AWS Config Config Rule
This page shows how to write Terraform and CloudFormation for AWS Config Config Rule and write them securely.
aws_config_config_rule (Terraform)
The Config Rule in AWS Config can be configured in Terraform with the resource name aws_config_config_rule. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
```hcl
resource "aws_config_config_rule" "volume_inuse" {
  count       = var.set_guardrails_detection || var.check_ec2_volume_inuse ? 1 : 0
  name        = "Compasso-Baseline-EC2VolumeInUseCheck"
  description = "A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated."

  # The snippet is truncated at this point in the source; the required source block
  # is completed here with the AWS managed rule that matches the rule name above.
  source {
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"
  }
}
```

```hcl
resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
}
```
Parameters
- arn: optional, computed - string
- description: optional - string
- id: optional, computed - string
- input_parameters: optional - string
- maximum_execution_frequency: optional - string
- name: required - string
- rule_id: optional, computed - string
- tags: optional - map from string to string
- scope: list block
  - compliance_resource_id: optional - string
  - compliance_resource_types: optional - set of string
  - tag_key: optional - string
  - tag_value: optional - string
- source: list block
  - owner: required - string
  - source_identifier: required - string
  - source_detail: set block
    - event_source: optional - string
    - maximum_execution_frequency: optional - string
    - message_type: optional - string
Explanation in Terraform Registry
Provides an AWS Config Rule.
Note: a Config Rule requires an existing Configuration Recorder to be present. Declaring depends_on on the recorder resource is recommended to avoid a race condition in which Terraform creates the rule before the recorder exists.
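The following Terraform is an added example, not code from the page's GitHub sources or from the Terraform Registry. It shows the ordering the Registry note asks for: a recorder, its delivery channel and service role, and a managed rule that depends on the recorder explicitly, because nothing in the rule's own attributes references the recorder and Terraform would otherwise be free to create the rule first. The bucket, role and rule names are assumptions chosen for this example.

```hcl
# Added example: recorder + delivery channel + a managed rule that depends on them.
# Bucket, role and rule names are assumptions for this example.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "config_logs" {
  bucket = "config-logs-${data.aws_caller_identity.current.account_id}" # assumed name
}

# AWS Config must be allowed to read the bucket ACL and write its delivery objects,
# otherwise creating the delivery channel fails.
data "aws_iam_policy_document" "config_bucket" {
  statement {
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.config_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.config_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "config_logs" {
  bucket = aws_s3_bucket.config_logs.id
  policy = data.aws_iam_policy_document.config_bucket.json
}

# Service role the recorder assumes; AWS_ConfigRole is the AWS-managed policy for it.
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "config-recorder-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = aws_s3_bucket.config_logs.bucket
  depends_on     = [aws_config_configuration_recorder.main, aws_s3_bucket_policy.config_logs]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

# The rule: no attribute here references the recorder, so depends_on is the only
# way to make Terraform create the recorder first.
resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud-trail-enabled" # assumed name

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}
```

Without the depends_on, a fresh apply can fail with a "no configuration recorder" error from the AWS Config API and succeed only on the second run, which is exactly the race the Registry note warns about. Pinning the rule to the recorder makes the first apply deterministic.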
Tips: Best Practices for The Other AWS Config Resources
In addition to aws_config_config_rule, AWS Config has other resources that should be configured for security reasons. Check the following examples of those resources and their precautions.
aws_config_configuration_aggregator
Ensure AWS Config is enabled in all Regions
Enable AWS Config in every Region, and use a configuration aggregator to collect configuration and compliance data from all of them in one place. Regions without a recorder are blind spots: resources created there are never evaluated, and aggregating across all Regions reduces the risk that such unmonitored configurations go unnoticed.
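As an added example (not from the page's sources), the Terraform below declares two aggregators with all_regions enabled: one for a single account and one for a whole organization, the latter with the service role Config needs to enumerate member accounts. The aggregator and role names are assumptions for this example.

```hcl
# Added example: aggregators that collect configuration and compliance data from
# every Region, so a recorder anywhere in the account or organization reports to one
# place. Names are assumptions for this example.
data "aws_caller_identity" "current" {}

# Single-account aggregator: every Region of this account.
resource "aws_config_configuration_aggregator" "account_all_regions" {
  name = "account-all-regions" # assumed name

  account_aggregation_source {
    account_ids = [data.aws_caller_identity.current.account_id]
    all_regions = true
  }
}

# Organization-wide aggregator (deployed in the management or a delegated
# administrator account): every member account and every Region.
data "aws_iam_policy_document" "aggregator_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "aggregator" {
  name               = "config-organization-aggregator" # assumed name
  assume_role_policy = data.aws_iam_policy_document.aggregator_assume.json
}

# AWS-managed policy that lets Config list the organization's accounts.
resource "aws_iam_role_policy_attachment" "aggregator" {
  role       = aws_iam_role.aggregator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "organization_all_regions" {
  name = "organization-all-regions" # assumed name

  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.aggregator.arn
  }

  depends_on = [aws_iam_role_policy_attachment.aggregator]
}
```

An aggregator only collects what recorders produce: a Region with no aws_config_configuration_recorder simply does not appear in the aggregated view, so the recorder configuration still has to be applied once per Region (for example once per provider alias). Checking the aggregator's source status for Regions that never report is a quick way to find those gaps.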
AWS::Config::ConfigRule (CloudFormation)
The ConfigRule in AWS Config can be configured in CloudFormation with the resource name AWS::Config::ConfigRule. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
```yaml
Type: "AWS::Config::ConfigRule"
Properties:
  ConfigRuleName: "cloud-trail-enabled"
  Description: "Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use."
  Source:
    Owner: "AWS"
    # The snippet is truncated here in the source; the required SourceIdentifier is
    # completed with the AWS managed rule that matches the rule name above.
    SourceIdentifier: "CLOUD_TRAIL_ENABLED"
```

```yaml
Type: AWS::Config::ConfigRule
Condition: MainRegion
Properties:
  ConfigRuleName: 'CloudTrailEnabled'
  Description: 'Verifies that CloudTrail is enabled.'
  Source:
    Owner: AWS
    # Completed as above: the snippet is truncated after Source in the source.
    SourceIdentifier: CLOUD_TRAIL_ENABLED
```
```yaml
AccountPartOfOrganizations:
  Properties:
    ConfigRuleName: account-part-of-organizations
    Source:
      Owner: AWS
      # Completed: the snippet is truncated after Owner in the source.
      SourceIdentifier: ACCOUNT_PART_OF_ORGANIZATIONS
  Type: AWS::Config::ConfigRule
AcmCertificateExpirationCheck:
  Properties:
    ConfigRuleName: acm-certificate-expiration-check
    InputParameters:
      daysToExpiration:   # value truncated in the source snippet
    Source:
      Owner: AWS
      SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK
  Type: AWS::Config::ConfigRule
```
A rule scoped to a single resource type (the Source block is truncated in the source snippet):

```yaml
Type: "AWS::Config::ConfigRule"
Properties:
  Scope:
    ComplianceResourceTypes:
      - "AWS::EC2::Instance"
  Source:
    # Owner and SourceIdentifier are truncated in the source snippet
```
A rule that waits for the recorder and delivery channel (its Properties object is truncated in the source snippet):

```json
{
  "Type": "AWS::Config::ConfigRule",
  "DependsOn": [
    "ConfigDeliveryChannel",
    "ConfigConfigurationRecorder"
  ],
  "Properties": {}
}
```
A CloudFormation resource-specification patch that types ComplianceResourceTypes as the recorder's resource-type list:

```json
{
  "path": "/PropertyTypes/AWS::Config::ConfigRule.Scope/Properties/ComplianceResourceTypes/Value",
  "value": {
    "ValueType": "AWS::Config::ConfigurationRecorder.ResourceTypes"
  }
}
```
A conformance pack whose TemplateBody bundles several managed IAM rules; the template it carries, rendered as YAML:

```yaml
################################################################################
#
# Conformance Pack:
# Operational Best Practices for AWS Identity and Access Management
#
# See Parameters section for names and descriptions of required parameters.
#
################################################################################

Parameters:
  AccessKeysRotatedParameterMaxAccessKeyAge:
    Description: Maximum number of days without rotation. Default 90.
    Type: String
    Default: 90
  IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge:
    Description: Maximum number of days a credential cannot be used. The default value is 90 days.
    Type: String
    Default: 90
Resources:
  AccessKeysRotated:
    Properties:
      ConfigRuleName: AccessKeysRotated
      Description: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.
      InputParameters:
        maxAccessKeyAge:
          Ref: AccessKeysRotatedParameterMaxAccessKeyAge
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
  IAMGroupHasUsersCheck:
    Properties:
      ConfigRuleName: IAMGroupHasUsersCheck
      Description: Checks whether IAM groups have at least one IAM user.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
    Type: AWS::Config::ConfigRule
  IAMPasswordPolicy:
    Properties:
      ConfigRuleName: IAMPasswordPolicy
      Description: Checks whether the account password policy for IAM users meets the specified requirements.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  IAMPolicyNoStatementsWithAdminAccess:
    Properties:
      ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess
      Description: 'Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is non-compliant.'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
    Type: AWS::Config::ConfigRule
  IAMRootAccessKeyCheck:
    Properties:
      ConfigRuleName: IAMRootAccessKeyCheck
      Description: Checks whether the root user access key is available. The rule is compliant if the user access key does not exist.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserGroupMembershipCheck:
    Properties:
      ConfigRuleName: IAMUserGroupMembershipCheck
      Description: Checks whether IAM users are members of at least one IAM group.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserMFAEnabled:
    Properties:
      ConfigRuleName: IAMUserMFAEnabled
      Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED
    Type: AWS::Config::ConfigRule
  IAMUserNoPoliciesCheck:
    Properties:
      ConfigRuleName: IAMUserNoPoliciesCheck
      Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
    Type: AWS::Config::ConfigRule
  IAMUserUnusedCredentialsCheck:
    Properties:
      ConfigRuleName: IAMUserUnusedCredentialsCheck
      Description: Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.
      InputParameters:
        maxCredentialUsageAge:
          Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
    Type: AWS::Config::ConfigRule
  MFAEnabledForIAMConsoleAccess:
    Properties:
      ConfigRuleName: MFAEnabledForIAMConsoleAccess
      Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is compliant if MFA is enabled.
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
    Type: AWS::Config::ConfigRule
  RootAccountHardwareMFAEnabled:
    Properties:
      ConfigRuleName: RootAccountHardwareMFAEnabled
      Description: Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
    Type: AWS::Config::ConfigRule
  RootAccountMFAEnabled:
    Properties:
      ConfigRuleName: RootAccountMFAEnabled
      Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
    Type: AWS::Config::ConfigRule
```
A rule that depends on a recorder resource (its Metadata object is truncated in the source snippet):

```json
{
  "Type": "AWS::Config::ConfigRule",
  "Properties": {
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "ENCRYPTED_VOLUMES"
    }
  },
  "DependsOn": [
    "ConfigEnabledPromiseConfigRecorder0A75B039"
  ]
}
```
Parameters
- ConfigRuleName: optional - String
- Description: optional - String
- InputParameters: optional - Json
- MaximumExecutionFrequency: optional - String
- Scope: optional - Scope
- Source: required - Source
Explanation in CloudFormation Registry
Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.
You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.
If you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
The maximum number of rules that AWS Config supports is 150. For information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
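The Registry text above describes the custom-rule case: the Source owner is CUSTOM_LAMBDA, SourceIdentifier carries the Lambda function's ARN rather than a managed-rule identifier, and the rule's ARN and ID are left for AWS Config to generate. The Terraform below is an added example of that wiring, not code from the page's sources; it assumes the evaluator function already exists and takes its ARN through the hypothetical variable evaluator_lambda_arn. The rule name and scope are assumptions too.

```hcl
# Added example: registering a custom rule backed by an existing Lambda evaluator.
# var.evaluator_lambda_arn is an assumption: the ARN of a function you already deployed.
variable "evaluator_lambda_arn" {
  type        = string
  description = "ARN of the Lambda function that evaluates resources (assumed to exist)"
}

# AWS Config invokes the function, so it needs a resource-based permission;
# without it the rule is created but every evaluation fails on invocation.
resource "aws_lambda_permission" "allow_config" {
  statement_id  = "AllowExecutionFromConfig"
  action        = "lambda:InvokeFunction"
  function_name = var.evaluator_lambda_arn
  principal     = "config.amazonaws.com"
}

resource "aws_config_config_rule" "custom_volume_check" {
  name        = "custom-ebs-volume-check" # assumed name
  description = "Custom rule evaluated by Lambda on every EBS volume change and on a 24-hour cadence"

  # Limit evaluation to the resource type the function knows how to judge.
  scope {
    compliance_resource_types = ["AWS::EC2::Volume"]
  }

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = var.evaluator_lambda_arn # the function ARN, not a managed-rule id

    # Change-triggered evaluation: Config calls the function when a volume changes.
    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }
    # Periodic evaluation as a backstop for changes the recorder missed.
    source_detail {
      event_source                = "aws.config"
      message_type                = "ScheduledNotification"
      maximum_execution_frequency = "TwentyFour_Hours"
    }
  }

  # arn and rule_id are not set here: AWS Config generates them for new rules.
  depends_on = [aws_lambda_permission.allow_config]
}

# The generated identifiers, readable after apply.
output "custom_rule_id" {
  value = aws_config_config_rule.custom_volume_check.rule_id
}

output "custom_rule_arn" {
  value = aws_config_config_rule.custom_volume_check.arn
}
```

For a managed rule the same resource would carry owner "AWS" and a managed-rule identifier in source_identifier, with no Lambda permission needed. In both cases the rule must be created after the Configuration Recorder exists, so in a stack that also creates the recorder the depends_on list should include it as well.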
Frequently asked questions
What is AWS Config Config Rule?
AWS Config Config Rule is a resource of AWS Config in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Config Rule?
For Terraform, the jslopes8/aws_account_setup and affinitywaterltd/terraform-aws-config source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the gabe1314/aws_cloudformation, PatrickJD/AWS and mewil/aws-config-rules source code examples are useful. See the CloudFormation Example section for further details.