (IAM) policies do not have administrator access. If any statement
        has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is
        non-compliant.'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
    Type: AWS::Config::ConfigRule
  IAMRootAccessKeyCheck:
    Properties:
      ConfigRuleName: IAMRootAccessKeyCheck
      Description: Checks whether the root user access key is available. The rule
        is compliant if the user access key does not exist.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserGroupMembershipCheck:
    Properties:
      ConfigRuleName: IAMUserGroupMembershipCheck
      Description: Checks whether IAM users are members of at least one IAM group.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserMFAEnabled:
    Properties:
      ConfigRuleName: IAMUserMFAEnabled
      Description: Checks whether the AWS Identity and Access Management users have
        multi-factor authentication (MFA) enabled.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED
    Type: AWS::Config::ConfigRule
  IAMUserNoPoliciesCheck:
    Properties:
      ConfigRuleName: IAMUserNoPoliciesCheck
      Description: Checks that none of your IAM users have policies attached. IAM
        users must inherit permissions from IAM groups or roles.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserUnusedCredentialsCheck:
    Properties:
      ConfigRuleName: IAMUserUnusedCredentialsCheck
      Description: Checks whether your AWS Identity and Access Management (IAM) users
        have passwords or active access keys that have not been used within the specified
        number of days you provided.
      InputParameters:
        maxCredentialUsageAge:
          Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
    Type: AWS::Config::ConfigRule
  MFAEnabledForIAMConsoleAccess:
    Properties:
      ConfigRuleName: MFAEnabledForIAMConsoleAccess
      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
        for all AWS Identity and Access Management (IAM) users that use a console
        password. The rule is compliant if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
    Type: AWS::Config::ConfigRule
  RootAccountHardwareMFAEnabled:
    Properties:
      ConfigRuleName: RootAccountHardwareMFAEnabled
      Description: Checks whether your AWS account is enabled to use multi-factor
        authentication (MFA) hardware device to sign in with root credentials.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
    Type: AWS::Config::ConfigRule
  RootAccountMFAEnabled:
    Properties:
      ConfigRuleName: RootAccountMFAEnabled
      Description: Checks whether the root user of your AWS account requires multi-factor
        authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
    Type: AWS::Config::ConfigRule

},
"DependsOn": [
  "ConfigEnabledPromiseConfigRecorder0A75B039"
],
"Metadata": {

"Type": "AWS::Config::ConfigRule",
"Properties": {
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "ENCRYPTED_VOLUMES"
  }
Parameters
  ConfigRuleName (optional): String
  Description (optional): String
  InputParameters (optional): Json
  MaximumExecutionFrequency (optional): String
  Scope (optional): Scope
  Source (required): Source
Explanation in CloudFormation Registry
Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.
You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.
If you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
The maximum number of rules that AWS Config supports is 150.
For information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
Frequently asked questions
What is AWS Config Config Rule?
AWS Config Config Rule is a resource for AWS Config on Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Config Rule?
For Terraform, the jslopes8/aws_account_setup and affinitywaterltd/terraform-aws-config source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the gabe1314/aws_cloudformation, PatrickJD/AWS and mewil/aws-config-rules source code examples are useful. See the CloudFormation Example section for further details.